SNS 4.3.23 LTSB bug fixes

System

IPsec VPN

Support references 84572 - 84708 - 85270 - 85272

When the subject of a certificate from a trusted CA contains a non-ASCII encoded character, this no longer prevents the setup of IPsec tunnels based on this CA.

Multi-user SSH authentication - SCP command

Support reference 84848

Accounts that have been declared as firewall administrators with the "Console (SSH)" permission can once again run the SCP command over SSH. This issue did not affect the "admin" account.

VPN - Verification of peer certificate revocation (CRL)

Support reference 82506

Deploying a VPN topology, on which the CRLRequired parameter is enabled, from an SMC server no longer overwrites the CA's certificate revocation list (CRL) on the SNS firewall.

SN-S-Series-320 and SN-M-Series-520 model firewalls

The maximum number of HTTP/FTP/SMTP/POP3 connections allowed on SN-S-Series-320 and SN-M-Series-520 model firewalls was incorrect; it is corrected when the firewall is updated to version 4.3.23 or higher.

Proxies

Support references 85041 - 85048 - 85260 - 85286 - 85314

Proxies no longer freeze when an SSL decryption rule encounters either of the following types of certificate while the action associated with the SSL protocol analysis of Unknown certificates is set to Delegate to user:

  • Certificates with a blank Subject field,
  • Certificates signed by a certification authority that the proxy does not recognize as trusted (e.g., self-signed certificates).

Support reference 85254

Issues with memory leaks on proxies have been fixed.

IPsec tunnel monitoring

Support reference 85318

In IPsec tunnel monitoring, an anomaly that caused tunnels set up with peers in Responder-only mode to be displayed as bypass policies has been fixed.

SSL VPN

The following can no longer be selected for the SSL VPN server:

  • A TCP listening port below 1024,
  • A UDP listening port below 1024, except UDP/443.

CLI/SSH commands

Support reference 85110

The help returned by the command sfctl --help -F now mentions the assoc token.

NTP client service

The NTP client service no longer stops functioning on firewalls that have over 1024 interfaces.

Routing

Support reference 85320

When a firewall on which the default route was defined with a loopback object (e.g., the localhost object with the IP address 127.0.0.1) is updated to version 4.3.23 LTSB, this object is automatically replaced with the blackhole object. This preserves the compatibility of the routing configured earlier.

Intrusion prevention engine

ICMP request

Support references 84197 - 85387

On firewalls with:

  • A server behind a protected interface,
  • Two separate Internet access links.

Following a request from an unprotected network to the server, if the server was not listening on the requested port, the ICMP type 3 packets it sent back would always take the default route. These packets now take the configured return route.

NTP protocol

Support reference 85077

The check on the NTP field reference_timestamp wrongly raised alarm 451 in the NTP plugin. As this check was unnecessary, it has been removed.

High availability

Support reference 84766

During a switchover in the cluster, an anomaly in the processing of some established TCP/UDP connections could cause the cluster to become unstable. This anomaly has been fixed.

Web administration interface

IPsec VPN

Support reference 85312

The presence of a space in the name of a mobile IPsec VPN configuration prevented the IPsec policy from reloading and made it inoperable. The firewall's web administration interface and the CLI/Serverd command CONFIG IPSEC POLICY MOBILE UPDATE now prohibit spaces in the names of mobile IPsec policies.

For more information on the syntax of this command, please refer to the CLI SERVERD Commands Reference Guide.

Support reference 85334

The name of an IPsec VPN rule can no longer be cleared, as rules with a blank name field prevent the IPsec policy from fully reloading.

SMTP filtering

Support reference 85347

The web administration interface no longer wrongly prohibits the definition of several rules that reference the same sender with different recipients. This regression appeared in version 4.0.

High availability - monitoring

Support reference 85398

The versions of the firmware installed on the main and backup partitions of the passive cluster member are now correctly displayed.