SNS version 4.3.42 QS bug fixes
System
Bypass mechanism - SNi20/SNi40 industrial firewalls
The bypass now correctly activates once again when the firewall's hardware manager is unexpectedly disrupted. This regression appeared in SNS version 4.3.35.
Logs
Support reference TAC-1101
Memory leaks, which would cause the log manager to unexpectedly freeze, have been fixed.
Support references TAC-1250 - TAC-1277
Memory corruption issues have been fixed to prevent the log manager from unexpectedly freezing when sending telemetry data.
Firewall authentication pages
Support reference TAC-1134
The 'frame-ancestors' CSP directive on the firewall's authentication web pages has been fixed.
RADIUS authentication
Support references TAC-894 - TAC-409
When a client from a group that is assigned by vendor-specific attributes (VSA) attempts to authenticate through RADIUS, the authentication attempt no longer fails, and no longer causes the firewall's authentication management system to unexpectedly shut down.
Network - Interfaces
Support reference TAC-1320
A DHCP-configured interface that has been disabled no longer appears among the objects derived from the interface: Firewall_interface_name, Firewall_all.
Proxy - Antivirus
Support reference TAC-1257
Antivirus analysis on messages that use specific headers created by some mail clients, such as Fetchmail, now functions properly.
Support references TAC-1126 - TAC-1205
An issue, which could cause the firewall to freeze unexpectedly when updating the antivirus database, has been fixed.
Dynamic multicast routing
Support reference TAC-1371
In a configuration that uses an IXL network interface aggregate, when the firewall restarts or the aggregate switches from inactive to active, multicast packets passing through this aggregate will no longer be wrongly blocked.
High availability (HA)
Support reference TAC-1463
Configuration tokens, which describe timeouts when the status of an interface changes during HA quality calculations, now function properly.
Support references TAC-1448 - TAC-1450
The configuration tokens <HAResyncBatchSize> and <HaResyncBatchDelay> can now be added through the command setconf in the configuration of a global IPsec VPN policy (Global/VPN/XX).
Active Updates
Support reference TAC-1151
Global objects found on Active Update servers no longer prevent the update mechanism from functioning properly.
System
Support reference TAC-1123
The [Misc] section in the System/global file, which corresponds to firewall limitations, can now be edited using the file System/global.custom.
Router objects
Support reference TAC-1338
In an SD-WAN configuration that has:
- A router object configured with a nominal gateway and a backup gateway,
- DHCP-assigned addresses on both interfaces that support these gateways,
the interface that supports the active gateway is now correctly updated when the gateway switches, and the intrusion prevention engine no longer restarts in a loop.
System events - High availability
System node name information has been added to HA-related system events.
Stormshield Management Center (SMC) - Firewalls in high availability
Support reference 86231
After a configuration has been deployed on a firewall cluster via SMC, backtracking files are now correctly deleted on the passive firewall. This issue with files not being deleted would cause unexpected and delayed backtracking during a switch in the cluster.
Hardware
SNi20 - Disk-On-Module storage with SATA interface (SATADOM)
Support reference TAC-1263
To prevent any malfunctions, a firmware update of SATADOMs on SNi20 model firewalls is automatically applied when these firewalls are updated to SNS version 4.3.42 QS.
Intrusion prevention engine
TCP protocol
Support reference TAC-1179
The use of the option Enable automatic adjustment of memory allocated to data tracking together with advanced options, such as TCP Selective ACKnowledgment (SACK), no longer wrongly causes a data queue overflow, which is described by the block alarm "TCP data queue overflow" (tcpudp:84).
Support references TAC-1166 - TAC-1254
Issues have been identified and fixed in the code of the intrusion prevention engine. These issues could make the firewall freeze.
Support reference TAC-1315
BIRD dynamic routing
Support references TAC-470 - TAC-404
Only the routes that BIRD sends to the kernel are now retrieved in the table of protected network addresses.