SNS 4.3.17 LTSB bug fixes
System
SNMP Agent
Support references 84911 - 84990
A memory leak issue has been fixed in the SNMP agent. This regression appeared in SNS version 4.3.12.
Monitoring
Support references 84989 - 85015 - 85043
Memory leaks have been fixed in the disk monitoring mechanism.
High availability (HA)
Support reference 71538
An anomaly in the mechanism that retrieves HA information could prevent this information from being displayed in the firewall's web administration interface (Monitoring > System/High availability module). The mechanism has been optimized to reduce how often this anomaly occurs.
High availability (HA) - TPM
Support references 85030 - 85031
When the TPM password is changed on the active member of the cluster, the change is now immediately applied to the passive member. This avoids a situation in which unsynchronized TPM passwords prevent the passive member from accessing the keys of certificates protected by its TPM.
High availability (HA) - Logs
Support reference 84458
When an HA link lost a large number of packets, the logs would wrongly report "HA link is down" even though the link was still operational. In this situation, the logs now report "HA link is faulty".
High availability (HA) - VLAN
Support reference 84710
A configuration in which the only active HA link passes through a VLAN interface could make the cluster unavailable. This regression, which first appeared in SNS version 4.3.3, has been fixed.
IPsec VPN
Support reference 84677
When an IPsec tunnel is created, selecting the All object for remote networks no longer wrongly includes IPv6 addresses when the IPv6 option has not been enabled on the firewall.
IPsec VPN IKEv2
Support reference 84920
User certificates that carry neither the Extended Key Usage Client Auth nor the Extended Key Usage Server Auth extension were not evaluated by user access privilege rules (Configuration > Users > Access privileges module): the IPsec tunnel defined for such a peer would be set up, but the filter policy would consider the peer invalid and block its traffic.
This issue has been fixed by adding the UACForceCert configuration token: setting it to 1 forces the user access rules to evaluate such certificates.
This token can be configured with the CLI/Serverd command CONFIG.IPSEC.UPDATE UACForceCert=<0|1>
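As an added example (not Stormshield's own tooling and independent of the SNS CLI), the following POSIX shell snippet uses the openssl command line tool to check whether a user certificate carries a Client Auth or Server Auth Extended Key Usage, which is what decides whether a peer is affected by this issue and whether UACForceCert=1 is needed for it. The helper gen_test_cert only generates throwaway self-signed certificates for demonstration; the -addext option it uses requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not part of SNS or of the SNS CLI.
# Requires the openssl command line tool (1.1.1 or later for -addext).

# Print "yes" if the PEM certificate in file $1 has an Extended Key Usage
# extension that includes clientAuth or serverAuth, "no" otherwise.
# Certificates that answer "no" are the ones this fix is about: before
# 4.3.17 the user access rules skipped them unless UACForceCert=1 is set.
cert_has_auth_eku() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -Eq 'TLS Web (Client|Server) Authentication'; then
        echo yes
    else
        echo no
    fi
}

# Generate a throwaway self-signed certificate into PEM file $1.
# $2 is an optional extension in "-addext" syntax, for example
# "extendedKeyUsage=clientAuth"; leave it empty for a certificate without EKU.
gen_test_cert() {
    out="$1"; ext="$2"
    if [ -n "$ext" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-user" \
            -keyout "$out.key" -out "$out" -addext "$ext" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-user" \
            -keyout "$out.key" -out "$out" >/dev/null 2>&1
    fi
}

# Usage: report the EKU status of every PEM certificate given on the command line.
# for f in "$@"; do printf '%s: %s\n' "$f" "$(cert_has_auth_eku "$f")"; done
```

Run it against the user certificates issued by your PKI before upgrading: any certificate reported as "no" is one whose peer was being blocked by the filter policy, and which the UACForceCert token now allows the access rules to evaluate.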
IPsec VPN through a dialup default gateway
Support reference 82369
When the default gateway is based on a PPPoE modem (dialup connection), IPsec tunnels set up through this default gateway now recover correctly after the dialup connection goes down temporarily and recovers.
Monitoring
Memory leak issues have been fixed in the monitoring management engine.
SSL VPN
Support reference 84564
Whenever a listening port lower than 1024, in particular UDP/443, was selected for the SSL VPN server, the server would fail to restart, and the web administration interface displayed no message indicating that this port could not be used.
Port UDP/443 can now be selected again for the SSL VPN server.
This regression appeared in SNS version 4.3.0.
DNS resolution of dynamic objects
Support reference 84889
In a configuration with several DNS servers defined, an issue in the DNS resolution mechanism for host objects with automatic/dynamic resolution and for FQDN objects, which occurred when only one of the DNS servers remained operational while the others were unreachable, has been fixed.
Network
Bird dynamic routing
Support reference 83650
The speed at which routes are propagated from the Bird dynamic routing engine to the intrusion prevention engine has been improved, which prevents latency during the transmission of network packets.
Bridge with two LACP link aggregates
Support reference 84552
When a bridge contains two LACP link aggregates, both aggregates now have the same MAC address as the bridge. In clusters, this prevents the passive member from sending gratuitous ARP packets with the wrong MAC address.
Hardware
SN1100, SN2100, SN3100, SNi20, SNi40 and SNxr1200 - CPU microcode
The microcode on Intel processors that equip SN1100, SN2100, SN3100, SNi20, SNi40 and SNxr1200 model firewalls has been updated.
Intrusion prevention engine
Purging intrusion prevention engine tables
The engine has been optimized to reduce the time required to purge certain intrusion prevention engine tables and prevent the risk of packets being rejected during this operation. This issue appeared in SNS version 4.3.7.
Web administration interface
Conversion to lowercase
Support reference 84964
An anomaly in the function that converts some configuration fields to lowercase would occasionally cause the web administration interface to freeze in the module in question. This anomaly has been fixed.
Removal of an authentication method
Support reference 84411
Removing an authentication method from the list of available methods now fully erases the configuration settings of this method.
Logs
Support reference 84895
Administrators with IDs that contain an "@" character can now create an object or add one to a group from the Logs view.
SNMP Agent
Support reference 84952
The values of the Location (sysLocation) and Contact (sysContact) fields in the Configuration of MIB-II information were not enclosed in quotes when they contained a space. This anomaly has been fixed.
VLAN interfaces
Support reference 83873
The following sequence of actions:
- Create and rename the first VLAN.
- Do not apply configuration changes.
- Create and rename a second VLAN connected to the same physical interface.
no longer wrongly raises an error indicating that both VLANs have the same name.
Antivirus - Dashboard
After migrating a configuration to version 4.3.15 (or higher) without any filter rules that use the antivirus, the antivirus monitoring icon (Monitoring > Dashboard module) no longer remains orange by mistake with the message "Download in progress".
Filter - NAT
Support reference 84980
After a search in the logs of a filter rule (right-click on a rule and select the action Search in logs in the pop-up menu), the same operation on another filter rule no longer wrongly keeps the ID of the first rule as a search criterion.