SNS 4.3.17 LTSB bug fixes

System

SNMP Agent

Support references 84911 - 84990

A memory leak issue has been fixed in the SNMP agent. This regression appeared in SNS version 4.3.12.

Monitoring

Support references 84989 - 85015 - 85043

Memory leaks have been fixed in the disk monitoring mechanism.

High availability (HA)

Support reference 71538

An anomaly in the mechanism that retrieves HA information may prevent such information from being displayed in the firewall's web administration interface (Monitoring > System/High availability module). The mechanism has been optimized to reduce the frequency of this anomaly.

High availability (HA) - TPM

Support references 85030 - 85031

When the password of the TPM is changed on the active member of the cluster, it is now immediately applied to the passive member to avoid a situation in which unsynchronized TPM passwords would prevent the passive member from accessing the keys of certificates protected by its TPM.

High availability (HA) - Logs

Support reference 84458

When an HA link lost a large proportion of its packets, logs wrongly reported "HA link is down" even though the link was still operational. Such a link is now reported as "HA link is faulty", so that a degraded link can be told apart from a link that is actually down.

High availability (HA) - VLAN

Support reference 84710

A configuration in which the only active HA link passes through a VLAN interface would sometimes make the cluster unavailable. This regression, which first appeared in SNS version 4.3.3, has been fixed.

IPsec VPN

Support reference 84677

When an IPsec tunnel is created, selecting the All object for remote networks no longer wrongly includes IPv6 addresses when the IPv6 option has not been enabled on the firewall.

IPsec VPN IKEv2

Support reference 84920

User certificates that carry neither the Client Authentication nor the Server Authentication Extended Key Usage (EKU) were not evaluated by user access privilege rules (Configuration > Users > Access privileges module): the IPsec tunnel negotiated for such a peer would be set up, but the filter policy would then treat the peer as invalid and block its traffic.
This issue was fixed by adding a UACForceCert configuration token: setting it to 1 forces the user access rules to evaluate such certificates; with 0, they are not evaluated, as before.
The token is set with the CLI/Serverd command CONFIG.IPSEC.UPDATE UACForceCert=<0|1>.

More information on the CONFIG.IPSEC.UPDATE command.
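The decision above hinges on which Extended Key Usage OIDs a peer certificate carries. The following is an added example, not Stormshield code: it parses a DER-encoded EKU extension value (a SEQUENCE OF OBJECT IDENTIFIER), reports whether the certificate falls into the "neither Client Auth nor Server Auth" case, and models when user access rules evaluate it depending on UACForceCert. The sample EKU values are constructed, and treating a certificate with no EKU extension at all as lacking both usages is my reading of the note, not something it states.

```python
# Added example (not Stormshield code): decide, from a certificate's
# Extended Key Usage (EKU) extension, whether the IPsec peer certificate
# carries neither the Client Authentication nor the Server Authentication
# EKU, in which case the user access rules only evaluate it when
# UACForceCert=1. The DER parser handles only what an EKU value contains
# (a SEQUENCE OF OBJECT IDENTIFIER); the sample values below are constructed.

from typing import List, Optional

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # an EKU that is neither of the above


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form (enough for id-kp OIDs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (used to build samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + body


def build_eku(oids: List[str]) -> bytes:
    """Build a DER EKU extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(_encode_oid(o) for o in oids)
    assert len(inner) < 0x80, "sample builder uses short-form length only"
    return bytes([0x30, len(inner)]) + inner


def parse_eku(der: bytes) -> List[str]:
    """Parse a DER EKU extension value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(_decode_oid(oid_body))
    return oids


def needs_uac_force_cert(eku_der: Optional[bytes]) -> bool:
    """True when the certificate has neither clientAuth nor serverAuth EKU.

    A certificate with no EKU extension at all (eku_der is None) is treated
    as lacking both; that reading of the release note is an assumption.
    """
    if eku_der is None:
        return True
    present = set(parse_eku(eku_der))
    return not ({OID_CLIENT_AUTH, OID_SERVER_AUTH} & present)


def evaluated_by_access_rules(eku_der: Optional[bytes], uac_force_cert: int) -> bool:
    """Model the fixed behaviour: such certificates are evaluated only if UACForceCert=1."""
    if uac_force_cert not in (0, 1):
        raise ValueError("UACForceCert takes 0 or 1")
    return (not needs_uac_force_cert(eku_der)) or uac_force_cert == 1


if __name__ == "__main__":
    # Constructed sample EKU values (not taken from any real certificate).
    samples = {
        "clientAuth only": build_eku([OID_CLIENT_AUTH]),
        "serverAuth+email": build_eku([OID_SERVER_AUTH, OID_EMAIL_PROTECTION]),
        "email only": build_eku([OID_EMAIL_PROTECTION]),
        "no EKU extension": None,
    }
    for name, eku in samples.items():
        print(f"{name:18} needs UACForceCert=1: {needs_uac_force_cert(eku)}")
```

To apply it to a real peer certificate, feed `parse_eku` the raw value of the extKeyUsage extension (OID 2.5.29.37) from the certificate; certificates for which `needs_uac_force_cert` returns True are the ones that stay invisible to the access privilege rules until UACForceCert is set to 1.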

IPsec VPN through a dialup default gateway

Support reference 82369

When the default gateway is based on a PPPoE modem (dialup connection), IPsec tunnels set up through this default gateway now recover correctly after the dialup connection goes down temporarily and recovers.

Monitoring

Memory leak issues have been fixed in the monitoring management engine.

SSL VPN

Support reference 84564

Whenever a listening port lower than 1024 was selected for the SSL VPN server, in particular port UDP/443, the SSL VPN server would fail to restart, and the web administration interface gave no indication that this port could not be used.
Port UDP/443 can now be selected again for the SSL VPN server.

This regression appeared in SNS version 4.3.0.

DNS resolution of dynamic objects

Support reference 84889

In configurations with several DNS servers defined, the DNS resolution mechanism for host objects with automatic (dynamic) resolution and for FQDN objects did not work correctly when only one of the DNS servers remained operational while the others were unreachable. This issue has been fixed.

Network

Bird dynamic routing

Support reference 83650

Route propagation from the Bird dynamic routing engine to the intrusion prevention engine has been sped up, so that slow route updates no longer introduce latency in the transmission of network packets.

Bridge with two LACP link aggregates

Support reference 84552

When a bridge contains two LACP link aggregates, both aggregates now carry the same MAC address as the bridge. In a cluster, this prevents the passive member from sending gratuitous ARP packets with the wrong MAC address.

Hardware

SN1100, SN2100, SN3100, SNi20, SNi40 and SNxr1200 - CPU microcode

The microcode on Intel processors that equip SN1100, SN2100, SN3100, SNi20, SNi40 and SNxr1200 model firewalls has been updated.

Intrusion prevention engine

Purging intrusion prevention engine tables

The engine has been optimized to reduce the time required to purge certain intrusion prevention engine tables and prevent the risk of packets being rejected during this operation. This issue appeared in SNS version 4.3.7.

Web administration interface

Conversion to lowercase

Support reference 84964

An anomaly in the function that converts some configuration fields to lowercase would occasionally cause the web administration interface to freeze in the module in question. This anomaly has been fixed.

Removal of an authentication method

Support reference 84411

Removing an authentication method from the list of available methods now fully erases the configuration settings of this method.

Logs

Support reference 84895

Administrators with IDs that contain an "@" character can now create an object or add one to a group from the Logs view.

SNMP Agent

Support reference 84952

The values of the Location (sysLocation) and Contact (sysContact) fields in the Configuration of MIB-II information were not in quotes whenever they contained a space. This anomaly has been fixed.

VLAN interfaces

Support reference 83873

The following sequence of actions no longer wrongly raises an error indicating that both VLANs have the same name:

  1. Create and rename the first VLAN.
  2. Do not apply configuration changes.
  3. Create and rename a second VLAN attached to the same physical interface.

Antivirus - Dashboard

After migrating a configuration to version 4.3.15 (or higher) without any filter rules that use the antivirus, the antivirus monitoring icon (Monitoring > Dashboard module) no longer remains orange by mistake with the message "Download in progress".

Filter - NAT

Support reference 84980

After a search in the logs of a filter rule (right-click on a rule and select the action Search in logs in the pop-up menu), the same operation on another filter rule no longer wrongly keeps the ID of the first rule as a search criterion.