SNS 4.3.10 bug fixes

System

IPsec VPN - Router objects

Support reference 82369

In configurations where IPsec VPN tunnels were set up through a router object, switching from one gateway to another within this router object could prevent some IPsec VPN tunnels from being automatically set up again. This regression, which first appeared in SNS version 4.2, has been fixed.

Quality of Service (QoS)

Issues relating to packet loss in traffic shapers configured with low bandwidth have been fixed.

Whenever traffic went through a default QoS queue, return packets would not take the same queue. This issue, which caused packet loss, has been fixed.

The maximum length allowed for queue names in the CLI/Serverd command CONFIG OBJECT QOS QID REMOVE has been raised from 20 to 32 characters. Using this command therefore no longer causes issues when handling queue names that exceed 20 characters.

The parallel processing of priority-based queues (PRIQ) no longer blocks other such queues when one of them saturates an interface.

Disabling then enabling QoS again with the command sfctl (sfctl -q 0 && sfctl -q 1) no longer prevents QoS queues from being processed.

Quality of Service (QoS) - Monitoring

Support reference 84509

In configurations that have more than 32 interfaces (physical, VLAN, etc.), the command used while monitoring QoS could cause the SNS firewall to freeze. This regression, which first appeared in SNS version 4.3, has been fixed.

Static routing and IPsec VPN tunnels

Support reference 84367

In configurations with a static route that passes through the IPsec interface, reloading the filter policy would disconnect traffic passing through the IPsec VPN tunnel. This regression, which first appeared in SNS version 4.3, has been fixed.

SSL traffic towards the SNS firewall

Support reference 84264

As TLS 1.2 is the lowest protocol version that can be used for SSL traffic towards the SNS firewall, the configuration tokens corresponding to SSL v3, TLS v1.0 and TLS v1.1 have been removed from the configuration file of the SSL protocol so that they cannot be used.

SSL proxy

Support reference 84524

In configurations that contain an SSL decryption rule and an SSL filter rule set to “Do not decrypt”, the proxy of the SNS firewall could wrongly exclude one of the TLS extensions negotiated between the client and the proxy. This issue, which made it impossible to set up connections corresponding to this TLS extension, has been fixed.

Admin account passwords containing UTF-8 characters

Support references 81324 - 80974 - 82761 - 84322 - 84503

Whenever the password of the admin account contained UTF-8 characters (e.g., the € character), it could no longer be changed in the web administration interface. This regression, which first appeared in SNS version 4.1, has been fixed.

Removal of a network interface alias

Support reference 79663

Checks have been added to prevent interface aliases from being deleted when they are used in the configuration of the SNS firewall.

High availability (HA) - Synchronization

Support reference 83721

Anomalies that may cause excessive memory consumption have been fixed in the mechanism that synchronizes the HA configuration.

USB devices/4G modems - Huawei E3372h-320

Support reference 84253

Fixes have been included to support version 10 of the firmware on Huawei E3372h-320 USB devices/4G modems.

Logs

Support reference 82287

The size of the log processing queue and the memory allocated to this process have been increased to minimize the risk of losing logs when the SNS firewall handles a high volume of traffic.

SNMP agent - link aggregation

Support reference 82991

When a physical link was lost in an aggregate, "aggregate link down" SNMP traps could sometimes get lost, and were not re-sent over the other physical links in the aggregate. This issue has been fixed.

Intrusion prevention engine

HTTP protocol

Support reference 84292

An issue regarding the HTTP protocol analysis, which would cause the SNS firewall to freeze, has been fixed.

Maximum number of protected hosts

Support reference 84537

An issue regarding the maximum number of protected hosts, which would arise when an SNS firewall was updated to version 4.3.7 or higher, has been fixed.

Competing access

Support reference 84486

An issue with competing access between two mechanisms on the intrusion prevention engine, which could cause the SNS firewall to freeze and disconnect its network access, has been fixed.