SNS version 4.8.12 LTSB bug fixes
System
Routing
Support reference 85724
A warning message now appears when the filter policy is being reloaded, to indicate that a policy-based routing rule cannot be applied, because a static or default route was not configured on the firewall.
High availability (HA)
Support reference 86211
During a switch in the cluster, TCP connections that were set up with a high Window Scale Factor (8 and above) do not resume properly on the new active firewall, which is unable to correctly manage the amount of data that it receives in these TCP connections. As a result, the firewall blocks some data packets. To work around this issue, set the token RecoveryToLite to 1. This token was added for this purpose in the section [IPSConnection] in the file ConfigFiles/Protocols/tcpudp/0x.
Note that once this value is changed, sequence numbers are ignored, which lightens packet analysis.
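Because the workaround makes the firewall ignore sequence numbers, it helps to know first whether protected flows actually negotiate a Window Scale of 8 or more. The Python sketch below is an added example, not Stormshield code: it reads the Window Scale option from a TCP SYN header. The sample headers are constructed, and reading the note's "factor" as the RFC 7323 shift count is an assumption.

```python
import struct
from typing import Optional

WSCALE_KIND = 3   # TCP option kind for Window Scale (RFC 7323)
THRESHOLD = 8     # "8 and above" from the release note, read as the shift count (assumption)

def window_scale_shift(tcp_header: bytes) -> Optional[int]:
    """Return the Window Scale shift advertised in a SYN/SYN-ACK header, else None."""
    if len(tcp_header) < 20:
        return None
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    is_syn = bool(offset_flags & 0x002)
    # The option is only meaningful in segments carrying SYN.
    if not is_syn or header_len < 20 or header_len > len(tcp_header):
        return None
    opts = tcp_header[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):   # truncated option
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None          # malformed length, stop parsing
        if kind == WSCALE_KIND and length == 3:
            return min(opts[i + 2], 14)   # RFC 7323 caps the shift at 14
        i += length
    return None

def affected_by_ha_switch(tcp_header: bytes) -> bool:
    """True when the advertised shift falls in the range the note describes."""
    shift = window_scale_shift(tcp_header)
    return shift is not None and shift >= THRESHOLD

def build_syn(options: bytes, flags: int = 0x002) -> bytes:
    """Constructed sample: minimal TCP header (ports and sequence number are arbitrary)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 443, 1000, 0,
                       (data_offset << 12) | flags, 64240, 0, 0) + options

if __name__ == "__main__":
    for shift in (7, 8):
        syn = build_syn(b"\x02\x04\x05\xb4\x01\x03\x03" + bytes([shift]))
        print(shift, affected_by_ha_switch(syn))
```

Running the same function over SYN headers extracted from a packet capture gives a count of flows that would be exposed to the behaviour described above.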
Proxy - Antivirus
Support references 85841 - 86055
An issue, which could cause the firewall to freeze unexpectedly when updating the antivirus database, has been fixed.
Monitoring of power supply modules - SN-S-Series-220/320 firewalls
The absence of an additional power supply module on an SN-S-Series-220/320 model firewall no longer wrongly generates an alert indicating that a power supply module is defective.
Optimization
Support reference 85277
Physical memory is now optimally managed when the Maximum Transmission Unit (MTU) exceeds 4000 bytes.
Intrusion prevention engine
Managing connections spread out over multiple CPUs
Support reference 85947
An anomaly, which occurred when comparing sets of connections or UDP sessions spread out over several CPUs over very short intervals, has been fixed. This anomaly occasionally disconnected these sessions.
Protocol analysis
Support references 85910 - 86013
Issues have been identified and fixed in the code of the intrusion prevention engine. These issues occasionally caused packet loss.
TCP protocol
Support reference 85929
Using the option Enable automatic adjustment of memory allocated to data tracking together with advanced options, such as TCP Selective ACKnowledgment (SACK), no longer wrongly causes a data queue overflow, which is reported by the block alarm "TCP data queue overflow" (tcpudp:84).
PAYG VM
Support reference 85559
The host objects enroll-sns.stormshieldcs.eu and accounting-sns.stormshieldcs.eu that are used in PAYG VMs have been added to the SNS configuration.
Hardware
Profinet protocol
Support reference 86082
Profinet packets that use VLAN 0 are now correctly processed by firewalls that use the igc driver or that are equipped with an IX port. These packets are no longer wrongly blocked.
Web administration interface
High availability - Redundant links
Support reference 86154
When creating a cluster with two HA links, the IP addresses of the secondary link are now correctly taken into account.