SNS 4.3.25 LTSB bug fixes

System

SSL proxy

Support reference 73331

The SSL proxy now accepts the "_" character in FQDN names for the SNI (Server Name Indication) extension.

SSL VPN

Support reference 85485

In SSL VPN connections with certificate authentication, HTML tags or quote characters (") in the user name are now correctly processed.

Support reference 84391

The option to prevent users from setting up more than one SSL tunnel (option that can be enabled using the CLI/Serverd command CONFIG OPENVPN UPDATE ForceOneTunnelPerUser=1) did not function when the presented user name included its domain name (e.g., john.doe@acme.com). This anomaly has been fixed.

More information on the command CONFIG OPENVPN UPDATE.

EVA on Microsoft Azure

Support reference 85325

The file integrity verification mechanism has been adapted to no longer wrongly raise alarms for EVAs deployed on the Microsoft Azure platform. These alarms, which affected in particular the host's boot loader or libraries specific to this platform, disrupted how Microsoft Azure managed and backed up virtual machines.

Disk access

Support references 84495 - 84933 - 85038 - 85081 - 85213 - 84626 - 85197

Improvements have been made to restrict the number of times the disk is accessed. In some cases, when the disk is accessed too often, SN160(W), SN210(W) and SN310 model firewalls would unexpectedly restart.

High availability - SCTP associations

Support reference 82047

SCTP associations were not resynchronized when the filter policy was reloaded on the active firewall, which could leave the cluster inconsistent: SCTP connections that the active firewall deleted during the policy reload were still considered active on the passive firewall. This issue has been fixed.

Certificate Check

Support reference 85206

The mechanism that retrieves and verifies TLS server certificates now takes into account the trusted CAs added by the administrator account. These CAs are stored in a different directory from the one used for storing downloaded CAs.

URL/SSL filtering - Extended Web Control (EWC) - Miscellaneous category

URLs that have been recognized by the URL category provider in the EWC solution, and which do not belong to any predefined category, are now classified under the Miscellaneous category, and no longer under Unknown.

URL/SSL filtering - Extended Web Control (EWC) - Warning messages

Improvements have been made in cases when an unknown URL category was used in the configuration of the SNS firewall after the migration of a security policy to the new EWC URL database:

  • Warning messages no longer appear in the menu on the left, in front of the names of the Filter - NAT, URL filtering and SSL filtering modules, when the unknown categories are in a disabled rule or in an inactive policy,
  • In warning messages, the output from the CLI/Serverd command MONITOR MISC now indicates the unknown categories and the policy in question.

SNMP agent

Support reference 83679

An error was fixed in the value returned by the OID 1.3.6.1.2.1.1.7. This value is now 76, corresponding to a device that provides services on OSI layers 3, 4 and 7. Previously, the value returned was 72.
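The values 72 and 76 are not arbitrary: sysServices (OID 1.3.6.1.2.1.1.7, RFC 1213) is a bitmask in which a device offering services at OSI layer L sets bit 2^(L-1), so 76 = 4 + 8 + 64 encodes layers 3, 4 and 7, while 72 = 8 + 64 omits layer 3 (routing). The following Python is an added example, not part of these release notes or of Stormshield's code; it encodes and decodes that bitmask and checks a polled value against the layers a firewall with routing, stateful inspection and proxies is expected to advertise (the layer names for 5 and 6 are the generic OSI names, and the check function and its expected layers are an assumption made here for illustration).

```python
# Added example (not from the SNS release notes): encode/decode the SNMP
# MIB-II sysServices value (OID 1.3.6.1.2.1.1.7). Per RFC 1213 a device that
# offers services at OSI layer L sets bit 2**(L-1); the value is the sum.

LAYER_NAMES = {
    1: "physical",
    2: "datalink",
    3: "internet",       # routing
    4: "end-to-end",     # transport / stateful inspection
    5: "session",        # generic OSI name, not listed in RFC 1213's table
    6: "presentation",   # generic OSI name, not listed in RFC 1213's table
    7: "applications",   # application proxies, SNMP agent itself, etc.
}


def sys_services_encode(layers):
    """Return the sysServices integer for an iterable of OSI layers (1..7)."""
    value = 0
    for layer in layers:
        if layer not in LAYER_NAMES:
            raise ValueError(f"OSI layer must be 1..7, got {layer!r}")
        value |= 1 << (layer - 1)
    return value


def sys_services_decode(value):
    """Return the sorted list of OSI layers set in a sysServices value."""
    if not 0 <= value <= 127:
        raise ValueError(f"sysServices must be 0..127, got {value!r}")
    return [layer for layer in LAYER_NAMES if value & (1 << (layer - 1))]


def check_firewall_sys_services(value, expected_layers=(3, 4, 7)):
    """Compare a polled sysServices value against the layers a routing,
    stateful-inspecting, proxying firewall should advertise (assumed set).
    Returns (ok, names_of_missing_layers)."""
    advertised = set(sys_services_decode(value))
    missing = sorted(set(expected_layers) - advertised)
    return (not missing, [LAYER_NAMES[layer] for layer in missing])


if __name__ == "__main__":
    # Constructed inputs: the fixed firmware returns 76, the old one returned 72.
    for polled in (76, 72):
        ok, missing = check_firewall_sys_services(polled)
        print(f"sysServices={polled}: layers={sys_services_decode(polled)} "
              f"ok={ok} missing={missing}")
```

To obtain the live value from a firewall with the net-snmp tools, poll the scalar instance, e.g. `snmpget -v2c -c <community> <firewall> 1.3.6.1.2.1.1.7.0`, and feed the integer to `check_firewall_sys_services`; a result of 72 on a 4.3.x LTSB unit indicates firmware from before this fix.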

GRETAP

Support reference 85417

An anomaly in the formatting of outgoing GRETAP packets (several extra bytes at the beginning of the packet) was fixed. This anomaly, which appeared in version 4.3.16 LTSB, made GRETAP network captures more difficult to analyze but did not in any way affect the proper operation of GRETAP communications.

Authentication - brute force attacks

Support reference 81350

When the brute force attack protection mechanism is activated, the alarm generated no longer contains a destination address that is systematically 0.0.0.0. This regression appeared in SNS version 4.1.1.

Dashboard - Health indicators

Support reference 85392

The health indicator of certificates found in the Dashboard module no longer wrongly raises alarms when a CA has a lifetime longer than 68 years. This problem persists on SN160(W), SN210(W) and SN310 model firewalls.

Intrusion prevention engine

TCP connections - Proxy

Support references 84867 - 85385

At the end of a TCP exchange, if the server or the client ignores the connection shutdown packet sent by its peer, the firewall's intrusion prevention engine no longer wrongly sends ACK or FIN/ACK packets in a loop.

SMTP protocol

Support reference 84220

SMTP connections initiated by a client that sends a STARTTLS command before the EHLO command are no longer wrongly blocked by the "Invalid SMTP protocol" alarm.

SMTP - UTF-8 support

Support reference 83791

The SMTP protocol analysis engine no longer wrongly blocks UTF-8 characters in SMTP traffic when the server specifically allows them through the option SMTPUTF8.

Vulnerability management

Support reference 85526

The size of the cache that holds vulnerabilities detected on the firewall's client hosts has been increased from 128 to 2048 entries, to prevent the intrusion prevention engine from consuming too much CPU when the cache is full.

Web administration interface

Filtering - Authentication rule - Web objects

Support reference 85447

When an authentication rule has been defined in the filter policy, web objects can no longer be created or edited directly from this rule. This operation would make the web administration interface unstable.

Certificates and PKI

Support reference 85388

The use of certification authorities (CAs) with names that contain an apostrophe can now be verified.

IPsec VPN

Support reference 85442

After importing a CA and several identities that it has signed, only the certificate of the first imported identity could be used to create an IPsec peer. Attempts to select another imported certificate would fail. This issue has been fixed.

Host object with automatic DNS resolution

Support reference 85515

The "/" character is no longer allowed at the end of the name of host objects that have been configured in automatic DNS resolution.

Objects

Support references 84588 - 84719

Objects used in the firewall's configuration can no longer be forcibly deleted, to avoid generating inconsistencies in the configuration.