SNS 4.4.1 bug fixes
System
SSH connection to a cluster
Administrators connected over SSH to the active member of the cluster with their own account (not the admin account) were prompted for the admin account password when they also wanted to connect over SSH to the passive member of the cluster. This anomaly has been fixed.
HTTP requests
Support reference 83085
Following a component change in SNS version 4.1.1, the User-Agent and Connection: close headers were no longer present in the HTTP requests sent by the firewall, which could prevent CRLs from being retrieved automatically. This issue has been fixed.
SSL proxy
Support reference 73331
The SSL proxy now accepts the "_" character in FQDN names for the SNI (Server Name Indication) extension.
CLI/serverd commands
The help returned from the command CONFIG IPSEC PEER NEW HELP now indicates a range of correct values for the token ikedscp (<0-63> instead of the previous wrong value of <0-56>).
The help returned from the command CONFIG COMMUNICATION SYSLOG PROFILE UPDATE HELP now specifies the existence of the token LogRouterStat.
Hardware management - SN160(W), SN210(W) and SN310 model firewalls
Support references 82933 - 84307
When a SN160(W), SN210(W) or SN310 model firewall is powered down, an anomaly in the order in which the hardware management mechanisms were shut down prevented the Online LED from switching off. This anomaly, which could give the false impression that the firewall has not been correctly shut down, has been fixed.
Filter - NAT
Support reference 82534
An anomaly while exporting NAT rules in a CSV file has been fixed: the export now factors in the contents of the Protocol column.
Support reference 79079
An SSL VPN interface (TCP/UDP) can now be selected directly as the source interface in a filter rule.
IPsec VPN and GRE
Support reference 82051
ESP -> GRE -> ESP double encapsulation (encapsulation of an IPsec tunnel in a GRE tunnel, which is in turn encapsulated in an IPsec tunnel) is operational once again. This regression appeared in SNS version 4.1.
Limiting the duration of remote administrator sessions
The function allowing the super-administrator to limit the maximum idle timeout allowed for administrator accounts on the firewall is operational once again (regression appeared in SNS version 4.2).
HTTP proxy
Support reference 80100
Changing the ICAP configuration (in particular disabling this configuration) of an HTTP protocol analysis profile while a connection involving ICAP is in progress no longer makes the proxy suddenly freeze.
Inactive Ethernet interface with a forced MAC address and attached VLAN
Support reference 80970
When forcing the MAC address of an Ethernet interface that is parent to a VLAN, the VLAN would not inherit the forced MAC address. This anomaly has been fixed.
Console mode and serial port enabled
Support reference 82054
On firewalls with console mode enabled and the serial port configured as the display, connecting a keyboard and monitor was in some cases required in order to restart in single-user mode (e.g., to change the password of the admin account). This issue has been fixed.
Logs
Support reference 82287
The size of the log processing queue and the memory allocated to this process have been increased to minimize the risk of losing logs when the firewall handles a high volume of traffic.
Intrusion prevention
MMS protocol - IDS mode
The IDS mode applied to a filter rule that affects MMS traffic wrongly behaved like the IPS mode and blocked the triggering packets instead of only raising the relevant alarms. This anomaly has been fixed.
NTP protocol
The "NTP: KoD denied" alarm (ntp:456) is no longer raised by mistake for legitimate NTP traffic when an NTP KoD (Kiss-o'-Death) packet comes from the IP address of the NTP server but that address is not in the whitelist.
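As an added illustration (not Stormshield code, and not the firewall's own alarm logic), the following Python snippet shows how a KoD packet is recognised on the wire, per RFC 5905 section 7.4 (stratum 0, server reply, four-character ASCII kiss code in the reference ID field), and an assumed whitelist policy in which a KoD coming from a configured NTP server or a whitelisted address is treated as legitimate. The NTP packets are constructed inline, not captured.

```python
import struct

# Kiss codes listed in RFC 5905 section 7.4; any printable 4-character code is still a KoD.
KNOWN_KISS_CODES = {"ACST", "AUTH", "AUTO", "BCST", "CRYP", "DENY", "DROP",
                    "RSTR", "INIT", "MCST", "NKEY", "RATE", "RMOT", "STEP"}


def build_ntp_packet(mode, stratum, refid, li=0, version=4):
    """Build a minimal 48-byte NTPv4 header (constructed test data, not a capture)."""
    first = (li << 6) | (version << 3) | mode
    header = struct.pack("!BBbb", first, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                       # root delay, root dispersion
    header += refid                                          # reference ID (4 bytes)
    header += b"\x00" * 32                                   # reference/origin/receive/transmit timestamps
    return header


def kiss_code(packet):
    """Return the kiss code if the packet is a KoD, else None.

    RFC 5905 s7.4: a KoD is a server reply (mode 4) with stratum 0 whose
    reference ID carries a four-character ASCII kiss code.
    """
    if len(packet) < 48:
        return None
    mode = packet[0] & 0x07
    stratum = packet[1]
    if mode != 4 or stratum != 0:
        return None
    refid = packet[12:16]
    if not all(0x21 <= b <= 0x7E for b in refid):
        return None
    return refid.decode("ascii")


def kod_alarm(src_ip, packet, ntp_servers, whitelist):
    """Decide whether a 'KoD denied'-style alarm should fire for one reply.

    Assumed policy (illustrative, not the firewall's): a KoD from a configured
    NTP server or from a whitelisted address is legitimate and raises nothing;
    a KoD from any other source returns an alarm string.
    """
    code = kiss_code(packet)
    if code is None:
        return None
    if src_ip in whitelist or src_ip in ntp_servers:
        return None
    label = code if code in KNOWN_KISS_CODES else f"{code} (unknown code)"
    return f"NTP: KoD {label} from unexpected source {src_ip}"


if __name__ == "__main__":
    servers = {"192.0.2.10"}          # constructed: the firewall's configured NTP server
    rate_limit = build_ntp_packet(4, 0, b"RATE", li=3)
    normal = build_ntp_packet(4, 2, b"\xc0\x00\x02\x01")
    print(kod_alarm("192.0.2.10", rate_limit, servers, set()))    # None: configured server
    print(kod_alarm("198.51.100.7", rate_limit, servers, set()))  # alarm: unexpected source
    print(kod_alarm("192.0.2.10", normal, servers, set()))        # None: not a KoD at all
```

The first call is the case this fix covers: the KoD comes from the NTP server itself and is not whitelisted, so no alarm should be raised.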
SIP protocol
In a filter rule for incoming SIP traffic with the option Redirect incoming SIP calls (UDP) enabled (internal SIP server), OPTIONS requests, which are used to query the capabilities of the SIP server, are no longer blocked by mistake. This regression appeared in SNS version 4.0.3.
Ethernet protocols
The analysis profile "(0)" was always applied for the analysis of Ethernet protocols (Profinet IO, Profinet RT, IEC 61850, etc.) and other profiles were ignored. This issue has been fixed.
TCP-UDP protocol
An anomaly in the management of the connection counter on the TCP-UDP protocol analysis engine has been fixed.
ARP requests while reloading the configuration of the intrusion prevention engine
Support reference 84272
A concurrent access issue (race condition) involving ARP requests sent while the configuration of the intrusion prevention engine was being reloaded would occasionally freeze the firewall unexpectedly. This issue has been fixed.
Web administration interface
Directory configuration
Support reference 82849
Choosing None in the backup LDAP server selection field no longer causes the system error "Invalid backup host".
IPsec VPN
Support reference 83017
The Inactive value can no longer be assigned to DPD (Dead Peer Detection) mode when an IPsec peer is being created or modified. This value was in fact no longer supported and caused a system error "Argument error Command: CONFIG IPSEC PEER UPDATE dpd_mode=off".
URL/SSL/SMTP filtering
Support reference 83587
Modifying a URL/SSL/SMTP filter rule by dragging and dropping did not activate the Apply button, even though the changes had been made. This anomaly has been fixed.
VLAN interfaces
Support reference 83873
Creating a VLAN, renaming it without having saved changes to the configuration beforehand, then creating another VLAN on the same physical interface and renaming the second VLAN, would cause an error indicating that both VLANs had the same name. This anomaly has been fixed.
Authentication - Microsoft Active Directory
Support reference 52539
Whenever the request to list the users of an external Microsoft Active Directory exceeded the MaxSizeLimit parameter set on the Active Directory server, the system error message No user found was wrongly displayed. The firewall now shows the maximum number of users that can be retrieved, together with a message indicating that this limit has been reached.
Searches in logs
Support reference 77587
Optimizations have been implemented to reduce the search time in logs.
SSL VPN domain name
Support reference 74996
The DNS Domain name field meant for clients of the SSL VPN service would wrongly reject the "_" character. This anomaly has been fixed.
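Both this fix and the SSL proxy SNI fix above concern the same input-validation question: whether "_" is allowed in a DNS name. As an added example (editor's code, not Stormshield's, and not the check the firewall actually runs), the validator below applies either the strict RFC 1123 hostname rule, which forbids underscores, or the more permissive DNS-name rule (RFC 2181 places no character restriction on labels), which is what SNI values and DNS search domains carrying underscores need.

```python
import re

# RFC 1123 hostname label: alphanumerics and '-', no leading/trailing '-', 1-63 chars.
_HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Relaxed DNS label: same shape, but '_' is allowed anywhere (assumed rule for SNI / DNS domain fields).
_DNS_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def validate_fqdn(name, allow_underscore=True):
    """Validate a fully qualified domain name label by label.

    Returns (ok, reason). With allow_underscore=False the strict RFC 1123
    hostname rule is applied; with the default True, '_' is accepted in labels,
    which is what an SNI value such as my_service.example.com or an SSL VPN
    DNS domain containing '_' requires.
    """
    n = name.strip().rstrip(".")          # a single trailing dot marks the root; accept it
    if not n:
        return False, "empty name"
    if len(n) > 253:
        return False, "name longer than 253 characters"
    pattern = _DNS_LABEL if allow_underscore else _HOSTNAME_LABEL
    for label in n.split("."):
        if not label:
            return False, "empty label (consecutive dots)"
        if len(label) > 63:
            return False, f"label {label!r} longer than 63 characters"
        if not pattern.match(label):
            return False, f"label {label!r} contains invalid characters or a bad edge character"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names; the underscore case is the one both fixes are about.
    for candidate in ("vpn.example.com", "my_service.example.com", "a..b", "-bad.example.com"):
        print(candidate, validate_fqdn(candidate), validate_fqdn(candidate, allow_underscore=False))
```

The practical point is that the two rules diverge only on "_": a field that validates SNI or DNS domain input with the hostname regex will reject names that are perfectly resolvable, which is the behaviour these two fixes removed.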
Filtering
Support reference 80794
Whenever a rule that uses the ICMP protocol as a filtering criterion was cloned, and its copy was modified by replacing ICMP with another protocol, and the copy was in turn cloned in a third rule, the third rule would wrongly contain references to the ICMP protocol of the original rule. This inappropriate behavior, which prevented the filter policy from being enabled and caused an error “This rule contains a filter on ICMP messages, but ICMP is not the defined protocol”, has been fixed.
Network objects - MAC address range
Support reference 77968
When creating a MAC address network object, condensed notation (12 hexadecimal digits without ":" or "-" separators, e.g., 01af3b54c89c) is now accepted and no longer raises the error message "Invalid MAC address".
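As an added example of the parsing this fix describes (editor's code, not Stormshield's, and not the firewall's own object parser), the functions below normalise a MAC address given in colon-separated, hyphen-separated or condensed notation to one canonical form, and use that to validate a MAC address range object. Acceptance of the Cisco dotted form (xxxx.xxxx.xxxx) goes beyond what the release note states and is an assumption of this example.

```python
import re

_CONDENSED = re.compile(r"^[0-9A-Fa-f]{12}$")
_HEX = set("0123456789abcdefABCDEF")

# (separator, number of groups, hex digits per group) for the delimited notations.
_DELIMITED_FORMS = ((":", 6, 2), ("-", 6, 2), (".", 3, 4))


def parse_mac(text):
    """Return the canonical form 'xx:xx:xx:xx:xx:xx' of a MAC address.

    Accepts 01:af:3b:54:c8:9c, 01-af-3b-54-c8-9c, 01af.3b54.c89c (assumed
    extension) and the condensed 01af3b54c89c; raises ValueError otherwise.
    """
    s = text.strip()
    if _CONDENSED.match(s):
        digits = s
    else:
        for sep, groups, width in _DELIMITED_FORMS:
            parts = s.split(sep)
            if len(parts) == groups and all(len(p) == width and set(p) <= _HEX for p in parts):
                digits = "".join(parts)
                break
        else:
            raise ValueError(f"Invalid MAC address: {text!r}")
    h = digits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(text):
    """Boolean wrapper around parse_mac for callers that only need a yes/no."""
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def mac_to_int(mac):
    """Integer value of a canonical MAC, used for range comparisons."""
    return int(parse_mac(mac).replace(":", ""), 16)


def mac_range(start, end):
    """Normalise the bounds of a MAC address range object and check their order."""
    a, b = parse_mac(start), parse_mac(end)
    if mac_to_int(a) > mac_to_int(b):
        raise ValueError(f"range start {a} is greater than range end {b}")
    return a, b


def mac_in_range(mac, start, end):
    """True if mac lies within [start, end], whichever notation each is written in."""
    lo, hi = mac_range(start, end)
    return mac_to_int(lo) <= mac_to_int(mac) <= mac_to_int(hi)


if __name__ == "__main__":
    # Constructed sample addresses; the condensed one is the case this fix concerns.
    for sample in ("01af3b54c89c", "01-AF-3B-54-C8-9C", "01:af:3b:54:c8:9c", "01af.3b54.c89c", "01af3b54c8"):
        print(sample, "->", parse_mac(sample) if is_valid_mac(sample) else "Invalid MAC address")
    print(mac_range("01af3b54c89c", "01:af:3b:54:c8:ff"))
```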
System monitoring
Support reference 81041
The system monitoring mechanism would wrongly and systematically send the command that verifies cluster synchronization, even when HA was not enabled on the firewall. This anomaly, which displayed the error message "200 HA not initialized" every minute in the message panel at the bottom of each configuration module, has been fixed.