Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Version 4.3.6 bug fixes
URL classification - Extended Web Control (EWC)
Support reference 83619
An anomaly affecting communication with EWC servers would occasionally occur after several unsuccessful attempts to classify a URL. This anomaly has been fixed.
Support reference 83607
Issues with competing access to connection counters, which could cause the proxy to shut down unexpectedly, have been fixed.
IPsec VPN - Protocol selection
Support references 83711 - 83777
Selecting the only protocol allowed to set up an IPsec tunnel (TCP, UDP, ICMP or GRE in the Protocol column of the tunnel grid) would sometimes prevent IPsec tunnels from being monitored in the web administration interface. This regression, which first appeared in SNS version 4.2, has been fixed.
Support reference 77080
Hosts referenced in the host reputation monitoring list could previously be deleted from the object database. This inappropriate operation, which would cause a system error that prevented the proxy from starting, has been fixed.
Traffic statistics - Virtual IPsec interfaces
Support reference 82960
The counters that counted packets passing through virtual IPsec interfaces were no longer refreshed (SNMP requests or netstat system command). This anomaly, which first appeared in SNS version 4.1, has been fixed.
Outgoing traffic statistics - SSL VPN
Support reference 79814
The counters that counted packets leaving the network interface linked to the SSL VPN were no longer refreshed This anomaly, which first appeared in SNS version 4.1, has been fixed.
Local connection of an administrator with the "Console (SSH)" permission
Support reference 84289
When administrators with the Console (SSH) permission attempted to connect locally (in console mode or with a monitor/keyboard), their attempts would fail and could cause the console to freeze after two attempts. This issue has been fixed.
IPsec VPN with certificate-based authentication - Topology deployed via SMC
Support reference 84231
Whenever an IPsec VPN topology with certificate-based authentication was deployed from an SMC server, any attempt to modify the firewall (via the web administration interface) of the peer defined in this topology would wrongly display a system error message “A mandatory token for this message has not been specified”. This issue has been fixed.
QoS - Modifying a default queue initially configured in percentage
Any attempt to reconfigure a default queue (or a default ACK queue) that was initially configured in bandwidth percentage would cause an error and display the error message “Reference needed for percentage”. This issue has been fixed.
Hosts with dynamic IP address resolution used in sub-groups
Support references 84202 - 81951
Whenever a host was:
- Configured with dynamic IP address resolution,
- Placed in a sub-group that is in turn used in a configuration module on the firewall (filter rules, permissions to access the web administration interface, etc.).
Changes to this host’s IP address would be ignored in the configuration module in question. This issue has been fixed.
SOFBUS - LACBUS protocol
An anomaly in the engine that analyzes the SOFBUS protocol would wrongly raise the "SOFBUS: invalid protocol” alarm (modbus:741). This anomaly has been fixed.
Android WhatsApp and Facebook applications
Support reference 82865
Legitimate packets from Android WhatsApp or Facebook applications would sometimes wrongly trigger the block alarm "SSL version mismatch" (ssl:117 alarm). This regression, which first appeared in SNS version 4.2.1, has been fixed.
Enabling the option Allow 0-RTT could wrongly raise the alarm "SSL: invalid answer with connection state” (ssl:735 alarm). This issue has been fixed.