SNS 4.3.20 LTSB bug fixes

System

IPsec VPN

Support references 82578 - 84680

The management of resources used for IPsec VPN has been improved to reduce entries such as "job load of XXX exceeds limit of YY" in VPN IPsec logs.

Network interfaces

Support reference 85117

The two alternative renegotiation mechanisms for IKE security associations (reauthentication and rekeying) are no longer wrongly triggered one after the other. This regression, which would sometimes cause packet loss in configurations in Diffusion Restreinte (DR) mode, appeared in SNS version 4.2.0.

Support references 84983 - 85133 - 85253

The mechanism that reloads rules in the IPsec VPN policy has been enhanced to limit the risk of the firewall's routing engine unexpectedly shutting down when some configurations remain unchanged.

SSL VPN

Support reference 85229

Users who belong to many groups from the LDAP directory can set up SSL VPN tunnels again. This regression appeared in SNS version 4.3.18.

Support reference 84841

Editing the SSL VPN configuration on a firewall with an SSL VPN tunnel that has already been set up would sometimes prevent the tunnel manager from restarting. This issue, which occasionally prevented SSL VPN tunnels from setting up after the configuration was edited, has been fixed.

Filter - NAT

Support reference 84495

The mechanism that reloads filter and NAT rules has been optimized to prevent unnecessary access to the configuration, which could corrupt the list of filter and NAT policies.

Support reference 84734

If the filter policy contains two block rules (to and from a MAC address) placed before the rule that allows the SSL VPN tunnel, traffic passing through the SSL VPN tunnel is no longer wrongly blocked.

Certificates and PKI

Support references 76892 - 85114

When a certificate signing request (CSR) is created using the CLI/Serverd command PKI REQUEST CREATE, and if Subject Alternative Names (SAN) or User Principal Names (UPN) are specified (IP addresses, FQDNs, etc.), they are now correctly applied and appear in the CSR and signed certificate.
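The fix above concerns SAN entries being dropped from the CSR. The check a practitioner wants after generating any CSR is to confirm that every requested SAN is actually recorded in it. The following added example (not Stormshield's code, and not the PKI REQUEST CREATE command itself) builds a CSR with OpenSSL's -addext option and then inspects it for each expected entry; the hostname fw.example.com, the address 192.0.2.1 and the file names are constructed for the demo. Only DNS and IP entries are asserted, because OpenSSL versions render a UPN otherName differently in text output.

```shell
#!/bin/sh
# Added example (not Stormshield's code): build a CSR carrying SAN entries
# with OpenSSL and verify that each requested SAN really landed in the CSR.
# The hostname, IP address and file names used here are constructed for the demo.
set -eu

# Generate a private key and a CSR whose SAN extension is passed with
# -addext (OpenSSL 1.1.1 or later).
#   $1 key output path, $2 CSR output path, $3 CN, $4 SAN list
make_csr_with_san() {
    key="$1"; csr="$2"; cn="$3"; sans="$4"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$cn" \
        -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# Print the SAN line of a CSR as OpenSSL renders it in -text output,
# e.g. "DNS:fw.example.com, IP Address:192.0.2.1".
#   $1 CSR path
csr_san_line() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Return 0 when the rendered SAN line contains the given entry
# (e.g. "DNS:fw.example.com" or "IP Address:192.0.2.1"), 1 otherwise.
#   $1 CSR path, $2 entry
csr_san_contains() {
    csr_san_line "$1" | grep -q -F -- "$2"
}

main() {
    workdir=$(mktemp -d)
    make_csr_with_san "$workdir/fw.key" "$workdir/fw.csr" \
        "fw.example.com" "DNS:fw.example.com,IP:192.0.2.1"
    echo "SAN as recorded in the CSR: $(csr_san_line "$workdir/fw.csr")"
    for entry in "DNS:fw.example.com" "IP Address:192.0.2.1"; do
        if csr_san_contains "$workdir/fw.csr" "$entry"; then
            echo "ok      $entry"
        else
            echo "MISSING $entry"
        fi
    done
    rm -rf "$workdir"
}

main
```

The same csr_san_contains check can be pointed at a CSR exported from the firewall: if an entry you requested is absent from the rendered SAN line, the request was not built the way you intended, which is exactly the symptom the fix above addresses.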

Certificates and PKI - IPsec - Diffusion Restreinte (DR) mode

Support reference 84942

In a configuration with a trust chain such as: Certification authority (certificate signed in RSA) -> Sub certification authority (certificate signed in ECDSA or ECSDSA on an ECP 256 or BP 256 curve) used as a trust anchor -> Certificate (signed in ECDSA or ECSDSA on an ECP 256 or BP 256 curve), IPsec tunnels in DR mode would wrongly refuse to set up. This issue has been fixed to comply with reference RFCs for Diffusion Restreinte (DR) mode.

System – SNi20

Support references 84870 - 85037

The watchdog, which monitors the firewall's hardware activity, was wrongly triggered before the system's software monitoring mechanism when the watchdog was set to its default value of 120 seconds. This issue has been fixed.

Monitoring memory on SN310 firewalls

Support references 85022 - 85155

An anomaly in the management of memory monitoring data could wrongly raise an alert on memory usage and a change in the status of the corresponding health indicator in the Dashboard on SN310 firewalls. This anomaly has been fixed.

IPsec tunnel monitoring

Support reference 84776

Refreshing the IPsec tunnel monitoring screen no longer causes the system error "Command processing failed".

Default route - DHCP - IPv6

Support reference 85124

In a configuration such as the following:

  • The firewall's default gateway is learned via DHCP,
  • IPv6 is enabled on the firewall.

Any changes (name, protection status, etc.) made to an interface with a DHCP address range no longer cause the firewall's default route to be deleted.

Logs - Syslog - IPFIX

Support references 84493 - 84876

In configurations that send logs via UDP/syslog or IPFIX without specifying the firewall IP address to be used for such operations, and when a high volume of logs is sent, a concurrent-access issue would occasionally cause the firewall to lose network connectivity. This would then require the firewall to be restarted. This issue has been fixed.

Updating the firewall via the web administration interface

Support reference 84962

An issue occurring when the firewall is updated via the web administration interface could cause the interface to suddenly freeze and prevent the firewall from being updated. This issue has been fixed.

BIRD dynamic routing

Support reference 85249

In a configuration that uses the BGP protocol with TCP-MD5 authentication, reloading the BGP configuration no longer prevents BGP sessions from being renegotiated. This regression appeared in SNS version 4.3.18.

Support reference 85221

In configurations that use the BGP protocol with TCP-MD5 authentication, the "setkey no" directive, which no longer functions, is automatically replaced with its equivalent "setkey yes" in the bird/bird6 configuration file when the firewall is updated to SNS version 4.3.20 or higher. The presence of the previous directive prevented authenticated BGP sessions from being opened after the firewall was updated. This regression appeared in SNS version 4.3.18.
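The update performs the "setkey no" to "setkey yes" rewrite itself; the following added example (not Stormshield's or BIRD's code) shows the same migration as a standalone check you can run against an exported bird/bird6 configuration before or after updating, counting live "setkey no" directives, rewriting them, and leaving commented-out lines untouched. The configuration fragment, the peer addresses and AS numbers are constructed for the demo, and the placement of "setkey" directly inside the bgp protocol block follows BIRD 2 syntax as an assumption about how the firewall writes it.

```shell
#!/bin/sh
# Added example (not Stormshield's or BIRD's code): locate "setkey no"
# directives in a BIRD/BIRD6 configuration and rewrite them to "setkey yes",
# leaving commented-out lines alone. The configuration content below is
# constructed for the demo; on a firewall, point the functions at the real
# bird/bird6 configuration file instead.
set -eu

# Emit a constructed BIRD configuration fragment with one live "setkey no",
# one commented-out "setkey no" and one peer already on "setkey yes".
sample_bird_conf() {
    cat <<'EOF'
# constructed BIRD configuration fragment for the demo
protocol bgp peer1 {
    local as 65001;
    neighbor 192.0.2.2 as 65002;
    password "example-secret";
    setkey no;
}
protocol bgp peer2 {
    local as 65001;
    neighbor 192.0.2.3 as 65003;
    # setkey no;   <- commented out, must be left alone
    password "other-secret";
    setkey yes;
}
EOF
}

# Count "setkey no" directives on non-comment lines (prints 0 when none).
#   $1 configuration file
count_setkey_no() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -c -E '^[[:space:]]*setkey[[:space:]]+no[[:space:]]*;' || true
}

# Rewrite "setkey no;" to "setkey yes;" in place on non-comment lines,
# keeping a .bak copy of the original file next to it.
#   $1 configuration file
fix_setkey_no() {
    sed -i.bak -E \
        '/^[[:space:]]*#/!s/^([[:space:]]*setkey[[:space:]]+)no([[:space:]]*;)/\1yes\2/' \
        "$1"
}

main() {
    conf=$(mktemp)
    sample_bird_conf > "$conf"
    echo "before: $(count_setkey_no "$conf") live 'setkey no' directive(s)"
    fix_setkey_no "$conf"
    echo "after:  $(count_setkey_no "$conf") live 'setkey no' directive(s)"
    diff "$conf.bak" "$conf" || true
    rm -f "$conf" "$conf.bak"
}

main
```

Running count_setkey_no against a configuration taken from a firewall that was upgraded from 4.3.18 is a quick way to confirm the automatic replacement happened; a non-zero count means an authenticated BGP session may still fail to open for the reason described above.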

Intrusion prevention engine

High availability - SCTP associations and TCP/UDP connections

Support reference 84792

In high availability configurations, following a double switchover (active - passive - active), the dates on which SCTP associations and TCP/UDP connections were established are no longer incorrect.

Web administration interface

URL filtering / SSL filtering / SMTP filtering

Support reference 85164

In URL filtering, SSL filtering or SMTP filtering modules, deleting the first filter rule no longer desynchronizes the IDs of the other rules in the policy.

VLAN interfaces

Support reference 85226

Attempting to delete a VLAN while BIRD dynamic routing is enabled once again displays the window indicating that this operation is not allowed and that dynamic routing must be disabled beforehand. This regression appeared in SNS version 4.0.1.