Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Version 4.3.15 bug fixes
Dynamic NAT and DHCP for outgoing interfaces
Support reference 83297
When filter rules were reloaded in the intrusion prevention engine, if there was among them a dynamic NAT rule associated with the use of DHCP to define the addresses of outgoing interfaces, it would cause the firewall to freeze. This issue has been fixed.
Updating firmware on SSD disks
Support reference 84295
To prevent SSD disks from potentially malfunctioning, a firmware update of such disks is automatically applied when the following firewall models are updated to SNS version 4.3.15:
- SN510, SN710 and SN910 equipped with a 256 GB Innodisk SSD 3TE7,
- SN1100 equipped with a 512 GB Innodisk SSD 3TE7,
- SN3000 with the BIG DATA option (equipped with a 1 TB Innodisk SSD 3TE7).
Updates - Static routing
Support reference 84716
When a firewall is updated to SNS version 4.3 with a configuration that contains a static route based on a nonexistent route, the reloading of routes no longer stops after this faulty route is processed: the routes that follow it are correctly inserted into the routing tables again.
This regression appeared in SNS version 4.3.
The maximum length allowed for the name of a QoS queue that the intrusion prevention engine uses for detections is now the same as for standard QoS queues (31 characters maximum).
Deleting QoS queues
Checks have been added to prevent QoS queues from being deleted when they are used in the firewall configuration.
Hardware management - SN160(W), SN210(W) and SN310 model firewalls
Support references 82933 - 84307
When an SN160(W), SN210(W) or SN310 model firewall is powered down, an anomaly in the order in which the hardware management mechanisms were shut down prevented the Online LED from switching off. This anomaly, which could give the false impression that the firewall had not been correctly shut down, has been fixed.
Inactive Ethernet interface with a forced MAC address and attached VLAN
Support reference 80970
When forcing the MAC address of an Ethernet interface that is parent to a VLAN, the VLAN would not inherit the forced MAC address. This anomaly has been fixed.
Network interfaces - routing
Support reference 84706
When the network configuration is reloaded, the routes attached to the interfaces configured in DHCP no longer disappear for several seconds. This regression appeared in SNS version 4.3.
High availability - SNMPv3
Support reference 84500
SNMP parameters (including AuthoritativeEngineID in SNMPv3) are now automatically synchronized as soon as a cluster is created and every time roles are switched in this cluster. This synchronization prevents errors on some SNMP monitoring tools.
High availability - Configurations containing several hundred VLANs
Support reference 84522
In some high availability configurations containing several hundred VLANs, requests to show the high availability status will no longer cause abnormally excessive CPU consumption.
Processing of fragmented packets
Support reference 83882
In configurations that handle a high volume of traffic, an issue with buffer management during the processing of fragmented packets has been fixed. This issue caused the firewall to freeze unexpectedly.
Renaming nested object groups
Support reference 81223
Attempts to rename a group included in a group, which is itself included in another group, would fail and cause the system error "The object is included in one or several group(s)". Since the new name of the group was not applied in the object database, any filter rule using the renamed group would then become invalid. This issue has been fixed.
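Both the check that stops a QoS queue from being deleted while a filter rule still uses it and the fix for renaming a group nested inside other groups are cases of referential integrity in the object database: every reference must be rewritten on rename, and a delete must be refused while references remain. The following is an added example that is not Stormshield code; it models a small object database (hosts, nested groups, filter rules and QoS queues, all constructed here) and shows a rename that updates references two nesting levels deep, a delete that is refused while a rule uses the queue, and the 31-character limit on queue names from this release.

```python
from dataclasses import dataclass, field

QOS_QUEUE_NAME_MAX = 31  # maximum QoS queue name length stated in the release notes


class ConfigError(Exception):
    """Raised when an operation would leave the configuration inconsistent."""


@dataclass
class ObjectDB:
    """Constructed model of a firewall object database (not the SNS format)."""
    hosts: set = field(default_factory=set)        # leaf objects
    groups: dict = field(default_factory=dict)     # group name -> set of member names
    rules: list = field(default_factory=list)      # filter rules: {"src": name, "qos": queue or None}
    qos_queues: set = field(default_factory=set)

    def add_qos_queue(self, name):
        if len(name) > QOS_QUEUE_NAME_MAX:
            raise ConfigError(f"QoS queue name longer than {QOS_QUEUE_NAME_MAX} characters")
        self.qos_queues.add(name)

    def rename_group(self, old, new):
        """Rename a group and rewrite every reference to it, including inside enclosing groups."""
        if old not in self.groups:
            raise ConfigError(f"unknown group {old}")
        if new in self.groups or new in self.hosts:
            raise ConfigError(f"name {new} already exists")
        self.groups[new] = self.groups.pop(old)
        for members in self.groups.values():      # enclosing groups, at any nesting depth
            if old in members:
                members.discard(old)
                members.add(new)
        for rule in self.rules:                   # filter rules that use the group
            if rule["src"] == old:
                rule["src"] = new

    def delete_qos_queue(self, queue):
        """Refuse the delete while any filter rule still refers to the queue."""
        users = [i for i, r in enumerate(self.rules) if r.get("qos") == queue]
        if users:
            raise ConfigError(f"QoS queue {queue} is still used by rule(s) {users}")
        self.qos_queues.discard(queue)


def dangling_references(db):
    """Return every reference that points at a name which no longer exists."""
    known = db.hosts | set(db.groups)
    bad = [("group", g, m) for g, ms in db.groups.items() for m in ms if m not in known]
    bad += [("rule-src", i, r["src"]) for i, r in enumerate(db.rules) if r["src"] not in known]
    bad += [("rule-qos", i, r["qos"]) for i, r in enumerate(db.rules)
            if r["qos"] is not None and r["qos"] not in db.qos_queues]
    return bad


def build_sample_db():
    # Constructed sample: "servers" is inside "dmz", which is inside "internal".
    db = ObjectDB()
    db.hosts = {"web1", "web2"}
    db.groups = {"servers": {"web1", "web2"}, "dmz": {"servers"}, "internal": {"dmz"}}
    db.rules = [{"src": "servers", "qos": "voice"}, {"src": "internal", "qos": None}]
    db.add_qos_queue("voice")
    db.add_qos_queue("bulk")
    return db


def demo():
    db = build_sample_db()
    db.rename_group("servers", "web_servers")  # group nested two levels deep
    try:
        db.delete_qos_queue("voice")           # still used by rule 0: must be refused
        voice_deleted = True
    except ConfigError:
        voice_deleted = False
    db.delete_qos_queue("bulk")                # unused: allowed
    try:
        db.add_qos_queue("x" * (QOS_QUEUE_NAME_MAX + 1))
        long_name_accepted = True
    except ConfigError:
        long_name_accepted = False
    return {
        "dangling": dangling_references(db),
        "voice_deleted": voice_deleted,
        "queues": sorted(db.qos_queues),
        "dmz": sorted(db.groups["dmz"]),
        "rule0_src": db.rules[0]["src"],
        "long_name_accepted": long_name_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The order in `rename_group` matters: references are rewritten in the same operation as the rename, so a failure part-way cannot leave a rule pointing at a name that no longer exists, which is exactly the state the pre-4.3.15 error left behind.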
System report (sysinfo)
Support references 84211 - 84210
Checks to confirm whether verbose mode has been enabled/disabled for BIRD, BIRD6 and the global VPN policy have been added to the system report generator (accessible from Configuration > Maintenance > Configuration tab).
TLS connection to a syslog server
Support reference 84831
An idle timeout now applies to the SSL negotiation phase when the firewall connects to a syslog server over TLS. With this addition, the firewall's log management mechanism no longer freezes unexpectedly when the syslog server fails to respond during the SSL negotiation phase.
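The failure mode above is a TLS client that blocks forever waiting for a ServerHello from a peer that accepted the TCP connection but never answers. The following added example (not Stormshield code) reproduces that situation against a constructed "silent" server on localhost and shows the mitigation: a bounded handshake timeout on the socket, so the sender returns a classified error instead of hanging. Certificate verification is switched off only because the constructed peer has no certificate; a real syslog-over-TLS client keeps it on.

```python
import socket
import ssl
import threading
import time


def start_silent_server():
    """Constructed stand-in for a hung syslog server: accepts TCP connections
    but never sends a single byte of the TLS handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        srv.settimeout(10)
        conn = None
        try:
            conn, _ = srv.accept()
            time.sleep(5)          # hold the connection open, say nothing
        except OSError:
            pass
        finally:
            if conn is not None:
                conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def send_syslog_tls(host, port, message, handshake_timeout=1.0):
    """Send one syslog line over TLS. Returns 'sent', 'handshake-timeout' or 'tls-error'.
    Passing handshake_timeout=None reproduces the freeze: do_handshake() then blocks
    indefinitely on an unresponsive peer."""
    ctx = ssl.create_default_context()
    # Assumption for this offline demo only: the constructed peer has no certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    raw = socket.create_connection((host, port), timeout=5)
    raw.settimeout(handshake_timeout)   # the idle timeout that bounds the negotiation phase
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    try:
        tls.do_handshake()
        tls.sendall(message.encode("utf-8") + b"\n")
        return "sent"
    except (socket.timeout, TimeoutError):
        return "handshake-timeout"
    except ssl.SSLError:
        return "tls-error"
    finally:
        tls.close()


def demo():
    """Connect to the silent server with a 1 s handshake timeout and report the outcome."""
    port = start_silent_server()
    started = time.monotonic()
    result = send_syslog_tls("127.0.0.1", port, "<14>fw01 test: constructed log line")
    return {"result": result, "bounded": time.monotonic() - started < 4.0}


if __name__ == "__main__":
    print(demo())
```

The point of the timeout is not to make the send succeed (it cannot, against a dead peer) but to return control to the caller so that log handling continues and the failure itself can be reported, which is the behaviour the fix restores on the firewall.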
The new Advanced antivirus license can now be effectively enabled on firewalls that have always used ClamAV; the system message "Not available with this license" no longer appears by mistake.
Support reference 84611
A configuration token RemoteFetch has been added to the CLI/Serverd command CONFIG IPSEC UPDATE. When this token is set to "0", you can simultaneously:
- Disable the retrieval of remote CRLs on the IPsec tunnel manager when a tunnel is being set up, and
- Disable the OCSP mechanism in the IPsec tunnel manager.
This will prevent an unnecessary wait of several seconds for IPsec tunnels to set up when there are no CRL distribution points (CRLDPs) or none have been configured.
Support references 82578 - 84680
Issues with concurrent access, which caused instability in IPsec tunnels, have been fixed. These issues prevented effective tunnel monitoring and generated entries such as "job load of XXX exceeds limit of YY" in IPsec VPN logs.
In configurations where IPsec tunnels go through a PPPoE (dialup) modem, the IPsec tunnel manager would not restart after the dialup was reloaded or after the firewall restarted.
This regression, which first appeared in SNS version 4.3, has been fixed.
DHCP - Default route
Support reference 84545
When the firewall obtains an IP address for one of its interfaces via a DHCP server that uses the option routers x.x.x.x, the firewall no longer loses its default route if the relevant DHCP lease expires and is not renewed (due to an unreachable DHCP server, for example).
Support reference 84358
Whenever a user enters the wrong password during attempts to connect to the captive portal or via SSL VPN Client, the system event "LDAP unreachable Bind error" will no longer be generated.
RADIUS authentication - Configuration with a backup RADIUS server
Support reference 84555
Under certain circumstances, a double RADIUS authentication request would be sent simultaneously to the main RADIUS server and backup RADIUS server. This anomaly, which would cause the immediate rejection of the authentication attempt, has been fixed.
SSL certificate authentication
Support reference 80325
Adding the SSL certificate authentication method with the option Enable searching in several LDAP directories, and applying this change, then deleting the same authentication method, no longer blocks the connection to the firewall's web administration interface or the captive portal.
IPFIX collector - Firewall interface numbers
Support reference 78226
The firewall interface numbers that the IPFIX collector retrieves now match the numbers retrieved in SNMP tables.
Intrusion prevention engine
Maximum number of protected hosts
Support reference 84794
An issue with applying the change made in SNS version 4.3.10 regarding the maximum number of protected hosts has been fixed. When the firewall is updated to SNS version 4.3.15, it will therefore automatically restart a second time if the configuration requires it.
SIP and network address translation (NAT)
Support reference 68822
In a configuration that uses NAT for SIP connections within a rule in firewall mode, when the firewall receives a second INVITE request for a connection that has already been set up, NAT will no longer malfunction and the established SIP connection will no longer shut down unexpectedly.
TLS 1.3 protocol
Support reference 84674
To avoid mistakenly blocking certain streams of TLS 1.3 traffic, the mechanism that analyzes TLS 1.3 certificates on SSL servers is now automatically disabled when a firewall is migrated from a version lower than SNS 4.3 to a version higher than or equal to SNS 4.3.15. It is also disabled by default in the incoming SSL analysis profile SSL_00 for firewalls in factory configuration in version 4.3.15 or higher.
The mechanism that analyzes TLS 1.3 certificates on SSL servers can be enabled again once its effects are assessed in Configuration > Application protection > Protocols > SSL.
Reloading the network configuration
Support references 84522 - 84198
The mechanism that reloads the network configuration (especially when no changes are made to the configuration) has been optimized to shorten reloading time, and reduce associated CPU consumption and the duration of the firewall's downtime during such operations.
Web administration interface
Filtering with QoS - HTML tags in warning messages
The warning message that appears after enabling or disabling a filter rule that refers to a deleted QoS queue contained HTML tags by mistake. This anomaly has been fixed.