Version 4.1.6 bug fixes

System

Configuration backups - Trusted Platform Module (TPM)

Support reference 79671

During the backup of a configuration with the privatekeys parameter set to none (this parameter can only be modified via CLI/Serverd command: CONFIG BACKUP), private keys stored in ondisk mode on the TPM are no longer wrongly decrypted.

Support reference 79671

Multiple configuration backups can no longer be launched simultaneously or too close apart, so private keys stored in ondisk mode on the TPM will no longer be wrongly decrypted.

Filtering and NAT

Support reference 79526

Whenever a group contained 128 or more objects with at least one that had a forced MAC address, rules that used this group would no longer be applied when traffic matched them. This issue has been fixed.

Support references 80043 - 79636 - 80412 - 80376 - 79771

When a time object was enabled or disabled, the re-evaluation of connections that match the filter rule containing this time object no longer cause the firewall to unexpectedly restart.

Proxies

Support references 79957 - 80108

Configurations that use multi-user authentication would sometimes fail to fully load web pages that embed CSP (content-security-policy) directives. This issue has been fixed.

Support reference 81624

In configurations that use multi-user authentication, the application of "img-src https://*" CSP (content-security-policy) directives would sometimes cause the proxy service to unexpectedly restart. This issue has been fixed.

Support reference 79858

An issue with competing access when saving new connections via the proxy has been fixed. This issue would cause the firewall to unexpectedly shut down and switch the roles of the members in a high availability configuration.

SMTP proxy

Support reference 78196 - 79813 - 81759

The proxy would sometimes restart unexpectedly after queuing e-mails and receiving an SMTP 421 error from the server. This issue has been fixed.

HTTP proxy

Support reference 79584

In configurations that meet all the following conditions:

  • HTTP proxy is used,
  • Kaspersky antivirus is enabled,
  • URL filtering is enabled.

Sending several HTTP requests through an internet browser within the same TCP connection (pipelining) no longer causes the proxy to suddenly restart.

SSL proxy

Support reference 77207

The SSL proxy would sometimes restart when all of the following conditions occurred:

  • An SSL filter policy applied a “Pass without decrypting” action when a CN could not be categorized,
  • A connection matched this rule (“Pass without decrypting”) because the classification of the CN failed.

  • A simultaneous connection to the same website was classified with the action “Block without decrypting”.

This issue has been fixed.

High availability

The errors that occur when the passive member of the cluster is updated are now correctly shown in the firewall’s web administration interface.

System events

Support reference 80426

System event no. 19 "LDAP unreachable" is activated again when there are issues accessing an LDAP directory defined in the firewall configuration.

SNMP agent

Support references 77226 - 78235

The OID "SNMPv2-MIB::sysObjectID.0", which made it possible to identify the type of device queried, presented the default net-snmp value instead of the Stormshield value. This anomaly has been fixed.

Support references 80036 - 77779

Excessive memory consumption issues that caused the SNMP agent service to unexpectedly shut down have been fixed.

Regular CRL retrieval

Support reference 81259

When an explicit proxy is defined on the firewall with a specific network port, the mechanism that regularly retrieves CRLs now correctly uses the port of the explicit proxy to access the Internet.

LDAP directory - Backup server

Support reference 80428

In an LDAP(S) configuration defined with a backup server, when:

  • The firewall switched to the backup LDAP(S) server because the main server stopped responding, and
  • The backup server also does not respond,

The firewall will then immediately attempt to connect to the main server again without waiting for the 10-minute timeout defined in factory settings.

External LDAP directory

Support reference 81531

After an external LDAP directory was created and made accessible via a secure connection, enabling the option Check the certificate against a Certification Authority and selecting a trusted CA no longer cause an internal error on the firewall.

IP address reputation and geolocation service

Support reference 81048

In some cases, the IP address reputation and geolocation service would unexpectedly shut down after competing access that occurs when a configuration is reloaded. Even when it was automatically restarted, service could still be disrupted. This issue has been fixed.

Support reference 77980

An anomaly relating to the IP address reputation and geolocation service would sometimes result in memory corruption, which would cause the firewall to unexpectedly restart. This issue has been fixed.

Network

Static routing and IPSec VPN

Support reference 80862

In policy-based IPSec VPN configurations (non-VTI), whenever a static route was created for the remote network via the IPSec interface, traffic was not encrypted and sent to this network as it was supposed to be. This issue has been fixed.

Bridge - MAC addresses

Support reference 80652

On interfaces attached to a bridge, when a network device is moved and the network traffic that it generates is no longer linked to the same physical interface, the firewall automatically maps the MAC address of the device to the new interface once a Gratuitous ARP request is received from the new device.

This switch was not correctly applied whenever the MAC address was different after the network device was moved This issue has been fixed.

Intrusion prevention

SMB - CIFS protocol

Support references 77484 - 77166

Anomalies in the SMB - CIFS protocol analysis would wrongly raise the "Invalid NBSS/SMB protocol" blocking alarm (nb-cifs alarm:158) during legitimate access to shared Microsoft Windows disk resources. These anomalies have been fixed.

Virtual machines

Serial numbers of VPAYG firewalls

Support reference 76157

The high availability monitoring mechanism did not recognize serial numbers of VPAYG firewalls (serial number of the firewall, to which an extension such as "-XXXXXXXX” is added). This issue has been fixed.

Hardware

Configuration via USB key

Support references 79645 - 79283

Whenever a firewall is configured via USB key, an information message now appears in the console and a waiting period of two minutes is initiated when the USB key needs to be removed to continue ongoing operations (firmware updates, connecting a firewall to a cluster, etc.). Removing the USB key suspends the counter.

This mechanism makes it possible to prevent key decryption errors on firewalls equipped with a TPM (SN3100 and SNi20).

Web administration interface

Filtering and NAT - Geolocation and public IP address reputation

Support reference 80980

When a geographic group or a public IP address reputation group is used in a filter/NAT rule, the tool tip that appears when the user scrolls over the group no longer wrongly displays “Object not found”.