SNS version 4.8.7 bug fixes

System

Proxy

Support reference 85644

Previously, proxy connections were not purged when they ended, so they accumulated until the proxy saturated. A proxy connection is now purged automatically 10 seconds after it ends.

TLS proxy

Support reference 85895/85961

Sessions cached in the TLS proxy would sometimes cause the proxy to shut down unexpectedly or to consume excessive memory. This issue has been fixed.

SSL VPN portal

Support reference 85899

The SSL VPN portal can now be accessed again when a single server is configured. This regression appeared in SNS version 4.8.0.

OpenVPN

Support reference 85690

Previously, when OpenVPN searched for a certification authority (CA) group, it used a temporary path, which could cause an error while restarting. OpenVPN now uses a permanent path.

Support reference 85842

Previously, temporary files found in the folder /var/tmp/Openvpn/ were not deleted, which could eventually prevent VPN tunnels from being set up, as the maximum number of files in a folder was reached. Such files are now deleted.

IPsec VPN

Support reference 85831

The maximum number of tasks handled by the IPsec VPN tunnel manager now applies only when Denial of Service (DoS) protection is enabled. In addition, the engine no longer needs to be restarted when this limit is reached.

Support reference 85717

When IPsec VPN tunnels that use virtual interfaces (VTIs) were deployed through SMC, they were negotiated before the end of the deployment, and were not operational. This issue has been fixed.

Certificates and PKI

Support reference 85968

The firewall now correctly verifies the content of the basicConstraints extension in a certification authority's (CA) certificate.

You can configure whether to import a CA for which this extension does not have a value, by using the StrictCACheck configuration token found in the ConfigFiles > system file. When the value of this token is set to 0, this means that such CAs can be imported.
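As an added illustration (not Stormshield code), the following parses the DER value of a basicConstraints extension and applies an import decision that mirrors the StrictCACheck behaviour described above. It assumes that "does not have a value" means the extension is absent from the certificate, that 1 is the strict setting, and that a CA whose extension says cA=FALSE is always refused; only the meaning of the value 0 is stated on the page.

```python
# Added example, not part of SNS. Emulates the basicConstraints check:
# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER OPTIONAL }
# DER omits fields equal to their default, so an empty SEQUENCE means cA=FALSE.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for a short-form DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are not needed for basicConstraints")
    start = pos + 2
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length

def parse_basic_constraints(der):
    """Parse a basicConstraints extension value into (ca, path_len)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:            # BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("DER BOOLEAN must be a single 0x00 or 0xFF byte")
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:            # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing data in basicConstraints")
    return ca, path_len

def ca_import_allowed(basic_constraints_der, strict_ca_check=1):
    """Decide whether a certificate may be imported as a CA.

    basic_constraints_der is None when the extension is absent. The
    strict_ca_check argument stands in for the StrictCACheck token (assumed:
    1 = strict, 0 = tolerate a missing extension, as the page states).
    """
    if basic_constraints_der is None:
        return strict_ca_check == 0
    ca, _ = parse_basic_constraints(basic_constraints_der)
    return ca

# Constructed sample values (hand-encoded, not taken from any real certificate):
CA_TRUE = bytes.fromhex("30030101ff")                  # SEQUENCE { BOOLEAN TRUE }
CA_TRUE_PATHLEN0 = bytes.fromhex("30060101ff020100")   # cA TRUE, pathLen 0
CA_FALSE = bytes.fromhex("3000")                       # empty SEQUENCE: cA FALSE
```

Only the empty-SEQUENCE form is DER-valid for cA=FALSE; an explicit `01 01 00` is a BER encoding that the parser above accepts for leniency but a strict DER decoder would reject.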

Length of the additional alarm message of the l_alarm log

Support reference 85621

The maximum number of characters for the additional alarm message of l_alarm logs is now 512 characters. Ellipses are now added to the end of messages if they are truncated.

LDAPS server

Support reference 85766

Global host objects can now be used to configure an LDAPS server.

Access port to the firewall’s web administration server

Support reference 85510

Now, when the access port to the firewall’s web administration server is changed:

  • from a port above 1024 to a port below 1024,

  • from a port below 1024 to a port above 1024,

the new port will only be taken into account after the firewall is restarted. A notification in the upper banner will indicate that the firewall must be restarted in order to apply the new configuration.

Bypass

Support reference 85358

The suspension of the connection when a firewall is powered up again with bypass mode enabled now lasts six seconds or less.

Filter - NAT

Support reference 85713

Previously, some filter policies that were operational in SNS 3.11 versions would no longer load in SNS version 4.8, thereby blocking traffic that passed through the firewall. Such filter policies now load, but a warning message appears when the configuration is confirmed in Configuration > Security policy > Filter - NAT.

Support reference 85677

When IPv6 is enabled, an error in the filter rule optimization mechanism would occasionally make some filter rules non-operational. This issue has been fixed.

PKI

Support reference 85798

The DN of certificates created with the command PKI EST QUERY and the DN of certificates created with the commands PKI CERTIFICATE CREATE, PKI REQUEST CREATE and PKI CA CREATE are now encoded with the same encoding, which improves compatibility with special characters and third-party PKI programs.

Backup server

Support reference 86010

The name of the object that is used as the backup server can now contain up to 255 characters.

High availability (HA)

Support reference 85781/85949

Using the firewall's administration interface in a high availability cluster no longer causes the configuration synchronization icon to blink unexpectedly. This regression appeared in SNS version 4.8.1.

High availability - Switch optimisation

Support reference 85773

Now, when Reboot all interfaces during switchover (except HA interfaces) is selected, only bridged interfaces will restart.

TPM

Support reference 85600

TPM-equipped firewalls that are managed by SMC no longer lose their communications with SMC when a connecting package is re-imported.

TPM health indicator

Support reference 86012

The TPM health indicator is operational once again. This regression appeared in SNS version 4.8.5.

Memory leaks

Support reference 86009

On firewalls that are managed by SMC, a memory leak issue has been fixed. This regression appeared in SNS version 4.8.4.

Multicast routing

Support reference 85614

Previously, firewalls that received multicast traffic from a PIM router used as an RP (rendezvous point), and which lost the connection with this router, would no longer forward traffic after reconnecting to the router. This issue has been fixed.

Virtual Pay As You Go (PAYG) machines

Support reference 85987

Since SNS version 4.8.0, virtual PAYG machines with expired licenses could no longer set up more than 1,000 connections, even after renewing their licenses. This issue has been fixed.

Intrusion prevention engine

Black list

Support reference 85782

The maximum number of blacklisted IP addresses is now applied, and can no longer be exceeded.

IPS connections

Support reference 85716/85718

When one or several sub-networks are used, the intrusion prevention system no longer blocks IPS connections when the protocol alarm "Packet for destination on the same interface" (ip:95) is set to Allow.

DCERPC protocol

Support reference 85661

Previously, when connections that were launched with the DCERPC protocol failed, the intrusion prevention system would not correctly release ports. This issue has been fixed.

Hosts

Previously, the maximum number of reserved hosts and the number of hosts in general were the same, which could affect the firewall's performance. This issue has been fixed.

Broadcast mode

Support reference 85763

The management of fragmented packets that are sent over a bridge in broadcast mode has been improved to prevent any further blocking.

Web administration interface

Inspection profile

Inspection profiles can now be renamed, copied and edited in the General configuration tab in Configuration > Application protection > Inspection profiles.

In addition, a Profiles tab gives an overview of the profiles and protocols that are associated with them.

Protocols - Filtering in the Sandboxing tab

The filtering feature in the Sandboxing tab for HTTP/SMTP/POP3 and IMAP protocols, and in the SSL protocol's certification authority grid, is now operational once again. This regression appeared in SNS version 4.8.0.

Network traffic

Support reference 85937

IP addresses can be blacklisted once again, by right-clicking on them in Monitoring > Network traffic.

Printing information on temporary accounts

Support reference 85946/85962

The contents of the temporary account information print page can now be read again. This regression appeared in SNS version 4.8.0.

SSL VPN portal

Support reference 85920

Now, when Access only to application servers in Configuration > VPN > SSL VPN portal is selected, the SSL VPN remains enabled. This regression appeared in SNS version 4.8.0.

Static DHCP interface

Support reference 85534

DHCP interfaces can no longer be made static when a DNS name object or the associated Firewall_ifname_router object is used in a filter or NAT rule, as doing so would prevent the firewall from loading the filter or NAT policy.