SNS 4.3.28 LTSB bug fixes

System

RADIUS Authentication

Support reference 85727

RADIUS authentications to FreeRADIUS servers are now working properly again. This regression appeared in version 4.3.26 LTSB.

IPsec VPN

Support references 84983 - 85253 - 85452

In addition to the fix implemented in version 4.3.20 LTSB regarding IPsec VPN, the mechanism that reloads rules in the IPsec VPN policy has been patched, and the firewall's routing engine no longer shuts down unexpectedly when some configurations remain unchanged.

Dynamic objects

Support reference 85397

Enhancements have been made to prevent the proxy from reloading systematically when dynamic objects (FQDNs or hosts) are used in a filter or address translation mechanism on the SNS firewall, as this would slow down connections.

System backup mechanism on the backup partition

Support reference 85390

The system backup mechanism on the backup partition (dumproot) has been enhanced. When a backup is abruptly stopped, the main partition is no longer corrupted and the firewall no longer restarts indefinitely. Only the backup partition remains damaged, and a new backup has to be launched to restore the status of both partitions.

Address translation (NAT)

Support reference 85438

NAT policy rules were not applied in the following cases:

  • When two packets belonging to the same connection, but travelling in opposite directions, arrived on different CPU cores (e.g., one packet from A to B and the other from B to A),
  • When a connection was shut down at the same time as a new packet was received for that same connection.

These issues have been fixed.

Virtual EVA firewalls deployed on the Linux KVM hypervisor

Support reference 85635

On virtual EVA firewalls deployed on the Linux KVM hypervisor, the firewall now correctly applies the status of a disconnected interface in the hypervisor's configuration. This issue distorted the calculation of the high availability (HA) quality factor.

Intrusion prevention engine

Maximum size of COTP packets

Support reference 85353

The maximum size of COTP packets is now 65535 bytes. The previous maximum of 4096 bytes could wrongly raise the blocking alarm "Possible attack on capacity" (ip:91).