SNS 4.8.1 EA bug fixes

System

IPsec VPN

A mechanism that verifies and restricts the number of requests to set up IPsec tunnels has been added to avoid saturating the queue.

SSL VPN

Support reference 84391

The option to prevent users from setting up more than one SSL tunnel (an option that can be enabled using the CLI/Serverd command CONFIG OPENVPN UPDATE ForceOneTunnelPerUser=1) did not function when the presented user name included its domain name (e.g., john.doe@acme.com). This anomaly has been fixed.

More information on the command CONFIG OPENVPN UPDATE.

Authentication policy

Support references 79493 - 84414 - 84713

The Block action has been removed from the choice of values allowed for the default authentication method:

  • Choosing this value would wrongly block users during authentication on the SSL VPN when Internet was selected as the source object in the SSL VPN authentication rule.
  • Choosing this value together with an authentication rule that specified the use of the default authentication method would not block the corresponding authentication traffic.
  • Choosing this value without setting any specific authentication rule in the authentication policy would wrongly allow authentication on the firewall via SSH.

Dashboard - Health indicators

Support reference 85392

The health indicator of certificates found in the Dashboard module no longer wrongly raises alarms when a CA has a lifetime longer than 68 years. This behavior persists on SN160(W), SN210(W) and SN310 firewall models.

High availability

Support reference 84512

In high availability configurations, when users view web administration interface modules without making any changes, the icon indicating the need to synchronize the configuration between members of the cluster no longer appears by mistake.

SN-S-Series-220/320 and SN-M-Series-520 firewalls - Starting up with a 4G modem or USB key connected

When a user's network configuration does not make any reference to a 4G modem/USB key, starting SN-S-Series-220/320 or SN-M-Series-520 model firewalls with a 4G modem/USB key connected to one of the firewall's USB ports will no longer fail while the startup partition is being selected.

SD-WAN monitoring

Support reference 84874

Router objects used in static routes are now effectively monitored.

Web services

Support references 84662 - 84444

When custom web services are imported from a CSV file, quotation marks framing a comment in the source file are no longer supported.

Dynamic DNS

Support references 84480 - 85395

Performing the following actions in this sequence now correctly enables the dynamic DNS service on the firewall:

  1. Configure a dynamic DNS profile.
  2. Apply changes.
  3. Enable the profile.
  4. Apply changes.

Running a firewall shutdown/restart command and system backup simultaneously on the backup partition

When a shutdown (HALT)/restart (REBOOT) command was run at the same time as a system backup on the backup partition (dumproot), the system backup could fail, and even corrupt the backup partition.

Improvements have been made to prevent this situation. Now:

  • When a dumproot is in progress, the firewall's shutdown/reboot mechanism is put on active standby and will start only when the dumproot ends.
  • When a shutdown/restart command is launched on the firewall, dumproot will not launch, and a system event is generated.

Virtual firewalls - Prohibiting a downgrade to an earlier firmware version

On virtual firewalls, the configuration token that makes it possible to prohibit downgrades to an earlier firmware version is now correctly applied.

This function can be managed exclusively through the CLI/Serverd command:

SYSTEM UPDATE DOWNGRADE state=<on|off>

More information on the command SYSTEM UPDATE DOWNGRADE.

CLI/serverd commands - CONFIG LDAP UPDATE HELP

Support reference 85301

The CLI/serverd command CONFIG LDAP UPDATE HELP no longer wrongly references the realbindaddr parameter instead of bindaddr.

More information on the command CONFIG LDAP UPDATE.

Logs

Support reference 84831

When the log manager is unavailable, it no longer wrongly causes the intrusion prevention engine to freeze temporarily.

CRL verification

Support reference 85402

The mechanism that verifies CRLs now correctly performs DNS requests again when three or more DNS servers are specified on the firewall. Note, however, that this anomaly did not apply to CRL downloads.

SNMPv3 traps - securityName

Support reference 85435

When an SNMPv3 trap for the securityName event is configured with values containing spaces, the "Error in format" serverd error is no longer returned.

IPFIX collector - Network connection logs

Support reference 85054

Network connection logs were not sent to the IPFIX collector whenever they originated from a filter policy rule with Firewall as its inspection level. This issue has been fixed.

Network

GRE/GRETAP

Support references 84395 - 76800

GRE/GRETAP tunnels based on an outgoing interface that has been configured in DHCP are now set up correctly after the firewall has been restarted, or when this source interface changes its IP address.

BIRD version 1 dynamic routing

Support reference 85322

Issues that occurred while adding a default route on a protected interface, or when an interface with a default route added by BIRD is changed from public to protected, have been fixed.
These issues would wrongly add the network 0.0.0.0/0 or 0.0.0.0/32 to the table of protected addresses. This would then wrongly raise an alarm regarding an IP spoofing attempt, which could cause legitimate traffic to be dropped.

Elastic Virtual Appliances (EVA)

Hypervisor based on Qemu 8.1 and higher versions

Support reference 76697

EVAs in SNS version 4.7 and higher are now correctly deployed on hypervisors that are based on Qemu 8.1 and higher versions.

Web administration interface

Changing the super-administrator password (admin account)

Support reference 85581

When the admin account password is being changed through the web administration interface, quotation marks are once again not accepted. A regression that allowed these characters appeared in SNS version 4.7.1 EA.

External LDAP - Showing the list of users

Support reference 85287

When an external directory held more than 1000 users, the list of users would not appear in the Users module on the SNS firewall. This issue has been fixed, and the directory's first 500 users now appear by default in the list of users.

Filter - NAT

Support reference 76697

Changes to an interface’s IP address are now correctly applied in the tooltip showing this object's properties in the Filtering and NAT module.

IPsec VPN monitoring

Support reference 85292

After these operations have been performed:

  1. Create and apply a filter on the columns of the IPsec VPN monitoring module.
  2. Quit the module and go back to it.

the filter is shown as active and is now correctly applied.

Audit logs

Support reference 85292

In Logs - Audit logs > All logs, log type can now be added as a filter criterion.

In the details of a log, scrolling over the flag of a source or destination country now correctly displays the "Country name (Country code)" information.

DHCP IPv6 address

Support reference 85336

When an interface in IPv6 is configured via DHCP, all tooltips that are supposed to specify this address no longer wrongly show the interface's IPv4 address.

IPv6 address - Monitoring users connected via the TS agent method

When IPv6 is disabled on the SNS firewall, the module that monitors users connected via the TS agent method no longer wrongly shows, in the IP address column, the IPv6 address of the host associated with the user known to the Windows server.

Gateways in a router object

Support reference 85211

Changes to the name of a gateway belonging to a router object are now correctly applied in the list of gateways that make up the router object.

Authentication - Radius

Support reference 85128

In the configuration of the Radius authentication method, the icon located at the end of the Pre-shared key field on the server and backup server (if any) was partially hidden. This anomaly has been fixed.