Version 4.3.4 bug fixes
Authentication - SSL VPN
Support references 78073 - 81741
In a configuration using a main external LDAP directory and a backup external LDAP directory, switching from the main directory to the backup directory would occasionally cause the authentication engine to shut down unexpectedly, preventing uses from accessing the SSL VPN. This issue has been fixed.
Firewall managed from Stormshield Management Center (SMC)
Support reference 81863
When an administrator connects to a firewall from their SMC connecting server, this administrator’s connection identifier will now correctly appear in the right upper banner of the firewall’s web administration interface.
Values of SD-WAN monitoring parameters
To fit most SD-WAN requirements, the default values and values acceptable as availability testing parameters have been changed:
- Idle timeout: 1s by default (as opposed to 2s prior to SNS 4.3.4),
- Frequency: 5 seconds by default, with a minimum of 2 seconds (as opposed to 15s prior to SNS 4.3.4),
- Number of tries: 5 (as opposed to 3 prior to SNS 4.3.4).
Logs - SD-WAN statistics
Support reference 83961
Statistics regarding SD-WAN metrics (latency, jitter, packet loss rate, etc.) are now collected every 10 minutes (instead of 15) to be better synchronized with routing statistics.
Support reference 83792
Anonymized VPN logs (without any specific access privileges granted) would occasionally reveal information about the remote user certificate by mistake (remoteid field). This anomaly has been fixed.
Support reference 84225
When there are two sections with the exact same name in the network configuration file, the mechanism that reloads network parameters would freeze. This issue has been fixed.
An anomaly which sometimes prevented some routes from being correctly applied (unroutable gateways) has been fixed.
SD-WAN - Logs
In configurations that use SD-WAN, the system log now indicates what caused the links to switch.
Hardware monitoring - Disks
Support reference 84083
The mechanism that analyzes the results of SMART tests has been adapted to stop raising inappropriate alerts on some SSD references.
Support reference 81710
Several anomalies that could cause memory leaks in the SNMP agent have been fixed.
After a traffic shaper was assigned to an interface, its default queue or default ACK queue could no longer be changed. This anomaly has been fixed.
Defining a CBQ QoS queue by using both an absolute value and a percentage for its min. and max. bandwidth characteristics (or reverse min. and max.) could generate inconsistencies in the QoS configuration and block matching traffic. This type of configuration is now explicitly rejected.
QoS configured in a protocol alarm
Support reference 84237
Renaming a QoS queue that is used in a protocol alarm would make this queue disappear from the alarm configuration and cause a system error. This issue has been fixed.
Web administration interface
Support reference 83724
When an error occurs while attempting to connect a firewall to a cluster, the web administration interface no longer freezes when the “High Availability configuration in progress” message appears.
IPsec VPN - Encryption profiles
Support reference 84245
When AES-GCM_16 is selected as the phase 1 (IKE) algorithm, the field that makes it possible to specify an authentication algorithm is now grayed out.
As the only authentication method that AES-GCM-16 supports is prfsha256, it will be automatically selected.
Enabling the ANSSI Diffusion Restreinte (DR) mode
Support reference 82914
When DR mode is enabled on an IPsec configuration that does not meet all of this mode’s requirements, the warning message indicating that the IPsec configuration has been disabled now comes with a blinking symbol indicating that the firewall must be manually restarted in order to apply changes (upper right section of the screen).