SNS 4.2.1 bug fixes
System
Configuration backups - Trusted Platform Module (TPM)
Support reference 79671
During the backup of a configuration with the privatekeys parameter set to none (this parameter can only be modified via CLI/Serverd command: CONFIG BACKUP), private keys stored in ondisk mode on the TPM are no longer wrongly decrypted.
Support reference 79671
Multiple configuration backups can no longer be launched simultaneously or too close apart, so private keys stored in ondisk mode on the TPM will no longer be wrongly decrypted.
High availability
The option Reboot all interfaces during switchover (except HA interfaces) has been optimized in high availability configurations. It informs third-party network connection devices (switches, etc.) any time members of the cluster switch roles. This option is no longer enabled on link aggregates when the option Enable link aggregation when the firewall is passive is selected.
The errors that occur when the passive member of the cluster is updated are now correctly shown in the firewall’s web administration interface.
High availability - SSH keys
When a high availability configuration generated in version 4.2 switches to an earlier SNS version (after resetting the firewall to its factory configuration), the cluster’s SSH keys are now deleted correctly.
High availability - LDAP directory
Support reference 78461
An anomaly during the synchronization of LDAP data, due to errors in managing the special character “\” when it is used in the password to access the directory, made this LDAP directory inoperable. This anomaly has been fixed.
High availability - Synchronizing objects
Support reference 77441
The mechanism that synchronizes objects between members of the cluster would stop operating whenever the DNS server that resolved FQDN objects did not accept TCP-based DNS requests. This anomaly has been fixed.
Proxies
Support reference 79204
Issues with memory leaks on proxies have been fixed.
Support references 79957 - 80108 - 79952
Configurations that use multi-user authentication would sometimes fail to fully load web pages that embed CSP (content-security-policy) directives. This anomaly has been fixed.
Support reference 79858
An issue with competing access when saving new connections via the proxy has been fixed. This issue would cause the firewall to unexpectedly shut down and switch the roles of the members in a high availability configuration.
SMTP proxy
Support reference 78196
The proxy would sometimes restart unexpectedly after queuing e-mails and receiving an SMTP 421 error from the server. This anomaly has been fixed.
Support reference 77586
When the SMTP proxy is enabled together with SSL decryption of outgoing traffic and antivirus analysis on SMTP traffic (with the action Pass without analyzing for the options When the antivirus analysis fails and When data collection fails in the SMTP protocol analysis settings), the same events will no longer be wrongly logged multiple times in the l_smtp file.
HTTP proxy
Support reference 79584
In configurations that meet all the following conditions:
- HTTP proxy is used,
- Kaspersky antivirus is enabled,
- URL filtering is enabled.
Sending several HTTP requests through an internet browser within the same TCP connection (pipelining) no longer causes the proxy to suddenly restart.
SNMP agent
Support references 77226 - 78235
The OID "SNMPv2-MIB::sysObjectID.0", which made it possible to identify the type of device queried, presented the default net-snmp value instead of the Stormshield value. This anomaly has been fixed.
Support references 77787 - 78693 - 77779 - 78164 - 78967
Excessive memory consumption issues that caused the SNMP agent service to unexpectedly shut down have been fixed.
Support reference 78761
SNMP informRequest messages are now considered valid SNMP requests and no longer raise the blocking alarm “Invalid HTTP protocol” (snmp:388).
Directory configuration
Support references 70940 - 71329 - 75280 - 77783
The maximum length of the character string that represents the subject of the certificate imported to allow the SSL connection to the internal LDAP directory has been raised from 128 to 256 characters.
IPsec VPN
Support references 78593 - 73609
In IPsec topologies deployed via SMC, peer certificates were not displayed in the firewall’s IPsec configuration.
As such, the administrator would sometimes select a certificate again for the peer, making the IPsec configuration ineffective. This issue has been fixed.
IPsec VPN - Implicit filter rules
Support reference 77096
The implicit “Allow ISAKMP (UDP port 500) and the ESP protocol for IPsec VPN peers” filter rule now allows IPsec traffic initialized by internal loopback interfaces.
IPsec VPN - Peer names
Peer names longer than 44 characters no longer prevent the setup of the IPsec tunnels concerned.
Host reputation
Support reference 77080
Invalid objects in the list of hosts whose reputations are monitored no longer cause a system error during attempts to reload the proxy.
Filtering and NAT
Support reference 78647
Exporting NAT/filter rules in CSV format would wrongly generate the "Any" value for the "#nat_to_target" field in the export file, in cases where filter rules were not associated with any NAT rules. This anomaly would then prevent such CSV files from being imported into SMC if the filter rules concerned had a “Block” rule.
Support reference 76700
When there were configuration errors in the filter policy, the firewall would not load any filter rules (including implicit rules) when it restarted and blocked all traffic as a result. This issue, which required access to the firewall in serial console/VGA in order to enable a working policy, has been fixed.
Support reference 79526
Whenever a group contained 128 or more objects with at least one that had a forced MAC address, rules that used this group would no longer be applied when traffic matched them. This anomaly has been fixed.
Support references 79533 - 79636 - 80412 - 80376
When a time object was enabled or disabled, the re-evaluation of connections that match the filter rule containing this time object no longer causes the firewall to unexpectedly restart.
Support reference 79311
NAT rules that specified a destination IP address and/or destination port for the traffic after translation did not function through an IPsec tunnel. This anomaly has been fixed.
SSL VPN
During attempts to set up an SSL VPN tunnel with a firewall on which stealth mode was disabled, the firewall no longer wrongly ignores the first packet sent by the SSL VPN client, and the tunnel can be set up correctly.
SSL VPN tunnel monitoring
Support reference 77801
Names of users connected via SSL VPN were displayed in plaintext in these tunnels’ monitoring module, even when the connected administrator did not have privileges to access personal data. This anomaly has been fixed.
Authentication - Temporary accounts
Support reference 79296
When the security policy on the firewall required passwords longer than 8 characters, adding, changing or deleting the authentication method for temporary accounts no longer generates a system error.
Certificates and PKI
The Certificate Revocation Lists (CRLs) entered in certificates are now downloaded together with those specified in the CAs.
Initial configuration via USB key
Support reference 75370
When several devices, such as USB keys and SD cards, are connected, only the USB key will now be taken into account.
Intrusion prevention
SSL protocol
Support reference 77817
An error in the declaration of the ExtensionLength SSL protocol analysis field would wrongly raise “Invalid SSL packet” blocking alarms (ssl alarm:118) for legitimate Client Hello SSL packets. This anomaly has been fixed.
SMB v2 protocol
Support reference 78216
An anomaly in the SMB protocol analysis engine would wrongly raise the "Invalid NBSS/SMB2 protocol" alarm (nb-cifs alarm:157), blocking legitimate SMBv2 traffic as a result. This anomaly has been fixed.
SMB - CIFS protocol
Support references 77484 - 77166
Anomalies in the SMB - CIFS protocol analysis would wrongly raise the "Invalid NBSS/SMB protocol" blocking alarm (nb-cifs alarm:158) during legitimate access to shared Microsoft Windows disk resources. These anomalies have been fixed.
DNS protocol
Support reference 77256
An anomaly in the DNS protocol analysis would wrongly raise the “Possible DNS rebinding attack” blocking alarm (dns alarm:154) when a DNS server responded with an external IP address consisting of its IPv6 address concatenated with its IPv4 address (IPv4 - IPv6 mapping). This anomaly has been fixed.
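The false positive above concerns DNS answers that carry an IPv4 address in IPv4-mapped IPv6 form (::ffff:a.b.c.d). As an added illustration that is not Stormshield's analysis engine (the hypothetical function names and the sample answers are constructed), the following Python shows a rebinding check that unmaps such answers before deciding whether they point into the protected network, so a public address in mapped form is not flagged while a private one still is:

```python
import ipaddress

# Constructed sample DNS answers: (queried name, address as returned by the resolver).
SAMPLE_ANSWERS = [
    ("www.example.test", "::ffff:93.184.216.34"),   # public IPv4 in IPv4-mapped IPv6 form
    ("www.example.test", "93.184.216.34"),          # same public IPv4, plain form
    ("evil.example.test", "::ffff:10.0.0.1"),       # private IPv4 hidden in mapped form
    ("evil.example.test", "fd00::1"),               # IPv6 unique local address (private)
    ("evil.example.test", "127.0.0.1"),             # loopback
]


def canonical_address(text):
    """Parse an address; for an IPv4-mapped IPv6 address (::ffff:a.b.c.d) return the
    embedded IPv4 address, so both notations of one host are judged the same way."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def naive_is_candidate(text):
    """Check that does NOT unmap: on Python versions before 3.13 the whole ::ffff:0:0/96
    range counts as private, so a public address in mapped form is wrongly flagged.
    Kept only to show the failure mode; not used by flag_answers()."""
    addr = ipaddress.ip_address(text)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def is_rebinding_candidate(text):
    """True when a name resolves to an address inside the protected network
    (private, loopback or link-local): the DNS rebinding case worth alarming on."""
    addr = canonical_address(text)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def flag_answers(answers):
    """Return the (name, address) pairs that should raise a rebinding alarm."""
    return [(name, text) for name, text in answers if is_rebinding_candidate(text)]


if __name__ == "__main__":
    for name, text in flag_answers(SAMPLE_ANSWERS):
        print(f"rebinding candidate: {name} -> {text}")
```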
SMTP protocol
Support reference 77661
In a configuration such as the following:
- The intrusion prevention engine analyzes SMTP protocol,
- Antivirus analysis is enabled for SMTP traffic,
- Kaspersky antivirus is used on the firewall,
- A Maximum size for antivirus and sandboxing analysis (KB) has been configured.
When e-mails containing attachments that exceed the defined size are analyzed, the blocking alarm “Invalid SMTP protocol” (smtp alarm:121) is no longer wrongly raised.
FastPath mode
Support references 76810 - 77932
An issue with competing access when connection statistics were injected into the intrusion prevention engine has been fixed. This issue could cause significant CPU consumption and network packets to unexpectedly be rejected over IX interfaces (2x10Gbps and 4x10Gbps fiber modules).
Hardware
Configuration via USB key
Support references 79645 - 79283
Whenever a firewall is configured via USB key, an information message now appears in the console and a waiting period of two minutes is initiated when the USB key needs to be removed to continue ongoing operations (firmware updates, connecting a firewall to a cluster, etc.). Removing the USB key suspends the counter.
This mechanism makes it possible to prevent key decryption errors on firewalls equipped with a TPM (SN3100 and SNi20).
Virtual machines
Serial numbers of VPAYG firewalls
Support reference 76157
The high availability monitoring mechanism did not recognize serial numbers of VPAYG firewalls (serial number of the firewall, to which an extension such as "-XXXXXXXX” is added). This anomaly has been fixed.
EVA firewalls deployed over VMWare with 10Gb/s interfaces
Support reference 76546
For firewalls deployed in a VMWare infrastructure, the maximum throughput displayed for 10Gb/s interfaces that use the vmxnet3 driver is no longer wrongly limited to 10Mb/s.
Web administration interface
Interfaces
Support reference 77682
Whenever a parent GRETAP interface of a VLAN was deleted, the VLAN would be hidden from the list of interfaces even though it was still defined in the firewall configuration. This operation now leaves the VLAN visible at the root of the list of available interfaces.
Support reference 77014
The system now correctly detects the connection status of USB/Ethernet (4G) interfaces and displays it in the Configuration > Network > Interfaces module.
Interfaces - Modem configuration profiles
Administrator accounts in read-only mode could not display the configuration profiles of modems. This anomaly has been fixed.
Interfaces - GRETAP
Support reference 78800
The correct MTU is now assigned to GRETAP interfaces when they are created (1462 bytes, instead of 1500 as in the four previous versions).
Protocols
Support reference 78157
After the profile name of a protocol analysis is edited, and the configuration module is changed, the Edit menu is no longer empty when the user goes back to the edited protocol analysis module.
Protocols - BACnet/IP
The service with a confirmedTextMessage confirmation would wrongly appear twice in the Remote Device Management group (IDs 19 and 20). ID 20 is now correctly assigned to the reinitializeDevice service.
Automatic backups - Custom server
Support reference 78018
The port defined during the creation of the custom backup server appears correctly again in the URL shown in the configuration module.
Do note that the anomaly affected only the display.
Authentication - Radius method
Support reference 76824
During access to the configuration of the Radius server, if the pre-shared key field was accidentally erased, a blank pre-shared key would be entered instead of the previous value. This issue has been fixed and the firewall now refuses empty values for this field.
URL filtering - SSL filtering
Support reference 77458
The results of a URL categorization (URL filtering and SSL filtering modules) are no longer continuously displayed at the bottom of the screen when a module is changed.
Support reference 79017
Modifying several SSL filter rules or URL filter rules at the same time would generate an abnormally high number of system commands. This anomaly has been fixed.
Web objects
Support reference 76327
Immediately after a new URL or certificate category is created, clicking on the column to sort contents:
- No longer creates system errors if no other categories were selected during the creation operation,
- Does not wrongly show the contents of another category if it was selected during the creation operation.
Web objects - Object groups
Support reference 76325
The search field for groups of categories is no longer case-sensitive.
IPsec VPN
Support reference 74210
When an IPsec rule separator is added to a policy that contains more than one page of rules, the user is no longer sent back to the first page of the IPsec policy every time.
Support references 74966 - 75821
Double-clicking on an IPsec rule separator correctly opens it in edit mode, and the modification of the separator is fully functional again.
Support reference 75810
When a peer is created or modified, switching from certificate authentication to pre-shared key authentication, followed by a switch back to certificate authentication without reloading the configuration page, no longer causes system errors due to the detection of the certificate initially selected.
Support references 77246 - 77264 - 77274
When a peer with a configuration that contained errors (indicated by a message in the Checking the policy field) was created or modified, it could still be validated anyway. This anomaly, which caused an error while reloading the IPsec VPN configuration, has been fixed.
Support reference 77443
Creating, modifying or deleting a pre-shared key from the table of pre-shared keys for mobile tunnels (Configuration > IPsec VPN module > Identification tab) no longer creates a key conflict or prevents the setup of IPsec tunnels that use such keys.
IPsec VPN - Peers
Additional controls have been added to better manage the duplication, renaming or deletion of peers in the process of modification (changes not saved).
Certificates and PKI
Support reference 78965
After an external CA was imported into the PKI (this operation can only be performed in command line), it could no longer be declared as the default CA (for the SSL proxy for example), or selected when an identity was created (user, server, etc.). This anomaly has been fixed.
Aliases can now be entered (Subject Alternative Name field) when a server identity is created. The latest versions of web browsers sometimes require this field.
Captive portal
Support reference 78805
During the redirection to the authentication page, the Password field was selected by default instead of the User name field if it was empty. This anomaly has been fixed.
Filtering and NAT - Geolocation and public IP address reputation
Support reference 80980
When a geographic group or a public IP address reputation group is used in a filter/NAT rule, the tool tip that appears when the user scrolls over the group no longer wrongly displays “Object not found”.