SNS 4.3.25 LTSB bug fixes
System
SSL proxy
Support reference 73331
The SSL proxy now accepts the "_" character in FQDN names for the SNI (Server Name Indication) extension.
SSL VPN
Support reference 85485
In SSL VPN connections with certificate authentication, HTML tags or quote characters (") in the user name are now correctly processed.
Support reference 84391
The option to prevent users from setting up more than one SSL tunnel (option that can be enabled using the CLI/Serverd command CONFIG OPENVPN UPDATE ForceOneTunnelPerUser=1) did not function when the presented user name included its domain name (e.g., john.doe@acme.com). This anomaly has been fixed.
More information on the command CONFIG OPENVPN UPDATE.
EVA on Microsoft Azure
Support reference 85325
The file integrity verification mechanism has been adapted to no longer wrongly raise alarms for EVAs deployed on the Microsoft Azure platform. These alarms, which affected in particular the host's boot loader or libraries specific to this platform, disrupted how Microsoft Azure managed and backed up virtual machines.
Disk access
Support references 84495 - 84933 - 85038 - 85081 - 85213 - 84626 - 85197
Improvements have been made to restrict the number of times the disk is accessed. In some cases, when the disk is accessed too often, SN160(W), SN210(W) and SN310 model firewalls would unexpectedly restart.
High availability - SCTP associations
Support reference 82047
When SCTP associations were not synchronized when the filter policy was reloaded on the active firewall, it could create an inconsistency within the cluster: SCTP connections that were deleted on the active firewall when the filter policy was reloaded were still considered active on the passive firewall. This issue has been fixed.
Certificate Check
Support reference 85206
The mechanism that retrieves and verifies TLS server certificates now takes into account the trusted CAs added by the administrator account. These CAs are stored in a different directory from the one used for storing downloaded CAs.
URL/SSL filtering - Extended Web Control (EWC) - Miscellaneous category
URLs that have been recognized by the URL category provider in the EWC solution, and which do not belong to any predefined category, are now classified under the Miscellaneous category, and no longer under Unknown.
URL/SSL filtering - Extended Web Control (EWC) - Warning messages
Improvements have been made in cases when an unknown URL category was used in the configuration of the SNS firewall after the migration of a security policy to the new EWC URL database:
- Warning messages no longer appear in the menu on the left, in front of the names of the Filter - NAT, URL filtering and SSL filtering modules, when the unknown categories are in a disabled rule or in an inactive policy,
- In warning messages, the output from the CLI/Serverd command MONITOR MISC now indicates the unknown categories and the policy in question.
SNMP agent
Support reference 83679
An error was fixed in the value returned by the OID 1.3.6.1.2.1.1.7. This value is now 76, corresponding to a device that provides services on OSI layers 3, 4 and 7. Previously, the value returned was 72.
GRETAP
Support reference 85417
An anomaly in the formatting of outgoing GRETAP packets (several extra bytes at the beginning of the packet) was fixed. This anomaly, which appeared in version 4.3.16 LTSB, made GRETAP network captures more difficult to analyze but did not in any way affect the proper operation of GRETAP communications.
Authentication - brute force attacks
Support reference 81350
When the brute force attack protection mechanism is activated, the alarm generated no longer contains a destination address that is systematically 0.0.0.0. This regression appeared in SNS version 4.1.1.
Dashboard - Health indicators
Support reference 85392
The health indicator of certificates found in the Dashboard module no longer wrongly raises alarms when a CA has a lifetime longer than 68 years. This problem persists on SN160(W), SN210(W) and SN310 model firewalls.
Intrusion prevention engine
TCP connections - Proxy
Support references 84867 - 85385
At the end of a TCP packet exchange, if the server or client ignores the connection shutdown packet that the peer sends, the firewall's intrusion prevention engine will stop wrongly sends ACK or FIN/ACK packets in loop.
SMTP protocol
Support reference 84220
SMTP connections that are initiated by a client that sent a STARTTLS command before the EHLO command will no longer be wrongly blocked when they generate the "Invalid SMTP protocol" alarm.
SMTP - UTF-8 support
Support reference 83791
The SMTP protocol analysis engine no longer wrongly blocks UTF-8 characters in SMTP traffic when the server specifically allows them through the option SMTPUTF8.
Vulnerability management
Support reference 85526
The size of the cache that contains vulnerabilities detected on the firewall's client hosts has been increased to prevent the intrusion prevention engine from consuming too much CPU when the cache is full. The size of this cache has therefore been increased from 128 to 2048 possible entries.
Web administration interface
Filtering - Authentication rule - Web objects
Support reference 85447
When an authentication rule has been defined in the filter policy, web objects can no longer be created or edited directly from this rule. This operation would make the web administration interface unstable.
Certificates and PKI
Support reference 85388
The use of certification authorities (CAs) with names that contain an apostrophe can now be verified.
IPsec VPN
Support reference 85442
After importing a CA and several identities that it has signed, only the certificate of the first imported identity could be used to create an IPsec peer. Attempts to select another imported certificate would fail. This issue has been fixed.
Host object with automatic DNS resolution
Support reference 85515
The "/" character is no longer allowed at the end of the name of host objects that have been configured in automatic DNS resolution.
Objects
Support references 84588 - 84719
Objects used in the firewall's configuration can no longer be forcibly deleted, to avoid generating inconsistencies in the configuration.