SNS 4.6.1 bug fixes

System

TLS connection to a syslog server

Support reference 84831

An idle timeout now applies to the SSL negotiation phase when the firewall connects to a syslog server over TLS. As a result, the firewall's log management mechanism no longer freezes unexpectedly when the syslog server stops responding during that phase.
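As an added illustration of the failure mode this fix addresses (example code written for this page, not Stormshield's implementation), the following minimal syslog-over-TLS sender in Python bounds the connect and the TLS handshake with a socket timeout. It is exercised against a constructed stand-in server that accepts the TCP connection but never answers the ClientHello: without the timeout, the sender would block on the handshake forever, which is the freeze described above. The server certificate is still verified with the default context; the address, port, message and helper names are assumptions made for the example.

```python
import socket
import ssl
import threading


def unresponsive_tls_server():
    """Constructed stand-in for a stalled syslog server (assumption for the
    example): it completes the TCP accept but never reads or writes, so the
    client's TLS handshake receives no ServerHello. Returns the listening
    socket (port via getsockname()) and the list that holds accepted peers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    held = []

    def run():
        try:
            conn, _ = srv.accept()
            held.append(conn)  # keep the connection open, never answer
        except OSError:
            pass  # listener closed by the caller

    threading.Thread(target=run, daemon=True).start()
    return srv, held


def send_syslog_tls(host, port, message, handshake_timeout=5.0):
    """Send one syslog message over TLS. Returns "sent" or "timeout".

    The same timeout bounds the TCP connect and every blocking step of the
    TLS handshake (an idle timeout per operation, not a total deadline), so a
    peer that stalls mid-negotiation cannot block the logging pipeline.
    """
    # Default context: verifies the server certificate and hostname against
    # the system trust store. A stalled peer times out before that point.
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=handshake_timeout)
    raw.settimeout(handshake_timeout)
    try:
        # wrap_socket performs the handshake here and honours the timeout.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(message)
        return "sent"
    except (socket.timeout, TimeoutError):
        return "timeout"
    finally:
        raw.close()  # harmless if wrap_socket already took over the fd


def demo(handshake_timeout=0.5):
    """Run the sender against the stalled server; expected result: "timeout"."""
    srv, _held = unresponsive_tls_server()
    port = srv.getsockname()[1]
    # Constructed RFC 5424-style message; never delivered in this scenario.
    msg = b"<14>1 2024-01-01T00:00:00Z fw1 example - - - handshake test\n"
    try:
        return send_syslog_tls("127.0.0.1", port, msg, handshake_timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    print("result:", demo())
```

Setting the timeout on the socket before `wrap_socket` is the important detail: a timeout applied only to `create_connection` covers the TCP connect and nothing after it, so a peer that accepts the connection and then goes silent would still hang the handshake.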

ARP requests to GRE interfaces

Support reference 84625

The firewall no longer sends ARP requests unnecessarily to interfaces that support GRE tunnels. This regression appeared in SNS version 4.4.

GRE tunnels

Support reference 75479

During advanced troubleshooting, packets captured via tcpdump over GRE interfaces were malformed. This issue has been fixed.

GRE interfaces

Support reference 84625

In configurations with GRE interfaces, memory leaks triggered by non-IP packets would sometimes cause network traffic to freeze unexpectedly, which then required the firewall to be restarted. This issue has been fixed.

IPsec VPN

Support reference 84611

A configuration token RemoteFetch has been added to the CLI/Serverd command CONFIG IPSEC UPDATE. Setting this token to "0" simultaneously:

  • Disables the retrieval of remote CRLs by the IPsec tunnel manager when a tunnel is being set up, and
  • Disables the OCSP mechanism in the IPsec tunnel manager.

This prevents an unnecessary wait of several seconds during IPsec tunnel setup when no CRL distribution points (CRLDPs) exist or none have been configured.

For more information, refer to the documentation of the CLI/Serverd command CONFIG IPSEC UPDATE.

Authentication - TOTP

Support reference 84779

To change their passwords via the captive portal, enrolled users must now enter a TOTP.

Support reference 84808

User names are no longer case-sensitive in TOTP authentication.

SN SSL VPN Client and TOTP

Support reference 84689

During the initial connection with SN SSL VPN Client when TOTP authentication was enabled, the TOTP field had to be left blank so that the configuration file could be retrieved automatically; the TOTP had to be entered only for subsequent connections. This issue has been fixed.

Advanced antivirus

The new Advanced antivirus license can now be effectively enabled on firewalls that have always used ClamAV; the system message "Not available with this license" no longer appears by mistake.

DHCP - Default route

Support reference 84545

When the firewall obtains an IP address for one of its interfaces from a DHCP server that uses the option routers x.x.x.x, the firewall no longer loses its default route if the corresponding DHCP lease expires without being renewed (because the DHCP server is unreachable, for example).