Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the "How to update my SSD Firmware" Stormshield Knowledge Base article (authentication required).
Version 4.5.2 bug fixes
IPsec VPN - Router objects
Support reference 82369
In configurations where IPsec VPN tunnels were set up through a router object, switching from one gateway to another within this router object could prevent some IPsec VPN tunnels from being automatically set up again. This regression, which first appeared in SNS version 4.2, has been fixed.
Quality of Service (QoS)
Issues relating to packet loss in traffic shapers configured with low bandwidth have been fixed.
Whenever traffic went through a default QoS queue, return packets would not take the same queue. This issue, which caused packet loss, has been fixed.
The maximum length allowed for queue names in the CLI/Serverd command CONFIG OBJECT QOS QID REMOVE has been raised from 20 to 32 characters. Using this command therefore no longer causes issues with queue names that exceed 20 characters.
The parallel processing of priority-based queues (PRIQ) no longer blocks other such queues when one of them saturates an interface.
Disabling and then re-enabling QoS with the sfctl command (sfctl -q 0 && sfctl -q 1) no longer prevents QoS queues from being processed.
Quality of Service (QoS) - Monitoring
Support reference 84509
In configurations that have more than 32 interfaces (physical, VLAN, etc.), the command used while monitoring QoS could cause the SNS firewall to freeze. This regression, which first appeared in SNS version 4.3, has been fixed.
The TOTP database is now included in the backed up items.
Whenever an LDAP domain name exceeds 30 characters, the enrollment QR code and TOTP information now appear correctly in the authentication portal.
Static routing and IPsec VPN tunnels
Support reference 84367
In configurations with a static route that passes through the IPsec interface, reloading the filter policy would disconnect traffic passing through the IPsec VPN tunnel. This regression, which first appeared in SNS version 4.3, has been fixed.
SSL traffic towards the SNS firewall
Support reference 84264
As TLS 1.2 is the lowest protocol version that can be used for SSL traffic towards the SNS firewall, the configuration tokens corresponding to SSL v3, TLS v1.0 and TLS v1.1 have been removed from the configuration file of the SSL protocol so that they cannot be used.
Support reference 84524
In configurations that contain an SSL decryption rule and an SSL filter rule set to “Do not decrypt”, the proxy of the SNS firewall could wrongly exclude one of the TLS extensions negotiated between the client and the proxy. This issue, which made it impossible to set up connections corresponding to this TLS extension, has been fixed.
Removal of a network interface alias
Support reference 79663
Checks have been added to prevent interface aliases from being deleted when they are used in the configuration of the SNS firewall.
High availability (HA) - Synchronization
Support reference 83721
Anomalies that may cause excessive memory consumption have been fixed in the mechanism that synchronizes the HA configuration.
USB devices/4G modems - Huawei E3372h-320
Support reference 84253
Fixes have been included to support version 10 of the firmware on Huawei E3372h-320 USB devices/4G modems.
SNMP agent - link aggregation
Support reference 82991
When a physical link was lost in an aggregate, "aggregate link down" SNMP traps could sometimes get lost, and were not re-sent over the other physical links in the aggregate. This issue has been fixed.
Intrusion prevention engine
Support reference 84292
An issue regarding the HTTP protocol analysis, which would cause the SNS firewall to freeze, has been fixed.
Number of protected hosts
Support reference 84537
An issue regarding the maximum number of protected hosts, which would arise when an SNS firewall was updated to version 4.3.7 or higher, has been fixed.