Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Version 4.0.1 bug fixes
IPsec VPN (IKEv1 + IKEv2)
Support reference 73584
In configurations that use both IKEv1 and IKEv2 peers, the UID (LDAP) and CertNID fields used for authentication are now applied, so user privilege checks for IPsec tunnel setup are no longer ignored.
Support reference 72290
On firewalls that host both IKEv1 and IKEv2 peers, the groups of users who set up mobile IKEv1 tunnels with certificate authentication and XAUTH are now taken into account.
Automatic backups - Cloud Backup
Support reference 73218
Configurations backed up in Cloud Backup can now be restored again.
System - Time zone
Support reference 69833
The Europe/Moscow time zone on the system has been updated to fix a time difference of one hour.
For firewalls equipped with IXL cards:
- Fiber 4x10Gbps and 2x40Gbps network extension modules for SN2100, SN3100 and SN6100 models,
- 4x10G BASE-T modules for SN710, SN910, SN2000, SN2100, SN3000, SN3100 and SN6100 models,
- Fiber 10Gbps onboard ports on SN6100 models.
Support reference 73005
A latency issue that could affect firewalls connected through an IXL card to third-party equipment has been fixed.
Support reference 72957
To prevent some negotiation issues related to the automatic detection of media speed, the media speed of IXL network cards can now be set manually from the available values in the Network > Interfaces module.
Filter - NAT
The fields Force source packets in IPsec, Force return packets in IPsec and Synchronize this connection between firewalls (HA) have been added to the CSV export of filter and NAT rules.
When an alias is added to an existing network interface, firewalls in an HA cluster no longer switch over.
High availability - IPsec VPN
Support reference 74860
In line with how the high availability (HA) mechanism operates, the anti-replay counters of the Security Association Database (SAD) are sent to the passive firewall, and the sequence numbers are incremented along the way.
Whenever the passive firewall detected IPsec traffic in an HA configuration (e.g. monitoring frames from virtual IPsec interfaces), it would in turn send incremented sequence numbers back to the active firewall.
Because of these successive increments, the sequence numbers would quickly reach the maximum allowed value, which wrongly triggered IPsec anti-replay protection and blocked traffic going through the tunnels. This issue has been fixed.
High availability and monitoring
Support reference 73615
A memory leak has been fixed in high availability configurations with monitoring enabled.
Initial configuration via USB key
Support reference 73923
Firmware can now be updated again via USB key.
Authentication by certificate
A content check is now applied to some of the parameters used when creating cookies.
Support reference 74730
When the firewall was restarted with the report database enabled, an anomaly caused several error messages to appear in the console:
checkdb: Missing database file: /var/db/reports/reports.db
enreport: checkdb: Unable to restore the reports database
enreport: Unable to mount the reports database.
This anomaly has been fixed.
Serial port - File editors
Support reference 72653
A display bug that occurred when using the Joe/Jmacs editors over a serial link has been fixed.
Support reference 73591
Enabling verbose mode on the intrusion prevention engine for some protocols (DCE RPC, Oracle, etc.) no longer causes the firewall to reboot unexpectedly.
Web administration interface
Support references 73316 - 73201
In the Network > Routing module, the IPsec interface can now be selected again during the definition of a static route.
Support reference 73404
Accented characters in the comments of network objects no longer prevent the pages of the web administration interface from loading correctly.
DHCP - Server
Support reference 73071
A warning message now indicates that IP address reservations cannot be added while a display filter is enabled.
DHCP - Relay
Support reference 72951
Network interfaces specified for relaying DHCP requests were replaced with the default value (automatic) after quitting and reopening the DHCP module. This anomaly has been fixed.
Support references 68883 - 72034 - 72125 - 73404
A bug in the conversion of special characters (e.g. Asian or accented characters) to UTF-8 generated XML errors and prevented the affected modules, such as filtering and NAT, from being displayed. This anomaly has been fixed.
Certificates and PKI
Support reference 74111
CRLs containing several thousand revoked certificates would fail to display correctly on some firewall models. This issue has been fixed: only the first 1000 items are now displayed.
Support reference 74337
During the configuration of the SNMPv3 server, both encryption algorithm buttons would stay active even after a selection had been made. This anomaly has been fixed.
Support reference 71166
The firewall did not take into account the information entered in the Allowed UNIT IDs table (Application protection > Protocols > Industrial protocols > Modbus > General settings), and this information no longer appeared in the table after quitting the module.