SNS 4.7.9 bug fixes

System

GRE/GRETAP encapsulation in an IPsec tunnel

Support reference 85626

GRE/GRETAP packets can once again be encapsulated in an IPsec tunnel. This regression appeared in SNS version 4.7.3.

Configuration

Support reference 85434

The number of IP addresses defined on an interface can no longer exceed the limit allowed on the firewall. Previously, excess IP addresses were not enabled, but no error message was displayed when the configuration was validated. This anomaly has been fixed.

When a firewall with a defective disk is updated, the configuration file folder will no longer be deleted, as this would make the firewall unreachable.

SD-WAN

Priority calculations have been revised to prevent gateways from being switched too frequently. As a result, downgraded gateways are no longer ranked against one another on a status scale. The gateway selection mechanism now follows these rules:

  • Active gateways take priority over downgraded gateways,
  • Main gateways take priority over backup gateways.

System report (sysinfo)

Support reference 85593

Information regarding verbose mode being enabled is now correctly reported in the system report.

IP reputation - Storage devices

Support references 84495 - 84933 - 85038 - 85081 - 85213

The mechanism that opens IP reputation metadata files has been modified to restrict the number of times the storage device can be accessed. In some cases, when the disk is accessed too often, the firewall would unexpectedly restart.

Host reputation

Support reference 85635

An issue with access privileges, which prevented the host reputation manager from functioning correctly, has been fixed. This regression appeared in SNS version 4.7.

Intel interfaces using the igc kernel module

Support reference 85486

When a VLAN is configured on an interface that uses the igc kernel module, and the interface is included in a bridge with the option Keep initial routing/Keep VLAN IDs enabled, packets from other VLANs crossing the bridge are no longer wrongly rejected.

This applies to the following firewall models, and to firewalls equipped with the following network modules:

  • Firewalls: SN-S-Series-220, SN-S-Series-320, SN-M-Series-520, SN-M-Series-720 and SN-M-Series-920.
  • Modules: NA-EX-CARD-8x2_5G-C (8 x 2.5 Gb copper Ethernet) and NC-1-8x2_5G-C (8 x 2.5 Gb copper Ethernet).

Telemetry

A memory leak issue has been fixed in the telemetry manager.

An issue with competing access, which could cause the telemetry manager to shut down unexpectedly, has been fixed.

Authentication – TS Agent

Support reference 85401

Authentication through the TS Agent method would logically fail for users whose logins contained a space (a prohibited character), but no error message would appear to indicate the issue. An alarm is now raised when this occurs, and the alarm information includes the list of prohibited characters.

SN160(W)/SN210(W)/SN310 model firewalls

Support references 84495 - 84933 - 85038 - 85081 - 85213

Changes have been made to the mechanism that calculates Security and System indicators, in order to reduce the number of times disks are accessed. The mechanism would previously cause SN160(W)/SN210(W)/SN310 model firewalls to unexpectedly restart.

Syslog - TLS 1.3

Support reference 85579

When logs are sent via syslog using TLS 1.3, the operation no longer fails when the certificate used for authentication was signed by a subordinate CA.

IPsec VPN - Certificate-based authentication

Support reference 85607

After the IPsec tunnel manager was updated, the firewall would wrongly interpret the SerialNumber attribute as the Surname attribute, preventing IPsec tunnels from being set up. This issue has been fixed.

IPsec VPN in DR mode - UDP encapsulation and dynamic NAT

Support reference 85629

Tunnels configured in DR mode with UDP encapsulation enabled, where the source port of one peer's traffic is translated (dynamic NAT), can now be set up correctly: the remote firewall detects the need to encapsulate the traffic in UDP.

Automatic backups - Custom server

On firewalls that use automatic configuration backups to a custom server authenticated with a certificate, selecting this certificate and clicking on Check usage in Objects > Certificates and PKI now correctly indicates that the certificate is used in the firewall configuration. Likewise, attempting to delete this certificate now raises an error.

Quality of Service (QoS)

Support reference 85590

An issue that could cause the firewall to freeze when a QoS queue was deleted has been fixed.

Virtual EVA firewalls deployed on the Linux KVM hypervisor

Support reference 85635

On virtual EVA firewalls deployed on the Linux KVM hypervisor, the firewall now correctly applies the status of an interface that is disconnected in the hypervisor's configuration. Previously, this issue distorted the calculation of the high availability (HA) quality factor.

Support reference 85722

When a virtual machine is suddenly shut down while being configured on a KVM hypervisor, it no longer corrupts some of its configuration files.

Filtering and NAT - Web services

Support reference 85539

When a custom web service with a name that is exactly 20 characters long is used in a filter rule, the rule does not function.

A warning message then appears in the Messages widget on the Dashboard, indicating the filter policy and rule number that caused the error.

To work around the issue:

  1. Change the name of the web service (to fewer than 20 characters) in the CSV import file that was initially used,
  2. Import this file once again in Objects > Web services > Import custom services tab,
  3. Modify the filter rule to use the new name of the web service.

Network

BIRD dynamic routing

Support reference 85322

Issues that occurred while adding a default route on a protected interface, or when an interface switches from public to protected with a default route added by BIRD, have been fixed.

These issues would wrongly add the network 0.0.0.0/0 or 0.0.0.0/32 to the table of protected addresses. Since every source address then matched a "protected" network, an alarm regarding an IP spoofing attempt would wrongly be raised, which could cause legitimate traffic to be dropped.
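To make the effect of the previous behaviour concrete, here is an added, self-contained model of a protected-address table and an anti-spoofing check. It is not SNS or BIRD code: the route entries, interface roles and IP addresses are constructed for the example, and the check itself is a generic one (a packet whose source belongs to a protected network but arrives on a public interface is treated as spoofed). Building the table twice, once with the 0.0.0.0/0 and 0.0.0.0/32 entries kept and once with them excluded, shows why the former version flagged ordinary Internet traffic.

```python
import ipaddress
from typing import List, Tuple

# Constructed route entries: (prefix, installed_on_protected_interface).
# The last two mimic a default route and a 0.0.0.0 host route that dynamic
# routing installed on a protected interface.
Route = Tuple[str, bool]

SAMPLE_ROUTES: List[Route] = [
    ("192.0.2.0/24", True),        # LAN behind a protected interface
    ("198.51.100.0/25", True),     # DMZ behind a protected interface
    ("203.0.113.0/24", False),     # provider network on the public interface
    ("0.0.0.0/0", True),           # default route learned by dynamic routing
    ("0.0.0.0/32", True),          # 0.0.0.0 host route variant
]

IPNetwork = ipaddress.IPv4Network


def is_catch_all(net: IPNetwork) -> bool:
    """A default route (prefix length 0) or the 0.0.0.0/32 host route describes
    no real protected network and must never enter the protected table."""
    return net.prefixlen == 0 or net == ipaddress.ip_network("0.0.0.0/32")


def build_protected_table(routes: List[Route], exclude_catch_all: bool = True) -> List[IPNetwork]:
    """Collect the networks reachable through protected interfaces.
    exclude_catch_all=False reproduces the faulty behaviour described above."""
    table: List[IPNetwork] = []
    for prefix, protected in routes:
        if not protected:
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        if exclude_catch_all and is_catch_all(net):
            continue
        table.append(net)
    return table


def looks_spoofed(src: str, ingress_protected: bool, table: List[IPNetwork]) -> bool:
    """Generic anti-spoofing rule: a source inside a protected network is only
    legitimate when the packet enters through a protected interface."""
    ip = ipaddress.ip_address(src)
    claims_protected = any(ip in net for net in table)
    return claims_protected and not ingress_protected


def false_alarms(samples: List[Tuple[str, bool]], table: List[IPNetwork]) -> List[str]:
    """Return the sources from public-side samples that the table flags even
    though they belong to no configured protected network."""
    real = build_protected_table(SAMPLE_ROUTES)
    return [
        src for src, ingress in samples
        if looks_spoofed(src, ingress, table) and not looks_spoofed(src, ingress, real)
    ]


# Constructed traffic samples: (source address, arrived on a protected interface).
SAMPLES: List[Tuple[str, bool]] = [
    ("203.0.113.7", False),   # normal Internet client on the public side
    ("8.8.8.8", False),       # another public source
    ("192.0.2.10", False),    # LAN address arriving from outside: genuine spoof
    ("192.0.2.10", True),     # same LAN address on its own interface: fine
]

if __name__ == "__main__":
    faulty = build_protected_table(SAMPLE_ROUTES, exclude_catch_all=False)
    fixed = build_protected_table(SAMPLE_ROUTES)
    print("faulty table:", [str(n) for n in faulty])
    print("fixed table: ", [str(n) for n in fixed])
    print("false alarms with faulty table:", false_alarms(SAMPLES, faulty))
    print("false alarms with fixed table: ", false_alarms(SAMPLES, fixed))
```

With 0.0.0.0/0 in the table, every address on the Internet "belongs" to a protected network, so each public-side packet fails the check; once the catch-all entries are excluded, only the packet carrying a LAN source on the public interface is flagged.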

Web administration interface

Captive portal

Support reference 84750

The interface sslvpn_udp can now be selected in the captive portal's profiles. Its absence prevented users connecting from this interface from accessing the captive portal.