SNS 4.3.6 bug fixes

System

URL classification - Extended Web Control (EWC)

Support reference 83619

An anomaly affecting communication with EWC servers would occasionally occur after several unsuccessful attempts to classify a URL. This anomaly has been fixed.

HTTP proxy

Support reference 83607

Issues with competing access to connection counters, which could cause the proxy to shut down unexpectedly, have been fixed.

IPsec VPN - Protocol selection

Support references 83711 - 83777

Selecting the only protocol allowed to set up an IPsec tunnel (TCP, UDP, ICMP or GRE in the Protocol column of the tunnel grid) would sometimes prevent IPsec tunnels from being monitored in the web administration interface. This regression, which first appeared in SNS version 4.2, has been fixed.

Host reputation

Support reference 77080

Hosts referenced in the host reputation monitoring list could previously be deleted from the object database. This inappropriate operation, which would cause a system error that prevented the proxy from starting, has been fixed.

Traffic statistics - Virtual IPsec interfaces

Support reference 82960

The counters that counted packets passing through virtual IPsec interfaces were no longer refreshed (as seen through SNMP requests or the netstat system command). This anomaly, which first appeared in SNS version 4.1, has been fixed.

Outgoing traffic statistics - SSL VPN

Support reference 79814

The counters that counted packets leaving the network interface linked to the SSL VPN were no longer refreshed. This anomaly, which first appeared in SNS version 4.1, has been fixed.

Local connection of an administrator with the "Console (SSH)" permission

Support reference 84289

When administrators with the Console (SSH) permission attempted to connect locally (in console mode or with a monitor/keyboard), their attempts would fail and could cause the console to freeze after two attempts. This issue has been fixed.

IPsec VPN with certificate-based authentication - Topology deployed via SMC

Support reference 84231

Whenever an IPsec VPN topology with certificate-based authentication was deployed from an SMC server, any attempt to modify the firewall (via the web administration interface) of the peer defined in this topology would wrongly display a system error message “A mandatory token for this message has not been specified”. This issue has been fixed.

QoS - Modifying a default queue initially configured in percentage

Any attempt to reconfigure a default queue (or a default ACK queue) that was initially configured in bandwidth percentage would cause an error and display the error message “Reference needed for percentage”. This issue has been fixed.

Hosts with dynamic IP address resolution used in sub-groups

Support references 84202 - 81951

Whenever a host was:

  • Configured with dynamic IP address resolution,
  • Placed in a sub-group that is in turn used in a configuration module on the firewall (filter rules, permissions to access the web administration interface, etc.).

Changes to this host’s IP address would be ignored in the configuration module in question. This issue has been fixed.

Intrusion prevention

SOFBUS - LACBUS protocol

An anomaly in the engine that analyzes the SOFBUS protocol would wrongly raise the "SOFBUS: invalid protocol" alarm (modbus:741). This anomaly has been fixed.

Android WhatsApp and Facebook applications

Support reference 82865

Legitimate packets from Android WhatsApp or Facebook applications would sometimes wrongly trigger the block alarm "SSL version mismatch" (ssl:117 alarm). This regression, which first appeared in SNS version 4.2.1, has been fixed.

SSL protocol

Enabling the option Allow 0-RTT could wrongly raise the alarm "SSL: invalid answer with connection state" (ssl:735 alarm). This issue has been fixed.