SNS 4.2.4 bug fixes

System

SSL VPN

Support reference 78163

The browser language is now taken into account in the Stormshield SSL VPN client’s download link presented by the captive portal of the firewall that hosts this service.

Support reference 79149

Additional controls have been implemented to display an error when the Available networks field is defined by a group that contains an IP address range. Such configurations prevented the SSL VPN service from running.

Support reference 73463

The SSL VPN management engine now runs correctly with the AES-GCM encryption suites (128-, 192- or 256-bit keys) recommended by the ANSSI (French network and information security agency).

Proxies

Support reference 81624

In configurations that use multi-user authentication, the application of "img-src https://*" CSP (content-security-policy) directives would sometimes cause the proxy service to unexpectedly restart. This issue has been fixed.

Support references 79257 - 79144

In configurations that use the explicit HTTP proxy or the SMTP proxy without protocol analysis, when a client connection sent the FIN flag immediately after sending the CONNECT request, the proxy would mistakenly keep the log entry of this closed connection in memory. An accumulation of such connection logs would then consume an excessive amount of firewall memory. This issue has been fixed.

SSL proxy

Support reference 77207

The SSL proxy would sometimes restart when all of the following conditions occurred:

  • An SSL filter policy applied a “Pass without decrypting” action when a CN could not be categorized,
  • A connection matched this “Pass without decrypting” rule because the classification of the CN failed, and
  • A simultaneous connection to the same website was classified with the action “Block without decrypting”.

This issue has been fixed.

System events

Support reference 80426

System event no. 19 "LDAP unreachable" is now raised when there are issues accessing an LDAP directory defined in the firewall configuration.

Automatic CRL verification

Support reference 82035

An anomaly during the automatic verification of CRL distribution points (CRLDP) listed in a sub-authority has been fixed. This anomaly would wrongly generate the alarm “The CRL published on the distribution point is invalid”.

Automatic verification of CRLs and external proxy

Support reference 81259

The verification of CRLs through an external proxy would occasionally not function because the port to reach the proxy was not correctly applied. This issue has been fixed.

Retrieving firmware updates and external proxy

Support references 79538 - 81331

The automatic retrieval of firmware through an external proxy would occasionally not function because the proxy was not applied. This issue has been fixed.

IPsec VPN

Support reference 77960

When IPsec VPN was used together with Path MTU Discovery (PMTUD), the Don't Fragment (DF) bit was not set in ESP packets, which prevented PMTUD from working. This configuration is now supported.

Support references 81013 - 81002

When the phase 1 lifetime of a tunnel lapses, the user is no longer deleted by mistake from the firewall’s authentication tables if the other tunnels used by this user are still active.

Support reference 77477

IPsec configurations which included a NAT rule that applies to packets going to the tunnel and a QoS rule for traffic passing through this tunnel would flood the firewall’s memory and make the cluster unstable in a high availability configuration. This issue has been fixed.

IPsec VPN - Diffusion Restreinte (DR) mode

On firewalls configured in Diffusion Restreinte (DR) mode, DR encryption profiles now allow only the use of 256-bit keys for AES-GCM and AES-CTR.

An error in the implementation of ECDSA based on Brainpool 256 elliptic curves prevented IPsec tunnels in DR mode from being set up with the TheGreenBow IPsec VPN client implementing DR mode. This error has been fixed.

WARNING
Fixing this error in fact makes it impossible to set up IPsec tunnels in DR mode based on ECDSA and Brainpool 256 elliptic curves between a firewall in version SNS 4.2.1 or SNS 4.2.2 and a firewall in version SNS 4.2.4 or higher.

External LDAP directory

Support reference 81531

After an external LDAP directory was created and made accessible via a secure connection, enabling the option Check the certificate against a Certification Authority and selecting a trusted CA no longer cause an internal error on the firewall.

LDAP directory - Backup server

Support reference 80428

In an LDAP(S) configuration defined with a backup server, when:

  • The firewall switched to the backup LDAP(S) server because the main server stopped responding, and
  • The backup server also did not respond,

the firewall now immediately attempts to connect to the main server again, without waiting for the 10-minute timeout defined in the factory settings.

IP address reputation and geolocation service

Support reference 81048

In some cases, the IP address reputation and geolocation service would unexpectedly shut down after concurrent access that occurs when a configuration is reloaded. Even though it was automatically restarted, the service could still be disrupted. This issue has been fixed.

Support references 77326 - 77980 - 79673 - 74614 - 80572 - 80624 - 79664 - 79589

An anomaly relating to the IP address reputation and geolocation service would sometimes result in memory corruption, which would cause the firewall to unexpectedly restart. This issue has been fixed.

Initial configuration via USB key

Support reference 80866

In an initial configuration via USB key, when an additional .CSV configuration file was imported into the installation sequence, the command entered in the last line of the file was not executed. This issue has been fixed.

Captive portal

Support reference 79386

Closing the logout page of the captive portal once again logs the user out, regardless of the browser used.

Authentication service

Support reference 81423

An issue during communication with an external LDAP server configured on the firewall (network issue, partial response from the server, etc.) would cause the firewall's authentication service to freeze, logging out users and preventing them from logging back in. This issue has been fixed.

SNMP agent

Support reference 81710

A memory leak issue in the management of the SNMP agent queue has been fixed.

Support references 81573 - 81588 - 81529

When the firewall receives an SNMP request, the SNMP agent once again responds from the correct source address, i.e., the IP address of the firewall that was queried in this SNMP request.

Support references 82734 - 82735

Syntax errors have been corrected in STORMSHIELD-VPNSP-MIB, STORMSHIELD-VPNSA-MIB, STORMSHIELD-VPNIKESA-MIB and STORMSHIELD-ALARM-MIB MIB files.

Certificates

Support reference 82110

An anomaly in how empty OCSP fields are managed would wrongly generate the error message "XSS Protection" when the properties of the certificate in question were displayed. This anomaly has been fixed.

Hardware bypass - SNi20 model firewalls

Support reference 82241

The hardware bypass mechanism could be non-functional on some SNi20 firewalls. This problem has been fixed.

Network

Static routing and IPsec VPN

Support reference 80862

In policy-based IPsec VPN configurations (non-VTI), whenever a static route to the remote network was created via the IPsec interface, traffic to this network was not encrypted and sent through the tunnel as it was supposed to be. This issue has been fixed.

Multicast routing - Address translation

Support reference 80359

Multicast network traffic packets are no longer duplicated if multicast routing is applied after a destination NAT rule is applied to this traffic.

Bridge - MAC addresses

Support reference 80652

On interfaces attached to a bridge, when a network device is moved and the network traffic that it generates is no longer linked to the same physical interface, the firewall automatically maps the MAC address of the device to the new interface once a Gratuitous ARP request is received from the new device.

This switch was not correctly applied whenever the MAC address was different after the network device was moved. This anomaly has been fixed.

Intrusion prevention

FastPath mechanism

Support reference 82078

The combination of NAT and the insertion of inappropriate routes into the tables of the intrusion prevention engine could cause inadequate use of the FastPath mechanism, causing the firewall to freeze. This issue has been fixed.

Hardware

The Intel utility that updates the microcode of Intel network cards would occasionally fail to recognize additional cards installed on SN6100 firewalls. This anomaly has been fixed.

Monitoring

IPsec tunnels

Support reference 82043

Mobile IPsec tunnels set up and defined in Config mode now appear in the IPsec tunnel monitoring module.

Web administration interface

High availability

Support reference 80888

Changes to the minimum duration of connections that must be synchronized are now correctly applied (High availability > Advanced properties).