SNS version 4.3.37 LTSB bug fixes

System

Proxy

Previously, submitting files with excessively long names to sandboxing (Breach Fighter) would cause the proxy to shut down unexpectedly. This issue has been fixed. This regression appeared in SNS version 4.3.23.

SSL VPN

Support reference 85942

SSL VPN tunnels are now kept up following an SNS firmware update even if the CRL of a sub-CA has expired.

High availability

Support reference 85747

Error logs are no longer generated when a cluster is connected to SMC version 3.2.3 or higher, or when the retrieval of information on a firewall in the cluster is forced.

LDAP directory

Support reference 86089

The use of global host objects to configure an LDAP directory, as announced in SNS version 4.3.35 LTSB, is now fully operational.

Extended Web Control (EWC)

A new implicit rule has been added to guarantee access to the Extended Web Control (EWC) server when the source address is forced with the bindaddr argument in a CLI/Serverd command. This implicit rule also prevents such traffic from passing through the intrusion prevention engine. The new rule can be seen in Configuration > Security policy > Implicit rules.

Intrusion prevention engine

OPC UA protocol

The NodeID inspection by the OPC UA protocol analysis engine has been modified to comply with protocol specifications, and no longer causes valid OPC UA packets to be wrongly blocked.

Broadcast mode

Support reference 85763

The handling of fragmented packets sent over a bridge in broadcast mode has been improved so that such packets are no longer blocked.

Managing users

Support reference 85999

Previously, when connections were purged, a search was launched to link each connection's source IP address to a user, if any. This user search is now performed when the connection is created, which avoids the latency. This regression appeared in SNS version 3.4.0.

TCP connections

Support reference 85712

The bug fix included in SNS version 4.3.33 has been supplemented to cover other scenarios in which ACK packets are sent in a loop over TCP connections that go through the proxy.

NAT

Previously, when child connections failed, the intrusion prevention system would not correctly release ports used by the NAT. This issue has been fixed. This regression appeared in SNS version 4.3.24.