SNS 4.7.3 bug fixes
System
Proxies
Support references 85428 - 85495 - 85491
Issues regarding proxies that were unexpectedly blocked when configurations were reloaded have been corrected.
Network captures with tcpdump on a usbus interface
Support references 85083 - 85313
Launching a network capture with tcpdump on a usbus interface no longer causes the firewall to unexpectedly restart.
Elastic Virtual Appliances (EVA)
Support reference 85273
On an EVA virtual firewall, limiting the number of CPUs when hyperthreading is enabled no longer causes the firewall to restart unexpectedly.
QoS
Support reference 85019
Deleting a CBQ queue that a filter rule used as an acknowledgment queue (ACK) could cause the firewall to restart unexpectedly. This issue has been fixed.
Switching to a lower SNS version
Support reference 85247
When a firewall switches to a lower SNS version without being reset to its factory configuration (defaultconfig), attempts to display the list of available alarms no longer cause the intrusion prevention engine and the command-based configuration server (serverd) to unexpectedly restart.
NAT
Support reference 84819
An issue in the NAT manager has been fixed. It wrongly filled the table of translated ports used by traffic that requires child connections (e.g. FTP, RTSP and others), which prevented child connections from being created and disrupted the traffic in question.
Filter - NAT
Support references 85357 - 85376
In filter rules that use a set of network objects, one of which is linked to a disabled DHCP-configured interface, restarting the firewall will no longer wrongly enable the "(1) Block all" filter rule. This regression appeared in SNS version 4.7.0.
Support reference 85239
In a situation such as the following:
- The firewall has a bridge that groups several interfaces. On this bridge:
  - Traffic from one of the bridge interfaces to an interface outside the bridge is allowed by a filter rule in Firewall mode,
  - Traffic from another bridge interface to the same interface outside the bridge is blocked by another filter rule.
- A connection has been established between a client host and the server through the first rule,
- An infected host or an intrusion probe located on the same interface as the server sent a reset packet with the same references as the established connection (source/destination addresses and source/destination ports).
Although the packet from the infected host or intrusion probe was rightly blocked, the source interface of the client host was wrongly modified and its established connection with the server was shut down. This issue has been fixed.
Connection to the web administration interface with the admin account
Support references 85266 - 85309 - 85349 - 85437 - 85494
Under certain circumstances, attempts to connect to the web administration interface with the admin account would fail and cause the command-based configuration server (serverd) to unexpectedly restart. This issue has been fixed.
High availability (HA)
Support references 77890 - 83274
On a high availability firewall that has switched roles several times in the cluster, some packets would take the wrong return route while presenting the IP address of the right return route. This issue, which caused the shutdown of the traffic in question, has been fixed.
High availability - Synchronization of certificate revocation lists (CRL)
CRLs that were retrieved on the active firewall are now synchronized with the passive firewall once again. This regression appeared in SNS version 4.7.2 and raised an alarm whenever a CRL on the passive firewall expired.
E-mail alerts
Support references 84511 - 82823
When e-mails are sent by the firewall via an encrypted connection with an SMTP server over TLS, reloading the configuration of the e-mail sending service would wrongly cause a switch to unencrypted mode, which could result in a connection failure between the firewall and the SMTP server. This issue has been fixed.
Memory leaks
Support reference 85363
Memory leak issues have been fixed in the firewall's configuration engine and its SNMP agent management engine.
IPsec VPN
Packets that were encrypted in a first IPsec tunnel were no longer allowed to then pass through a second tunnel set up via virtual IPsec interfaces. This regression, which first appeared in SNS v4, has been fixed.
IPsec monitoring
Support reference 85399
Monitoring of SAs (security associations) no longer fails when the peer contains an IP address range.
Internal LDAP directory
Support reference 84495
Optimizations have been made to prevent the systematic reloading of the LDAP directory manager when some modifications are applied.
DHCP interface
Support reference 85305
When the media speed of a DHCP-configured interface is manually modified, it no longer loses its IP address.
BIRD dynamic routing - BGP and MD5 authentication
Support reference 85373
In a BIRD dynamic routing configuration that uses BGP with MD5 authentication, the absence of a source address for the BGP configuration now results in a warning message prompting the administrator to enter a source address in the BIRD configuration. This prevents a malfunction of the BGP session in question. This regression appeared in SNS versions 4.6.9 and 4.3.21 LTSB.
Listening port on the web administration interface
Support reference 85450
Attempts to change the listening port on the web administration interface (TCP/443 by default) no longer result in a system error in the firewall's configuration engine, and are now correctly applied.
IPsec VPN - IKEv1 - Certificate authentication and XAuth
Support reference 85283
During the setup of an IKEv1 IPsec tunnel with certificate authentication and XAuth, user groups are now correctly saved in the intrusion prevention engine's tables. Such groups can once again be used in filter rules. This regression appeared in SNS version 4.2.
Encryption/PKI
Support reference 85476
The CLI/Serverd command CONFIG FWADMIN PROTECT would wrongly allow the decryption of any TPM-protected private key without requiring the TPM password. This issue has been fixed.
Log management service - TCP Syslog
Support references 85297 - 85396
The firewall's log management service no longer stops when its configuration is modified and the connection between the TCP Syslog server and the firewall is unreliable or unstable.
Intrusion prevention engine
IPS analysis - Alarms
Support reference 85210
Packets that raise one of the alarms occurring before the filter inspection would still pass through the firewall despite the presence of a filter rule configured to block the corresponding network traffic. This issue has been fixed.
Refer to the list of alarms occurring before the filter inspection in the Stormshield knowledge base (authentication required).
LDAP protocol
Support reference 84561
The LDAP protocol analysis engine now correctly manages GSSAPI authentication packets, which no longer wrongly generate "Bad LDAP protocol" (ldap_tcp:427 error) alarms.
Web administration interface
DHCP server and log partition operations
Support reference 84501
Enabling the DHCP server on the firewall no longer prevents maintenance operations on the log partition via the web administration interface (unmounting/mounting, formatting, etc.).
IPsec VPN
Support reference 85423
As announced in the SNS 4.7.1 release notes, the wizard that creates mobile IPsec VPN rules in config mode now makes it possible to select a network group as local resources.
Cluster creation wizard
Support reference 85405
If an interface included in a bridge or an interface without an IP address is present on the firewall, it no longer prevents the cluster creation wizard from launching.