SNS 4.3.15 bug fixes

System

Dynamic NAT and DHCP for outgoing interfaces

Support reference 83297

When filter rules were reloaded in the intrusion prevention engine, if there was among them a dynamic NAT rule associated with the use of DHCP to define the addresses of outgoing interfaces, it would cause the firewall to freeze. This issue has been fixed.

Updating firmware on SSD disks

Support reference 84295

To prevent SSD disks from potentially malfunctioning, a firmware update of such disks is automatically applied when the following firewall models are updated to SNS version 4.3.15:

  • SN510, SN710 and SN910 equipped with a 256 GB Innodisk SSD 3TE7,
  • SN1100 equipped with a 512 GB Innodisk SSD 3TE7,
  • SN3000 with the BIG DATA option (equipped with a 1 TB Innodisk SSD 3TE7).

Updates - Static routing

Support reference 84716

When a firewall is updated to SNS version 4.3 from a configuration that contains a static route based on a nonexistent route, route reloading no longer stops after this faulty route is processed: the routes that follow it are once again correctly inserted into the routing tables.
This regression appeared in SNS version 4.3.

QoS

The maximum length allowed for the name of a QoS queue that the intrusion prevention engine uses for detections is now the same as for standard QoS queues (31 characters maximum).

Deleting QoS queues

Checks have been added to prevent QoS queues from being deleted when they are used in the firewall configuration.

Hardware management - SN160(W), SN210(W) and SN310 model firewalls

Support references 82933 - 84307

When an SN160(W), SN210(W) or SN310 model firewall is powered down, an anomaly in the order in which the hardware management mechanisms were shut down prevented the Online LED from switching off. This anomaly, which could give the false impression that the firewall had not been correctly shut down, has been fixed.

Inactive Ethernet interface with a forced MAC address and attached VLAN

Support reference 80970

When forcing the MAC address of an Ethernet interface that is parent to a VLAN, the VLAN would not inherit the forced MAC address. This anomaly has been fixed.

Network interfaces - routing

Support reference 84706

When the network configuration is reloaded, the routes attached to the interfaces configured in DHCP no longer disappear for several seconds. This regression appeared in SNS version 4.3.

High availability - SNMPv3

Support reference 84500

SNMP parameters (including AuthoritativeEngineID in SNMPv3) are now automatically synchronized as soon as a cluster is created and every time roles are switched in this cluster. The purpose of this synchronization is to stop causing errors on some SNMP monitoring tools.

High availability - Configurations containing several hundred VLANs

Support reference 84522

In some high availability configurations containing several hundred VLANs, requests to show the high availability status will no longer cause abnormally excessive CPU consumption.

Processing of fragmented packets

Support reference 83882

In configurations that handle a high volume of traffic, an issue with buffer management during the processing of fragmented packets has been fixed. This issue caused the firewall to freeze unexpectedly.

Renaming nested object groups

Support reference 81223

Attempts to rename a group included in a group, which is itself included in another group, would fail and cause the system error "The object is included in one or several group(s)". Since the new name of the group was not applied in the object database, any filter rule using the renamed group would then become invalid. This issue has been fixed.

System report (sysinfo)

Support references 84211 - 84210

Checks to confirm whether verbose mode has been enabled/disabled for BIRD, BIRD6 and the global VPN policy have been added to the system report generator (accessible from Configuration > Maintenance Configuration tab).

TLS connection to a syslog server

Support reference 84831

In the SSL negotiation phase, there is now an idle timeout for when the firewall attempts to connect to a syslog server in TLS. With this addition, the firewall's log management mechanism will no longer freeze unexpectedly when the syslog server fails to respond during the SSL negotiation phase.

Advanced antivirus

The new Advanced antivirus license can now be effectively enabled on firewalls that have always used ClamAV; the system message "Not available with this license" no longer appears by mistake.

IPsec VPN

Support reference 84611

A configuration token RemoteFetch has been added to the CLI/Serverd command CONFIG IPSEC UPDATE. When this token is set to "0", you can simultaneously:

  • Disable the retrieval of remote CRLs on the IPsec tunnel manager when a tunnel is being set up, and
  • Disable the OCSP mechanism in the IPsec tunnel manager.

This will prevent an unnecessary wait of several seconds for IPsec tunnels to set up when there are no CRL distribution points (CRLDPs) or none have been configured.

More information about the CLI/Serverd command CONFIG IPSEC UPDATE.

Support references 82578 - 84680

Issues with concurrent access, which caused instability in IPsec tunnels, have been fixed. These issues prevented effective tunnel monitoring and generated entries such as "job load of XXX exceeds limit of YY" in IPsec VPN logs.

In configurations where IPsec tunnels go through a PPPoE (dialup) modem, the IPsec tunnel manager would not restart after the dialup was reloaded or after the firewall restarted.
This regression, which first appeared in SNS version 4.3, has been fixed.

DHCP - Default route

Support reference 84545

When the firewall obtains an IP address for one of its interfaces via a DHCP server that uses the option routers x.x.x.x, the firewall no longer loses its default route if the relevant DHCP lease expires and is not renewed (due to an unreachable DHCP server, for example).

Authentication

Support reference 84358

Whenever a user enters the wrong password during attempts to connect to the captive portal or via SSL VPN Client, the system event "LDAP unreachable Bind error" will no longer be generated.

RADIUS authentication - Configuration with a backup RADIUS server

Support reference 84555

Under certain circumstances, a double RADIUS authentication request would be sent simultaneously to the main RADIUS server and backup RADIUS server. This anomaly, which would cause the immediate rejection of the authentication attempt, has been fixed.

SSL certificate authentication

Support reference 80325

Adding the SSL certificate authentication method with the option Enable searching in several LDAP directories, and applying this change, then deleting the same authentication method, no longer blocks the connection to the firewall's web administration interface or the captive portal.

IPFIX collector - Firewall interface numbers

Support reference 78226

The firewall interface numbers that the IPFIX collector retrieves now match the numbers retrieved in SNMP tables.

Intrusion prevention engine

Maximum number of protected hosts

Support reference 84794

An issue with applying the change made in SNS version 4.3.10 regarding the maximum number of protected hosts has been fixed. As a result, when the firewall is updated to SNS version 4.3.15, it will automatically restart a second time if the configuration requires it.

SIP and network address translation (NAT)

Support reference 68822

In a configuration that uses NAT for SIP connections within a rule in firewall mode, when the firewall receives a second INVITE request for a connection that has already been set up, NAT will no longer malfunction and the established SIP connection will no longer shut down unexpectedly.

TLS 1.3 protocol

Support reference 84674

To avoid mistakenly blocking certain streams of TLS 1.3 traffic, the mechanism that analyzes TLS 1.3 certificates on SSL servers is now automatically disabled when a firewall is migrated from a version lower than SNS 4.3 to a version higher than or equal to SNS 4.3.15. It is also disabled by default in the incoming SSL analysis profile SSL_00 for firewalls in factory configuration in version 4.3.15 or higher.

The mechanism that analyzes TLS 1.3 certificates on SSL servers can be enabled again once its effects are assessed in Configuration > Application protection > Protocols > SSL.

Reloading the network configuration

Support references 84522 - 84198

The mechanism that reloads the network configuration (especially when no changes are made to the configuration) has been optimized to shorten reloading time, and reduce associated CPU consumption and the duration of the firewall's downtime during such operations.

Web administration interface

Filtering with QoS - HTML tags in warning messages

The warning message that appears after enabling or disabling a filter rule that refers to a deleted QoS queue contained HTML tags by mistake. This anomaly has been fixed.