SNS 4.4.1 bug fixes

System

SSH connection to a cluster

Administrators connected over SSH to the active member of the cluster with their own account (other than the admin account) were forced to enter the password of the admin account if they also wanted to connect over SSH to the passive member of the cluster. This anomaly has been fixed.

HTTP requests

Support reference 83085

After a component was changed in SNS version 4.1.1, the User-Agent and Connection: close headers were no longer included in HTTP requests, which could prevent CRLs from being automatically retrieved. This issue has been fixed.

SSL proxy

Support reference 73331

The SSL proxy now accepts the "_" character in FQDN names for the SNI (Server Name Indication) extension.

CLI/serverd commands

The help returned from the command CONFIG IPSEC PEER NEW HELP now indicates a range of correct values for the token ikedscp (<0-63> instead of the previous wrong value of <0-56>).

The help returned from the command CONFIG COMMUNICATION SYSLOG PROFILE UPDATE HELP now specifies the existence of the token LogRouterStat.

Hardware management - SN160(W), SN210(W) and SN310 model firewalls

Support references 82933 - 84307

When a SN160(W), SN210(W) or SN310 model firewall is powered down, an anomaly in the order in which the hardware management mechanisms were shut down prevented the Online LED from switching off. This anomaly, which could give the false impression that the firewall has not been correctly shut down, has been fixed.

Filter - NAT

Support reference 82534

An anomaly while exporting NAT rules in a CSV file has been fixed: the export now factors in the contents of the Protocol column.

Support reference 79079

An SSL VPN interface (TCP/UDP) can now be selected directly as the source interface in a filter rule.

IPsec VPN and GRE

Support reference 82051

ESP -> GRE -> ESP double encapsulation (encapsulation of an IPsec tunnel in a GRE tunnel, which is in turn encapsulated in an IPsec tunnel) is operational once again. This regression appeared in SNS version 4.1.

Limiting the duration of remote administrator sessions

The function allowing the super-administrator to limit the maximum idle timeout allowed for administrator accounts on the firewall is operational once again (regression appeared in SNS version 4.2).

HTTP proxy

Support reference 80100

Changing the ICAP configuration (in particular disabling this configuration) of an HTTP protocol analysis profile while a connection involving ICAP is in progress no longer makes the proxy suddenly freeze.

Inactive Ethernet interface with a forced MAC address and attached VLAN

Support reference 80970

When forcing the MAC address of an Ethernet interface that is parent to a VLAN, the VLAN would not inherit the forced MAC address. This anomaly has been fixed.

Console mode and serial port enabled

Support reference 82054

On firewalls with console mode and serial port display enabled, connecting a keyboard and monitor was wrongly required in order to restart in single user mode (e.g., to change the password of the admin account). This issue has been fixed.

Logs

Support reference 82287

The size of the log processing queue and the memory allocated to this process have been increased to minimize the risk of losing logs when the firewall handles a high volume of traffic.

Intrusion prevention

MMS protocol - IDS mode

The IDS mode applied to a filter rule that affects MMS traffic wrongly behaved like the IPS mode and blocked triggering packets instead of raising only the relevant alarms.

NTP protocol

The "NTP: KoD denied" (alarm ntp:456) alarm is no longer raised by mistake for legitimate NTP traffic when an NTP KoD (Kiss-o'-Death) packet is not found in the whitelist and is set to the IP address of the NTP server.

SIP protocol

In a filter rule for incoming SIP traffic, with the option Redirect incoming SIP calls (UDP) enabled (internal SIP server), OPTIONS requests that serve to query the capabilities of the SIP server are no longer blocked by mistake. This regression appeared in SNS version 4.0.3.

Ethernet protocols

The analysis profile "(0)" was always applied for the analysis of Ethernet protocols (Profinet IO, Profinet RT, IEC 61850, etc.) and other profiles were ignored. This issue has been fixed.

TCP-UDP protocol

An anomaly in the management of the connection counter on the TCP-UDP protocol analysis engine has been fixed.

ARP requests while reloading the configuration of the intrusion prevention engine

Support reference 84272

An issue with competing access relating to ARP requests sent while reloading the configuration of the intrusion prevention engine would occasionally end up freezing the firewall unexpectedly. This issue has been fixed.

Web administration interface

Directory configuration

Support reference 82849

Choosing None in the backup LDAP server selection field no longer causes the system error "Invalid backup host".

IPsec VPN

Support reference 83017

The Inactive value can no longer be assigned to DPD (Dead Peer Detection) mode when an IPsec peer is being created or modified. This value was in fact no longer supported and caused a system error "Argument error Command: CONFIG IPSEC PEER UPDATE dpd_mode=off".

URL/SSL/SMTP filtering

Support reference 83587

Modifying a URL/SSL/SMTP filter rule by dragging and dropping did not activate the Apply button, even though the changes were applied. This anomaly has been fixed.

VLAN interfaces

Support reference 83873

Creating a VLAN, renaming it without having saved changes to the configuration beforehand, then creating another VLAN on the same physical interface and renaming the second VLAN, would cause an error indicating that both VLANs had the same name. This anomaly has been fixed.

Authentication - Microsoft Active Directory

Support reference 52539

Whenever the request to display users in an external Microsoft Active Directory exceeded the MaxSizeLimit parameter set on the Microsoft Active Directory server, the system error message No user found is no longer shown by mistake: the firewall now shows the maximum number of users that can be retrieved and shows a message indicating that the maximum number of retrievable users has been reached.

Searches in logs

Support reference 77587

Optimizations have been implemented to reduce the search time in logs.

SSL VPN domain name

Support reference 74996

The DNS Domain name field meant for clients of the SSL VPN service would wrongly reject the "_" character. This anomaly has been fixed.

Filtering

Support reference 80794

Whenever a rule that uses the ICMP protocol as a filtering criterion was cloned, and its copy was modified by replacing ICMP with another protocol, and the copy was in turn cloned in a third rule, the third rule would wrongly contain references to the ICMP protocol of the original rule. This inappropriate behavior, which prevented the filter policy from being enabled and caused an error "This rule contains a filter on ICMP messages, but ICMP is not the defined protocol", has been fixed.

Network objects - MAC address range

Support reference 77968

During the creation of a MAC address network object, the use of condensed notation (without separators such as ":" or "-", e.g., 01af3b54c89c) is accepted and no longer raises the error message "Invalid MAC address".
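As an added illustration (not Stormshield code) of the notations the object creation now accepts, the following Python function normalizes a MAC address given in colon-separated, hyphen-separated or condensed form and rejects anything else; the canonical lower-case colon output and the helper names are assumptions.

```python
import re

# Six octets joined by one consistent separator (":" or "-"); the
# backreference \2 rejects mixed separators such as "01:af-3b:54:c8:9c".
_SEPARATED = re.compile(
    r"^([0-9a-f]{2})([:-])([0-9a-f]{2})(?:\2[0-9a-f]{2}){4}$", re.I
)
# Condensed notation: twelve hex digits with no separators at all.
_CONDENSED = re.compile(r"^[0-9a-f]{12}$", re.I)


def normalize_mac(value: str) -> str:
    """Return the address in canonical lower-case colon notation.

    Accepts "01:af:3b:54:c8:9c", "01-AF-3B-54-C8-9C" and "01af3b54c89c";
    raises ValueError("Invalid MAC address") for any other input.
    """
    text = value.strip()
    if _CONDENSED.match(text):
        hexdigits = text.lower()
    elif _SEPARATED.match(text):
        hexdigits = re.sub(r"[:-]", "", text).lower()
    else:
        raise ValueError("Invalid MAC address")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(value: str) -> bool:
    """True when the value is accepted by normalize_mac()."""
    try:
        normalize_mac(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, one per accepted notation plus two rejects.
    for sample in ("01af3b54c89c", "01-AF-3B-54-C8-9C", "01:af-3b:54:c8:9c", "01af3b54c8"):
        print(f"{sample!r:22} -> {normalize_mac(sample) if is_valid_mac(sample) else 'rejected'}")
```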

System monitoring

Support reference 81041

The system monitoring mechanism would wrongly and systematically send the command to verify the synchronization of the cluster, even when HA was not enabled on the firewall. This anomaly, which displayed the error message "200 HA not initialized" every minute in the panel that displays messages at the bottom of each configuration module, has been fixed.