SNS version 5.0.2 EA bug fixes

System

Syslog - SD-WAN

A parameter has been added to each syslog profile set on the firewall to manage the duration before log sending resumes.

In a configuration that uses SD-WAN and router objects, following a network failure and a switchover to a backup gateway, this parameter makes it possible to set, for each profile, the duration after which the firewall will attempt to send logs to the syslog server again. This will limit the amount of logs that may be lost.

Previously set at 60 seconds, this duration can be adjusted to anywhere between 5 and 600 seconds.

Reports

Support references 85380 - 82777

Enhancements have been made to limit the size of the report database, to prevent it from mistakenly filling up its partition.

Support reference 84256

In configurations that manage host reputation, the CLI/Serverd command REPORT RESET report=all now purges the entire report database as expected.

More information on the REPORT RESET command.

IPsec VPN

Support reference 85641

When an IKE security association is renegotiated, authentication information is now transferred, and the intrusion prevention engine no longer shuts down the connection.

Support reference 84803

VPN tunnels are now renegotiated once again whenever the peer certificate is modified. This regression appeared in SNS version 4.8.0.

Support reference 85940

Calculations of security association lifetimes have been optimized to limit the risk of conflicts in an IPsec configuration that contains errors.

Virtual IPsec interfaces (VTI)

Support reference 85770

When the ennetwork -f command is run on a configuration containing a tunnel that is based on virtual IPsec interfaces, the IPsec tunnel will no longer be wrongly shut down.

Certificates and PKI

Support reference 85948

The CLI/Serverd command PKI SCEP QUERY now correctly takes into account the bindaddr and bindport arguments, which make it possible to specify the source IP address or port used for requests.

More information on the PKI SCEP QUERY command.

Network card drivers

The default values of some queues that are defined for each network card driver have been increased. This prevents minor packet loss, even though the firewall's CPU load is relatively low.

Filter - NAT

Support references 80798 - 85537

Users now need to double-click on the comment of an unselected NAT or filter rule to edit the comment. In earlier SNS versions, clicking on the comment of an unselected NAT or filter rule would open and close the comment editor almost immediately.

Configuration - Check usage

When a user/user group is found in several LDAP directories listed on the firewall, using the Check usage function now only returns results relating to the directory in question.

Configuration - SSH access

Support reference 85101

The use of the "<" and ">" characters between quotes in CLI/Serverd commands that are run in console mode on the firewall over an SSH connection is now correctly interpreted, and no longer causes the "Error in format" error message to appear.

Automatic backups

When the automatic backup module is configured to use a certificate that is signed with the SHA1 algorithm, this certificate is rejected, and a warning message prompts the administrator to generate a new custom certificate that has been signed with secure algorithms.


High availability - Switch optimisation

Support reference 85773

Now, when Reboot all bridged interfaces is selected, only bridged interfaces will restart.

High availability - Restoring backups

Support reference 86025

When a configuration backup is restored, it no longer dissociates SSH keys that are used for synchronization in the cluster. This issue prevented HA synchronization.

High availability - Reports

Support references 85511 - 85844

HA synchronization has been modified to no longer raise errors when the partition that contains reports is more than 50% full.

LDAPS server

Support reference 85766

Global host objects can now be used to configure an LDAPS server.

URL filtering - Extended Web Control (EWC)

Support references 85849 - 86059

The EWC URL filtering service is operational once again, after updating the IP address of the ewc-sns.stormshieldcs.eu server in the service configuration.

Proxy - Statistics

Support reference 86067

The proxy can now write its statistics in the /log/verbose directory. This regression appeared in SNS version 5.0.0.

Proxy - Antivirus

Support references 85841 - 86055

An issue that could cause the proxy to shut down unexpectedly when updating the antivirus database has been fixed.

On SNS firewalls that use antivirus inspection, updating from version 4 to version 5 would launch the automatic download of the new antivirus database.

When a configuration that uses manual updates for the advanced antivirus (files with the ".ssp" extension, which can be downloaded from the MyStormshield client area) is updated to version 5, it no longer wrongly launches the regular automatic download of the antivirus database.

Monitoring of power supply modules - SN-S-Series-220/320 firewalls

Plugging in a single power supply module into an SN-S-Series-220/320 model firewall no longer wrongly generates an alert indicating that a power supply module is defective.

Report database backup

Support reference 85700

Backing up the report database may be slow if the database exceeds 25 MB, which can block the firewall update process, particularly in a high availability configuration. A 60-second expiry period has been added to the backup mechanism, to stop penalizing firewall updates.

SMC server redundancy

Support reference 86112

When the main SMC server fails, the SNS firewall will connect to the backup server. Previously, when the main server recovered, no operations (deployment, firewall access, etc.) could be performed from it. This issue has been fixed.

Optimization

Support references 84995 - 85981 - 86070

The reloading of the configuration immediately after a deployment in SMC, or after a configuration has been restored, is now optimized.

Authentication

The use of accented characters in an ID (connection to the web administration interface, VPN, etc.) no longer wrongly makes the ID case-sensitive.

Authentication - Internal LDAP directory

Support reference 86096

The presence of square brackets "[" or "]" in the configuration of an internal LDAP directory, for example in a password, no longer prevents the directory from loading correctly.

Firewall authentication pages

The 'Frame-Ancestor' CSP directive on the firewall's authentication web pages was incorrect, and has been fixed.
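The directive that restricts which origins may frame a page is named frame-ancestors; browsers silently ignore directive names they do not recognise, so a mis-named directive leaves the page with no framing protection at all. The following added example (not Stormshield code, and not a description of the exact defect that was fixed) parses a Content-Security-Policy header value and reports unknown directive names, a missing frame-ancestors directive, or a frame-ancestors source list that lets any site frame the page. An administrator can feed it the header returned by the firewall's authentication page to confirm the fix; the sample headers in the block are constructed.

```python
# Minimal CSP header checker focused on clickjacking protection.
# Added example, not part of the SNS release notes or product code.

# Directive names from CSP Level 2/3 that this check recognises. Browsers
# ignore any directive whose name is not one they know.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "worker-src", "frame-ancestors", "form-action", "base-uri",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "sandbox", "manifest-src",
}


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directive names are ASCII case-insensitive, so they are lower-cased.
    When a directive is repeated, browsers honour the first occurrence
    and ignore the rest; setdefault() reproduces that behaviour.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_frame_ancestors(header):
    """Return a list of findings; an empty list means framing is restricted."""
    policy = parse_csp(header)
    findings = []

    for name in policy:
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}' (ignored by browsers)")

    sources = policy.get("frame-ancestors")
    if sources is None:
        findings.append("frame-ancestors missing: page may be framed by any origin")
    elif "*" in sources:
        findings.append("frame-ancestors '*' allows any site to frame the page")

    return findings


# Constructed sample header values (not captured from a firewall).
SAMPLES = {
    "misnamed": "default-src 'self'; Frame-Ancestor 'self'",
    "fixed": "default-src 'self'; frame-ancestors 'self'",
    "open": "default-src 'self'; frame-ancestors *",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        findings = check_frame_ancestors(header) or ["ok"]
        print(f"{label}: {'; '.join(findings)}")
```

Run it against a real response with `check_frame_ancestors(response.headers["Content-Security-Policy"])`; only the header value is needed, not the whole response.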

Dynamic multicast routing

Support reference 85819

The minimum value of the TTL (Time To Live) parameter of an interface that is involved in dynamic multicast routing was wrong, and has been fixed. This value is now set to 1.

SSL VPN

Support reference 85904

When the listening port of the SSL VPN service is changed, a message now appears, indicating the need to restart the firewall to correctly apply the change.

CLI/serverd commands

Filter - NAT

Support reference 85566

The documentation and integrated help for the CLI/Serverd command CONFIG FILTER RULE UPDATE have been corrected: the srcport parameter can represent only a single port or port range, and not a list of ports, as was previously indicated.

More information on the command CONFIG FILTER RULE UPDATE.

Backup and restoration

The documentation and built-in help for the CLI/Serverd commands CONFIG BACKUP and CONFIG RESTORE have been enriched for the list argument.

Virtual machines

High availability configuration (HA) and Pay As You Go (PAYG)

Support reference 85730

The license manager in a cluster has been improved to allow the passive firewall to retrieve its license by synchronizing with the active firewall during the cluster's Pay As You Go enrollment.

EVA firewalls deployed on the Microsoft Hyper-V hypervisor

Support reference 85840

On EVA firewalls that are deployed on the Microsoft Hyper-V hypervisor, the firewall now correctly applies the status of a disconnected interface in the hypervisor's configuration. This issue distorted the calculation of the high availability (HA) quality factor.

EVA firewalls - Partition labels

The swap partition is once again automatically mounted when the virtual machine starts up. This partition makes it possible to absorb part of the memory load.

Virtual Pay As You Go (PAYG) machines

Support reference 85559

The host objects enroll-sns.stormshieldcs.eu and accounting-sns.stormshieldcs.eu that are used in virtual PAYG machines have been added to the SNS configuration.

Virtual PAYG machines on Microsoft Azure

After the deployment of a PAYG firewall on the Microsoft Azure platform, SSH access to the firewall and HTTPS access to the web administration interface are once again operational.

Intrusion prevention engine

Protocol analysis

Support references 85910 - 86013

Issues have been identified and fixed in the code of the intrusion prevention engine. These issues could make the firewall freeze.

TCP protocol

Support reference 85929

The use of the option Enable automatic adjustment of memory allocated to data tracking together with advanced options, such as TCP Selective ACKnowledgment (SACK), no longer wrongly causes a data queue overflow, which is described by the block alarm "TCP data queue overflow" (tcpudp:84).

BIRD dynamic routing

Support reference 84579

Only the routes that BIRD sends to the kernel are now retrieved in the table of protected network addresses.

SIP protocol

The default value for the Action/Level parameters associated with the sensitive "Anonymous address in SDP connection" alarm (sip:465 alarm) is now Block/Major. This value was previously set to Pass/Minor by mistake.

Stealth mode disabled - IPv6 analysis

Support reference 85327

Firewalls on which stealth mode has been disabled no longer crash unexpectedly when IPv6 packets are scanned.

sfctl system commands

Support reference 85757

The analysis of arguments passed to sfctl system commands no longer stops after the first alphabetical character. This behavior could trigger a command that does not match the requested command, but which is similar to it up to the first alphabetical character.

SCTP - High availability (HA)

Support reference 85372

During an HA swap, an issue with the synchronization of the date on which SCTP associations were established caused the date to be shifted by more than one second in the logs, compared to its actual value. This issue has been fixed.

Managing users in the intrusion prevention engine

Support reference 85999

Previously, when connections were purged, a user search would be launched to link the source IP addresses of connections to users, if any. Searches are now performed when the connection is created, to prevent latency. This regression was introduced in SNS version 3.4.0.

Hardware

Energy Efficient Ethernet (EEE)

EEE can now be enabled on compatible network cards. These cards have the Enable IEEE 802.3az (EEE) checkbox in their advanced configuration.

LPC communication bus

Support reference 84328

An issue with competing access on the LPC communication bus, which could cause unexpected resets to factory configuration, or mistaken readings of hardware monitoring data, has been fixed.

Profinet protocol

Support reference 86082

Profinet packets that use VLAN 0 are now correctly processed by firewalls that use the igc driver, or which are equipped with an IX port. These packets are no longer wrongly blocked.

Web administration interface

Administrators - admin account

When the private or public key of the super-administrator account (admin account) is exported, the result is now a file in text format. This file was previously in csv format.

Protocols - Filtering in the Sandboxing tab

The filtering feature in the Sandboxing tab for HTTP/SMTP/POP3 and IMAP protocols, and in the SSL protocol's certification authority grid, is now operational once again. This regression appeared in SNS version 4.8.0.

Interfaces - Media type

5 Gbit/s has been added to the list of media as a value that can be selected for a network interface.

Restoring an SNS v4.3.3x LTSB configuration

Restoring an SNS v4.3.3x LTSB configuration on a firewall in version 5.0 no longer blocks access to the firewall's web administration interface.

High availability - Redundant links

Support reference 86154

When creating a cluster with two HA links, the IP addresses of the secondary link are now correctly taken into account.

BIRD dynamic routing

When a BIRD dynamic routing configuration error occurs, the verification console now shows the full details of the error encountered. This information used to be truncated.