Version 4.3.3 bug fixes
Support reference 78214
Site-to-site IPsec tunnels with all as the source traffic object no longer wrongly activate the sending of keepalive packets with the broadcast address (255.255.255.255) as the source address. Such packets were blocked because the alarm “Broadcast address used in source address” (ip:89) was raised.
Do note that this anomaly did not disrupt legitimate traffic in IPsec tunnels.
Support reference 82729
Whenever a certificate was identified by a name (DN - Distinguished Name) longer than 128 characters, the firewall would retain only the first 128 characters. The deployment of an IPsec configuration via SMC with such a certificate would therefore fail because the DNs of the certificates do not match.
The maximum size has been raised to 240 characters, the technical limit.
Support reference 81471
In configurations using IPsec VPN tunnels that handle a high network load, when an ARP entry expires, network packets will no longer be lost.
Support reference 81691
Due to an anomaly in the sequencing of processes/threads when priority is dynamically changed, packets would sometimes get lost on firewalls handling heavy traffic. This anomaly has been fixed.
Support reference 83059
IPsec tunnels in which a peer has a name that contains an accented character can now be correctly set up again. This regression appeared in SNS version 4.2.
IPsec VPN IKEv2
Support reference 79713
The reauthentication of an IPsec IKEv2 tunnel in phase 1 would sometimes end too quickly, causing legitimate packets to be wrongly rejected. To prevent this situation, a new setting can be used to delete the older IKE SA later.
IPsec VPN - Certificates
Support references 78593 - 78611 - 73609
For IPsec peers that were deployed via SMC (global IPsec policy) and used certificates defined locally on the firewall, the certificates used were not shown in details of peers. This issue has been fixed.
Support reference 81349
The OpenVPN daemon would sometimes shut down unexpectedly, logging out all users connected via the SSL VPN as a result. This issue has been fixed.
Support reference 79295
Proxies and proxy-based modules (URL classification, etc.) now correctly manage certificates that contain both an emptySubject field and a filled in Subjectaltname field.
Support reference 75064
Configurations containing several hundred interfaces (e.g., virtual interfaces, VLAN interfaces, etc.) would cause excessive CPU consumption after the network interface configuration file was repeatedly reloaded.
Support reference 78563
Data relating to the host reputation function no longer consumes an excessive amount of disk space. This issue prevent reports from being displayed.
The host reputation database must be reinitialized to apply this fix (Application protection module > Host reputation > Reset scores for all hosts in the database button).
UDP Kerberos authentication
Support reference 78725
The UDP-based Kerberos authentication method no longer worked from SNS version 4.0.3 onwards after support for FAST pre-authentication was introduced in this method (RFC6113). This issue has been fixed.
Authentication to an LDAPS server
The firewall was occasionally unable to authenticate on an LDAPS server when a certificate signed by a CA with a CRL was presented. This issue has been fixed.
Initial configuration via USB key
Support reference 81713
When a firewall is configured via USB key, changes to the reference time zone specified in the additional configuration file in CSV format is now correctly applied.
Network objects - Importing with CSV files
Support reference 78683
Network objects imported via CSV files are now immediately factored into the firewall's configuration.
Support reference 72728
An issue with scheduled automatic updates that were not applied, occurring whenever the update frequency of a subsystem (antivirus definitions, etc.) was changed, has been fixed.
Whenever a specific port is indicated in an Active Update customized URL, it will now be correctly applied.
Support reference 77428
The %STATE% macro, which can be used in the event scheduler, is now operational and returns the expected values.
Support references 75125 - 75126
An issue with alarms being wrongly raised over the disk status of firewalls has been fixed.
Interface monitoring - VLANs and aggregates
Support reference 80066
For VLANs attached to interfaces that are included in aggregates, the right throughput is now shown in the interface monitoring module, and no longer remains frozen at 10 Mb/s.
ICMP - IPv6
Support reference 82547
In configurations that use IPv6, an issue with competing access could make the firewall freeze whenever it received “destination unreachable” ICMP packets. This issue has been fixed.
The PPTP server that enables the setup of tunnels between a PPTP client and the firewall now functions again. This regression appeared in SNS version 4.2.
Access to the console via a serial port
Support references 82054 - 81429
On firewall models other than SN210(W) and SN310, access to the console via a serial port no longer made it possible to interrupt the startup sequence to change the password of the admin account in single user mode. This issue has been fixed.
Issues with competing access, which can cause the service to shut down, have been fixed in the mechanism that verifies the number of SNMP notifications received.
Support reference 78695
A bandwidth anomaly on link aggregates and on VLANs in the link aggregates, which was reported in the ifSpeed and ifHighSpeed OIDs of the IF-MIB MIB, has been fixed.
Connecting to the web administration interface with certificate-based authentication
Support reference 79815
On firewalls with a configuration that included several LDAP directories, if an administrator with an account from one of the secondary directories authenticated via certificate, the authentication would fail. This issue has been fixed.
SSH connection - Password containing the $ character
Support reference 82949
Passwords containing the $ character (e.g., pas$$word) can now be saved correctly. Users connecting via SSH therefore no longer need to add an escape character \ before each $ character when they enter their passwords.
Support reference 82211
The ARP cache clearing mechanism, a high availability option, has been enhanced to remove entries at the right moment. Before this fix, such entries were occasionally deleted too early, potentially causing delays in the recovery of some network traffic streams.
High availability - Diffusion Restreinte mode
Enabling Diffusion Restreinte mode in Stormshield Management Center on a high availability configuration (either by direct activation or by restoring a configuration) now makes the passive member of the cluster restart correctly.
High availability (HA) and link aggregation
Support references 82211 - 82855
In high availability configurations:
- That use link aggregates linked to a network switch,
- On which theoption Enable link aggregation when the firewall is passive is enabled,
- And for which each member of the aggregates affects the calculation of the quality index (LACPMembersHaveWeight parameter set to 1 via the CLI/SERVERD commands CONFIG HA CREATE or CONFIG HA UPDATE),
when the switch is lost and subsequently recovered, random swaps may occur within the cluster. This issue has been fixed.
Filtering and NAT
Support references 81369 - 83651
When a NAT policy containing many rules is reloaded, network packets may get lost. An optimization mechanism that prevents such packet loss can be enabled using the CLI/Serverd command CONFIG PROTOCOL IP COMMON IPS CONFIG, by adding the natdiff parameter to the existing parameters in the OptimizeRuleMatch option.
Use the following parameters in a default configuration: OptimizeRuleMatch=equal,diff,cache,natdiff.
Any changes must then be confirmed with the command CONFIG PROTOCOL IP ACTIVATE.
Do note that this mechanism is disabled by default.
NAT - VLANs
Support reference 79759
In configurations that support several VLANs on the same physical interface, and which implement NAT with ARP publication on the same VLANs, GARP (Gratuitous ARP) packets would occasionally be sent by mistake on only one of these VLANs. This issue has been fixed.
Firewalls equipped with a TPM
Support reference 83580
Known PCRs (Platform Configuration Registers) on the TPM may occasionally be modified after a firmware update, invalidating the policy that grants access to secrets stored in the TPM.
The CLI/Serverd command SYSTEM TPM PCRSEAL tpmpassword=<password> [fwserial=(<serial>|passive|active|local)] was created so that this access policy can be updated by saving the new acceptable PCR values in the TPM from the web administration interface via the CLI console module.
In high availability configurations, this command can also make it possible to select the member of the cluster on which this operation must be performed.
Intrusion prevention engine performance
Support references 76810 - 77932
Changes have been made to the mechanism that allocates memory to connections for the intrusion prevention engine in order to improve its performance.
Intrusion prevention engine statistics
Support references 79713 - 82437 - 81466
The mechanism that manages the statistics of the intrusion prevention engine has been optimized. These changes help to prevent potential packet loss when these statistics are recurrently processed on a firewall that handles heavy network traffic.
Support reference 79787
Whenever the firewall received fragmented IP packets, an anomaly occurring when the packets are rewritten during the protocol analysis would cause the destination host to not receive the first fragment when the re-sent packet was smaller than the original packet. This issue has been fixed.
Support reference 82274
"Possible DNS rebinding attack" (dns:154) alarms were wrongly raised during the protocol analysis of DNS traffic originating from Microsoft hosts. This issue has been fixed.
Support references 79494 - 80912
The DNS traffic protocol analysis engine was sensitive to the case used in DNS server responses and would raise the “DNS query mismatch” alarm (dns:151) whenever the case was different from the one used in the request. This reaction has been changed in order to be compatible with 1035, 8490 and 4343.
RDP protocol in COTP
Support reference 81814
When RDP packets are analyzed in COTP, going to Microsoft Windows servers and passing through a connection broker, the block alarms "COTP: invalid message length" (cotp:385) and "Invalid COTP protocol" (cotp:379) are no longer raised.
Support reference 82964
An anomaly in the SIP protocol analysis engine, which could cause the firewall to freeze, has been fixed.
Support reference 78531
An anomaly during the initialization of the monitoring library would sometimes unexpectedly restart the firewall's administration service. As such, the response time for administration sessions via the web interface or the SSH console would become longer. This anomaly has been fixed and additional information has been provided in advanced logs (verbose mode).
Intrusion prevention engine
Support reference 81690
Whenever the intrusion prevention engine received certain interruption signals, it would stop writing additional logs (core files) making it possible to identify why the engine restarted. This issue has been fixed.
Reputation/location information queues
Whenever a host reputation request is submitted and the reputation/location information queue is full, the right alarm is now raised (“Possible attack on capacity”). Statistics indicating that the queue is full are also correctly updated.
Support reference 83660
An anomaly was fixed after the SMB/CIFS protocol analysis engine factored in the padding bytes at the end of SMB packets.
Web administration interface
Quality of Service (QoS)
During the verification to determine the usage of a QoS queue, and when no valid object was found, the resulting information messages would have issues displaying special characters (e.g., apostrophes, accents, etc.) This issue has been fixed.
SSL filtering - URL filtering
Support references 80809 - 80813
Due to an anomaly in the system command used when the mouse is scrolled over URL category groups or certificate categories groups, the message “This object does not exist” would wrongly appear. This anomaly has been fixed.
Support reference 82560
Administrators who held all privileges (other than the super-administrator admin account) could no longer access the Configuration panel in the web administration interface. This regression appeared in SNS version 4.2.1 and has since been fixed.
Configuration - NTP servers
Support reference 81719
The authentication keys associated with NTP servers can now be edited again. This regression appeared in SNS version 4.2.1.
IPsec - Local and global policies
Support reference 82376
It was no longer possible to rename an object in the local IPsec policy, then switch to the global IPsec policy and rename an object in it (and vice versa). This regression appeared in SNS version 4.2.1 and has since been fixed.
IPsec - Diffie-Hellman groups
When an IKE/IPsec profile is created, the Diffie-Hellman group suggested by default is now DH14 (the most secure) and no longer DH1.
IPsec - Check peer usage
In the Configuration module > VPN > IPsec VPN, Peers tab, the function that makes it possible to check the usage of a peer in the firewall configuration (by right-clicking on the peer in question) now takes more factors into account in its verification.
IPsec VPN - Certificate-based authentication
Support reference 83287
When displaying the properties of an IPsec peer that uses certificate-based authentication, the CA that issued the selected certificate would not be displayed. This anomaly has been fixed and the Certificate field is shown as <CA>:<Certificate>.
Support reference 79812
When a port range object is being created, simply changing the type of object to create to a port object would still result in a port range object being created. This issue has been fixed.
Support reference 80539
A window indicating that a network object had been modified would occasionally appear by mistake when the Network objects module was used. This issue has been fixed.
Support reference 78529
In the Administration tab of the Configuration module, when a host allowed to access the firewall’s administration pages was created directly, the host was correctly added to the object database, but would not automatically appear in the list of hosts allowed. This issue has been fixed.
Monitoring - IPsec VPN tunnels
In Monitoring - IPsec VPN tunnels, the link to the configuration of the policy associated with an IPsec tunnel (available by right-clicking on the tunnel), now takes into account the fact that the linked policy is global or local and redirects to the corresponding policy.
Support reference 83039
Manual changes to the MAC address of a network interface are now saved in the display of the Interfaces module.
Certificates and PKI
Support reference 83828
In the details of a certificate, the “subject” field had been wrongly renamed “issuer” since version 4.0.1. This anomaly has been fixed.
Support reference 83709
Attempts to download an imported certificate or CRL issued by a sub-CA imported on the firewall would result in a failure and “Certification authority not found” system error message. This issue has been fixed.
Support reference 83570
Any attempt to verify the use of a certificate imported on the firewall would result in a failure and “No valid certificate found” system error message. This issue has been fixed.
Support reference 82474
When several identities issued by the same external CA were imported on the firewall, the CA’s tree would contain errors and the modules that made it possible to handle certificates (certificates and PKI, IPsec VPN, etc.) would display this CA as many times as the number of imported identities. This regression appeared in SNS version 4.1 and has since been fixed.
Firewalls with a TPM (SNi20, SN3100) - Enabling IPv6
Support reference 83578
When the TPM has been initialized on SNi20 or SN3100 firewalls, the TPM password is now required to enable IPv6 support, so that the configuration can be correctly backed up without triggering the “TPM operation error: unauthorized” system error message.
Support reference 84079
A new certificate signing CA could not be chosen for the proxy when the new CA had the same password as the old CA. This regression appeared in SNS version 4.2 and has since been fixed.