SNS 4.6.4 bug fixes

System

SNMP Agent

Support references 84911 - 84990

A memory leak issue has been fixed in the SNMP agent. This regression appeared in SNS versions 4.5.4 and 4.3.12.

Monitoring

Support references 84989 - 85015 - 85043

Memory leaks have been fixed in the disk monitoring mechanism.

High availability (HA)

Support reference 71538

An anomaly in the mechanism that retrieves HA information may prevent such information from being displayed in the firewall's web administration interface (Monitoring > System/High availability module). The mechanism has been optimized to reduce the frequency of this anomaly.

High availability (HA) - VLAN

Support reference 84710

A configuration in which the only active HA link passes through a VLAN interface would sometimes make the cluster unavailable. This regression, which first appeared in SNS versions 4.3.3 and 4.4.0, has been fixed.

IPsec VPN

Support reference 84677

When an IPsec tunnel is created, selecting the All object for remote networks no longer wrongly includes IPv6 addresses when the IPv6 option has not been enabled on the firewall.

IPsec VPN through a dialup default gateway

Support reference 82369

When the default gateway is based on a PPPoE modem (dialup connection), IPsec tunnels set up through this default gateway now recover correctly after the dialup connection goes down temporarily and recovers.

IPsec VPN IKEv2

Support reference 84920

User certificates with neither the Extended Key Usage ClientAuth nor the Extended Key Usage ServerAuth extension were not evaluated by user access privilege rules (Configuration > Users > Access privileges module): the IPsec tunnel defined for this peer would be set up, but the filter policy would block the peer and consider it invalid.
This issue was fixed by adding a UACForceCert configuration token: by assigning a value of 1 to it, the token forces the user access rules to evaluate such certificates.
This token can be configured with the CLI/Serverd command CONFIG.IPSEC.UPDATE UACForceCert=<0|1>

More information on the CONFIG.IPSEC.UPDATE command.

Monitoring

Memory leak issues have been fixed in the monitoring management engine.

SSL VPN

Support reference 84564

Whenever a listening port lower than 1024 was selected for the SSL VPN server, in particular port UDP/443, the SSL VPN server would no longer restart and no specific message in the web administration interface would indicate that this port could not be used.
Port UDP/443 can now be selected again for the SSL VPN server.

This regression appeared in SNS version 4.3.0.

DNS resolution of dynamic objects

Support reference 84889

In a configuration with several DNS servers defined, an issue has been fixed in the DNS resolution mechanism for host objects with automatic/dynamic resolution and for FQDN objects. The issue occurred when one of the DNS servers remained operational while the others were unreachable.

Hardware

SN1100, SN2100, SN3100, SNi20, SNi40 and SNxr1200 - CPU microcode

The microcode on Intel processors that equip SN1100, SN2100, SN3100, SNi20, SNi40 and SNxr1200 model firewalls has been updated.

Intrusion prevention engine

ICMPv6 protocol

An anomaly that wrongly raised the "Invalid ICMP message" alarm (icmp:67), when this alarm was associated with the Pass action, has been fixed in the ICMPv6 protocol analysis engine.

Web administration interface

Conversion to lowercase

Support reference 84964

An anomaly in the function that converts some configuration fields to lowercase would occasionally cause the web administration interface to freeze in the module in question. This anomaly has been fixed.

Logs

Support reference 84895

Administrators with IDs that contain an "@" character can now create an object or add one to a group from the Logs view.

SNMP Agent

Support reference 84952

The values of the Location (sysLocation) and Contact (sysContact) fields in the Configuration of MIB-II information were not in quotes whenever they contained a space. This anomaly has been fixed.