SNS 4.5.3 bug fixes

System

High availability - IPsec VPN

Support references 84273 - 84460

An issue regarding the synchronization of Security Associations (SAs) during a switchover in a cluster, which could cause IPsec VPN tunnels to malfunction, has been fixed.

High availability (HA) - Synchronization

Support reference 84340

The HA synchronization mechanism no longer raises errors when it cannot find the file used by the configuration backtracking mechanism for configurations deployed via SMC.

Authentication - TOTP

Unselecting the checkbox for authentication via TOTP on the captive portal (Users > Authentication menu) would wrongly disable the TOTP enrollment page on the captive portal, even though this page is necessary for other modules that potentially use TOTP (e.g., SSL VPN, web administration interface, SSH/Console or IPsec/Xauth). This anomaly has been fixed.

IPsec VPN

Support reference 84568

A parameter was missing from the keepalive option when the command to reload an IPsec policy was called. This anomaly caused system event 52 "The event returned an unhandled error code: IPSEC_KEEPALIVE_30->4" but did not prevent IPsec VPN tunnels from being set up. This regression, which first appeared in SNS version 4.3.8, has been fixed.

Support reference 84569

When a keepalive packet is successfully sent, it no longer wrongly raises system event 52 "The event returned an unhandled error code: IPSEC_KEEPALIVE_30->4". This regression appeared in SNS version 4.3.8.

Support references 82578 - 84680

Concurrent access issues, which made IPsec tunnels unstable, have been fixed. These issues prevented tunnels from being monitored effectively and generated entries such as "job load of XXX exceeds limit of YY" in IPsec VPN logs.

IPsec VPN through a dialup default gateway

Support reference 84631

When the default gateway is a PPPoE modem (dialup connection), IPsec tunnels set up through this default gateway now recover correctly after the dialup connection drops temporarily and comes back up.

Dynamic NAT and DHCP for outgoing interfaces

Support reference 83297

When filter rules were reloaded in the intrusion prevention engine, a dynamic NAT rule among them that relied on DHCP to define the addresses of outgoing interfaces would cause the firewall to freeze. This issue has been fixed.

Custom web services

Support reference 84496

Under certain conditions, custom web services that contained a wildcard (*) in their FQDN could fail to be correctly applied in block filter rules. This anomaly has been fixed.

In large databases of custom web services, imports of custom web services would be disrupted, and a warning message would appear, when the partition designated to receive the custom web service database reached 95% of its capacity.

Log management mechanism

Support references 84605 - 84577

Issues regarding memory leaks in the log management mechanism, which could cause it to shut down unexpectedly, have been fixed.

Static routing - IPsec VPN

Support reference 84507

When filter rules are reloaded after a static route used by an IPsec tunnel is changed, the firewall's static route engine no longer runs the risk of shutting down unexpectedly.

Bird dynamic routing

Support reference 84337

Networks declared in Bird dynamic routing are once again classified correctly as protected networks in the intrusion prevention engine, and no longer wrongly raise an alarm regarding an IP spoofing attempt. This regression appeared in SNS version 4.3.

SSL VPN

Support reference 84610

The inactive=<seconds> option on the SSL VPN can now be correctly applied with the CLI/Serverd command CONFIG OPENVPN UPDATE.

Intrusion prevention engine

Reloading the network configuration

Support references 84522 - 84198

The mechanism that reloads the network configuration (in particular when no changes have been made to the configuration) has been optimized to shorten reloading time and to reduce both the associated CPU consumption and the duration of the firewall's downtime during such operations.

IEC61850 MMS protocol - IDS mode

The IDS inspection mode applied to a filter rule that affects IEC61850 MMS traffic no longer wrongly behaves like the IPS inspection level, and no longer blocks triggering packets instead of raising only the relevant alarms.

HTTP protocol

Support reference 82824

Following a PUT or POST request sent by the client, and when the HTTP server sends back a response other than the message "100 Continue", the HTTP protocol analysis engine no longer raises the block alarm "Additional data at end of reply" (http:150) by mistake.

TLS protocol - Verification of server certificates

Support reference 84244

The mechanism that verifies server certificates has been optimized. When several requests to verify the same server certificate are received at almost the same time, only one internal request is now sent, which avoids saturating the mechanism's queue and potentially freezing it for several tens of seconds.
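The fix above describes a classic "single-flight" pattern: concurrent requests for the same expensive verification are coalesced into one backend call, and every caller receives that one result. The following is an added illustration of that pattern, not Stormshield's code, and it makes no claim about how SNS implements its verifier. The "certificates" are constructed byte strings keyed by SHA-256 fingerprint, and the slow backend is a stand-in for chain building and CRL/OCSP lookups, so the example runs offline.

```python
import hashlib
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for DER-encoded server certificates (not real certificates).
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"


def fingerprint(cert_der: bytes) -> str:
    """Key used to recognise 'the same certificate' across concurrent requests."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed verdicts the slow backend returns, keyed by certificate fingerprint.
_BACKEND_VERDICTS = {
    fingerprint(CERT_A): "valid",
    fingerprint(CERT_B): "revoked",
}


def slow_backend(cert_der: bytes, delay: float = 0.2) -> str:
    """Stand-in for the expensive verification step (chain building, CRL/OCSP lookups)."""
    time.sleep(delay)
    return _BACKEND_VERDICTS.get(fingerprint(cert_der), "unknown")


class _Pending:
    """Shared state for one in-flight verification."""

    def __init__(self):
        self.done = threading.Event()
        self.result = None
        self.error = None


class CoalescingVerifier:
    """Single-flight wrapper: one backend call per certificate currently in flight.

    Callers asking for a certificate that is already being verified wait for that
    result instead of queueing a duplicate backend request. Only in-flight work is
    shared; this is not a result cache, so revocation is re-checked on each new burst.
    """

    def __init__(self, backend):
        self._backend = backend
        self._lock = threading.Lock()
        self._in_flight = {}        # fingerprint -> _Pending
        self.backend_calls = 0      # how many times the backend really ran
        self.coalesced_calls = 0    # how many callers were served by another's call

    def verify(self, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        with self._lock:
            pending = self._in_flight.get(fp)
            leader = pending is None
            if leader:
                pending = _Pending()
                self._in_flight[fp] = pending
                self.backend_calls += 1
            else:
                self.coalesced_calls += 1
        if leader:
            try:
                pending.result = self._backend(cert_der)
            except Exception as exc:      # failures propagate to every waiter
                pending.error = exc
            finally:
                with self._lock:
                    self._in_flight.pop(fp, None)
                pending.done.set()
        else:
            pending.done.wait()
        if pending.error is not None:
            raise pending.error
        return pending.result


def burst(verifier: CoalescingVerifier, cert_der: bytes, n_clients: int):
    """Fire n_clients near-simultaneous verification requests for the same certificate."""
    with ThreadPoolExecutor(max_workers=n_clients) as pool:
        return list(pool.map(verifier.verify, [cert_der] * n_clients))


if __name__ == "__main__":
    v = CoalescingVerifier(slow_backend)
    print(burst(v, CERT_A, 8), "backend calls:", v.backend_calls,
          "coalesced:", v.coalesced_calls)
```

Two design points matter for a verifier like this: the in-flight entry is removed before waiters are released, so a request arriving after completion triggers a fresh check rather than reusing a stale verdict; and a backend failure is delivered to every coalesced caller, so a transient CRL fetch error fails the whole burst closed instead of letting waiters hang.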

Web administration interface

HTML tags in log messages

Support reference 84494

When the web administration interface detects HTML tags in error messages associated with certain log entries, it no longer wrongly displays the error message "XSS protection: HTML tag found in following commands".

Filtering with QoS - HTML tags in warning messages

The warning message that appears after enabling or disabling a filter rule that refers to a deleted QoS queue contained HTML tags by mistake. This anomaly has been fixed.

Certificates and PKI

Support reference 84470

Attempts to generate the CRL of a sub-certification authority no longer wrongly require the root certification authority's private key and no longer cause a system error.

Certificates and PKI - CRL distribution points (CRLDP)

Support reference 84618

When CRLDPs were added (Objects > Certificates and PKI > Certificate profiles tab of the selected CA), the option Enable regular retrieval of certificate revocation lists (CRL) was no longer offered. This anomaly, which could prevent certificate-based IPsec tunnels from being set up, has been fixed.