SNS 4.6.0 bug fixes

System

Network interfaces - routing

Support reference 84706

When the network configuration is reloaded, the routes attached to the interfaces configured in DHCP no longer disappear for several seconds. This regression appeared in SNS version 4.3.

IPsec VPN

In configurations where IPsec tunnels go through a PPPoE (dialup) modem, the IPsec tunnel manager would no longer restart after the dialup was reloaded or after the firewall restarted. This regression, which first appeared in SNS version 4.3, has been fixed.

SN160(W) - SN210(W) - SN310 firewalls

Support reference 84725

Some client MAC addresses with the prefix 6c:a1:00 no longer produce corrupted ARP replies from SN160(W), SN210(W) and SN310 model firewalls. This regression appeared in SNS version 4.5.

Authentication

Support reference 84358

When users enter the wrong password for connections via the SSL VPN client or on the captive portal, the firewall no longer wrongly generates the error "LDAP unreachable Bind error" in the alarm log file.

Authentication - TOTP

Support reference 84660

When the default listening port of the web administration interface (TCP/443) is changed, the new port is now correctly reflected in the link to the TOTP enrollment page that appears in the window used to connect to the firewall.

RADIUS authentication - Configuration with a backup RADIUS server

Support reference 84555

Under certain circumstances, a double RADIUS authentication request would be sent simultaneously to the main RADIUS server and backup RADIUS server. This anomaly, which would cause the immediate rejection of the authentication attempt, has been fixed.

High availability - Configurations containing several hundred VLANs

Support reference 84522

In some high availability configurations containing several hundred VLANs, requests to show the high availability status no longer cause excessive CPU consumption.

DMA remapping (DMAR) on SN1100 firewalls

The DMAR mechanism was optimized to improve performance and allow core dump files to be obtained for the purpose of analysis when issues arise on the firewall.

IPFIX collector - Firewall interface numbers

Support reference 78226

The firewall interface numbers that the IPFIX collector retrieves now match the numbers retrieved in SNMP tables.

Intrusion prevention engine

TLS 1.3 protocol

Support reference 84674

To avoid mistakenly blocking certain streams of TLS 1.3 traffic, the mechanism that analyzes TLS 1.3 certificates on SSL servers is now automatically disabled when a firewall is migrated from a version lower than SNS 4.3 to a version higher than or equal to SNS 4.6.0. It is also disabled by default in the incoming SSL analysis profile SSL_00 for firewalls in factory configuration in version 4.6.0 or higher.

Once its effects have been assessed, the mechanism that analyzes TLS 1.3 certificates on SSL servers can be enabled again in Configuration > Application protection > Protocols > SSL.