SNS 4.7.1 EA bug fixes

System

IPsec VPN

Support references 84983 - 85133 - 85253

The mechanism that reloads rules in the IPsec VPN policy has been enhanced to reduce the risk of the firewall's routing engine shutting down unexpectedly when parts of the configuration have not changed.

sysinfo command

Support reference 84415

The system diagnostic command sysinfo no longer wrongly calls binaries that were deleted from the system as part of the hardening of the operating system.

Multi-user SSH authentication

Support references 84532 - 84847

When the SSH key of the admin account was saved on the firewall, no other administrators could connect to the firewall via SSH. This regression, which first appeared in SNS version 4.3.3, has been fixed.

Authentication - brute force attacks

Support reference 81350

When the brute force attack protection mechanism is activated, the alarm generated no longer contains a destination address that is always 0.0.0.0. This regression, which appeared in SNS version 4.1.1, has been fixed.

RADIUS authentication

Support reference 84162

When administrators logged in via a RADIUS method, no other entries were generated in the authentication log file. This anomaly has been fixed.

Support references 84484 - 84497

The maximum response time for RADIUS requests can now be raised to 600 seconds. This value can be modified with the CLI/Serverd command CONFIG.AUTH.RADIUS.

More information about the CLI/Serverd command CONFIG.AUTH.RADIUS.

TOTP authentication and SSH access to the firewall

Support reference 84947

TOTP authentication was not applied to console connections via SSH to the firewall when the TOTP authentication rule specified an authentication source other than the object any. This anomaly has been fixed.

Custom web services

The icon indicating that a custom web service is used in the firewall's configuration no longer wrongly appears in green when the service belongs to a group but is not actually used.

Static routing

Support references 85213 - 85027 - 85218

An anomaly in the mechanism that reloads IPsec policies, which could cause failures while loading static routes, has been fixed.

Dynamic multicast routing

The dynamic Rendez-vous Point (RP) election mechanism has been optimized for architectures in which several firewalls are candidates for RP election with multicast address ranges that overlap.

High availability (HA) - SNMPv3

Support reference 81702

The SNMPv3 parameters EngineBoots and EngineTime are now synchronized automatically as soon as a cluster is created and each time roles are switched in the cluster. This synchronization prevents errors on some SNMP monitoring tools after a switchover.
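The reason a monitoring tool errors out after an unsynchronized switchover is the SNMPv3 timeliness check of RFC 3414 (section 3.2, step 7(b)): the manager caches the snmpEngineBoots/snmpEngineTime it last saw for the cluster's engine ID, and a reply from the newly active node that carries a lower boot count, or a time more than 150 seconds behind, is rejected as notInTimeWindow. The following is an added example, not Stormshield code, that implements that check and runs a constructed before/after scenario for a synchronized and an unsynchronized peer; the counter values are made up for illustration.

```python
"""Added example (not Stormshield code): the SNMPv3 timeliness check of
RFC 3414 section 3.2, step 7(b), as applied by a monitoring tool (the
non-authoritative engine) to replies from a firewall cluster's SNMP
engine, and why unsynchronized snmpEngineBoots/snmpEngineTime on the node
that becomes active after a switchover makes the tool reject its replies."""
from dataclasses import dataclass

TIME_WINDOW = 150            # seconds, RFC 3414 section 2.2.3
MAX_ENGINE_BOOTS = 2**31 - 1


@dataclass
class KnownEngine:
    """Manager-side cache for one snmpEngineID (shared by both cluster members)."""
    boots: int
    time: int   # latest snmpEngineTime learned from an authenticated message


def accept_reply(known: KnownEngine, msg_boots: int, msg_time: int) -> bool:
    """Return True if the reply is inside the time window, updating the cache
    as RFC 3414 allows. A False result is what tools report as notInTimeWindow."""
    # Step 7(b)(1): a newer notion of boots/time from the authoritative engine
    # is adopted before the check.
    if msg_boots > known.boots or (msg_boots == known.boots and msg_time > known.time):
        known.boots, known.time = msg_boots, msg_time
    # Step 7(b)(2): reject if boots is exhausted, stale, or time is too old.
    if known.boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots < known.boots:
        return False
    if msg_boots == known.boots and msg_time < known.time - TIME_WINDOW:
        return False
    return True


def simulate_switchover(synchronized: bool) -> dict:
    """Constructed scenario (values made up): the manager has been polling the
    active node, then the passive node takes over and answers the next poll."""
    cache = KnownEngine(boots=7, time=100_000)          # learned from the old active
    results = {"before": accept_reply(cache, 7, 100_030)}
    if synchronized:
        # Roles switched with EngineBoots/EngineTime synchronized: the new
        # active node continues the same counters, so the reply is accepted.
        results["after"] = accept_reply(cache, 7, 100_090)
    else:
        # Unsynchronized peer: fewer boots recorded and a clock that started
        # later, so boots is lower than the manager's cached value.
        results["after"] = accept_reply(cache, 3, 500)
    return results


if __name__ == "__main__":
    print("synchronized:  ", simulate_switchover(True))
    print("unsynchronized:", simulate_switchover(False))
```

A real manager also advances its cached snmpEngineTime with its local clock between polls; that bookkeeping is omitted here, which is why the example feeds explicit times. The point to keep in mind when monitoring a cluster is that both members must present the same engine ID with continuous boots/time values, which is exactly what the synchronization described above provides.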

Object database - Imports

Support reference 83327

After databases were imported via a CSV file, imported objects would not immediately appear in the firewall's local database even after the screen was refreshed. Users needed to disconnect and re-connect to the web administration interface to make these objects appear. This anomaly has been fixed.

Filter - NAT

The use of the "different from" comparison operator ("!=") in a filter rule would generate the wrong address range for the rule in question. This anomaly has been fixed.

Default route - DHCP - IPv6

Support reference 85124

In a configuration such as the following:

  • The firewall's default gateway is learned via DHCP,
  • IPv6 is enabled on the firewall.

Any changes (name, protection status, etc.) made to an interface with a DHCP address range no longer cause the firewall’s default route to be deleted.

SD-WAN

Support references 84839 - 85165

If no changes have been made, the firewall no longer wrongly generates a "Remote host unreachable" log entry for every static route when its network configuration is reloaded.

Captive authentication portal and SSL VPN

Support reference 84801

The configuration of the captive portal on the listening port that is reserved and used by the SSL VPN (sslvpn port) now raises an error indicating that this port is reserved.

Intrusion prevention engine

OPC UA protocol

A verification of the authentication token of the OPC UA command CreateSessionRequest has been removed. This verification would wrongly block legitimate OPC UA traffic.

DCERPC protocol

UUIDs belonging to the "[MS-WMI]: Windows Management Instrumentation Remote Protocol" class have been added to the list of known UUIDs in the DCERPC protocol analysis engine to stop wrongly raising the block alarm "DCERPC unknown UUID" (alarm nb-cifs:310).

These UUIDs are:

  • '027947E1-D731-11CE-A357-000000000001':'IEnumWbemClassObject',
  • '9556DC99-828C-11CF-A37E-00AA003240C7':'IWbemServices',
  • 'F309AD18-D86A-11D0-A075-00C04FB68820':'IWbemLevel1Login'.
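The check behind this alarm works on the abstract-syntax UUID of each presentation context in a DCE/RPC bind PDU, which is carried on the wire in the mixed little-endian GUID layout rather than as text, so the engine has to decode it before comparing with its table. The following added example, not Stormshield code, builds a minimal bind PDU, parses the interface UUIDs back out, and looks them up in a table seeded with the three MS-WMI entries above; the PDU builder, the second hypothetical UUID and the constant names are this example's own.

```python
"""Added example (not Stormshield code): parsing the abstract-syntax
interface UUIDs out of a DCE/RPC bind PDU and checking them against a
known-UUID table, the class of check behind the "DCERPC unknown UUID"
alarm. The three MS-WMI UUIDs come from the release note; the PDU
builder and the sample PDUs are constructed here for the example."""
import struct
import uuid
from typing import List, Optional, Tuple

# Interface UUID -> interface name. Only the MS-WMI entries named in the
# note are listed; a real analysis engine's table is far larger.
KNOWN_UUIDS = {
    "027947E1-D731-11CE-A357-000000000001": "IEnumWbemClassObject",
    "9556DC99-828C-11CF-A37E-00AA003240C7": "IWbemServices",
    "F309AD18-D86A-11D0-A075-00C04FB68820": "IWbemLevel1Login",
}

RPC_VERSION = 5
PTYPE_BIND = 11
HDR_LEN = 16                                                  # common CO PDU header
NDR_2_0 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def build_bind(iface: str, if_major: int = 0, if_minor: int = 0, call_id: int = 1) -> bytes:
    """Constructed minimal bind PDU (little-endian NDR) with one presentation context."""
    u = uuid.UUID(iface)
    ctx = struct.pack("<HBB", 0, 1, 0)                          # p_cont_id, n_transfer_syn, reserved
    ctx += u.bytes_le + struct.pack("<HH", if_major, if_minor)  # abstract syntax (mixed-endian GUID)
    ctx += NDR_2_0.bytes_le + struct.pack("<I", 2)              # transfer syntax, version 2
    body = struct.pack("<HHI", 4280, 4280, 0)                   # max_xmit, max_recv, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0) + ctx                  # n_context_elem, reserved, reserved2
    frag_len = HDR_LEN + len(body)
    hdr = struct.pack("<BBBB4sHHI", RPC_VERSION, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", frag_len, 0, call_id)  # drep 0x10 = little-endian
    return hdr + body


def bind_interfaces(pdu: bytes) -> List[uuid.UUID]:
    """Return the abstract-syntax UUID of every presentation context in a bind PDU.
    Raises ValueError on malformed input instead of guessing."""
    if len(pdu) < 28 or pdu[0] != RPC_VERSION or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if not pdu[4] & 0x10:
        raise ValueError("big-endian data representation not handled in this example")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("fragment length exceeds buffer")
    n_ctx = pdu[24]
    off = 28
    ifaces = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:                     # ctx header (4) + abstract syntax (20)
            raise ValueError("truncated context element")
        n_ts = pdu[off + 2]
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_ts                       # skip abstract + transfer syntaxes
        if off > frag_len:
            raise ValueError("truncated transfer syntax list")
    return ifaces


def classify_bind(pdu: bytes) -> List[Tuple[str, Optional[str]]]:
    """(uuid, name-or-None) per context; a None name is the case in which an
    engine whose table lacks the interface would raise its unknown-UUID alarm."""
    out = []
    for u in bind_interfaces(pdu):
        key = str(u).upper()
        out.append((key, KNOWN_UUIDS.get(key)))
    return out


# Constructed sample PDUs: one MS-WMI bind, one to a hypothetical interface.
WMI_SAMPLE_PDU = build_bind("9556DC99-828C-11CF-A37E-00AA003240C7")
UNKNOWN_SAMPLE_PDU = build_bind("12345678-1234-ABCD-EF00-0123456789AB")

if __name__ == "__main__":
    print(classify_bind(WMI_SAMPLE_PDU))      # IWbemServices recognised
    print(classify_bind(UNKNOWN_SAMPLE_PDU))  # None: table miss, alarm would fire
```

The parser validates the fragment length and each context element before reading, so a truncated or oversized bind raises rather than being silently classified; a production engine should treat those the same way it treats a table miss rather than letting the connection through unanalysed.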

Analysis of TCP options

Support reference 83234

When the alarm "Misplaced TCP option" (tcpudp:58) is raised with its action set to pass, the analysis of the options that follow in the TCP header is no longer wrongly stopped, and the alarm "Wrong TCP sequence number" (tcpudp:16) is no longer raised as a result.
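The practical difference between a pass action that records the alarm and keeps walking the option list and one that stops analysis is whether later options (in particular timestamps and SACK blocks, which the stateful engine needs) are still decoded. The following added example, not Stormshield code, walks a TCP option list with both behaviours on a constructed non-SYN segment. What counts as "misplaced" here is this example's own assumption: a SYN-only option (MSS per RFC 9293, window scale per RFC 7323, SACK-permitted per RFC 2018) appearing in a segment without the SYN flag.

```python
"""Added example (not Stormshield code): a TCP option walker showing the
difference between a 'pass' and a 'block' action on a misplaced option.
With 'pass' the alarm is recorded and the remaining options are still
decoded; stopping early would leave later options (timestamps, SACK)
unparsed. 'Misplaced' is defined here, as an assumption for the example,
as a SYN-only option seen in a non-SYN segment."""
import struct
from typing import Dict, List, Tuple

KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE, KIND_SACK_PERM, KIND_SACK, KIND_TS = 0, 1, 2, 3, 4, 5, 8
SYN_ONLY = {KIND_MSS: "MSS", KIND_WSCALE: "window scale", KIND_SACK_PERM: "SACK permitted"}
FIXED_LEN = {KIND_MSS: 4, KIND_WSCALE: 3, KIND_SACK_PERM: 2, KIND_TS: 10}


def decode(kind: int, payload: bytes):
    """Decode the option kinds this example understands; others stay raw."""
    if kind == KIND_MSS:
        return struct.unpack(">H", payload)[0]
    if kind == KIND_WSCALE:
        return payload[0]
    if kind == KIND_TS:
        return struct.unpack(">II", payload)          # (TSval, TSecr)
    if kind == KIND_SACK:
        return [struct.unpack(">II", payload[i:i + 8]) for i in range(0, len(payload), 8)]
    return payload


def walk_tcp_options(options: bytes, syn: bool, misplaced_action: str = "pass"
                     ) -> Tuple[Dict[int, object], List[str], bool]:
    """Return (decoded options keyed by kind, alarms raised, segment accepted)."""
    decoded: Dict[int, object] = {}
    alarms: List[str] = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            alarms.append("option header truncated")
            return decoded, alarms, False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            alarms.append(f"bad length {length} for option kind {kind}")
            return decoded, alarms, False
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            alarms.append(f"wrong length {length} for option kind {kind}")
            i += length                               # skip by declared length, keep walking
            continue
        if kind == KIND_SACK and (length - 2) % 8:
            alarms.append(f"SACK option length {length} is not 2 + 8n")
            i += length
            continue
        if kind in SYN_ONLY and not syn:
            alarms.append(f"misplaced TCP option: {SYN_ONLY[kind]} in a non-SYN segment")
            if misplaced_action == "block":
                return decoded, alarms, False         # analysis stops, segment dropped
        decoded[kind] = decode(kind, options[i + 2:i + length])
        i += length
    return decoded, alarms, True


# Constructed option list of a non-SYN segment: MSS 1460 (misplaced), NOP,
# NOP, then timestamps TSval=1000 TSecr=2000. 16 bytes, so 4-byte aligned.
SAMPLE_NON_SYN = bytes([KIND_MSS, 4, 0x05, 0xB4, KIND_NOP, KIND_NOP, KIND_TS, 10]) \
    + struct.pack(">II", 1000, 2000)

if __name__ == "__main__":
    print("pass: ", walk_tcp_options(SAMPLE_NON_SYN, syn=False))
    print("block:", walk_tcp_options(SAMPLE_NON_SYN, syn=False, misplaced_action="block"))
```

Under the pass action the timestamps option is still returned alongside the alarm, which is what a stateful engine needs in order to keep validating the connection; under block the walk ends at the first misplaced option and the segment is rejected, so nothing after it matters.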

LDAP protocol

Support reference 83800

The alarm "Possible attack on capacity" (alarm ip:91) is no longer wrongly raised when a CRL larger than 128 KB is downloaded via an LDAP request.

TLS v1.3 protocol

Support references 84244 - 84761 - 84780 - 84783 - 84784 - 84785 - 84786 - 84787 - 84788 - 84789 - 84791 - 84796 - 84799 - 84805 - 84806 - 84845

An issue in the TLS v1.3 protocol analysis engine has been fixed. This regression, which appeared in SNS version 4.5.3, could cause the firewall to freeze.

Filtering - Web services

Support reference 84721

Using in two separate filter rules two web services with names in which only the last character differed would wrongly cause the consistency checker to detect an overlap of these filter rules. This anomaly has been fixed.

High availability - SCTP associations and TCP/UDP connections

Support reference 84792

In high availability configurations, following a double switchover (active - passive - active), the timestamps recorded for SCTP associations and TCP/UDP connections are no longer incorrect.

High availability - SCTP protocol

If the properties of the source and destination hosts of an SCTP association are not available when the association is synchronized between cluster members, the association is no longer deleted; instead, a new synchronization attempt is scheduled.

Network

8-port RJ45 module

Support references 82270 - 85269

When an unexpected freeze of the 8-port RJ45 network module is detected, the firewall now restarts automatically so that the module can reconnect to the network.

Web administration interface

Administrators with restricted access privileges

Checks have been added to prevent administrators authenticated with restricted privileges from displaying modules they are not allowed to access by directly entering a URL that contains the name of the module in question.

Telemetry

Administrators other than the super administrator (admin account) can no longer enable or disable telemetry.

Configuration of the firewall via SSH

In the System > Configuration module, Firewall administration tab, the fields relating to Remote SSH access (requires 'admin' account) are now all grayed out for any connected administrator who is not the super administrator (admin account).

Authentication policy

Multiple rules could no longer be dragged and dropped simultaneously in the authentication policy grid. This regression, which first appeared in SNS version 4.1, has been fixed.

Double-clicking on either the Source or Methods (assess by order) column of an authentication rule for which the method was set to "Prohibit" no longer wrongly replaces the "Prohibit" value with "Default method".

DHCP relay - Google Chrome

Support reference 84593

In the configuration module of a DHCP relay (DHCP > DHCP relay module), if an administrator connected to the firewall's web administration interface via Google Chrome changes the IP address used to relay DHCP queries, the change is now applied: the value of the address is no longer reset to "automatic" when the module is modified.

Preferences - Log display

Support reference 84956

The values selected for the fields Number of lines displayed per page and Minimum number of characters to start searching in the Preferences module are now correctly interpreted and no longer prevent logs from being displayed. This regression appeared in SNS version 4.4.

Objects

Support references 84588 - 84719

Objects used in the firewall's configuration can no longer be forcibly deleted, to avoid generating inconsistencies in the configuration.

Antivirus

Support reference 85330

If a license containing only ClamAV as the antivirus engine is installed on the firewall, the Antivirus module now appears correctly and the message "No access" no longer appears.