SNS 4.2.4 bug fixes
System
SSL VPN
Support reference 78163
The browser language is now taken into account in the Stormshield SSL VPN client’s download link presented by the captive portal of the firewall that hosts this service.
Support reference 79149
Additional controls have been implemented to display an error when the Available networks field is defined by a group that contains an IP address range. Such configurations prevented the SSL VPN service from running.
Support reference 73463
The SSL VPN management engine now runs correctly with the AES-GCM encryption suites (128-, 192- or 256-bit keys) recommended by the ANSSI (French network and information security agency).
Proxies
Support reference 81624
In configurations that use multi-user authentication, the application of "img-src https://*" CSP (content-security-policy) directives would sometimes cause the proxy service to unexpectedly restart. This issue has been fixed.
Support references 79257 - 79144
In configurations that use the explicit HTTP proxy or SMTP proxy without protocol analysis, when a client connection sent the FIN flag immediately after sending a CONNECT request, the proxy would wrongly keep the log of this closed connection in memory. An accumulation of such connection logs would then consume an excessive amount of firewall memory. This issue has been fixed.
SSL proxy
Support reference 77207
The SSL proxy would sometimes restart when all of the following conditions occurred:
- An SSL filter policy applied a “Pass without decrypting” action when a CN could not be categorized,
- A connection matched this rule (“Pass without decrypting”) because the classification of the CN failed.
- A simultaneous connection to the same website was classified with the action “Block without decrypting”.
This issue has been fixed.
System events
Support reference 80426
System event no. 19 "LDAP unreachable" is activated when there are issues accessing an LDAP directory defined in the firewall configuration.
Automatic CRL verification
Support reference 82035
An anomaly during the automatic verification of CRL distribution points (CRLDP) listed in a sub-authority has been fixed. This anomaly would wrongly generate the alarm “The CRL published on the distribution point is invalid”.
Automatic verification of CRLs and external proxy
Support reference 81259
The verification of CRLs through an external proxy would occasionally not function because the port to reach the proxy was not correctly applied. This issue has been fixed.
Retrieving firmware updates and external proxy
Support references 79538 - 81331
The automatic retrieval of firmware through an external proxy would occasionally not function because the proxy was not applied. This issue has been fixed.
IPsec VPN
Support reference 77960
When IPsec VPN was used together with Path MTU Discovery (PMTUD), the Don't Fragment (DF) bit was not included in ESP packets and therefore prevented PMTUD from being used. This configuration is now supported.
Support references 81013 - 81002
When the phase 1 lifetime of a tunnel lapses, the user is no longer deleted by mistake from the firewall’s authentication tables if the other tunnels used by this user are still active.
Support reference 77477
IPsec configurations which included a NAT rule that applies to packets going to the tunnel and a QoS rule for traffic passing through this tunnel would flood the firewall’s memory and make the cluster unstable in a high availability configuration. This issue has been fixed.
IPsec VPN - Diffusion Restreinte (DR) mode
On firewalls configured in Diffusion Restreinte (DR) mode, DR encryption profiles now allow only the use of 256-bit keys for AES-GCM and AES-CTR.
An error in the implementation of ECDSA based on Brainpool 256 elliptic curves prevented IPsec tunnels in DR mode from being set up with the TheGreenBow IPsec VPN client implementing DR mode. This error has been fixed.
WARNING
Fixing this error in fact makes it impossible to set up IPsec tunnels in DR mode based on ECDSA and Brainpool 256 elliptic curves between a firewall in version SNS 4.2.1 or SNS 4.2.2 and a firewall in version SNS 4.2.4 or higher.
External LDAP directory
Support reference 81531
After an external LDAP directory was created and made accessible via a secure connection, enabling the option Check the certificate against a Certification Authority and selecting a trusted CA no longer causes an internal error on the firewall.
LDAP directory - Backup server
Support reference 80428
In an LDAP(S) configuration defined with a backup server, when:
- The firewall switched to the backup LDAP(S) server because the main server stopped responding, and
- The backup server also does not respond,
The firewall will then immediately attempt to connect to the main server again without waiting for the 10-minute timeout defined in factory settings.
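The failover behaviour described above, modelled as an added example (this is not Stormshield code): the directory servers are simulated by an injected `probe` function, and the clock is injected so the 10-minute timeout can be exercised offline. The note only states that the firewall switches to the backup when the main server stops responding and that, when the backup fails too, the main server is retried immediately; the assumption made here is that while the backup keeps responding, the main server is retried only once that 10-minute timeout has elapsed.

```python
"""Model of the LDAP(S) main/backup failover described in the SNS 4.2.4 note.

Added illustration, not Stormshield code. Servers are simulated through an
injected probe() callback and time is injected, so this runs offline.
"""
import time

# Factory-setting retry timeout quoted in the release note (10 minutes).
MAIN_RETRY_TIMEOUT = 10 * 60


class LdapFailover:
    """Tracks the active directory server and when the main one is retried."""

    def __init__(self, main, backup, probe, now=time.monotonic):
        self.main, self.backup = main, backup
        self.probe, self.now = probe, now   # probe(server) -> True if it answers
        self.active = main
        self.failed_over_at = None          # time of the switch to the backup

    def connect(self):
        """Return the server that answered, or None if both are down."""
        if (self.active == self.backup and self.failed_over_at is not None
                and self.now() - self.failed_over_at >= MAIN_RETRY_TIMEOUT):
            # Assumption: after the timeout, give the main server another try.
            self.active = self.main

        if self.probe(self.active):
            return self.active

        if self.active == self.main:
            # Main server stopped responding: switch to the backup server.
            self.active = self.backup
            self.failed_over_at = self.now()
            if self.probe(self.backup):
                return self.backup

        # The backup does not respond either (the case fixed in 4.2.4):
        # retry the main server right away instead of waiting for the timeout.
        self.active = self.main
        self.failed_over_at = None
        return self.main if self.probe(self.main) else None


if __name__ == "__main__":
    # Constructed scenario: main goes down, then the backup goes down as well.
    clock = [0.0]
    up = {"ldap-main": True, "ldap-backup": True}
    fo = LdapFailover("ldap-main", "ldap-backup",
                      probe=lambda s: up[s], now=lambda: clock[0])
    print(fo.connect())                 # ldap-main
    up["ldap-main"] = False
    print(fo.connect())                 # ldap-backup
    up["ldap-backup"], up["ldap-main"] = False, True
    print(fo.connect())                 # ldap-main, retried immediately
```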
IP address reputation and geolocation service
Support reference 81048
In some cases, the IP address reputation and geolocation service would unexpectedly shut down after concurrent access that occurs when a configuration is reloaded. Even when it was automatically restarted, service could still be disrupted. This issue has been fixed.
Support references 77326 - 77980 - 79673 - 74614 - 80572 - 80624 - 79664 - 79589
An anomaly relating to the IP address reputation and geolocation service would sometimes result in memory corruption, which would cause the firewall to unexpectedly restart. This issue has been fixed.
Initial configuration via USB key
Support reference 80866
In an initial configuration via USB key, when an additional .CSV configuration file was imported into the installation sequence, the command entered in the last line of the file was not executed. This issue has been fixed.
Captive portal
Support reference 79386
Closing the logout page of the captive portal would log the user out again, regardless of the browser used.
Authentication service
Support reference 81423
An issue during communication with an external LDAP server configured on the firewall (network issue, partial response from the server, etc.) would cause the firewall's authentication service to freeze, logging out users and preventing them from logging back in. This issue has been fixed.
SNMP agent
Support reference 81710
A memory leak issue in the management of the SNMP agent queue has been fixed.
Support references 81573 - 81588 - 81529
When the firewall receives an SNMP request, the response address that the SNMP agent uses is correct again and corresponds to the IP address of the firewall queried during this SNMP request.
Support references 82734 - 82735
Syntax errors have been corrected in STORMSHIELD-VPNSP-MIB, STORMSHIELD-VPNSA-MIB, STORMSHIELD-VPNIKESA-MIB and STORMSHIELD-ALARM-MIB MIB files.
Certificates
Support reference 82110
An anomaly in how empty OCSP fields are managed would wrongly generate the error message "XSS Protection" when the properties of the certificate in question were displayed. This anomaly has been fixed.
Hardware bypass - SNi20 model firewalls
Support reference 82241
The hardware bypass mechanism could be non-functional on some SNi20 firewalls. This problem has been fixed.
Network
Static routing and IPsec VPN
Support reference 80862
In policy-based IPsec VPN configurations (non-VTI), whenever a static route was created for the remote network via the IPsec interface, traffic was not encrypted and sent to this network as it was supposed to be. This issue has been fixed.
Multicast routing - Address translation
Support reference 80359
Multicast network traffic packets are no longer duplicated if multicast routing is applied after a destination NAT rule is applied to this traffic.
Bridge - MAC addresses
Support reference 80652
On interfaces attached to a bridge, when a network device is moved and the network traffic that it generates is no longer linked to the same physical interface, the firewall automatically maps the MAC address of the device to the new interface once a Gratuitous ARP request is received from the new device.
This switch was not correctly applied whenever the MAC address was different after the network device was moved. This anomaly has been fixed.
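A simplified model of the bridge behaviour described above, added here as an example (not Stormshield code and not the firewall's actual implementation): a gratuitous ARP (sender IP equal to target IP) received on a bridge member interface re-maps the sender's MAC to that interface and the sender's IP to that MAC. The model goes beyond the plain move by also handling the case the note is about, a device reappearing with a different MAC, where the stale MAC entry is dropped; interface names and addresses are constructed.

```python
"""Bridge MAC/ARP learning driven by gratuitous ARP, as a small model.

Added illustration, not Stormshield code. Tables are plain dicts; the packet
fields are the minimum needed to recognise a gratuitous ARP.
"""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    target_ip: str
    received_on: str      # bridge member interface the frame arrived on

    def is_gratuitous(self):
        # A gratuitous ARP announces the sender's own address: sender == target.
        return self.sender_ip == self.target_ip


@dataclass
class BridgeTables:
    mac_to_iface: dict = field(default_factory=dict)   # MAC -> interface
    ip_to_mac: dict = field(default_factory=dict)      # IP  -> MAC

    def learn(self, pkt):
        """Update both tables from a gratuitous ARP. Returns True if learnt."""
        if not pkt.is_gratuitous():
            return False
        old_mac = self.ip_to_mac.get(pkt.sender_ip)
        if old_mac is not None and old_mac != pkt.sender_mac:
            # Assumption: the IP now belongs to a different MAC (device moved
            # and changed address), so the old MAC's port mapping is stale.
            self.mac_to_iface.pop(old_mac, None)
        self.ip_to_mac[pkt.sender_ip] = pkt.sender_mac
        self.mac_to_iface[pkt.sender_mac] = pkt.received_on   # (re)map port
        return True

    def egress_for(self, ip):
        """Interface the bridge would use to reach ip, or None if unknown."""
        mac = self.ip_to_mac.get(ip)
        return self.mac_to_iface.get(mac) if mac else None


if __name__ == "__main__":
    t = BridgeTables()
    t.learn(ArpPacket("10.0.0.5", "aa:bb:cc:00:00:01", "10.0.0.5", "em1"))
    t.learn(ArpPacket("10.0.0.5", "aa:bb:cc:00:00:01", "10.0.0.5", "em2"))
    print(t.egress_for("10.0.0.5"))    # em2: same device moved to em2
    t.learn(ArpPacket("10.0.0.5", "aa:bb:cc:00:00:02", "10.0.0.5", "em3"))
    print(t.egress_for("10.0.0.5"))    # em3: new MAC, stale entry dropped
```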
Intrusion prevention
FastPath mechanism
Support reference 82078
The combination of NAT and the insertion of inappropriate routes into the tables of the intrusion prevention engine could cause inadequate use of the FastPath mechanism, causing the firewall to freeze. This issue has been fixed.
Hardware
The Intel microcode update utility for Intel network cards would occasionally fail to recognize additional cards installed on SN6100 firewalls. This anomaly has been fixed.
Monitoring
IPsec tunnels
Support reference 82043
Mobile IPsec tunnels set up and defined in Config mode now appear in the IPsec tunnel monitoring module.
Web administration interface
High availability
Support reference 80888
Changes to the minimum duration of connections that must be synchronized are now correctly applied (High availability > Advanced properties).