SNS 4.3.24 LTSB bug fixes

System

Proxies

Support references 85428 - 85495 - 85491

Issues that caused proxies to become unexpectedly blocked (stop processing traffic) when the configuration was reloaded have been fixed.

Network captures with tcpdump on a usbus interface

Support references 85083 - 85313

Launching a network capture with tcpdump on a usbus interface (the USB bus pseudo-interface) no longer causes the firewall to restart unexpectedly.

Elastic Virtual Appliances (EVA)

Support reference 85273

On an EVA virtual firewall, limiting the number of CPUs when hyperthreading is enabled no longer causes the firewall to restart unexpectedly.

QoS

Support reference 85019

Deleting a CBQ queue that a filter rule was using as an acknowledgment (ACK) queue could cause the firewall to restart unexpectedly. This issue has been fixed.

Switching to a lower SNS version

Support reference 85247

When a firewall switches to a lower SNS version without being reset to its factory configuration (defaultconfig), attempts to display the list of available alarms no longer cause the intrusion prevention engine and the command-based configuration server (serverd) to unexpectedly restart.

NAT

Support reference 84819

An issue has been fixed in the NAT manager. It wrongly filled up the table of translated ports reserved for protocols that open child connections (e.g. FTP, RTSP and others). Once the table was full, child connections could no longer be created and the traffic in question was disrupted.

Filter - NAT

Support references 85357 - 85376

In filter rules that use a set of network objects, one of which is bound to a disabled DHCP-configured interface, restarting the firewall no longer wrongly enables the "(1) Block all" filter rule. This regression appeared in SNS version 4.3.21.

Support reference 85239

In a situation such as the following:

  • The firewall has a bridge that groups several interfaces. On this bridge:
    • Traffic from one of the bridge interfaces to an interface outside the bridge is allowed by a filter rule in Firewall mode,
    • Traffic from another bridge interface to the same interface outside the bridge is blocked by another filter rule.
  • A connection has been established between a client host and the server through the first rule,
  • An infected host or an intrusion probe located on the same interface as the server sends a reset (RST) packet carrying the same references as the established connection (source/destination addresses and source/destination ports).

The packet from the infected host or intrusion probe was rightly blocked, but the source interface recorded for the client host was wrongly updated to the interface the spoofed packet arrived on, and the client's established connection with the server was shut down. This issue has been fixed: a packet that matches an existing connection but arrives on an interface the connection is not bound to no longer alters that connection.
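The following is an added illustrative model, not Stormshield code, of the check the scenario above calls for: a stateful tracker that remembers which interface each side of a connection was seen on and discards a packet whose 4-tuple matches an established connection but which arrives on the wrong interface, without touching the connection's state. The pre-fix behaviour is modelled only as far as the notes describe it (the connection is re-bound to the spoofed packet's interface, re-filtered and torn down). Interface names, addresses and ports are constructed for the example.

```python
"""Toy interface-bound stateful tracker (constructed example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # simplified: "S" = SYN, "A" = ACK, "R" = RST


@dataclass
class Connection:
    client_iface: str   # interface the client side was seen on
    server_iface: str   # interface the server is reached through


class StatefulTracker:
    def __init__(self, rules, routes, bind_interfaces=True):
        self.rules = rules                      # (src_iface, dst_iface) -> "pass" | "block"
        self.routes = routes                    # destination IP -> egress interface
        self.bind_interfaces = bind_interfaces  # False reproduces the pre-fix behaviour
        self.table = {}                         # (src, sport, dst, dport) -> Connection

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            return self._existing(key, pkt, client_to_server=True)
        if rkey in self.table:
            return self._existing(rkey, pkt, client_to_server=False)
        return self._new(key, pkt)

    def _new(self, key, pkt):
        if "S" not in pkt.flags:
            return "block"                      # no state and not a SYN: drop
        egress = self.routes[pkt.dst]
        verdict = self.rules.get((pkt.iface, egress), "block")
        if verdict == "pass":
            self.table[key] = Connection(pkt.iface, egress)
        return verdict

    def _existing(self, key, pkt, client_to_server):
        conn = self.table[key]
        expected = conn.client_iface if client_to_server else conn.server_iface
        if pkt.iface != expected:
            if not self.bind_interfaces:
                # Pre-fix behaviour as described in the notes: the connection is
                # re-bound to the packet's interface, re-filtered, and torn down.
                if client_to_server:
                    conn.client_iface = pkt.iface
                else:
                    conn.server_iface = pkt.iface
                if self.rules.get((conn.client_iface, conn.server_iface), "block") != "pass":
                    del self.table[key]
            return "block"                      # fixed: dropped, state untouched
        if "R" in pkt.flags:
            del self.table[key]                 # genuine reset ends the connection
        return "pass"


def run_scenario(bind_interfaces):
    """Bridge members br0_a / br0_b, server behind dmz (constructed topology).

    Returns (verdict for the spoofed RST, connection alive after it,
             connection alive after a genuine RST from the client).
    """
    rules = {("br0_a", "dmz"): "pass", ("br0_b", "dmz"): "block"}
    routes = {"192.0.2.5": "dmz", "10.0.0.10": "br0_a"}
    fw = StatefulTracker(rules, routes, bind_interfaces)
    client, server = ("10.0.0.10", 40000), ("192.0.2.5", 443)
    key = (*client, *server)
    fw.handle(Packet("br0_a", *client, *server, "S"))     # client opens the flow
    fw.handle(Packet("dmz", *server, *client, "A"))       # server reply, right interface
    verdict = fw.handle(Packet("dmz", *client, *server, "R"))  # spoofed RST, wrong iface
    alive_after_spoof = key in fw.table
    fw.handle(Packet("br0_a", *client, *server, "R"))     # genuine RST from the client
    return verdict, alive_after_spoof, key in fw.table


if __name__ == "__main__":
    print("fixed   :", run_scenario(True))    # ('block', True, False)
    print("pre-fix :", run_scenario(False))   # ('block', False, False)
```

With `bind_interfaces=True` the spoofed RST is blocked and the client's connection survives until the client itself resets it; with `bind_interfaces=False` the same packet is also blocked, but only after it has already destroyed the legitimate connection, which is the symptom the notes describe.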

Connection to the web administration interface with the admin account

Support references 85266 - 85309 - 85349 - 85437 - 85494

Under certain circumstances, attempts to connect to the web administration interface with the admin account failed and caused the command-based configuration server (serverd) to restart unexpectedly. This issue has been fixed.

High availability (HA)

Support references 77890 - 83274

On a high availability firewall that has switched roles several times in the cluster, some return packets were sent through the wrong route while carrying the source IP address of the correct one, which shut down the traffic in question. This issue has been fixed.

High availability - Synchronization of certificate revocation lists (CRL)

CRLs that were retrieved on the active firewall are now synchronized with the passive firewall once again. This regression appeared in SNS version 4.3.23 LTSB and raised an alarm whenever a CRL on the passive firewall expired.

E-mail alerts

Support references 84511 - 82823

When the firewall sends e-mails to an SMTP server over a TLS-encrypted connection, reloading the configuration of the e-mail sending service wrongly switched the service to unencrypted mode, which could cause the connection between the firewall and the SMTP server to fail. This issue has been fixed.

Memory leaks

Support reference 85363

Memory leak issues have been fixed in the firewall's configuration engine and its SNMP agent management engine.

IPsec VPN

Support reference 85439

Packets already encrypted by a first IPsec tunnel could no longer be passed through a second tunnel set up on virtual IPsec interfaces (nested tunnels). This regression, which first appeared in SNS v4, has been fixed.

IPsec monitoring

Support reference 85399

Monitoring of Security Associations (SAs) no longer fails when the peer is defined with an IP address range.

Internal LDAP directory

Support reference 84495

The command that makes it possible to monitor changes to the configuration, used in particular by the SMC server, no longer causes the internal LDAP directory manager to restart.

DHCP interface

Support reference 85305

When the media speed of a DHCP-configured interface is manually modified, it no longer loses its IP address.

BIRD dynamic routing - BGP and MD5 authentication

Support reference 85373

In a BIRD dynamic routing configuration that uses BGP with MD5 authentication, a missing source address in the BGP configuration now produces a warning message prompting the administrator to enter one in the BIRD configuration, instead of leaving the BGP session in question malfunctioning. This regression appeared in SNS version 4.3.21 LTSB.

Listening port on the web administration interface

Support reference 85450

Attempts to change the listening port on the web administration interface (TCP/443 by default) no longer result in a system error in the firewall's configuration engine, and are now correctly applied.

SSO agent management

Support references 85430 - 85443

A memory leak issue has been fixed in the SSO agent manager.

Log management service - TCP Syslog

Support references 85297 - 85396

The firewall's log management service no longer stops when its configuration is modified and the connection between the TCP Syslog server and the firewall is unreliable or unstable.

Intrusion prevention engine

IPS analysis - Alarms

Support reference 85210

Packets that raised one of the alarms evaluated before filter inspection were still let through the firewall even when a filter rule was configured to block the corresponding network traffic. This issue has been fixed.

Refer to the list of alarms occurring before the filter inspection in the Stormshield knowledge base (authentication required).

LDAP protocol

Support reference 84561

The LDAP protocol analysis engine now correctly manages GSSAPI authentication packets, which no longer wrongly generate "Bad LDAP protocol" (ldap_tcp:427 error) alarms.

Web administration interface

DHCP server and log partition operations

Support reference 84501

Enabling the DHCP server on the firewall no longer prevents maintenance operations on the log partition via the web administration interface (unmounting/mounting, formatting, etc.).