SNS 4.3.18 LTSB bug fixes
NOTE
The fix added in version 4.3.17 LTSB regarding memory leaks in the monitoring management engine has been removed. It will be reviewed and included in a future version.
System
IPsec VPN
Support reference 84823
The half_open_timeout parameter can now be customized with the CLI / Serverd command CONFIG IPSEC UPDATE HalfOpenTimeout=<value> (30 seconds by default).
This parameter sets the timeout after which incomplete IKE associations are deleted (for example, a pending IPsec client authentication).
IPsec VPN - IKEv1 - Authentication by certificate and XAuth
Support reference 84775
When an IPsec IKEv1 tunnel with certificate and XAuth authentication is set up, the groups of the users are now correctly recorded in the tables of the intrusion prevention engine. The use of groups in filtering rules works properly again. This regression appeared in version SNS 4.2.
Certificates and PKI
Support reference 80053
The custom attributes set when a sub-certification authority (organization, organizational unit and state) or server identity (organization, organizational unit and location) is created are no longer wrongly replaced by the parent authority's attributes when they are different.
SN2100 and SN3100 firewall models - Updating firmware on SSD disks
To prevent SSD disks from potentially malfunctioning on SN2100 and SN3100 model firewalls, a firmware update for these disks is automatically applied when the firewall is updated to SNS version 4.3.18 LTSB or higher. Reminder: this update has already been applied since SNS version 3.4.15 to the firewall models listed in the section Version 4.3.15 bug fixes.
SSH connection over the firewall
Support reference 85106
Adding an SSH banner would cause an error in the configuration of the firewall's SSH server. This anomaly has been fixed.
Filter - NAT
The use of the "different from" comparison operator (icon or "!=") in a filter rule would result in the wrong address range being generated for the rule in question.
sfctl command
Support reference 84362
Changing the size of the window that displays the results of the sfctl -T command while data is being refreshed no longer causes segmentation errors that stop the sfctl -T command from functioning.
Intrusion prevention engine
High availability - SCTP protocol
Support reference 85130
An issue was fixed in the bulk update mechanism in established SCTP associations. This issue occurred after the passive firewall was restarted.