SNS 4.7.2 EA bug fixes

System

IPsec VPN

Support references 84572 - 84708 - 85270 - 85272

When the subject of a certificate from a trusted CA contains a non-ASCII encoded character, this no longer prevents the setup of IPsec tunnels based on this CA.

IPsec VPN - Verification of peer certificate revocation (CRL)

Support reference 82506

Deploying a VPN topology, on which the CRLRequired parameter is enabled, from an SMC server no longer overwrites the CA's certificate revocation list (CRL) on the SNS firewall.

Multi-user SSH authentication - SCP command

Support reference 84848

Accounts that have been declared as firewall administrators with the "Console (SSH)" permission can once again run the SCP command in SSH. This issue did not affect the "admin" account.

Extended Web Control (EWC) URL classification and SSL filtering

Support reference 85374

Following several attempts to access the same prohibited URL, the block page that appears, and the log relating to the SSL protocol would wrongly indicate the default category instead of the category to which the URL belongs. This anomaly has been fixed.

SNi40 industrial firewalls

Support reference 85078

On SNi40 firewalls with bypass configured in Safety mode, the bypass active mode could wrongly appear as Safety mode. This issue has been fixed.

SN-S-Series-320 and SN-M-Series-520 model firewalls

The maximum number of HTTP/FTP/SMTP/POP3 connections allowed on SN-S-Series-320 and SN-M-Series-520 model firewalls was wrong and will be fixed when the firewall is updated to version 4.7.2 or higher.

IPsec load balancing on CPUs - SN510, SN2000, SN2100 and SN3100 model firewalls

An issue with concurrent access in the IPsec encryption load balancing mechanism on CPUs has been fixed on SN510, SN2000, SN2100 and SN3100 model firewalls. Reminder: IPsec encryption load balancing can be configured using the CLI/Serverd command CONFIG IPSEC CRYPTOLB UPDATE.

Proxies

Support references 85041 - 85048 - 85260 - 85286 - 85314

Proxies no longer freeze when an SSL decryption rule encounters certificates with either of the following characteristics:

  • Certificates with a blank Subject field,
  • Certificates signed by a certification authority that the proxy has not recognized as trusted (e.g., self-signed certificates),

while the action associated with the SSL protocol analysis of Unknown certificates is set to Delegate to user.

Support reference 85254

Issues with memory leaks on proxies have been fixed.

IPsec tunnel monitoring

Support reference 85318

In IPsec tunnel monitoring, an anomaly that caused tunnels set up with peers in Responder-only mode to appear as bypass policies has been fixed.

SSL VPN

Support reference 84612

Checks have been added to prohibit ping argument values greater than half of the pingrestart argument value in the CLI/Serverd command CONFIG OPENVPN UPDATE. Such a configuration would prevent the SSL VPN client from setting up a tunnel again after a disconnection, and would require the SSL VPN service to be restarted on the client workstation.

More information on the command CONFIG OPENVPN UPDATE
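The check described above (the SSL VPN client must not have a ping interval greater than half of its pingrestart timeout, otherwise it cannot re-establish the tunnel after a disconnection) can also be applied to an exported client configuration before rolling it out. The following validator is an added example and not Stormshield code: it assumes the keepalive values reach the client workstation as the standard OpenVPN directives `ping <seconds>` and `ping-restart <seconds>` (or the `keepalive <ping> <restart>` shorthand); the mapping from the CLI/Serverd `ping` and `pingrestart` parameters to those directives is an assumption, and the sample configurations are constructed.

```python
"""Audit SSL VPN (OpenVPN-style) client configs for the ping/ping-restart
ratio that SNS 4.7.2 now rejects in CONFIG OPENVPN UPDATE.

Added example, not Stormshield code. Assumption: the client config carries
the keepalive settings as OpenVPN's ``ping`` / ``ping-restart`` directives
or the ``keepalive`` shorthand; the SNS ``pingrestart`` parameter is
assumed to correspond to ``ping-restart``.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class KeepaliveVerdict:
    ping: Optional[int]
    ping_restart: Optional[int]
    ok: bool
    reason: str


def parse_keepalive(config_text: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (ping, ping_restart) in seconds from an OpenVPN-style config.

    Comments (# or ;) are stripped; a later directive overrides an earlier one,
    which mirrors how OpenVPN processes its configuration file.
    """
    ping = ping_restart = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ping" and len(parts) == 2 and parts[1].isdigit():
            ping = int(parts[1])
        elif parts[0] == "ping-restart" and len(parts) == 2 and parts[1].isdigit():
            ping_restart = int(parts[1])
        elif parts[0] == "keepalive" and len(parts) == 3 and all(p.isdigit() for p in parts[1:]):
            # On a client, "keepalive n m" expands to "ping n" and "ping-restart m".
            ping, ping_restart = int(parts[1]), int(parts[2])
    return ping, ping_restart


def validate(ping: Optional[int], ping_restart: Optional[int]) -> KeepaliveVerdict:
    """Apply the rule from the release note: ping must not exceed pingrestart / 2.

    The comparison is done as 2 * ping <= ping_restart so that no float
    rounding is involved; the boundary (exactly half) is accepted.
    """
    if ping is None or ping_restart is None:
        return KeepaliveVerdict(ping, ping_restart, True,
                                "no ping/ping-restart pair configured, nothing to check")
    if ping <= 0 or ping_restart <= 0:
        return KeepaliveVerdict(ping, ping_restart, False,
                                "ping and ping-restart must be positive")
    if 2 * ping > ping_restart:
        return KeepaliveVerdict(
            ping, ping_restart, False,
            f"ping {ping}s exceeds half of ping-restart {ping_restart}s: "
            "the client may fail to re-establish the tunnel after a disconnection")
    return KeepaliveVerdict(ping, ping_restart, True, "ok")


def check_config(config_text: str) -> KeepaliveVerdict:
    """Parse a client config and validate its keepalive settings."""
    ping, ping_restart = parse_keepalive(config_text)
    return validate(ping, ping_restart)


# Constructed sample configs (not real exports from a firewall).
SAMPLE_BAD = """\
client
remote vpn.example.invalid 1194   # placeholder gateway
ping 60
ping-restart 90    ; 60 > 90 / 2 -> rejected by the 4.7.2 check
"""

SAMPLE_GOOD = """\
client
remote vpn.example.invalid 1194
keepalive 10 60    # expands to ping 10 / ping-restart 60
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        verdict = check_config(cfg)
        print(f"{name}: ok={verdict.ok} ({verdict.reason})")
```

Run the script on an exported `.ovpn` file's contents (or on the CLI values you intend to push) before deploying: a configuration that the script rejects is the one that, before 4.7.2, could be saved on the firewall and then left clients unable to reconnect without restarting their SSL VPN service.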

CLI/SSH commands

Support reference 85110

The help returned from the command sfctl --help -F now specifies the existence of the token assoc.

NTP client service

The NTP client service no longer stops functioning on firewalls that have over 1024 interfaces.

SD-WAN

Inconsistencies in the measurement unit used for calculations and the display of gateway unavailability rate have been fixed.

Routing

Support reference 85320

When a firewall on which the default route was defined with a loopback object (e.g., the localhost object with the IP address 127.0.0.1) is updated to version 4.7.2 EA, this object is automatically replaced with the blackhole object. This preserves the compatibility of the routing configured earlier.

Intrusion prevention engine

ICMP request

Support references 84197 - 85387

On firewalls with:

  • A server behind a protected interface,
  • Two separate Internet access links.

Following a request from an unprotected network to the server, if the server did not listen on the requested port, the ICMP type 3 (Destination Unreachable) packets that it sent would always take the default route. These packets now take the configured return route.

NTP protocol

Support reference 85077

Verifications of the NTP field reference_timestamp would wrongly raise a 451 alarm in the NTP plugin. As this verification was unnecessary, it has been removed.

High availability

Support reference 84766

During a switch in the cluster, an anomaly in the processing of some established TCP/UDP connections could cause the cluster to become unstable. This anomaly has been fixed.

Web administration interface

IPsec VPN

Support reference 85312

The presence of a space in the name of a mobile IPsec VPN configuration prevented the IPsec policy from reloading and made it inoperative. The firewall's web administration interface and the CLI/Serverd command CONFIG IPSEC POLICY MOBILE UPDATE now prohibit spaces from being entered in the names of mobile IPsec policies.

Support reference 85334

The names of IPsec VPN rules can no longer be deleted, as rules with a blank name field prevent the IPsec policy from fully reloading.

SMTP filtering

Support reference 85347

The web administration interface no longer wrongly prohibits the definition of several rules that reference the same sender for different recipients. This regression appeared in version 4.0.

High availability - monitoring

Support reference 85398

The versions of the firmware installed on the main and backup partitions of the passive cluster member are now correctly displayed.