SNS version 4.3.30 LTSB bug fixes

System

Certificates and PKI - Syslog server

Corrections have been made to the CRL verification mechanism so that the firewall no longer connects to, and sends logs to, a syslog server that presents a revoked certificate.

Quality of Service (QoS)

Support reference 85590

An issue that could cause the firewall to freeze when a QoS queue was deleted has been fixed.

Automatic backups and TPM

Support reference 84907

After the hardening of the operating system, automatic backups on firewalls equipped with an initialized TPM function correctly once again without raising the alarm "TPM operation not permitted".

Automatic backups - Custom server

On firewalls that use automatic configuration backups to a custom server that was authenticated with a certificate, clicking on Check usage in Objects > Certificates and PKI after having selected this certificate now correctly indicates that this certificate is being used in the firewall configuration. Likewise, this certificate cannot be deleted without raising an error.

IP reputation - Storage devices

Support references 84495 - 84933 - 85038 - 85081 - 85213

The mechanism that opens IP reputation metadata files has been modified to restrict the number of times the storage device can be accessed. In some cases, when the disk is accessed too often, the firewall would unexpectedly restart.

SD-WAN

Priority calculations have been revised to prevent gateways from being switched too frequently. Downgraded gateways are therefore no longer ranked against each other on a status scale. The gateway selection mechanism now follows these rules:

  • Active gateways take priority over downgraded gateways,
  • Main gateways take priority over backup gateways.
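The two rules above, modelled as an added example (not Stormshield code): ranking is active before downgraded, then main before backup, with no further ordering among downgraded gateways, and a tie keeps the current gateway so that it does not cause a switch. Gateway names and the status-change events are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence, Tuple

# Added example, not Stormshield code: a model of the SD-WAN gateway
# selection rules given in the release notes. Names are constructed.

@dataclass(frozen=True)
class Gateway:
    name: str
    main: bool            # False -> backup gateway
    active: bool = True   # False -> downgraded (SLA not met)

def rank(gw: Gateway) -> Tuple[bool, bool]:
    """Higher tuple wins: active beats downgraded, then main beats backup.
    Deliberately no third component: downgraded gateways are not ranked
    against each other (no status scale)."""
    return (gw.active, gw.main)

def select_gateway(gateways: Sequence[Gateway],
                   current_name: Optional[str] = None) -> Gateway:
    """Pick the gateway to route through. If the current gateway ranks
    as high as the best candidate, keep it: a tie never triggers a switch."""
    best = max(gateways, key=rank)
    for gw in gateways:
        if gw.name == current_name and rank(gw) == rank(best):
            return gw
    return best

def simulate(gateways: Sequence[Gateway],
             events: Sequence[Tuple[str, bool]]) -> List[str]:
    """Apply (gateway name, active flag) status changes in order and return
    the name of the selected gateway initially and after each event."""
    state = {gw.name: gw for gw in gateways}
    current = select_gateway(list(state.values())).name
    history = [current]
    for name, active in events:
        state[name] = replace(state[name], active=active)
        current = select_gateway(list(state.values()), current).name
        history.append(current)
    return history

if __name__ == "__main__":
    gws = [Gateway("gw_main", main=True), Gateway("gw_backup", main=False)]
    # main degrades -> active backup wins; backup degrades too -> main wins
    # again (main beats backup among downgraded); main recovers -> stays.
    print(simulate(gws, [("gw_main", False), ("gw_backup", False), ("gw_main", True)]))
```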

Intel interfaces using the igc kernel module

Support reference 85486

When a VLAN is configured on an interface that uses the igc kernel module, and the interface is included in a bridge with the option Keep initial routing/Keep VLAN IDs enabled, packets from other VLANs crossing the bridge are no longer wrongly rejected.

This applies to the following firewall models and firewalls equipped with these network modules:

  • Firewalls: SN-S-Series-220, SN-S-Series-320, SN-M-Series-520, SN-M-Series-720 and SN-M-Series-920.
  • Modules: NA-EX-CARD-8x2_5G-C (8 x 2.5 Gb copper Ethernet) and NC-1-8x2_5G-C (8 x 2.5 Gb copper Ethernet).

Configuration

When a firewall with a defective disk is updated, the configuration file folder will no longer be deleted, as this would make the firewall unreachable.

SN160(W)/SN210(W)/SN310 model firewalls

Support references 84495 - 84933 - 85038 - 85081 - 85213

Changes have been made to the mechanism that calculates Security and System indicators, in order to reduce the number of times disks are accessed. The mechanism would previously cause SN160(W)/SN210(W)/SN310 model firewalls to unexpectedly restart.

Syslog - TLS 1.3

Support reference 85579

When logs are sent via syslog using TLS 1.3, the operation no longer fails when the certificate used for authentication was signed by a subordinate CA.

Static multicast routing in VLANs

Support reference 85562

An issue causing random disruptions to statically routed multicast traffic in VLANs has been fixed.

Telemetry

An issue with concurrent access, which could cause the telemetry manager to shut down unexpectedly, has been fixed.

IPsec VPN - Certificate-based authentication

Support reference 85607

After the IPsec tunnel manager was updated, the firewall would wrongly interpret the SerialNumber as the Surname, thereby preventing IPsec tunnels from being set up. This issue has been fixed.

IPsec VPN in DR mode - UDP encapsulation and dynamic NAT

Support reference 85629

Tunnels configured in DR mode with UDP encapsulation enabled, where the source port of one peer's traffic is translated (dynamic NAT), can now be set up correctly: the remote firewall detects that the traffic needs to be encapsulated in UDP.

GRE/GRETAP encapsulation in an IPsec tunnel

Support reference 85626

GRE/GRETAP packets can once again be encapsulated in an IPsec tunnel. This regression appeared in SNS version 4.3.24.

SSL VPN

Support reference 85485

In certificate-based SSL VPN tunnels, the SSL VPN monitoring module now presents only established connections.

Virtual EVA firewalls deployed on the Linux KVM hypervisor

Support reference 85722

When a virtual machine is suddenly shut down while being configured on a KVM hypervisor, it no longer corrupts some of its configuration files.

Network

BIRD dynamic routing

Support reference 85322

Issues that occurred while adding a default route on a protected interface, or when an interface switches from public to protected with a default route added by BIRD, have been fixed.

These issues would wrongly add the network 0.0.0.0/0 or 0.0.0.0/32 to the table of protected addresses. This would then wrongly raise an alarm regarding an IP spoofing attempt, which could cause legitimate traffic to be dropped.

Intrusion prevention engine

Connection management

Support reference 85370

An issue in the way connections are managed by the intrusion prevention engine, which could cause the firewall to restart unexpectedly, has been fixed.