SNS version 4.8.7 bug fixes
System
Proxy
Support reference 85644
Previously, an issue would prevent proxy connections from being purged, causing them to saturate. When a proxy connection ends, it will now be automatically purged after 10 seconds.
TLS proxy
Support reference 85895/85961
When sessions are cached in the TLS proxy, they would sometimes cause an unexpected shutdown of the proxy, or excessive memory consumption. This issue has been fixed.
SSL VPN portal
Support reference 85899
The SSL VPN portal can now be accessed again when a single server is configured. This regression appeared in SNS version 4.8.0.
OpenVPN
Support reference 85690
Previously, when OpenVPN searched for a certification authority (CA) group, it used a temporary path, which could cause an error while restarting. OpenVPN now uses a permanent path.
Support reference 85842
Previously, temporary files found in the folder /var/tmp/Openvpn/ were not deleted, which could eventually prevent VPN tunnels from being set up, as the maximum number of files in a folder was reached. Such files are now deleted.
IPsec VPN
Support reference 85831
The maximum number of tasks handled by the IPsec VPN tunnel manager is valid only when Denial of Service (DoS) protection is enabled. In addition, the engine no longer needs to be restarted when the limit is reached.
Support reference 85717
When IPsec VPN tunnels that use virtual interfaces (VTIs) were deployed through SMC, they were negotiated before the end of the deployment, and were not operational. This issue has been fixed.
Certificates and PKI
The firewall now correctly verifies the content of the basicConstraints extension in a certification authority's (CA) certificate.
You can configure whether to import a CA for which this extension does not have a value, by using the StrictCACheck configuration token found in the ConfigFiles > system file. When the value of this token is set to 0, this means that such CAs can be imported.
Support reference 85968
Length of the additional alarm message of the l_alarm log
Support reference 85621
The maximum number of characters for the additional alarm message of l_alarm logs is now 512 characters. Ellipses are now added to the end of messages if they are truncated.
LDAPS server
Support reference 85766
Global host objects can now be used to configure an LDAPS server.
Access port to the firewall’s web administration server
Support reference 85510
Now, when the access port to the firewall’s web administration server is changed:
-
For ports below 1024 that used to be above 1024,
-
For ports above 1024 that used to be below 1024,
New configured ports will only be taken into account after firewall is restarted. A message in the upper banner in the form of a notification will indicate that the firewall must be restarted in order to apply the new configuration.
Bypass
Support reference 85358
The suspension of the connection when a firewall is powered up again with bypass mode enabled now lasts six seconds or less.
Filter - NAT
Support reference 85713
Previously, some operational filter policies in SNS 3.11 versions would stop loading in SNS version 4.8, thereby blocking traffic that passed through the firewall. The filter policy will now load, but a warning message will appear in the confirmation of the configuration in Configuration > Security policy > Filter - NAT.
Support reference 85677
When IPv6 is enabled, an error in the filter rule optimization mechanism would occasionally make some filter rules non-operational. This issue has been fixed.
PKI
Support reference 85798
The DN of certificates created with the command PKI EST QUERY and the DN of certificates created with the commands PKI CERTIFICATE CREATE, PKI REQUEST CREATE and PKI CA CREATE are now encoded with the same encoding, which improves compatibility with special characters and third-party PKI programs.
Backup server
Support reference 86010
The name of the object that is used as the backup server can now contain up to 255 characters.
High availability (HA)
Support reference 85781/85949
Using the firewall's administration interface in a high availability cluster now no longer causes the configuration synchronization icon to blink unexpectedly. This regression appeared in SNS version 4.8.1.
High availability - Switch optimisation
Support reference 85773
Now, when Reboot all interfaces during switchover (except HA interfaces) is selected, only bridged interfaces will restart.
TPM
Support reference 85600
TPM-equipped firewalls that are managed by SMC now no longer lose their communications with SMC when a connecting package is re-imported.
TPM health indicator
Support reference 86012
The TPM health indicator is operational once again. This regression appeared in SNS version 4.8.5.
Memory leaks
Support reference 86009
On firewalls that are managed by SMC, a memory leak issue has been fixed. This regression appeared in SNS version 4.8.4.
Multicast routing
Support reference 85614
Previously, firewalls that received multicast traffic from a PIM router used as a RP, and which lost the connection with this router, would no longer forward traffic after reconnecting to the router. This issue has been fixed.
Virtual Pay As You Go (PAYG) machines
Support reference 85987
Since SNS version 4.8.0, virtual PAYG machines with expired licenses could no longer set up more than 1,000 connections, even after renewing their licenses. This issue has been fixed.
Intrusion prevention engine
Black list
Support reference 85782
The maximum number of blacklisted IP addresses is now applied, and can no longer be exceeded.
IPS connections
Support reference 85716/85718
When one or several sub-networks are used, the intrusion prevention system no longer blocks IPS connections when the protocol alarm "Packet for destination on the same interface" (ip:95) is set to Allow.
DCERPC protocol
Support reference 85661
Previously, when connections that were launched with the DCERPC protocol failed, the intrusion prevention system would not correctly release ports. This issue has been fixed.
Hosts
Previously, the maximum number of reserved hosts and the number of hosts in general were the same, which could affect the firewall's performance. This issue has been fixed.
Broadcast mode
Support reference 85763
The management of fragmented packets that are sent over a bridge in broadcast mode has been improved to prevent any further blocking.
Web administration interface
Inspection profile
Inspection profiles can now be renamed, copied and edited in the General configuration tab in Configuration > Application protection > Inspection profiles.
In addition, a Profiles tab gives an overview of the profiles and protocols that are associated with them.
Protocols - Filtering in the Sandboxing tab
The filtering feature in the Sandboxing tab for HTTP/SMTP/POP3 and IMAP protocols, and in the SSL protocol's certification authority grid, is now operational once again. This regression appeared in SNS version 4.8.0.
Network traffic
Support reference 85937
IP addresses can be blacklisted once again, by right-clicking on them in Monitoring > Network traffic.
Printing information on temporary accounts
Support reference 85946/85962
The contents of the temporary account information print page can now be read again. This regression appeared in SNS version 4.8.0.
SSL VPN portal
Support reference 85920
Now, when Access only to application servers in Configuration > VPN > SSL VPN portal is selected, the SSL VPN remains enabled. This regression appeared in SNS version 4.8.0.
Static DHCP interface
Support reference 85534
DHCP interfaces can no longer be made static when a DNS name object or associated Firewall_ifname_router object is used in a filter or NAT rule, as this would result in preventing the firewall from loading a filter or NAT policy.