SNS version 4.8.9 bug fixes

System

Proxy

Previously, sandboxing (Breach Fighter) files with names that were too long would cause the proxy to shut down unexpectedly. This issue has been fixed. This regression appeared in SNS version 4.8.3.

Support reference 84388

The management of proxy connections has been improved. The proxy now uses the protocol-specific connection pool before using the shared connection pool, thereby preventing errors indicating that there are too many connections, even when the maximum number of connections has not been reached.

IPsec VPN

Support reference 85641

When an IKE security association is renegotiated, authentication information is now transferred to the new security association, and the intrusion prevention engine no longer shuts down the connection.

Support reference 84803

VPN tunnels are now renegotiated whenever the peer certificate is modified. This regression appeared in SNS version 4.8.0.

SSL VPN

Support references 84495/84933/85038/85081/85213

Changes have been made to the way the SSL VPN configuration is loaded, in order to reduce the number of times disks are accessed.

Certificates and PKI

Support reference 85968

Previously, when a sub-certification authority and its parent authority both had CRLDPs, only the parent authority's CRL was downloaded. This issue has been fixed, and the firewall now downloads both CRLs.

Support reference 85948

The CLI/Serverd command PKI SCEP QUERY now correctly takes into account the bindaddr and bindport arguments, which respectively specify the local IP address and the local port to use for SCEP requests.


High availability

Support reference 85747

Error logs are no longer generated when a cluster is connected to SMC version 3.2.3 or higher, or when the retrieval of information on a firewall in the cluster is forced.

MIB STORMSHIELD-HA-MIB

You can now receive responses when you query the following MIB STORMSHIELD-HA-MIB tables:

  • snsNodePowerSupplyTable,

  • snsNodeDiskTable,

  • snsNodeCpuTable,

  • snsNodeFanTable.

TPM

On SMC-managed firewalls, updates to SNS in version 4.8.9 or higher are blocked when the following conditions are combined:

  • The private key of the certificate that is used for communications with the SMC server is protected by the TPM,

  • The firewall is in SNS version 4.8.2 or lower.

This will prevent the connection between SMC and the firewall from being lost.

TPM - IPsec VPN/SSL VPN

Support reference 86126

It is no longer necessary to reseal the TPM module when the certificates used for IPsec VPN or SSL VPN services are protected by the TPM. This behavior appeared in SNS version 4.8.7.

This situation wrongly caused the error message "Symmetric key access error" to be displayed in the dashboard.

LDAP server

Support reference 86089

The use of global host objects to configure an LDAP server, as announced in SNS version 4.8.7, is now fully operational.

Multicast routing

Support reference 85614

Previously in multicast routing configurations, if the network cable between a firewall in Last Hop Router (LHR) position and a router used as a Rendezvous Point (RP) was disconnected, or the router restarted, traffic was cut off. This issue has been fixed.

Extended Web Control (EWC)

A new implicit rule has been added to guarantee access to the Extended Web Control (EWC) server when the source address is forced with the bindaddr argument in a CLI/Serverd command. The addition of this implicit rule now prevents traffic from passing through the intrusion prevention engine. This new rule can be seen in Configuration > Security policy > Implicit rules.

Virtual machines

High availability configuration (HA) and Pay As You Go (PAYG)

Support reference 85730

The license manager in a cluster has been improved to allow the passive firewall to retrieve its license by synchronizing with the active firewall during the cluster's Pay As You Go enrollment.

Intrusion prevention engine

TCP connections

Support reference 85712

In some TCP connections that use the proxy, the intrusion prevention system would send ACK packets in a loop, regardless of the reply that was received. Now, only 10 new attempts are allowed, which prevents packets from being sent in a loop.

OPC UA protocol

The NodeID inspection by the OPC UA protocol analysis engine has been modified to comply with protocol specifications, and no longer causes valid OPC UA packets to be wrongly blocked.

NAT

Previously, when child connections failed, the intrusion prevention system would not correctly release ports used by the NAT. This issue has been fixed. This regression appeared in SNS version 4.8.0.

Managing users

Support reference 85999

Previously, when connections were purged, a search would be launched to link the source IP addresses of connections to users, if any. The user search is now performed when the connection is created, to prevent latency. This regression appeared in SNS version 3.4.0.

BIRD

Support reference 86033

CIDRs can once again be used instead of interface names in the BIRD configuration. This regression appeared in SNS version 4.8.1.

Support references 84495/84933/85038/85081/85213

The mechanism that updates protected addresses has been optimized to reduce the number of times disks are accessed.

Support reference 86007

A character limit on interface names in the memory buffer made it impossible to edit the BIRD configuration when there were too many interfaces. This issue has been fixed.

Web administration interface

TPM

Support reference 86093

In Configuration > Objects > Certificates and PKI, the option to initialize the TPM no longer appears when you right-click on a certificate if your firewall is not equipped with a TPM.