SNS 4.3.18 LTSB bug fixes

NOTE
The fix added in version 4.3.17 LTSB regarding memory leaks in the monitoring management engine has been removed. It will be reviewed and included in a future version.

System

IPsec VPN

Support reference 84823

The half_open_timeout parameter can now be customized with the CLI / Serverd command CONFIG IPSEC UPDATE HalfOpenTimeout=<value> (30 seconds by default).

This parameter sets the timeout after which incomplete IKE associations are deleted (for example, a pending IPsec client authentication).

IPsec VPN - IKEv1 - Authentication by certificate and XAuth

Support reference 84775

When an IPsec IKEv1 tunnel with certificate and XAuth authentication is set up, the groups of the users are now correctly recorded in the tables of the intrusion prevention engine. The use of groups in filtering rules works properly again. This regression appeared in version SNS 4.2.

Certificates and PKI

Support reference 80053

The custom attributes set when a sub-certification authority (organization, organizational unit and state) or server identity (organization, organizational unit and location) is created are no longer wrongly replaced by the parent authority's attributes when they are different.

SN2100 and SN3100 firewall models - Updating firmware on SSD disks

To prevent SSD disks from potentially malfunctioning on SN2100 and SN3100 model firewalls, a firmware update for these disks is automatically applied when the firewall is updated to SNS version 4.3.18 LTSB or higher. Reminder: this update has already been applied since SNS version 3.4.15 to the firewall models listed in the section Version 4.3.15 bug fixes.

SSH connection over the firewall

Support reference 85106

Adding an SSH banner would cause an error in the configuration of the firewall's SSH server. This anomaly has been fixed.

Filter - NAT

The use of the comparison mathematical operator "different from" (icon or "!=") in a filter rule would result in the wrong address range being generated for the rule in question.

sfctl command

Support reference 84362

Changing the size of the window that displays the results of the sfctl -T command while data is being refreshed no longer causes segmentation errors that cause the sfctl -T command to stop functioning.

Intrusion prevention engine

High availability - SCTP protocol

Support reference 85130

An issue was fixed in the bulk update mechanism in established SCTP associations. This issue occurred after the passive firewall was restarted.