SNS version 4.8.3 EA bug fixes

System

GRE/GRETAP encapsulation in an IPsec tunnel

Support reference 85626

GRE/GRETAP packets can once again be encapsulated in an IPsec tunnel. This regression appeared in SNS version 4.7.3.

High availability and dynamic objects

Support reference 81176

During a switch in a cluster, the dynamic object database now appears immediately on the newly active firewall. Previously, this step would require several minutes and block network traffic that uses these objects during this time frame.

SD-WAN

Priority calculations have been revised to prevent issues with gateways being too frequently switched. As such, there is no longer any status scale between downgraded gateways. The gateway selection mechanism now follows these rules:

  • Active gateways take priority over downgraded gateways,
  • Main gateways take priority over backup gateways.
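As an added illustration (not part of the release note), the following Python models the two-rule selection order just described; the single latency threshold used to decide whether a gateway is active or downgraded is an assumption of this example, not the firewall's actual SLA evaluation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example of the SD-WAN gateway selection order described in the
# release note. The SLA check (one latency threshold) is a stand-in for the
# firewall's real SLA evaluation and is an assumption of this example.

@dataclass(frozen=True)
class Gateway:
    name: str
    main: bool             # False: backup gateway
    latency_ms: float      # constructed measurement
    sla_latency_ms: float  # constructed threshold

    @property
    def active(self) -> bool:
        # A gateway that misses its SLA threshold is "downgraded".
        return self.latency_ms <= self.sla_latency_ms


def gateway_rank(gw: Gateway) -> Tuple[int, int]:
    """Sort key: lower sorts first.

    Rule 1: active gateways before downgraded ones.
    Rule 2: main gateways before backup gateways.
    How far a downgraded gateway misses its SLA does not enter the key,
    so all downgraded gateways share a single status level.
    """
    return (0 if gw.active else 1, 0 if gw.main else 1)


def select_gateway(gateways: List[Gateway]) -> Optional[Gateway]:
    """Return the gateway that carries the traffic, or None if none is listed."""
    if not gateways:
        return None
    # min() keeps the first gateway of equal rank, so gateways of identical
    # status are not switched back and forth.
    return min(gateways, key=gateway_rank)


# Constructed scenario: the main gateway misses its SLA, the backup meets it.
GATEWAYS = [
    Gateway("gw_main",   main=True,  latency_ms=180.0, sla_latency_ms=100.0),
    Gateway("gw_backup", main=False, latency_ms=40.0,  sla_latency_ms=100.0),
]

if __name__ == "__main__":
    chosen = select_gateway(GATEWAYS)
    print(f"selected: {chosen.name}")  # active backup wins over downgraded main
```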

Filtering and NAT - Web services

Support reference 85539

When a custom web service whose name is exactly 20 characters long is used in a filter rule, the rule does not function.

A warning message then appears in the Messages widget on the Dashboard. The message indicates the filter policy and the number of the rule that caused the error.

To work around the issue:

  1. Change the name of the web service (to fewer than 20 characters) in the CSV import file that was initially used,
  2. Import this file once again in Objects > Web services > Import custom services tab,
  3. Modify the filter rule to use the new name of the web service.

Configuration

Support reference 85434

The number of IP addresses defined on an interface can no longer exceed the limit allowed on the firewall. Previously, excess IP addresses were not enabled, but no error message was displayed when the configuration was validated. This anomaly has been fixed.

The command system ping host no longer wrongly raises the error "Format error" when it is used with a fully qualified domain name (FQDN) as an argument. This regression appeared in SNS version 4.8.

When a firewall with a defective disk is updated, the configuration file folder will no longer be deleted, as this would make the firewall unreachable.

Support reference 85725

In the factory settings on firewalls in SNS version 4.8.3 EA or higher, downgrades to a lower firmware version are now allowed once again by default.

This behavior can be changed only through the CLI/Serverd command SYSTEM UPDATE DOWNGRADE state=off, which prohibits downgrading to a lower version according to the following rules:

  • Virtual firewalls: downgrading to any version lower than the current version is prohibited.
  • Physical firewalls: downgrading to any version lower than the versions of the main partition and the backup partition is prohibited.

WARNING
The CLI/Serverd command SYSTEM UPDATE DOWNGRADE state=on can no longer be used to allow downgrades to lower firmware versions once again.

System report (sysinfo)

Support reference 85593

Information regarding verbose mode being enabled is now correctly reported in the system report.

Intel interfaces using the igc kernel module

Support reference 85486

When a VLAN is configured on an interface that uses the igc kernel module, and the interface is included in a bridge with the option Keep initial routing/Keep VLAN IDs enabled, packets from other crossing VLANs will no longer be wrongly rejected.

This applies to the following firewall models and firewalls equipped with these network modules:

  • Firewalls: SN-S-Series-220, SN-S-Series-320, SN-M-Series-520, SN-M-Series-720 and SN-M-Series-920.
  • Modules: NA-EX-CARD-8x2_5G-C (8 x 2.5 Gb copper Ethernet) and NC-1-8x2_5G-C (8 x 2.5 Gb copper Ethernet).

Virtual EVA firewalls deployed on the Linux KVM hypervisor

Support reference 85635

On virtual EVA firewalls deployed on the Linux KVM hypervisor, the firewall now correctly applies the status of a disconnected interface in the hypervisor's configuration. This issue distorted the calculation of the high availability (HA) quality factor.

Support reference 85722

When a virtual machine is suddenly shut down while being configured on a KVM hypervisor, it no longer corrupts some of its configuration files.

IP reputation - Storage devices

Support references 84495 - 84933 - 85038 - 85081 - 85213

The mechanism that opens IP reputation metadata files has been modified to restrict the number of times the storage device can be accessed. In some cases, when the disk is accessed too often, the firewall would unexpectedly restart.

Host reputation

Support reference 85635

An issue with access privileges, which prevented the host reputation manager from functioning correctly, has been fixed. This regression appeared in SNS version 4.7.

Telemetry

A memory leak issue has been fixed in the telemetry manager.

Monitoring - Telemetry

The telemetry service is no longer wrongly displayed as shut down in the dashboard.

Authentication – TS Agent

Support reference 85401

Authentication through the TS Agent method would logically fail for users whose logins contained a space (a prohibited character), but no error message would appear to indicate the issue. An alarm is now raised when this occurs, and the alarm details also provide the list of prohibited characters.

SN160(W)/SN210(W)/SN310 model firewalls

Support references 84495 - 84933 - 85038 - 85081 - 85213

Changes have been made to the mechanism that calculates Security and System indicators, in order to reduce the number of times disks are accessed. The mechanism would previously cause SN160(W)/SN210(W)/SN310 model firewalls to unexpectedly restart.

Syslog - TLS 1.3

Support reference 85579

When logs are sent via syslog using TLS 1.3, the operation no longer fails when the certificate used for authentication was signed by a subordinate CA.

IPsec VPN - Certificate-based authentication

Support reference 85607

After the IPsec tunnel manager was updated, the firewall would wrongly interpret the SerialNumber as the Surname, thereby preventing IPsec tunnels from being set up. This issue has been fixed.

IPsec VPN in DR mode - UDP encapsulation and dynamic NAT

Support reference 85629

Tunnels configured in DR mode with UDP encapsulation enabled, where the source port of one peer's traffic is translated (dynamic NAT), can now be set up correctly: the remote firewall detects that the traffic needs to be encapsulated in UDP.

Automatic backups - Custom server

On firewalls that use automatic configuration backups to a custom server that was authenticated with a certificate, clicking on Check usage in Objects > Certificates and PKI after having selected this certificate now correctly indicates that this certificate is being used in the firewall configuration. Likewise, this certificate cannot be deleted without raising an error.

Quality of Service (QoS)

Support reference 85590

An issue that could cause the firewall to freeze when a QoS queue was deleted has been fixed.

Partition size allocated to reports

Changes to the size of the partition dedicated to storing reports were no longer applied. This regression, which first appeared in SNS version 4.8.0, has been fixed.

Web administration interface

SSL VPN

Support reference 85663

The certificate presented by the server or by the SSL VPN client can now be changed again. This regression appeared in SNS version 4.8.1.

Captive portal

Support reference 84750

The interface sslvpn_udp can now be selected in the captive portal's profiles. Users connecting from this interface can therefore now access the captive portal.

Microsoft Active Directory external LDAP directory

Support reference 85764

After a new external LDAP directory such as Microsoft Active Directory is created, users found in this directory are now correctly shown again in the user module. This regression appeared in SNS version 4.8.0.