SNS 4.3.4 bug fixes

System

Authentication - SSL VPN

Support references 78073 - 81741

In a configuration using a main external LDAP directory and a backup external LDAP directory, switching from the main directory to the backup directory would occasionally cause the authentication engine to shut down unexpectedly, preventing uses from accessing the SSL VPN. This issue has been fixed.

Firewall managed from Stormshield Management Center (SMC)

Support reference 81863

When an administrator connects to a firewall from their SMC connecting server, this administrator’s connection identifier will now correctly appear in the right upper banner of the firewall’s web administration interface.

Values of SD-WAN monitoring parameters

To fit most SD-WAN requirements, the default values and values acceptable as availability testing parameters have been changed:

  • Idle timeout: 1s by default (as opposed to 2s prior to SNS 4.3.4),
  • Frequency: 5 seconds by default, with a minimum of 2 seconds (as opposed to 15s prior to SNS 4.3.4),
  • Number of tries: 5 (as opposed to 3 prior to SNS 4.3.4).

Logs - SD-WAN statistics

Support reference 83961

Statistics regarding SD-WAN metrics (latency, jitter, packet loss rate, etc.) are now collected every 10 minutes (instead of 15) to be better synchronized with routing statistics.

VPN logs

Support reference 83792

Anonymized VPN logs (without any specific access privileges granted) would occasionally reveal information about the remote user certificate by mistake (remoteid field). This anomaly has been fixed.

Network configuration

Support reference 84225

When there are two sections with the exact same name in the network configuration file, the mechanism that reloads network parameters would freeze. This issue has been fixed.

Static routing

An anomaly which sometimes prevented some routes from being correctly applied (unroutable gateways) has been fixed.

SD-WAN - Logs

In configurations that use SD-WAN, the system log now indicates what caused the links to switch.

Hardware monitoring - Disks

Support reference 84083

The mechanism that analyzes the results of SMART tests has been adapted to stop raising inappropriate alerts on some SSD references.

SNMP Agent

Support reference 81710

Several anomalies that could cause memory leaks in the SNMP agent have been fixed.

QoS

After a traffic shaper was assigned to an interface, its default queue or default ACK queue could no longer be changed. This anomaly has been fixed.

Defining a CBQ QoS queue by using both an absolute value and a percentage for its min. and max. bandwidth characteristics (or reverse min. and max.) could generate inconsistencies in the QoS configuration and block matching traffic. This type of configuration is now explicitly rejected.

QoS configured in a protocol alarm

Support reference 84237

Renaming a QoS queue that is used in a protocol alarm would make this queue disappear from the alarm configuration and cause a system error. This issue has been fixed.

Web administration interface

High availability

Support reference 83724

When an error occurs while attempting to connect a firewall to a cluster, the web administration interface no longer freezes when the “High Availability configuration in progress” message appears.

IPsec VPN - Encryption profiles

Support reference 84245

When AES-GCM_16 is selected as the phase 1 (IKE) algorithm, the field that makes it possible to specify an authentication algorithm is now grayed out.
As the only authentication method that AES-GCM-16 supports is prfsha256, it will be automatically selected.

Enabling the ANSSI Diffusion Restreinte (DR) mode

Support reference 82914

When DR mode is enabled on an IPsec configuration that does not meet all of this mode’s requirements, the warning message indicating that the IPsec configuration has been disabled now comes with a blinking symbol indicating that the firewall must be manually restarted in order to apply changes (upper right section of the screen).