SNS 4.2.8 bug fixes

System

IPsec VPN

Support references 83903 - 84062

IPsec VPN tunnels that were set up with certificate authentication would occasionally fail when the private key was protected by the TPM. A "No private key found for <CN>" error would then be logged. This issue has been fixed.

High availability (HA) - Firewall updates

Whenever the passive firewall in an HA cluster was updated to SNS version 4.2.3 or higher, then switched to active mode, the new passive firewall in SNS version 4.2.3 or higher could not be successfully updated. This issue has been fixed.

Authentication

Support reference 83411

Whenever a filter rule of the "Authentication rule" type redirected traffic to the captive portal (authentication portal), Sponsorship could no longer be selected as the authentication method on this captive portal's page. This anomaly appeared in SNS version 4 and has since been fixed.

Network

Support references 82366 - 83624 - 84201

Bird dynamic routing engine

Despite the static routes declared in the Bird configuration and the dynamic routes that Bird learned, the corresponding networks were not automatically added to the table of protected addresses. This issue has been fixed.

Intrusion prevention

Antivirus analysis

Support reference 80792

Since Zoom application traffic is incompatible with the antivirus analysis, the Zoom CNs have been added to the CN group proxyssl_bypass.

SMB/CIFS protocol

Support reference 83660

An issue that caused SMB packets to be blocked has been fixed: the SMB/CIFS protocol analysis engine now factors in the padding bytes at the end of SMB packets.

NTP

The "NTP: KoD denied" (ntp:456) alarm is no longer raised by mistake and in a loop when the KoD (Kiss-of-Death) is attributed to the IP address of the NTP server.

HTTP

Support reference 83553

The HTTP protocol analysis has been optimized to avoid consuming too much memory and inappropriately overloading the firewall.