SNS 4.3.3 bug fixes

System

IPsec VPN

Support reference 78214

Site-to-site IPsec tunnels that use the "all" object as the traffic source no longer wrongly trigger the sending of keepalive packets with the broadcast address (255.255.255.255) as the source address. Such packets were blocked because they raised the alarm “Broadcast address used in source address” (ip:89).
Do note that this anomaly did not disrupt legitimate traffic in IPsec tunnels.

Support reference 82729

Whenever a certificate was identified by a name (DN - Distinguished Name) longer than 128 characters, the firewall would retain only the first 128 characters. Deploying an IPsec configuration via SMC with such a certificate would therefore fail, because the DN stored on the firewall did not match the DN of the certificate.
The maximum size has been raised to 240 characters, the technical limit.
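The following is an added, illustrative check and is not Stormshield code: it builds the RFC 4514 string form of a DN and reports whether it would have been truncated at the former 128-character limit or exceeds the 240-character technical limit. The RDN list is a constructed sample; the limits are the two figures given above.

```python
"""Check whether a certificate DN fits the SNS DN length limits (added example)."""
from typing import Dict, Iterable, Tuple

# Limits quoted in the release note: 128 characters before SNS 4.3.3,
# 240 characters (the technical limit) from SNS 4.3.3 onwards.
OLD_DN_LIMIT = 128
NEW_DN_LIMIT = 240

# Characters that RFC 4514 requires to be backslash-escaped inside a value.
_ESCAPED = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value as RFC 4514 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _ESCAPED or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def dn_string(rdns: Iterable[Tuple[str, str]]) -> str:
    """Build the RFC 4514 string for an ordered list of (type, value) RDNs."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in rdns)


def check_dn(rdns: Iterable[Tuple[str, str]], limit: int) -> Dict[str, object]:
    """Report how the firewall would store this DN under the given limit.

    'truncated' is True when the stored DN no longer equals the certificate's
    DN, which is exactly the condition that made SMC deployments fail.
    """
    full = dn_string(rdns)
    stored = full[:limit]
    return {
        'length': len(full),
        'limit': limit,
        'stored_as': stored,
        'truncated': stored != full,
        'exceeds_technical_limit': len(full) > NEW_DN_LIMIT,
    }


# Constructed sample DN (not a real certificate): a long but realistic
# enterprise PKI subject with several OU components.
SAMPLE_RDNS = [
    ('C', 'FR'),
    ('ST', 'Nord'),
    ('L', "Villeneuve d'Ascq"),
    ('O', 'Example Corporation, Network Security Division'),
    ('OU', 'Site-to-Site VPN Gateways / Region Europe West'),
    ('OU', 'Datacenter 02'),
    ('CN', 'fw-edge-02.dc02.europe-west.vpn.example.net'),
    ('emailAddress', 'pki-operations@example.net'),
]

if __name__ == '__main__':
    for limit in (OLD_DN_LIMIT, NEW_DN_LIMIT):
        report = check_dn(SAMPLE_RDNS, limit)
        print(f"limit {limit}: length={report['length']} truncated={report['truncated']}")
```

Run it before pushing an SMC IPsec policy that references certificates with long subjects: a DN that is truncated under the old limit explains a "DN mismatch" failure on firewalls older than 4.3.3, and a DN over 240 characters will not fit even after the update.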

Support reference 81471

In configurations using IPsec VPN tunnels that handle a high network load, when an ARP entry expires, network packets will no longer be lost.

Support reference 81691

Due to an anomaly in the sequencing of processes/threads when priority is dynamically changed, packets would sometimes get lost on firewalls handling heavy traffic. This anomaly has been fixed.

Support reference 83059

IPsec tunnels in which a peer has a name that contains an accented character can now be correctly set up again. This regression appeared in SNS version 4.2.

IPsec VPN IKEv2

Support reference 79713

The reauthentication of an IPsec IKEv2 tunnel in phase 1 would sometimes end too quickly, causing legitimate packets to be wrongly rejected. To prevent this situation, a new setting can be used to delete the older IKE SA later.

IPsec VPN - Certificates

Support references 78593 - 78611 - 73609

For IPsec peers that were deployed via SMC (global IPsec policy) and used certificates defined locally on the firewall, the certificates used were not shown in the peer details. This issue has been fixed.

SSL VPN

Support reference 81349

The OpenVPN daemon would sometimes shut down unexpectedly, logging out all users connected via the SSL VPN as a result. This issue has been fixed.

Proxies

Support reference 79295

Proxies and proxy-based modules (URL classification, etc.) now correctly handle certificates that contain an empty Subject field together with a populated Subject Alternative Name (SAN) field.

Creating interfaces

Support reference 75064

Configurations containing several hundred interfaces (e.g., virtual interfaces, VLAN interfaces, etc.) would cause excessive CPU consumption after the network interface configuration file was repeatedly reloaded. This issue has been fixed.

Host reputation

Support reference 78563

Data relating to the host reputation function no longer consumes an excessive amount of disk space. This issue prevented reports from being displayed.

NOTE
The host reputation database must be reinitialized to apply this fix (Application protection module > Host reputation > Reset scores for all hosts in the database button).

UDP Kerberos authentication

Support reference 78725

The UDP-based Kerberos authentication method no longer worked from SNS version 4.0.3 onwards, after support for FAST pre-authentication (RFC 6113) was introduced in this method. This issue has been fixed.

Authentication to an LDAPS server

The firewall was occasionally unable to authenticate on an LDAPS server when a certificate signed by a CA with a CRL was presented. This issue has been fixed.

Initial configuration via USB key

Support reference 81713

When a firewall is configured via USB key, changes to the reference time zone specified in the additional configuration file in CSV format are now correctly applied.

Network objects - Importing with CSV files

Support reference 78683

Network objects imported via CSV files are now immediately factored into the firewall's configuration.

Automatic updates

Support reference 72728

An issue with scheduled automatic updates that were not applied, occurring whenever the update frequency of a subsystem (antivirus definitions, etc.) was changed, has been fixed.

Whenever a specific port is indicated in an Active Update customized URL, it will now be correctly applied.

Event scheduler

Support reference 77428

The %STATE% macro, which can be used in the event scheduler, is now operational and returns the expected values.

Disk monitoring

Support references 75125 - 75126

An issue with alarms being wrongly raised over the disk status of firewalls has been fixed.

Interface monitoring - VLANs and aggregates

Support reference 80066

For VLANs attached to interfaces that are included in aggregates, the right throughput is now shown in the interface monitoring module, and no longer remains frozen at 10 Mb/s.

ICMP - IPv6

Support reference 82547

In configurations that use IPv6, a concurrent access issue (race condition) could freeze the firewall whenever it received ICMP “destination unreachable” packets. This issue has been fixed.

PPTP Server

The PPTP server that enables the setup of tunnels between a PPTP client and the firewall now functions again. This regression appeared in SNS version 4.2.

Access to the console via a serial port

Support references 82054 - 81429

On firewall models other than SN210(W) and SN310, access to the console via a serial port no longer made it possible to interrupt the startup sequence to change the password of the admin account in single user mode. This issue has been fixed.

SNMP Agent

Concurrent access issues (race conditions) that could cause the service to shut down have been fixed in the mechanism that checks the number of SNMP notifications received.

Support reference 78695

A bandwidth anomaly on link aggregates and on VLANs in the link aggregates, which was reported in the ifSpeed and ifHighSpeed OIDs of the IF-MIB MIB, has been fixed.

Connecting to the web administration interface with certificate-based authentication

Support reference 79815

On firewalls with a configuration that included several LDAP directories, if an administrator with an account from one of the secondary directories authenticated via certificate, the authentication would fail. This issue has been fixed.

SSH connection - Password containing the $ character

Support reference 82949

Passwords containing the $ character (e.g., pas$$word) can now be saved correctly. Users connecting via SSH therefore no longer need to add an escape character \ before each $ character when they enter their passwords.

High availability

Support reference 82211

The ARP cache clearing mechanism, a high availability option, has been enhanced to remove entries at the right moment. Before this fix, such entries were occasionally deleted too early, potentially causing delays in the recovery of some network traffic streams.

High availability - Diffusion Restreinte mode

Enabling Diffusion Restreinte mode in Stormshield Management Center on a high availability configuration (either by direct activation or by restoring a configuration) now makes the passive member of the cluster restart correctly.

High availability (HA) and link aggregation

Support references 82211 - 82855

In high availability configurations:

  • That use link aggregates linked to a network switch,
  • On which the option Enable link aggregation when the firewall is passive is enabled,
  • And for which each member of the aggregates affects the calculation of the quality index (LACPMembersHaveWeight parameter set to 1 via the CLI/SERVERD commands CONFIG HA CREATE or CONFIG HA UPDATE),

when the switch is lost and subsequently recovered, random switchovers (swaps of the active and passive roles) could occur within the cluster. This issue has been fixed.

Filtering and NAT

Support references 81369 - 83651

When a NAT policy containing many rules was reloaded, network packets could be lost. An optimization mechanism that prevents such packet loss can be enabled using the CLI/Serverd command CONFIG PROTOCOL IP COMMON IPS CONFIG, by adding the natdiff parameter to the existing parameters of the OptimizeRuleMatch option.

Use the following parameters in a default configuration: OptimizeRuleMatch=equal,diff,cache,natdiff.
Any changes must then be confirmed with the command CONFIG PROTOCOL IP ACTIVATE.

Do note that this mechanism is disabled by default.

NAT - VLANs

Support reference 79759

In configurations that support several VLANs on the same physical interface, and which implement NAT with ARP publication on the same VLANs, GARP (Gratuitous ARP) packets would occasionally be sent by mistake on only one of these VLANs. This issue has been fixed.

Firewalls equipped with a TPM

Support reference 83580

Known PCRs (Platform Configuration Registers) on the TPM may occasionally be modified after a firmware update, invalidating the policy that grants access to secrets stored in the TPM.
The CLI/Serverd command SYSTEM TPM PCRSEAL tpmpassword=<password> [serial=(<serial>|passive|active|local)] was added so that this access policy can be updated by storing the new acceptable PCR values in the TPM; it is run from the CLI console module of the web administration interface.
In high availability configurations, this command can also make it possible to select the member of the cluster on which this operation must be performed.

Intrusion prevention

Intrusion prevention engine performance

Support references 76810 - 77932

Changes have been made to the mechanism that allocates memory to connections for the intrusion prevention engine in order to improve its performance.

Intrusion prevention engine statistics

Support references 79713 - 82437 - 81466

The mechanism that manages the statistics of the intrusion prevention engine has been optimized. These changes help to prevent potential packet loss when these statistics are recurrently processed on a firewall that handles heavy network traffic.

IP protocol

Support reference 79787

Whenever the firewall received fragmented IP packets, an anomaly occurring when the packets are rewritten during the protocol analysis would cause the destination host to not receive the first fragment when the re-sent packet was smaller than the original packet. This issue has been fixed.

DNS protocol

Support reference 82274

"Possible DNS rebinding attack" (dns:154) alarms were wrongly raised during the protocol analysis of DNS traffic originating from Microsoft hosts. This issue has been fixed.

Support references 79494 - 80912

The DNS traffic protocol analysis engine was sensitive to the case used in DNS server responses and would raise the “DNS query mismatch” alarm (dns:151) whenever the case of the name in the response differed from the one used in the query. This behavior has been changed to comply with RFC 1035, RFC 8490 and RFC 4343, which define domain name comparison as case-insensitive for ASCII letters.
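The comparison rule behind this fix, shown as an added example rather than Stormshield's own engine code: a minimal parser for the question section of a DNS message and a query/response name check that folds only ASCII letters, as RFC 4343 requires (non-ASCII octets are compared exactly). The message builder, names and transaction IDs are constructed samples.

```python
"""Case-insensitive query/response name matching for DNS (added example)."""
import struct
from typing import List, Optional, Tuple

HEADER_LEN = 12
QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b''
    for label in name.rstrip('.').split('.'):
        raw = label.encode('latin-1')  # keep non-ASCII octets as-is
        if not 0 < len(raw) < 64:
            raise ValueError('label length must be 1..63')
        out += bytes([len(raw)]) + raw
    return out + b'\x00'


def build_message(txid: int, qname: str, qtype: int = QTYPE_A, response: bool = False) -> bytes:
    """Build a one-question DNS message; responses carry no answer records here."""
    flags = 0x8180 if response else 0x0100  # QR/RD/RA vs. RD only
    header = struct.pack('!HHHHHH', txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack('!HH', qtype, QCLASS_IN)


def parse_question(msg: bytes) -> Tuple[int, List[bytes], int, int]:
    """Return (txid, labels, qtype, qclass) of the single question in msg."""
    txid, _flags, qdcount = struct.unpack('!HHH', msg[:6])
    if qdcount != 1:
        raise ValueError('expected exactly one question')
    pos = HEADER_LEN
    labels: List[bytes] = []
    while True:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError('compression pointer not allowed in question name')
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length])
        pos += length
    qtype, qclass = struct.unpack('!HH', msg[pos:pos + 4])
    return txid, labels, qtype, qclass


def _fold(octet: int) -> int:
    # RFC 4343: only ASCII 'A'..'Z' fold to lower case; every other octet is literal.
    return octet + 32 if 0x41 <= octet <= 0x5A else octet


def labels_equal(a: bytes, b: bytes) -> bool:
    """Compare two labels the way DNS requires: ASCII-case-insensitive."""
    return len(a) == len(b) and all(_fold(x) == _fold(y) for x, y in zip(a, b))


def qname_mismatch(query: bytes, response: bytes) -> Optional[str]:
    """Return None when the response answers the query, else the reason."""
    q_txid, q_labels, q_type, q_class = parse_question(query)
    r_txid, r_labels, r_type, r_class = parse_question(response)
    if q_txid != r_txid:
        return 'txid mismatch'
    if len(q_labels) != len(r_labels) or not all(
            labels_equal(x, y) for x, y in zip(q_labels, r_labels)):
        return 'name mismatch'
    if (q_type, q_class) != (r_type, r_class):
        return 'type/class mismatch'
    return None


# Constructed sample exchange: the server echoes the name with different case,
# which is legitimate and must not be treated as a mismatch.
QUERY = build_message(0x1234, 'www.example.com')
RESPONSE_SAME_CASE = build_message(0x1234, 'www.example.com', response=True)
RESPONSE_MIXED_CASE = build_message(0x1234, 'WWW.eXaMpLe.COM', response=True)
RESPONSE_OTHER_NAME = build_message(0x1234, 'www.example.org', response=True)

if __name__ == '__main__':
    for label, resp in (('same case', RESPONSE_SAME_CASE),
                        ('mixed case', RESPONSE_MIXED_CASE),
                        ('other name', RESPONSE_OTHER_NAME)):
        print(f'{label}: {qname_mismatch(QUERY, resp) or "match"}')
```

Mixed-case echoes are common: resolvers that randomize the case of query names (the "0x20" technique) rely on the server copying the question back bit-for-bit, so an inspection engine that compares names byte-for-byte breaks legitimate traffic instead of catching an attack.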

RDP protocol in COTP

Support reference 81814

When RDP traffic encapsulated in COTP, sent to Microsoft Windows servers through a connection broker, is analyzed, the block alarms "COTP: invalid message length" (cotp:385) and "Invalid COTP protocol" (cotp:379) are no longer wrongly raised.

SIP

Support reference 82964

An anomaly in the SIP protocol analysis engine, which could cause the firewall to freeze, has been fixed.

Firewall administration

Support reference 78531

An anomaly during the initialization of the monitoring library would sometimes unexpectedly restart the firewall's administration service. As such, the response time for administration sessions via the web interface or the SSH console would become longer. This anomaly has been fixed and additional information has been provided in advanced logs (verbose mode).

Intrusion prevention engine

Support reference 81690

Whenever the intrusion prevention engine received certain interrupt signals, it would stop writing the additional logs (core files) that make it possible to identify why the engine restarted. This issue has been fixed.

Reputation/location information queues

Whenever a host reputation request is submitted and the reputation/location information queue is full, the right alarm is now raised (“Possible attack on capacity”). Statistics indicating that the queue is full are also correctly updated.

SMB/CIFS protocol

Support reference 83660

The SMB/CIFS protocol analysis engine now takes into account the padding bytes at the end of SMB packets, which fixes an analysis anomaly.

Web administration interface

Quality of Service (QoS)

During the check that determines whether a QoS queue is in use, when no valid object was found, the resulting information messages would not display special characters (e.g., apostrophes, accents, etc.) correctly. This issue has been fixed.

SSL filtering - URL filtering

Support references 80809 - 80813

Due to an anomaly in the system command run when the mouse hovers over URL category groups or certificate category groups, the message “This object does not exist” would wrongly appear. This anomaly has been fixed.

Configuration

Support reference 82560

Administrators who held all privileges (other than the super-administrator admin account) could no longer access the Configuration panel in the web administration interface. This regression appeared in SNS version 4.2.1 and has since been fixed.

Configuration - NTP servers

Support reference 81719

The authentication keys associated with NTP servers can now be edited again. This regression appeared in SNS version 4.2.1.

IPsec - Local and global policies

Support reference 82376

It was no longer possible to rename an object in the local IPsec policy, then switch to the global IPsec policy and rename an object in it (and vice versa). This regression appeared in SNS version 4.2.1 and has since been fixed.

IPsec - Diffie-Hellman groups

When an IKE/IPsec profile is created, the Diffie-Hellman group suggested by default is now DH14 (2048-bit MODP) and no longer DH1 (768-bit MODP, which is considered weak).

IPsec - Check peer usage

In the Configuration module > VPN > IPsec VPN, Peers tab, the function that makes it possible to check the usage of a peer in the firewall configuration (by right-clicking on the peer in question) now takes more factors into account in its verification.

IPsec VPN - Certificate-based authentication

Support reference 83287

When displaying the properties of an IPsec peer that uses certificate-based authentication, the CA that issued the selected certificate would not be displayed. This anomaly has been fixed and the Certificate field is shown as <CA>:<Certificate>.

Network objects

Support reference 79812

When a port range object is being created, simply changing the type of object to create to a port object would still result in a port range object being created. This issue has been fixed.

Support reference 80539

A window indicating that a network object had been modified would occasionally appear by mistake when the Network objects module was used. This issue has been fixed.

Firewall administration

Support reference 78529

In the Administration tab of the Configuration module, when a host allowed to access the firewall’s administration pages was created directly, the host was correctly added to the object database, but would not automatically appear in the list of hosts allowed. This issue has been fixed.

Monitoring - IPsec VPN tunnels

In Monitoring - IPsec VPN tunnels, the link to the configuration of the policy associated with an IPsec tunnel (available by right-clicking on the tunnel), now takes into account the fact that the linked policy is global or local and redirects to the corresponding policy.

Network interfaces

Support reference 83039

Manual changes to the MAC address of a network interface are now reflected in the display of the Interfaces module.

Certificates and PKI

Support reference 83828

In the details of a certificate, the “subject” field had been wrongly renamed “issuer” since version 4.0.1. This anomaly has been fixed.

Support reference 83709

Attempts to download an imported certificate or CRL issued by a sub-CA imported on the firewall would fail with the “Certification authority not found” system error message. This issue has been fixed.

Support reference 83570

Any attempt to verify the use of a certificate imported on the firewall would fail with the “No valid certificate found” system error message. This issue has been fixed.

Support reference 82474

When several identities issued by the same external CA were imported on the firewall, the CA’s tree would contain errors and the modules that made it possible to handle certificates (certificates and PKI, IPsec VPN, etc.) would display this CA as many times as the number of imported identities. This regression appeared in SNS version 4.1 and has since been fixed.

Firewalls with a TPM (SNi20, SN3100) - Enabling IPv6

Support reference 83578

When the TPM has been initialized on SNi20 or SN3100 firewalls, the TPM password is now required to enable IPv6 support, so that the configuration can be correctly backed up without triggering the “TPM operation error: unauthorized” system error message.

Proxies

Support reference 84079

A new certificate signing CA could not be chosen for the proxy when the new CA had the same password as the old CA. This regression appeared in SNS version 4.2 and has since been fixed.