Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Version 4.5.3 bug fixes
High availability - IPsec VPN
Support references 84273 - 84460
An issue in the synchronization of Security Associations (SAs) during a cluster switchover, which could cause IPsec VPN tunnels to malfunction, has been fixed.
High availability (HA) - Synchronization
Support reference 84340
The HA synchronization mechanism no longer raises errors when it cannot find the file used by the backtracking mechanism for configurations deployed via SMC.
Authentication - TOTP
Unselecting the checkbox for TOTP authentication on the captive portal (Users > Authentication menu) wrongly disabled the TOTP enrollment page on the captive portal, even though this page is needed by other modules that may use TOTP (e.g., SSL VPN, web administration interface, SSH/Console or IPsec/Xauth). This anomaly has been fixed.
IPsec VPN
Support reference 84568
A parameter was missing from the keepalive option when the command that reloads an IPsec policy was called. This anomaly raised system event 52 "The event returned an unhandled error code: IPSEC_KEEPALIVE_30->4" but did not prevent IPsec VPN tunnels from being set up.
This regression, which first appeared in SNS version 4.3.8, has been fixed.
Support reference 84569
When a keepalive packet is sent successfully, system event 52 "The event returned an unhandled error code: IPSEC_KEEPALIVE_30->4" is no longer wrongly raised. This regression appeared in SNS version 4.3.8.
Support references 82578 - 84680
Issues with concurrent access (race conditions), which caused instability in IPsec tunnels, have been fixed. These issues prevented effective tunnel monitoring and generated entries such as "job load of XXX exceeds limit of YY" in IPsec VPN logs.
IPsec VPN through a dialup default gateway
Support reference 84631
When the default gateway is a PPPoE modem (dialup connection), IPsec tunnels that go through this default gateway now recover correctly after the dialup connection drops temporarily and comes back up.
Dynamic NAT and DHCP for outgoing interfaces
Support reference 83297
When filter rules were reloaded in the intrusion prevention engine, a dynamic NAT rule among them whose outgoing interface addresses were assigned by DHCP would cause the firewall to freeze. This issue has been fixed.
Custom web services
Support reference 84496
Under certain conditions, custom web services that contained a wildcard (*) in their FQDN could fail to be correctly applied in block filter rules. This anomaly has been fixed.
In large databases of custom web services, imports of custom web services would be disrupted, and a warning message would appear, when the partition designated to receive the custom service database reached 95% of its capacity.
Log management mechanism
Support references 84605 - 84577
Issues regarding memory leaks in the log management mechanism, which could cause it to shut down unexpectedly, have been fixed.
Static routing - IPsec VPN
Support reference 84507
The firewall's static route engine no longer runs the risk of shutting down unexpectedly when filter rules are reloaded after a static route used by an IPsec tunnel has been changed.
Bird dynamic routing
Support reference 84337
Networks declared in Bird dynamic routing are once again classified correctly as protected networks in the intrusion prevention engine, and no longer wrongly raise an alarm regarding an IP spoofing attempt. This regression appeared in SNS version 4.3.
SSL VPN
Support reference 84610
The inactive=<seconds> option of the SSL VPN is now correctly applied when set with the CLI/Serverd command CONFIG OPENVPN UPDATE.
Intrusion prevention engine
Reloading the network configuration
Support references 84522 - 84198
The mechanism that reloads the network configuration (especially when no changes are made to the configuration) has been optimized to shorten reloading time, and reduce associated CPU consumption and the duration of the firewall's downtime during such operations.
IEC61850 MMS protocol - IDS mode
The IDS inspection mode applied to a filter rule that affects IEC61850 MMS traffic no longer wrongly behaves like the IPS inspection level: it now only raises the relevant alarms instead of also blocking the packets that trigger them.
HTTP protocol
Support reference 82824
Following a PUT or POST request sent by the client, when the HTTP server sends back a response other than "100 Continue", the HTTP protocol analysis engine no longer wrongly raises the block alarm "Additional data at end of reply" (http:150).
TLS protocol - Verification of server certificates
Support reference 84244
The mechanism that verifies server certificates has been optimized: when several verification requests for the same server certificate arrive at almost the same time, only one internal request is sent, to avoid saturating the mechanism's queue and potentially freezing it for several tens of seconds.
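The request coalescing described above, as an added illustration that is not Stormshield's code and does not reflect SNS internals: a burst of near-simultaneous verification requests for one server certificate (keyed here by the SHA-256 fingerprint of its DER encoding, an assumption) shares a single in-flight verification, so it consumes one queue slot and one backend call instead of filling a bounded queue. The queue limit, the backend delay and the fake "validity" rule are constructed for the example.

```python
"""Added example (not Stormshield code): coalescing concurrent certificate
verification requests so a bounded verifier queue is not saturated."""
import hashlib
import queue
import threading
import time

QUEUE_LIMIT = 4      # assumed bounded queue size, kept small so saturation is visible
BACKEND_DELAY = 0.2  # assumed duration (seconds) of one real verification


class QueueSaturated(Exception):
    """Raised when the bounded verification queue is full."""


def slow_backend(cert_der: bytes) -> bool:
    """Stand-in for the real chain/CRL check. Slow on purpose; the 'validity'
    rule is constructed for the example and is not real X.509 validation."""
    time.sleep(BACKEND_DELAY)
    return cert_der.startswith(b"valid")


class NaiveVerifier:
    """Before: every incoming request takes its own queue slot and its own
    backend verification, so a burst for one certificate can fill the queue."""

    def __init__(self, backend=slow_backend):
        self.backend = backend
        self.q = queue.Queue(maxsize=QUEUE_LIMIT)
        self.backend_calls = 0
        self._lock = threading.Lock()

    def verify(self, cert_der: bytes) -> bool:
        try:
            self.q.put_nowait(cert_der)          # take a queue slot, or fail
        except queue.Full:
            raise QueueSaturated("verification queue full") from None
        try:
            with self._lock:
                self.backend_calls += 1
            return self.backend(cert_der)
        finally:
            self.q.get_nowait()                  # release the slot


class CoalescingVerifier(NaiveVerifier):
    """After: requests for the same certificate share one in-flight
    verification; followers wait for the leader's result instead of queuing
    a duplicate internal request."""

    def __init__(self, backend=slow_backend):
        super().__init__(backend)
        self._inflight = {}   # fingerprint -> (done Event, result holder dict)

    def verify(self, cert_der: bytes) -> bool:
        key = hashlib.sha256(cert_der).hexdigest()   # assumed coalescing key
        with self._lock:
            entry = self._inflight.get(key)
            leader = entry is None
            if leader:
                entry = (threading.Event(), {})
                self._inflight[key] = entry
        done, holder = entry
        if not leader:
            done.wait()                          # reuse the leader's outcome
            if "error" in holder:
                raise holder["error"]
            return holder["result"]
        try:
            holder["result"] = super().verify(cert_der)   # the single internal request
            return holder["result"]
        except Exception as exc:
            holder["error"] = exc
            raise
        finally:
            with self._lock:
                del self._inflight[key]
            done.set()


def burst(verifier, cert_der: bytes, n: int) -> dict:
    """Fire n verify() calls released together by a barrier and count outcomes."""
    start = threading.Barrier(n)
    results = {"ok": 0, "saturated": 0}
    lock = threading.Lock()

    def worker():
        start.wait()
        try:
            verifier.verify(cert_der)
            with lock:
                results["ok"] += 1
        except QueueSaturated:
            with lock:
                results["saturated"] += 1

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    results["backend_calls"] = verifier.backend_calls
    return results


if __name__ == "__main__":
    cert = b"valid-server-cert-der"   # constructed sample input, not a real certificate
    print("naive:    ", burst(NaiveVerifier(), cert, 8))
    print("coalesced:", burst(CoalescingVerifier(), cert, 8))
```

With eight simultaneous requests, the naive verifier rejects every request that arrives once four slots are taken, while the coalescing verifier answers all eight from one backend verification. Errors are shared with the waiting followers too, so a failed verification is not retried eight times either.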
Web administration interface
HTML tags in log messages
Support reference 84494
When the web administration interface detects HTML tags in error messages associated with certain log entries, it no longer wrongly displays the error message "XSS protection: HTML tag found in following commands".
Filtering with QoS - HTML tags in warning messages
The warning message that appears after enabling or disabling a filter rule that refers to a deleted QoS queue contained HTML tags by mistake. This anomaly has been fixed.
Certificates and PKI
Support reference 84470
Generating the CRL of a sub-certification authority no longer wrongly requires the root certification authority's private key and no longer causes a system error.
Certificates and PKI - CRL distribution points (CRLDP)
Support reference 84618
When CRLDPs were added (Objects > Certificates and PKI > Certificate profiles tab of the selected CA), the option Enable regular retrieval of certificate revocation lists (CRL) was no longer offered. This anomaly, which could prevent certificate-based IPsec tunnels from being set up, has been fixed.