SNS version 4.3.35 LTSB bug fixes

System

TLS proxy

Support reference 85895/85961

Sessions cached in the TLS proxy would sometimes cause the proxy to shut down unexpectedly or to consume excessive memory. This issue has been fixed.

IPsec VPN

Support reference 85831

The limit on the maximum number of tasks handled by the IPsec VPN tunnel manager now applies only when Denial of Service (DoS) protection is enabled. In addition, the engine no longer needs to be restarted when the limit is reached.

Support reference 85717

When IPsec VPN tunnels that use virtual interfaces (VTIs) were deployed through SMC, they were negotiated before the deployment had finished, and so were not operational. This issue has been fixed.

OpenVPN

Support reference 85704

VPN tunnels can now be set up again with OpenVPN in version 2.6.8 and higher (Stormshield SSL VPN client in version 4.0.0 and higher). The encryption algorithm used is either AES-256-GCM or AES-128-GCM, not the OpenVPN client's algorithm.

Length of the additional alarm message of the l_alarm log

Support reference 85621

The additional alarm message of l_alarm logs is now limited to 512 characters. An ellipsis is now appended to the end of a message when it is truncated.

LDAPS server

Support reference 85766

Global host objects can now be used to configure an LDAPS server.

Certificates and PKI

Support reference 85968

When a CA has a single sub-CA with a single certificate, and both have CRLDPs, the CLI/Serverd command SYSTEM CHECKCRL can now retrieve the sub-CA's CRL.

Bypass

Support reference 85358

When a firewall with bypass mode enabled is powered up again, the connection is now suspended for no more than six seconds.

Filter - NAT

Support reference 82534

An anomaly while exporting NAT rules into a CSV file has been fixed: the export now factors in the contents of the Protocol column.

Support reference 85713

Previously, some filter policies that worked in SNS 3.11 versions would fail to load in SNS version 4.3, thereby blocking traffic passing through the firewall. Such filter policies now load, but a warning message appears when the configuration is confirmed in Configuration > Security policy > Filter - NAT.

Support reference 85677

When IPv6 is enabled, an error in the filter rule optimization mechanism would occasionally make some filter rules non-operational. This issue has been fixed.

Logs

Support reference 84831/85632

An unavailable log manager no longer wrongly causes the intrusion prevention engine to freeze temporarily.

IPFIX collector - Network connection logs

Support reference 85054

Network connection logs are now sent to the IPFIX collector whenever they originate from a filter policy rule with Firewall as its inspection level.

PKI

Support reference 85798

Previously, the DN of certificates created with the command PKI EST QUERY and the DN of certificates created with the commands PKI CERTIFICATE CREATE, PKI REQUEST CREATE and PKI CA CREATE did not use the same encoding, which caused compatibility issues with special characters and with third-party PKI programs. This issue has been fixed.

Backup server

Support reference 86010

The name of the object that is used as the backup server can now contain up to 255 characters.

Intrusion prevention engine

Black list

Support reference 85782

The maximum number of blacklisted IP addresses is now enforced and can no longer be exceeded.

IPS connections

Support reference 85716/85718

When one or several sub-networks are used, the intrusion prevention system no longer blocks IPS connections when the protocol alarm "Packet for destination on the same interface" (ip:95) is set to Allow.

DCERPC protocol

Support reference 85661

Previously, when connections set up with the DCERPC protocol failed, the intrusion prevention system did not correctly release the associated ports. This issue has been fixed.

Hosts

Previously, the maximum number of reserved hosts and the number of hosts in general were the same, which could affect the firewall's performance. This issue has been fixed.

Web administration interface

Static DHCP interface

Support reference 85534

DHCP interfaces can no longer be made static when a DNS name object or the associated Firewall_ifname_router object is used in a filter or NAT rule, as doing so would prevent the firewall from loading the filter or NAT policy.