SNS 4.5.2 bug fixes

System

IPsec VPN - Router objects

Support reference 82369

In configurations where IPsec VPN tunnels were set up through a router object, switching from one gateway to another within this router object could prevent some IPsec VPN tunnels from being automatically set up again. This regression, which first appeared in SNS version 4.2, has been fixed.

Quality of Service (QoS)

Issues relating to packet loss in traffic shapers configured with low bandwidth have been fixed.

Whenever traffic went through a default QoS queue, return packets would not take the same queue. This issue, which caused packet loss, has been fixed.

The maximum length allowed for queue names in the CLI/Serverd command CONFIG OBJECT QOS QID REMOVE has been raised from 20 to 32 characters. Using this command therefore no longer causes issues when removing queues whose names exceed 20 characters.

The parallel processing of priority-based queues (PRIQ) no longer blocks other such queues when one of them saturates an interface.

Disabling then enabling QoS again with the command sfctl (sfctl -q 0 && sfctl -q 1) no longer prevents QoS queues from being processed.

Quality of Service (QoS) - Monitoring

Support reference 84509

In configurations that have more than 32 interfaces (physical, VLAN, etc.), the command used while monitoring QoS could cause the SNS firewall to freeze. This regression, which first appeared in SNS version 4.3, has been fixed.

Configuration backups

The TOTP database is now included in the backed up items.

TOTP authentication

Whenever an LDAP domain name exceeds 30 characters, the enrollment QR code and TOTP information now appear correctly in the authentication portal.

Static routing and IPsec VPN tunnels

Support reference 84367

In configurations with a static route that passes through the IPsec interface, reloading the filter policy would disconnect traffic passing through the IPsec VPN tunnel. This regression, which first appeared in SNS version 4.3, has been fixed.

SSL traffic towards the SNS firewall

Support reference 84264

As TLS 1.2 is the lowest protocol version that can be used for SSL traffic towards the SNS firewall, the configuration tokens corresponding to SSL v3, TLS v1.0 and TLS v1.1 have been removed from the configuration file of the SSL protocol so that they can no longer be set.

SSL proxy

Support reference 84524

In configurations that contain an SSL decryption rule and an SSL filter rule set to “Do not decrypt”, the proxy of the SNS firewall could wrongly exclude one of the TLS extensions negotiated between the client and the proxy. This issue, which made it impossible to set up connections corresponding to this TLS extension, has been fixed.

Removal of a network interface alias

Support reference 79663

Checks have been added to prevent interface aliases from being deleted when they are used in the configuration of the SNS firewall.

High availability (HA) - Synchronization

Support reference 83721

Anomalies that may cause excessive memory consumption have been fixed in the mechanism that synchronizes the HA configuration.

USB devices/4G modems - Huawei E3372h-320

Support reference 84253

Fixes have been included to support version 10 of the firmware on Huawei E3372h-320 USB devices/4G modems.

SNMP agent - link aggregation

Support reference 82991

When a physical link was lost in an aggregate, "aggregate link down" SNMP traps could sometimes get lost, and were not re-sent over the other physical links in the aggregate. This issue has been fixed.

Intrusion prevention engine

HTTP protocol

Support reference 84292

An issue regarding the HTTP protocol analysis, which would cause the SNS firewall to freeze, has been fixed.

Number of protected hosts

Support reference 84537

An issue regarding the maximum number of protected hosts, which would arise when an SNS firewall was updated to version 4.3.7 or higher, has been fixed.