SNS version 4.8.4 bug fixes

System

Proxies

Support references 85568 - 85625 - 85701

Issues in the SSL proxy, which could cause traffic using the proxy to unexpectedly be blocked, have been fixed.

POP3 proxy - Antispam and/or antivirus

Support reference 81432

During the antivirus and/or antispam analysis, the POP3 proxy would wrongly detect batch e-mail processing (pipelining) and inappropriately fragment messages. This issue has been fixed.

IPsec VPN

Support reference 85786

When the IPsec configuration on a firewall in a version lower than SNS 4.8 uses a phase 2 profile with the PFS field set to None, upgrading such a firewall to SNS version 4.8 will no longer wrongly delete the corresponding token in the IPsec configuration file. This anomaly prevented the setup of IPsec tunnels that use this phase 2 profile.

Phase 1 of an IPsec tunnel is now automatically deleted when the only associated phase 2 has been deleted following an idle timeout.

Support reference 85721

After an IPsec configuration with the following characteristics is deployed via SMC, attempts to set up the tunnel will no longer cause the firewall to unexpectedly freeze:

  • It uses virtual interfaces (VTIs),
  • It has a peer defined in Do not initiate the tunnel (ResponderOnly) mode.

Support reference 85676

High availability configurations that handle a heavy volume of traffic now have better stability. This prevents the IPsec tunnel manager from shutting down unexpectedly.

SSL VPN

Users can once again set up their VPN tunnels by authenticating with external services (push mode). This regression appeared in SNS version 4.8.3.

Imported certification authority

Support reference 85740

CRLs from imported certification authorities can now be deleted.

Importing certificates

Support reference 85731

Certificates in .cert and .crt format are now identified as PEM certificates during import. They were previously considered P12 certificates, which subsequently caused errors.

SN160(W)/SN210(W)/SN310 model firewalls

Support references 84495 - 84933 - 85038 - 85081 - 85213

Changes have been made to reduce the frequency of disk access to the configuration file ConfigFiles/Openvpn/openvpn, as this would cause SN160(W)/SN210(W)/SN310 model firewalls to unexpectedly restart.

High availability (HA) - CRL

Support reference 85558

CRLs that originate from global CAs are now synchronized every 60 minutes between the active and passive firewalls.

Support reference 85553

CRLs that are retrieved by the active firewall are now immediately synchronized with the passive firewall. Previously, these synchronizations occurred only every 60 minutes. As such, if a switch occurred in the cluster during this time frame, the new active firewall would not necessarily know all the CRLs, and could then prevent IPsec tunnels from being set up, for example.

Audit logs

Support reference 85563

When the firewall is restarted within five minutes after a filter is created in Logs - Audit logs > All logs, the filter will no longer be deleted.

BIRD dynamic routing

Support reference 85756

The BIRD dynamic routing engine no longer restarts in a loop when it is in verbose mode. This regression appeared in SNS version 4.8.0.

Support reference 85271

When the OSPF protocol is used in dynamic routing, the size of the socket buffer has been increased to stop packet loss.

Support reference 85755

BIRD v1 and BIRD v2 can no longer be started at the same time.

Virtual interfaces

Support reference 85669

In GRE tunnels, whenever the size of a packet exceeded the MTU, the ICMP response packet would not indicate the right MTU value. This issue has been fixed.

Backup partition

Support reference 85527

Malfunctions may occur when the backup partition is used on firewalls:

  • In SNS version 4.8,
  • With a backup partition in SNS version 4.3.23 LTSB or lower.

Firewalls cannot be updated to SNS version 4.8 if the backup partition is not in SNS version 4.3.24 LTSB or higher.

Filter - NAT

Support references 68445 - 70036 - 85660

The right value now appears in the #set_tos column when filter rules are exported to a CSV file, and new columns have been added for QoS and synproxy.

Wi-Fi interfaces

Support reference 84615

The network configuration manager no longer shuts down unexpectedly during startup when the Wi-Fi interface has the country code for Jamaica.

CLI/serverd commands

Support reference 85797

When the CLI/serverd SYSTEM UPDATE UPLOAD command was used without arguments, serverd would shut down unexpectedly, and log the user out of the console. This issue has been fixed.

Intrusion prevention engine

Memory

In some cases, the firewall would unexpectedly freeze while processing errors due to memory shortage. This issue has been fixed.

Web administration interface

Applications and protections

Support reference 85779

The index of a protocol profile that was edited in the Applications and protections module once again matches the index configured in the security profiles. This regression appeared in SNS version 4.8.0.

QoS

Support reference 85458

The list of prohibited characters in QoS queue names is now the same as the list in the section Allowed or prohibited names in the SNS user guide.