Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the "How to update my SSD Firmware" article in the Stormshield Knowledge Base (authentication required).
Version 4.0.3 bug fixes
IPsec VPN (IKEv1)
Support reference 75824
Whenever a remote peer switched to its backup peer (designated as the “Backup configuration”), the IKE daemon would sometimes restart unexpectedly and shut down open IPsec tunnels. This anomaly has been fixed.
GRETAP and IPsec
Support reference 76066
The system command ennetwork -f no longer causes the firewall to reboot in a loop in configurations containing GRETAP interfaces that communicate through IPsec tunnels.
A new certificate for signing compiled Java JAR files has been installed. It replaces the former certificate, which is due to expire soon (05/24/2020).
SN910 model firewalls
Support reference 76528
After an upgrade of the firewall from an SNS 3.9.x version to an SNS 4.0.x version, the ports of IX interfaces were no longer in the right order on SN910 firewalls equipped with an IX card.
An automatic mechanism has been set up to restore the order of ports.
Daemon shutdown time
Support reference 74990
In some rare cases, a daemon would shut down after a certain duration and prevent the firewall from completing its update. This duration has been shortened to allow the firewall update to run properly.
Support references 73816 - 75634 - 75958
Devices that use Intel Wireless-N 7260 or Qualcomm Atheros AR6004 802.11a/b/g/n Wi-Fi cards would occasionally encounter connectivity issues on the firewall’s Wi-Fi. This anomaly has been fixed.
The analysis of the Status field in TDS (Tabular Data Stream) packets no longer wrongly raises the alarm "TDS: invalid protocol" (alarm tds:423).
The analysis of NB-CIFS traffic from Microsoft Windows hosts no longer wrongly raises the alarm "Invalid NBSS/SMB2 protocol" (alarm nb-cifs:157).
Authentication via SASL (Simple Authentication and Security Layer) now supports the NTLMSSP protocol, and therefore no longer generates errors when analyzing LDAP traffic that uses this protocol.
NTP packets that present a zero origin timestamp no longer wrongly raise the alarm "NTP: invalid value" (alarm ntp:451).
Support references 72754 - 74272
The DNS protocol analysis has been modified to reduce the number of false positives from the "DNS id spoofing" alarm (alarm dns:38).
Web administration interface
Access to private data (logs)
To get back full access to logs (private data), click directly on the message “Logs: Restricted access” in the upper banner.
Support reference 76069
When an external LDAP directory is set as the default directory, the name of this directory is no longer wrongly replaced with NaN when its parameters are modified.
Support reference 76497
The IP addresses of interfaces 11 and up were replicated on the second interface of the firewall, displaying wrong information as a result. This anomaly has been fixed.
During the configuration of the RADIUS authentication method, the “Pre-shared key” fields were not applied. This anomaly has been fixed.