SNS 4.7.5 bug fixes

System

SSL VPN

Support reference 85485

In SSL VPN connections with certificate authentication, HTML tags or quote characters (") in the user name are now correctly processed.

Support reference 85485

SSL VPN tunnel monitoring no longer displays lines of "UNDEF" users, which correspond to connection attempts. Now, only established connections are displayed in the monitoring module.

EVA on Microsoft Azure

Support reference 85325

The file integrity verification mechanism has been adapted to no longer wrongly raise alarms for EVAs deployed on the Microsoft Azure platform. These alarms, which affected in particular the host's boot loader or libraries specific to this platform, disrupted how Microsoft Azure managed and backed up virtual machines.

Disk access

Support references 84495 - 84933 - 85038 - 85081 - 85213 - 84626 - 85197

Improvements have been made to restrict the number of times the disk is accessed. In some cases, when the disk is accessed too often, SN160(W), SN210(W) and SN310 model firewalls would unexpectedly restart.

High availability - SCTP associations

Support reference 82047

Because SCTP associations were not synchronized when the filter policy was reloaded on the active firewall, an inconsistency could arise within the cluster: SCTP connections that were deleted on the active firewall when the filter policy was reloaded were still considered active on the passive firewall. This issue has been fixed.

Certificate Check

Support reference 85206

The mechanism that retrieves and verifies TLS server certificates now takes into account the trusted CAs added by the administrator account. These CAs are stored in a different directory from the one used for storing downloaded CAs.

URL/SSL filtering - Extended Web Control (EWC) - Miscellaneous category

URLs that have been recognized by the URL category provider in the EWC solution, and which do not belong to any predefined category, are now classified under the Miscellaneous category, and no longer under Unknown.

URL/SSL filtering - Extended Web Control (EWC) - Warning messages

Improvements have been made for cases where an unknown URL category was still referenced in the configuration of the SNS firewall after the migration of a security policy to the new EWC URL database:

  • Warning messages no longer appear in the menu on the left, in front of the names of the Filter - NAT, URL filtering and SSL filtering modules, when the unknown categories are in a disabled rule or in an inactive policy,
  • In warning messages, the output from the CLI/Serverd command MONITOR MISC now indicates the unknown categories and the policy in question.

SNMP agent

Support reference 83679

An error was fixed in the value returned by the OID 1.3.6.1.2.1.1.7. This value is now 76, corresponding to a device that provides services on OSI layers 3, 4 and 7. Previously, the value returned was 72.
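The sysServices value is a bitmask defined in RFC 1213 (each OSI layer L the device operates on adds 2^(L-1)), which is why 72 encoded only layers 4 and 7 while 76 also encodes layer 3. The following encoder/decoder is an added illustration and is not part of the SNS release notes; the layer names follow RFC 1213.

```python
# Added example (not from the SNS release notes): encode and decode the SNMP
# sysServices object (OID 1.3.6.1.2.1.1.7) as defined in RFC 1213.
# Each OSI layer L (1..7) the device provides services on adds 2**(L-1).
# RFC 1213 only names layers 1, 2, 3, 4 and 7; layers 5 and 6 are unused.

LAYER_NAMES = {
    1: "physical",
    2: "datalink/subnetwork",
    3: "internet (routing)",
    4: "end-to-end (transport)",
    7: "applications",
}


def encode_sys_services(layers):
    """Return the sysServices integer for an iterable of OSI layers (1..7)."""
    value = 0
    for layer in layers:
        if not 1 <= layer <= 7:
            raise ValueError(f"OSI layer out of range: {layer}")
        value |= 1 << (layer - 1)
    return value


def decode_sys_services(value):
    """Return the sorted list of OSI layers encoded in a sysServices value."""
    if not 0 <= value <= 127:
        raise ValueError(f"sysServices out of range (0..127): {value}")
    return [layer for layer in range(1, 8) if value & (1 << (layer - 1))]


def describe_sys_services(value):
    """Human-readable summary, e.g. for checking an SNMP poll result."""
    parts = []
    for layer in decode_sys_services(value):
        name = LAYER_NAMES.get(layer, "unused")
        parts.append(f"L{layer} {name}")
    return ", ".join(parts)


if __name__ == "__main__":
    # 72 was the value returned before the fix, 76 is the corrected value.
    for value in (72, 76):
        print(f"sysServices={value}: {describe_sys_services(value)}")
```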

GRETAP

Support reference 85417

An anomaly in the formatting of outgoing GRETAP packets (several extra bytes at the beginning of the packet) was fixed. This anomaly, which appeared in versions 4.3.16 LTSB and 4.6.1, made GRETAP network captures more difficult to analyze but did not in any way affect the proper operation of GRETAP communications.

Certificates and PKI - TPM

Support reference 85431

When a certificate that was initially protected by the TPM was renewed via EST or SCEP, the TPM protection would not be maintained. It will now be automatically applied after the renewal operation.

Authentication - TS agent

Support reference 85403

Users who were already authenticated via the TS Agent method were unable to connect to the firewall’s web administration interface. This issue has been fixed.

Intrusion prevention engine

TCP connections - Proxy

Support references 84867 - 85385

At the end of a TCP packet exchange, if the server or client ignores the connection shutdown packet that the peer sends, the firewall's intrusion prevention engine no longer wrongly sends ACK or FIN/ACK packets in a loop.

SMTP protocol

Support reference 84220

SMTP connections that are initiated by a client that sent a STARTTLS command before the EHLO command will no longer be wrongly blocked when they generate the "Invalid SMTP protocol" alarm.

SMTP - UTF-8 support

Support reference 83791

The SMTP protocol analysis engine no longer wrongly blocks UTF-8 characters in SMTP traffic when the server specifically allows them through the option SMTPUTF8.

Vulnerability management

Support reference 85526

The cache that contains vulnerabilities detected on the firewall's client hosts has been enlarged from 128 to 2048 possible entries, to prevent the intrusion prevention engine from consuming too much CPU when the cache is full.

Web services

Support reference 85539

Whenever a web service with a name longer than 19 characters was used in a filter rule, the filter policy would not be applied and a warning in the dashboard would ask the administrator to correct the name of the service in question.

Web administration interface

Filtering - Authentication rule - Web objects

Support reference 85447

When an authentication rule has been defined in the filter policy, web objects can no longer be created or edited directly from this rule. This operation would make the web administration interface unstable.

Certificates and PKI

Support reference 85388

The use of certification authorities (CAs) with names that contain an apostrophe can now be verified.

IPsec VPN

Support reference 85442

After importing a CA and several identities that it has signed, only the certificate of the first imported identity could be used to create an IPsec peer. Attempts to select another imported certificate would fail. This issue has been fixed.

Host object with automatic DNS resolution

Support reference 85515

The "/" character is no longer allowed at the end of the name of host objects that have been configured in automatic DNS resolution.

Authentication - TOTP

Support reference 85473

Changing the Number of valid codes before and after current code no longer wrongly displays the window indicating that the TOTP database must be reinitialized and that the TOTP enrollment procedure has to be repeated for all users.