SNS 4.0.3 bug fixes

System

IPsec VPN (IKEv1)

Support reference 75824

Whenever a remote peer switched to its backup peer (designated as the “Backup configuration”), the IKE daemon would sometimes restart unexpectedly and shut down open IPsec tunnels. This anomaly has been fixed.

GRETAP and IPsec

Support reference 76066

The system command ennetwork -f no longer causes the firewall to reboot in a loop in configurations containing GRETAP interfaces that communicate through IPsec tunnels.

SSL VPN

A new certificate for signing compiled Java JAR files has been installed. It replaces the former certificate, which is due to expire soon (05/24/2020).

SN910 model firewalls

Support reference 76528

After an upgrade of the firewall from an SNS 3.9.x version to an SNS 4.0.x version, the ports of IX interfaces were no longer in the right order on SN910 firewalls equipped with an IX card.

An automatic mechanism has been set up to restore the order of ports.

Daemon shutdown time

Support reference 74990

In some rare cases, a daemon would shut down after a certain duration and prevent the firewall from completing its update. This duration has been shortened to allow the firewall update to run properly.

Network

Wi-Fi network

Support references 73816 - 75634 - 75958

Devices that use Intel Wireless-N 7260 or Qualcomm Atheros AR6004 802.11a/b/g/n Wi-Fi cards would occasionally encounter connectivity issues on the firewall’s Wi-Fi. This anomaly has been fixed.

Intrusion prevention

TDS protocol

The analysis of the Status field in TDS (Tabular Data Stream) packets no longer wrongly raises the alarm "TDS: invalid protocol" (alarm tds:423).

NB-CIFS protocol

The analysis of NB-CIFS traffic from Microsoft Windows hosts no longer wrongly raises the alarm "Invalid NBSS/SMB2 protocol" (alarm nb-cifs:157).

LDAP protocol

Authentication via SASL (Simple Authentication and Security Layer) now supports the NTLMSSP protocol, and therefore no longer generates errors when analyzing LDAP traffic that uses this protocol.

NTP

NTP packets that present a zero origin timestamp no longer wrongly raise the alarm "NTP: invalid value" (alarm ntp:451).

DNS protocol

Support references 72754 - 74272

The DNS protocol analysis has been modified to reduce the number of false positives from the "DNS id spoofing" alarm (alarm dns:38).

Web administration interface

Access to private data (logs)

To get back full access to logs (private data), click directly on the message “Logs: Restricted access” in the upper banner.

Directory configuration

Support reference 76069

When an external LDAP directory is set as the default directory, the name of this directory is no longer wrongly replaced with NaN when its parameters are modified.

Interfaces

Support reference 76497

The IP addresses of interfaces 11 and up were replicated on the second interface of the firewall, displaying wrong information as a result. This anomaly has been fixed.

Authentication

During the configuration of the RADIUS authentication method, the “Pre-shared key” fields were not applied. This anomaly has been fixed.