Version 4.2.1 bug fixes

System

Configuration backups - Trusted Platform Module (TPM)

Support reference 79671

During the backup of a configuration with the privatekeys parameter set to none (this parameter can only be modified via CLI/Serverd command: CONFIG BACKUP), private keys stored in ondisk mode on the TPM are no longer wrongly decrypted.

Support reference 79671

Multiple configuration backups can no longer be launched simultaneously or too close apart, so private keys stored in ondisk mode on the TPM will no longer be wrongly decrypted.

High availability

The option Reboot all interfaces during switchover (except HA interfaces) has been optimized in high availability configurations. It informs third-party network connection devices (switches, etc.) any time members of the cluster switch roles. This option is no longer enabled on link aggregates when the option Enable link aggregation when the firewall is passive is selected.

Find out more

The errors that occur when the passive member of the cluster is updated are now correctly shown in the firewall’s web administration interface.

High availability - SSH keys

When a high availability configuration generated in version 4.2 switches to an earlier SNS version (after resetting the firewall to its factory configuration), the cluster’s SSH keys are now deleted correctly.

High availability - LDAP directory

Support reference 78461

An anomaly during the synchronization of LDAP data, due to errors in managing the special character “\” when it is used in the password to access the directory, made this LDAP directory inoperable. This anomaly has been fixed.

High availability - Synchronizing objects

Support reference 77441

The mechanism that synchronizes objects between members of the cluster would stop operating whenever the DNS server that resolved FQDN objects did not accept TCP-based DNS requests. This anomaly has been fixed.

Proxies

Support reference 79204

Issues with memory leaks on proxies have been fixed.

Support references 79957 - 80108 - 79952

Configurations that use multi-user authentication would sometimes fail to fully load web pages that embed CSP (content-security-policy) directives. This anomaly has been fixed.

Support reference 79858

An issue with competing access when saving new connections via the proxy has been fixed. This issue would cause the firewall to unexpectedly shut down and switch the roles of the members in a high availability configuration.

SMTP proxy

Support reference 78196

The proxy would sometimes restart unexpectedly after queuing e-mails and receiving an SMTP 421 error from the server. This anomaly has been fixed.

Support reference 77586

When the SMTP proxy is enabled together with SSL decryption of outgoing traffic and antivirus analysis on SMTP traffic (with the action Pass without analyzing for the options When the antivirus analysis fails and When data collection fails in the SMTP protocol analysis settings), the same events will no longer be wrongly logged multiple times in the l_smtp file.

HTTP proxy

Support reference 79584

In configurations that meet all the following conditions:

  • HTTP proxy is used,
  • Kaspersky antivirus is enabled,
  • URL filtering is enabled.

Sending several HTTP requests through an internet browser within the same TCP connection (pipelining) no longer causes the proxy to suddenly restart.

SNMP agent

Support references 77226 - 78235

The OID "SNMPv2-MIB::sysObjectID.0", which made it possible to identify the type of device queried, presented the default net-snmp value instead of the Stormshield value. This anomaly has been fixed.

Support references 77787 - 78693 - 77779 - 78164 - 78967

Excessive memory consumption issues that caused the SNMP agent service to unexpectedly shut down have been fixed.

Support reference 78761

SNMP informRequest messages are now considered valid SNMP requests and no longer raise the blocking alarm “Invalid HTTP protocol” (snmp:388).

Directory configuration

Support references 70940 - 71329 - 75280 - 77783

The maximum length of the character string the represents the subject of the certificate that was imported to allow the SSL connection to the internal LDAP directory has been raised from 128 to 256 characters.

IPSec VPN

Support references 78593 - 73609

In IPSec topologies deployed via SMC, peer certificates were not displayed in the firewall’s IPSec configuration.

As such, the administrator would sometimes select a certificate again for the peer, making the IPSec configuration ineffective. This issue has been fixed.

IPSec VPN - Implicit filter rules

Support reference 77096

The implicit “Allow ISAKMP (UDP port 500) and the ESP protocol for IPSec VPN peers” filter rule now allows IPSec traffic initialized by internal loopback interfaces.

IPSec VPN - Peer names

Peer names longer than 44 characters no longer prevent the setup of the IPSec tunnels concerned.

Host reputation

Support reference 77080

Invalid objects in the list of hosts whose reputations are monitored no longer cause a system error during attempts to reload the proxy.

Find out more

Filtering and NAT

Support reference 78647

Exporting NAT/filter rules in CSV format would wrongly generate the "Any" value for the "#nat_to_target" field in the export file, in cases where filter rules were not associated with any NAT rules. This anomaly would then prevent such CSV files from being imported into SMC if the filter rules concerned had a “Block” rule.

Support reference 76700

When there were configuration errors in the filter policy, the firewall would not load any filter rules (including implicit rules) when it restarted and blocked all traffic as a result. This issue, which required access to the firewall in serial console/VGA in order to enable a working policy, has been fixed.

Support reference 79526

Whenever a group contained 128 or more objects with at least one that had a forced MAC address, rules that used this group would no longer be applied when traffic matched them. This anomaly has been fixed.

Support references 79533 - 79636 - 80412 - 80376

When a time object was enabled or disabled, the re-evaluation of connections that match the filter rule containing this time object no longer cause the firewall to unexpectedly restart.

Support reference 79311

NAT rules that specified a destination IP address and/or destination port for the traffic after translation no longer functioned through an IPSec tunnel. This anomaly has been fixed.

SSL VPN

During attempts to set up an SSL VPN tunnel with a firewall on which stealth mode was disabled, the firewall no longer wrongly ignores the first packet sent by the SSL VPN client, and the tunnel can be set up correctly.

SSL VPN tunnel monitoring

Support reference 77801

Names of users connected via SSL VPN were displayed in plaintext in these tunnels’ monitoring module, even when the connected administrator did not have privileges to access personal data. This anomaly has been fixed.

Authentication - Temporary accounts

Support reference 79296

When the security policy on the firewall required passwords longer than 8 characters, adding, changing or deleting the authentication method for temporary accounts no longer generates a system error.

Certificates and PKI

The Certificate Revocation Lists (CRLs) entered in certificates are now downloaded together with those specified in the CAs.

Initial configuration via USB key

Support reference 75370

When several devices, such as USB keys and SD cards, are connected, only the USB key will now be taken into account.

Intrusion prevention

SSL protocol

Support reference 77817

An error in the declaration of the ExtensionLength SSL protocol analysis field would wrongly raise “Invalid SSL packet” blocking alarms (ssl alarm:118) for legitimate Client Hello SSL packets. This anomaly has been fixed.

SMB v2 protocol

Support reference 78216

An anomaly in the SMB protocol analysis engine would wrongly raise the "Invalid NBSS/SMB2 protocol" alarm (nb-cifs alarm:157), blocking legitimate SMBv2 traffic as a result. This anomaly has been fixed.

SMB - CIFS protocol

Support references 77484 - 77166

Anomalies in the SMB - CIFS protocol analysis would wrongly raise the "Invalid NBSS/SMB protocol" blocking alarm (nb-cifs alarm:158) during legitimate access to shared Microsoft Windows disk resources. These anomalies have been fixed.

DNS protocol

Support reference 77256

An anomaly in the DNS protocol analysis would wrongly raise the “Possible DNS rebinding attack” blocking alarm (dns alarm:154) when a DNS server responded with an external IP address consisting of its IPv6 address concatenated with its IPv4 address (IPv4 - IPv6 mapping). This anomaly has been fixed.

SMTP protocol

Support reference 77661

In a configuration such as the following:

When e-mails containing attachments that exceed the defined size are analyzed, the blocking alarm “Invalid SMTP protocol” (smtp alarm:121) is no longer wrongly raised.

FastPath mode

Support references 76810 - 77932

An issue with competing access when connection statistics were injected into the intrusion prevention engine has been fixed. This issue could cause significant CPU consumption and network packets to unexpectedly be rejected over IX interfaces (2x10Gbps and 4x10Gbps fiber modules).

Hardware

Configuration via USB key

Support references 79645 - 79283

Whenever a firewall is configured via USB key, an information message now appears in the console and a waiting period of two minutes is initiated when the USB key needs to be removed to continue ongoing operations (firmware updates, connecting a firewall to a cluster, etc.). Removing the USB key suspends the counter.

This mechanism makes it possible to prevent key decryption errors on firewalls equipped with a TPM (SN3100 and SNi20).

Find out more

Virtual machines

Serial numbers of VPAYG firewalls

Support reference 76157

The high availability monitoring mechanism did not recognize serial numbers of VPAYG firewalls (serial number of the firewall, to which an extension such as "-XXXXXXXX” is added). This anomaly has been fixed.

EVA firewalls deployed over VMWare with 10Gb/s interfaces

Support reference 76546

For firewalls deployed in a VMWare infrastructure, the maximum throughput displayed for 10Gb/s interfaces that use the vmxnet3 driver is no longer wrongly limited to 10Mb/s.

Web administration interface

Interfaces

Support reference 77682

Whenever a parent GRETAP interface of a VLAN was deleted, the VLAN would be hidden from the list of interfaces even though it was still defined in the firewall configuration. This operation now leaves the VLAN visible at the root of the list of available interfaces.

Support reference 77014

The system now correctly detects the connection status of USB/Ethernet (4G) interfaces and displays it in the Configuration > Network > Interfaces module.

Interfaces - Modem configuration profiles

Administrator accounts in read-only mode could not display the configuration profiles of modems. This anomaly has been fixed.

Interfaces - GRETAP

Support reference 78800

The correct MTU is now assigned to GRETAP interfaces when they are created (1462 bytes, instead of 1500 as in the four previous versions).

Protocols

Support reference 78157

After the profile name of a protocol analysis is edited, and the configuration module is changed, the Edit menu is no longer empty when the user goes back to the edited protocol analysis module.

Protocols - BACnet/IP

The service with a confirmedTextMessage confirmation would wrongly appear twice in the Remote Device Management group (IDs 19 and 20). ID 20 is now correctly assigned to the reinitializeDevice service.

Automatic backups - Custom server

Support reference 78018

The port defined during the creation of the custom backup server appears correctly again in the URL shown in the configuration module.

Do note that the anomaly affected only the display.

Find out more

Authentication - Radius method

Support reference 76824

During access to the configuration of the Radius server, if the pre-shared key field was accidentally erased, a blank pre-shared key would be entered instead of the previous value. This issue has been fixed and the firewall now refuses empty values for this field.

URL filtering - SSL filtering

Support reference 77458

The results of a URL categorization (URL filtering and SSL filtering modules) are no longer continuously displayed at the bottom of the screen when a module is changed.

Support reference 79017

Modifying several SSL filter rules or URL filter rules at the same time would generate an abnormally high number of system commands. This anomaly has been fixed.

Web objects

Support reference 76327

Immediately after a new URL or certificate category is created, clicking on the column to sort contents:

  • No longer creates system errors if no other categories were selected during the creation operation,
  • Does not wrongly show the contents of another category if it was selected during the creation operation.

Web objects - Object groups

Support reference 76325

The search field for groups of categories is no longer case-sensitive.

IPSec VPN

Support reference 74210

When an IPSec rule separator is added to a policy that contains more than one page of rules, the user is no longer sent back to the first page of the IPSec policy every time.

Support references 74966 - 75821

Double-clicking on an IPSec rule separator correctly opens it in edit mode, and the modification of the separator is fully functional again.

Support reference 75810

When a peer is created or modified, switching from certificate authentication to pre-shared key authentication, followed by a switch back to certificate authentication without reloading the configuration page, no longer causes system errors due to the detection of the certificate initially selected.

Support references 77246 - 77264 - 77274

When a peer with a configuration that contained errors (indicated by a message in the Checking the policy field) was created or modified, it could still be validated anyway. This anomaly, which caused an error while reloading the IPSec VPN configuration, has been fixed.

Support reference 77443

Creating, modifying or deleting a pre-shared key from the table of pre-shared keys for mobile tunnels (Configuration > IPSec VPN module > Identification tab) no longer creates a key conflict or prevents the setup of IPSec tunnels that use such keys.

IPSec VPN - Peers

Additional controls have been added to better manage the duplication, renaming or deletion of peers in the process of modification (changes not saved).

Certificates and PKI

Support reference 78965

After an external CA was imported into the PKI (this operation can only be performed in command line), it could no longer be declared as the default CA (for the SSL proxy for example), or selected when an identity was created (user, server, etc.). This anomaly has been fixed.

Aliases can now be entered (Subject Alternative Name field) when a server identity is created. The latest versions of web browsers sometimes require this field.

Captive portal

Support reference 78805

During the redirection to the authentication page, the Password field was selected by default instead of the User name field if it was empty. This anomaly has been fixed.

Filtering and NAT - Geolocation and public IP address reputation

Support reference 80980

When a geographic group or a public IP address reputation group is used in a filter/NAT rule, the tool tip that appears when the user scrolls over the group no longer wrongly displays “Object not found”.