Version 7.0.1-5161 July 2024

July 2024

This version of SonicOS 7.0.1 is a maintenance release for existing platforms and resolves issues found in previous releases.

SonicOS 7.0.1 firmware should be only used by existing customers who are running SonicOS 7.0.1-5151 or earlier. Do not downgrade to this SonicOS 7.0.1-based firmware if you are already running a version of SonicOS 7.1.1.

Supported Platforms

The platform-specific version for this unified release is the same:

Platform	Firmware Version
TZ Series	7.0.1-5161
NSa Series	7.0.1-5161
NSv Series	7.0.1-5161
NSsp Series	7.0.1-5161

Resolved Issues

Issue ID	Issue Description
GEN7-46630	VPN traffic is intermittently dropped when specific traffic matches a route policy and security policy whose timestamp keeps changing frequently and the VPN tunnel is reset by the route table update. The recheck of the security policy causes the packet to be dropped as the traffic is determined to have been sent as clear text, but should be sent on VPN now.
GEN7-47066	The default HTTPS management NAT rule is reset to top priority after a firewall is restarted with Zero Touch enabled, overriding custom-defined NAT policies.
GEN7-48245	DPI-SSL intercepts some TLS 1.2 connections even after adding an bypass decryption policy. The decryption pre-policy lookup code attempts to identify if the Content Filtering Service (CFS) and country resolution are required to match the traffic, even when a high-priority policy with no CFS and country lookup match.
GEN7-48257	Stack-based buffer overflow vulnerability in SonicOS HTTP server (SNWLID-2024-0008)
GEN7-48274	Heap-based buffer overflow vulnerability in SonicOS SSL-VPN (SNWLID-2024-0009)
GEN7-48662	Content Filtering Service (CFS) blocking over DPI-SSL is not working when TLS hybridized Kyber support is enabled on Chrome browsers. (This support is now enabled by default on Chrome browsers.)
GEN7-48885	App Rules over DPI-SSL are not working when TLS hybridized Kyber support is enabled on Chrome browsers. (This support is now enabled by default on Chrome browsers.)
GEN7-48948	When using DPI-SSL, the block page may not be displayed.
GEN7-49425	NSsp15700 only: The default buffer size for a non-master blade when fetching the Geo-IP map database may experience an overflow if the database size exceeds the maximum limit.
GEN7-49544	Heap-based buffer overflow vulnerability in SonicOS IPSec (SNWLID-2024-0012)

Known Issues

Issue ID	Issue Description
GEN7-41102	The Password Change page is not prompting for a new password when Password change is enabled on the firewall for an imported user.
GEN7-42675	In devices configured for Policy Mode, if the highest priority matching security policy has All users selected, and does not have any of App/Match/URL/Web-Cat selected, then the user redirection is skipped for subsequent security policies.
GEN7-43500	After changing the name of a local user, the entry is still displayed in Server DPI-SSL Inclusion and Server DPI-SSL Exclusion lists and the user with the changed name cannot be selected.
GEN7-43554	Unable to add valid domains to the Custom Malicious Domain Name List and White List pages after adding an invalid domain because the pending configuration is still present. Logging out and back in will alleviate this problem.
GEN7-46927	Traffic from a custom LAN over VPN stops when the WAN Load Balancing member order is changed.
GEN7-47528	When installing NetExtender software from the SSL VPN portal page for 32-bit Windows, the message The installer is only for x64 machine. is displayed .
GEN7-47918	When a lot of VPN security associations are present in a Stateful High Availability environment, some IKE security associations may not be cleaned up on the secondary device if the synchronization message fails.
GEN7-47948	App Rule is blocking files that do not match the hexadecimal content configured in the associated Match Object.

Additional References

GEN7-45198, GEN7-45579, GEN7-45962, GEN7-46606, GEN7-48249, GEN7-48249, GEN7-49508