SNS 4.6.7 bug fixes

System

Network interfaces

Support reference 85117

The two alternative mechanisms for renegotiating IKE security associations (reauthentication and rekeying) are no longer wrongly launched one after the other. This regression, which would sometimes cause packet loss in configurations in Diffusion Restreinte (DR) mode, appeared in SNS version 4.2.0.

SSL VPN

Support reference 84841

Editing the SSL VPN configuration on a firewall with an SSL VPN tunnel that has already been set up would sometimes prevent the tunnel manager from restarting. This issue, which occasionally prevented SSL VPN tunnels from setting up after the configuration was edited, has been fixed.

Certificates and PKI

Support references 76892 - 85114

When a certificate signing request (CSR) is created using the CLI/Serverd command PKI REQUEST CREATE and Subject Alternative Names (SAN) or User Principal Names (UPN) are specified (IP addresses, FQDNs, etc.), they are now correctly applied and appear in both the CSR and the signed certificate.

Certificates and PKI - IPsec - Diffusion Restreinte (DR) mode

Support reference 84942

In a configuration with a trust chain such as: Certification authority (certificate signed in RSA) -> Sub certification authority (certificate signed in ECDSA or ECSDSA on an ECP 256 or BP 256 curve) used as a trust anchor -> Certificate (signed in ECDSA or ECSDSA on an ECP 256 or BP 256 curve), IPsec tunnels in DR mode would wrongly fail to set up. This issue has been fixed to comply with the reference RFCs for Diffusion Restreinte (DR) mode.

System - SNi20

Support references 84870 - 85037

The watchdog, which monitors the firewall's hardware activity, would wrongly trigger before the system's software monitoring mechanism when the watchdog was set to its default value of 120 seconds. This issue has been fixed.

IPsec tunnel monitoring

Support reference 84776

Refreshing the IPsec tunnel monitoring screen no longer causes the system error "Command processing failed".

Monitoring memory on SN310 firewalls

Support references 85022 - 85155

An anomaly in the management of memory monitoring data could wrongly raise a memory usage alert and change the status of the corresponding health indicator in the Dashboard on SN310 firewalls. This anomaly has been fixed.

Filter - NAT

Support reference 84495

The mechanism that reloads filter and NAT rules has been optimized to prevent unnecessary access to the configuration, which could corrupt the list of filter and NAT policies.

Support reference 84734

When the filter policy contains two block rules (to and from a MAC address) placed before the rule that allows the SSL VPN tunnel, traffic passing through the SSL VPN tunnel is no longer wrongly blocked.

Logs - Syslog - IPFIX

Support references 84493 - 84876

In configurations that send logs via UDP/syslog or IPFIX without specifying the firewall IP address to be used for such operations, and when a high volume of logs is sent, a concurrent-access issue would occasionally cause the firewall to lose network connectivity, which then required the firewall to be restarted. This issue has been fixed.

Updating the firewall via the web administration interface

Support reference 84962

An issue occurring when the firewall is updated via the web administration interface could cause the interface to suddenly freeze and prevent the firewall from being updated. This issue has been fixed.

BIRD dynamic routing

Support reference 85221

In configurations that use the BGP protocol with TCP-MD5 authentication, the "setkey no" directive, which no longer functions, is automatically replaced with its equivalent "setkey yes" in the bird/bird6 configuration file when the firewall is updated to SNS version 4.6.7 or later.
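The following is an added example, not Stormshield's own migration code: it shows the rewrite described above applied to a constructed BIRD configuration (protocol names, ASNs and passwords are invented), and provides a post-upgrade check that no active "setkey no" directive remains.

```python
from __future__ import annotations
import re

# Constructed sample of a bird configuration (illustrative values only).
SAMPLE_BIRD_CONF = """\
router id 192.0.2.10;

protocol bgp peer_a {
    local as 65001;
    neighbor 192.0.2.1 as 65002;
    password "tcp-md5-secret";
    setkey no;          # legacy directive, no longer functional
    import all;
    export all;
}

protocol bgp peer_b {
    local as 65001;
    neighbor 192.0.2.2 as 65003;
    password "another-secret";
    setkey yes;
}

# setkey no    <- commented out, must be left alone
"""

# Matches an active "setkey no;" directive, keeping indentation and any
# trailing comment. Comment lines start with '#', so they never match.
SETKEY_NO = re.compile(r"^(\s*)setkey\s+no\s*;(.*)$")


def migrate_setkey(conf: str):
    """Rewrite every active 'setkey no;' to 'setkey yes;'.

    Returns (rewritten_text, list_of_1_based_line_numbers_changed).
    The rewrite is idempotent: running it twice changes nothing more.
    """
    lines = conf.split("\n")
    changed = []
    for idx, line in enumerate(lines):
        m = SETKEY_NO.match(line)
        if m:
            lines[idx] = f"{m.group(1)}setkey yes;{m.group(2)}"
            changed.append(idx + 1)
    return "\n".join(lines), changed


def remaining_setkey_no(conf: str) -> int:
    """Post-upgrade check: number of active 'setkey no' directives left."""
    return sum(1 for line in conf.split("\n") if SETKEY_NO.match(line))
```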

Intrusion prevention engine

High availability - SCTP protocol

Support reference 85118

SCTP associations are now correctly synchronized when the corresponding SCTP traffic follows a filter rule that has an IP address as its destination.

Purging intrusion prevention engine tables

The engine has been optimized to reduce the time required to purge certain intrusion prevention engine tables and prevent the risk of packets being rejected during this operation. This issue appeared in SNS version 4.5.0.

Filter - NAT

Support references 84667 - 84955 - 84957 - 85004 - 85061 - 85072 - 85131 - 85132 - 85133 - 85142 - 85157 - 85173

When the filter policy is reloaded after a rule that contains address translation is edited, the firewall will no longer unexpectedly freeze.

Filtering and NAT - Web services

Support reference 84722

The block action now works in a filter rule that uses a web service whose name is exactly 20 characters long.

Web administration interface

URL filtering / SSL filtering / SMTP filtering

Support reference 85164

In URL filtering, SSL filtering or SMTP filtering modules, deleting the first filter rule no longer desynchronizes the IDs of the other rules in the policy.

VLAN interfaces

Support reference 85226

Attempting to delete a VLAN while BIRD dynamic routing is enabled once again displays the window indicating that this operation is not allowed and that dynamic routing must be disabled first. This regression appeared in SNS version 4.0.1.