SNS 4.3.26 LTSB bug fixes

System

High availability - Automatic backups

Support reference 84782

In high availability configurations where automatic configuration backups in Stormshield's cloud have been enabled, when the roles of firewalls in the cluster were regularly switched more often than the configured frequency of automatic backups (7 days by default), these backups would never be activated. This issue has been fixed.

High availability - Updating the passive firewall when the backup partition is being copied

Support reference 85390

The mechanism that updates the passive firewall in a cluster has been enhanced to better manage partition backups on it. With these improvements, backups are no longer stopped abruptly, which could corrupt the partitions on the passive firewall.

High availability - Updating the active firewall in command line

Support reference 84997

In high availability configurations, attempts to update the active firewall using the command SYSTEM UPDATE UPLOAD fwserial=active no longer fail, and no longer present the error "Source and destination firewalls are the same".

More information on the command SYSTEM UPDATE UPLOAD.

Running an automatic update and system backup simultaneously on the backup partition

Support reference 84744

When an automatic update (autoupdate) was run at the same time as a system backup on the backup partition (dumproot), the system backup could fail, especially when the firewall was managed via SMC.

Improvements have been made to prevent this situation. Now:

  • When a dumproot is in progress, the autoupdate mechanism is put on active standby and will start only when the dumproot ends,
  • When an autoupdate is in progress, the dumproot will not launch and a system event is generated.

CRL verification

Support reference 85402

The mechanism that verifies CRLs now correctly performs DNS requests again when three or more DNS servers are specified on the firewall.

IPsec VPN

A mechanism that verifies and restricts the number of requests to set up IPsec tunnels has been added to avoid saturating the queue.

Support reference 85603

When a traffic endpoint has an IP address found in the network of a tunnel's destination hosts, attempting to set up such an IPsec tunnel no longer causes the firewall to freeze unexpectedly. This regression appeared in SNS version 4.3.24 LTSB.

IPsec VPN - Diffusion Restreinte (DR) mode

Support reference 85507

For configurations in DR mode, if a peer in a site-to-site tunnel has enabled the Do not initiate the tunnel (Responder only) option, the tunnel will no longer be prevented from setting up correctly.

Deployments via SMC - Competing access

Support reference 84003

Issues regarding competing access have been fixed so that attempts to deploy configurations via SMC will no longer be unexpectedly blocked.

GRETAP

Support reference 85384

In configurations that use CPU load balancing for encryption on SN-M-Series-520 and SN-M-Series-720 model firewalls, an issue regarding packets being rejected in a GRETAP tunnel's key renegotiation phase has been fixed.

Trusted Platform Module

Support reference 85378

On firewalls with an initialized TPM, attempts to back up a firewall’s configuration no longer cause a system error that logs out the administrator.

Web administration interface

Changing the super-administrator password (admin account)

Support reference 85581

When the admin account password is being changed through the web administration interface, quotation marks are once again rejected. A regression that allowed these characters appeared in SNS version 4.3.22 LTSB.