SNS 4.7.6 bug fixes

NOTE
As announced in the version 4.6.7 release notes, the fix regarding the label length of a web service that is compatible with a traffic block rule (support reference 84722) has been removed. It will be reviewed and included in a future version.

System

High availability - Automatic backups

Support reference 84782

In high availability configurations where automatic configuration backups to Stormshield's cloud were enabled, if the roles of the firewalls in the cluster were switched more often than the configured backup frequency (7 days by default), the automatic backups never ran. This issue has been fixed.

High availability - Updating the passive firewall when the backup partition is being copied

Support reference 85390

The mechanism that updates the passive firewall in a cluster has been enhanced to better manage partition backups on it. With these improvements, backups are no longer interrupted abruptly, which could corrupt the partitions on the passive firewall.

High availability - Updating the active firewall in command line

Support reference 84997

In high availability configurations, attempts to update the active firewall with the command SYSTEM UPDATE UPLOAD fwserial=active no longer fail with the error "Source and destination firewalls are the same".

More information on the command SYSTEM UPDATE UPLOAD.

High availability - TOTP authentication

Support reference 85575

In high availability configurations, the database of users who have completed their TOTP enrollment is once again synchronized correctly between the members of the cluster. This regression appeared in SNS version 4.7.1 EA.

VLAN in a link aggregate

The network configuration checker no longer takes into account the case used in the names of VLANs that are part of a link aggregate. Previously, a mismatch in case prevented the network configuration from being reloaded.

Running an automatic update and system backup simultaneously on the backup partition

Support reference 84744

When an automatic update (autoupdate) ran at the same time as a system backup to the backup partition (dumproot), the system backup could fail, especially when the firewall was managed via SMC.

Improvements have been made to prevent this situation. Now:

  • When a dumproot is in progress, the autoupdate mechanism is held on standby and starts only once the dumproot has finished,
  • When an autoupdate is in progress, the dumproot does not start and a system event is generated.

IPsec VPN

Support reference 85603

When the IP address of a traffic endpoint falls within the network of a tunnel's remote hosts, attempting to set up such an IPsec tunnel no longer causes the firewall to freeze unexpectedly. This regression appeared in SNS version 4.7.3.

IPsec VPN - Diffusion Restreinte (DR) mode

Support reference 85507

For configurations in DR mode, if a peer in a site-to-site tunnel has enabled the Do not initiate the tunnel (Responder only) option, the tunnel will no longer be prevented from setting up correctly.

Static multicast routing in VLANs

Support reference 85562

An issue causing random disruptions to statically routed multicast traffic in VLANs has been fixed.

Deployments via SMC - Concurrent access

Support reference 84003

Issues regarding concurrent access have been fixed, so that attempts to deploy configurations via SMC are no longer unexpectedly blocked.

GRETAP

Support reference 85384

In configurations that use CPU load balancing for encryption on SN-M-Series-520 and SN-M-Series-720 model firewalls, an issue regarding packets being rejected in a GRETAP tunnel's key renegotiation phase has been fixed.

Intrusion prevention engine

SD-WAN

Support reference 85436

When a static route uses a router object whose gateways are all attached to protected interfaces, the gateways of such router objects are now correctly entered in the table of protected addresses of the intrusion prevention engine.

Web administration interface

SMC - Removal of TPM protection

Support reference 85594

TPM protection can now be removed from the key used in communications with the SMC server via the firewall's web administration interface.