Available for purchase

Machines covered by a software maintenance contract as well as systems which have been purchased lately may update free of charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature. For a manual download you will have to specify the support IP as username (e.g. and the hardware ID as password (e.g. 473I-QN34-O@:5).

Migration to 64 bit

The system base is updated to 64 bit. It is necessary to reboot the system three times. The update procedure will initiate the reboots automatically. Once the actual update procedure has started, the system and so also the Internet will be unreachable for several minutes. On older, slow hardware this may take up to 10-15 minutes. Please be patient and don't reboot the system yourself as the system may be severly damaged if the update procedure is interrupted.
Due to increased memory requirements we recommend the update only for system which have at least 2 GB of RAM installed.
Please make sure that a current backup is available before installing the update.


The cluster software is updated for enhanced IPv6 support. After the update the cluster nodes will communicate with unicast packets to a specific port. Previously multicast packets to a variable port have been used.
After updating the master node and until the backup node has been updated, the firewall connection table is no longer synchronized between both units. While in this state, almost all open connections are expected to break in case of a failover.
The Internet interface of a cluster node in backup state will be disabled now

ISDN support

We would like to drop ISDN support in the 7.0 release series. At the moment the update will be aborted when a configured ISDN card is detected in the unit. Please contact technical support if you still require ISDN support. If ISDN is no longer needed, please ask technical support how to delete the ISDN driver configuration. As an alternative you could also dismount the ISDN card.


The FTP server is replaced by a different software. Unfortunately the new software no longer supports restricting anonymous access to specific networks.
If anonymous access was restricted to local networks only, it will be disabled by the update.

The email based dial-up and firewall report is no longer available

IPv6 support

IPv6 support for most components has been added. By default IPv6 is disabled. It must be enabled in menu "Modules > Network > Settings" first and then in each interface as appropriate.
If you miss any IPv6 networking feature, please file a feature request. Currently we do not plan to support IPv6-in-IPv4 tunnels (i.e. IPv6 connectivity over IPv4 only links).
Regarding the server modules we don't plan to support IPv6 for the SIP proxy. Currently IPv6 support is still missing for these components: POP3 / SMTP proxy, FTP proxy and dynamic DNS. The following limitations apply: IPsec L2TP connections may be opened to IPv6 servers, however the payload is IPv4 only (IPv4-in-IPv6). IPsec Xauth connections with IPv6 must not use ModeCfg and the web proxy URL filter doesn't yet support rules for individual IPv6 client IPs.

IP groups / IP objects

The menu item "IP groups" has been renamed into "IP objects". In addition to "Group" and "DNS entry" the following new object types are now available:
Type "Geolocation" can be used in firewall rules only. Enter country codes like "DE", "FR" or "UK" to permit connections based on their country of origin or destination. An internal database is used to map ip addresses to countries.
The object types "IPv6 prefix" and "IPv6 address" are useful to distribute a dynamic IPv6 prefix delegated by the ISP to internal networks. In both object types it is possible to configure a partial address plus a reference to an other object of type "IPv6 prefix". The actual address is then composed of both parts.
Finally there's nothing special about the new type "IPv4 address". It can be used to simplify the configuration in complex setups and to improve the readability.

Re-implementation of dynamic firewall

The dynamic firewall monitors all connections and can block a source IP automatically if it identifies suspicious behaviour. When re-implementing this module we emphasized on easy configuration and low false positive rates. It is no longer necessary to start a "dynamic firewall" service. The entire traffic on all interfaces is analyzed. You can look up the reputation of IPs in the monitoring menu. Yet there are no more than two configuration options: In the per interface settings of the firewall you can enable automatic blocking, which is highly recommended in Internet interfaces if inbound connections are allowed. And, in case of false positives, you can configure a list of IP which must never be blocked in the global firewall settings.

Extended firewall configuration options

You can now configure an expiration time for firewall rules. An expired rule will no longer accept new connections. The primary purpose of this feature is the configuration of temporary rules. Previously administrators often forgot to delete these rules.
It is now also possible to configure firewall deny rules. New connections may either be silently discarded or rejected with an ICMP reply.
Instead of configuring SNAT as part of forwarding rules, a dedicated SNAT configuration table is now available.

Firewall rules for ipsec interfaces

For technical reasons it was not possible to restrict forwarding rules in ipsec interfaces to specific source zones. We have now been able to solve this problem.

Multiple time periods for URL filter rules

So far only a single time period "Working hours" used to be available for URL filter rules. Now you can select an individual period from menu "Definitions > Periods" for each rule.

Trusted hosts in web proxy content filter

Adding an entry to the trusted hosts lists used to disable content filtering completely for this server. Now it is possible to just disable individual subcomponents.

Web proxy caching

The default cache parameters of the web proxy have been changed. The disk cache is now disabled (previously 200MB). 128MB memory is now used for caching instead (previously 8MB). If a parameter is still set to the old default, it will be changed automatically by the update. Custom values will be preserved.

Reverse proxy Exchange backend for MAPI-over-HTTP

Current Exchange and Outlook releases may choose to connect with MAPI-over-HTTP instead of RPC. A new switch for MAPI has been added to the reverse proxy configuration.

Renaming entries

In some tables of the administration interface the entries of the first column are links, refering to complex elements like e.g. users or the definitions of protocols or IP objects. You can rename most of these elements now by clicking the pencil icon on the right of the table row.
Up to release 6.0-4.8 the pencil icon let you edit the settings of the element just like clicking the link in the first column.

Display of tables

The max. number of rows in tables has been doubled.
When exceeding the max. number of rows the entries have been devided over several pages. A new grouping mode is now available for tables where the order of entries is not significant. Grouping refers to the column which currently determines the sort order. Depending on the column's data type, entries are grouped e.g. based on the first letter, the folder name or identical entries. Click the tools icon in the upper right corner to enable grouping mode.

Additional information on IP addresses

When displaying log files and in the network monitoring menus, IP addresses have been turned into links. On click the country of origin and the result of a DNS reverse-lookup will be shown.

Additional information in logs and monitoring

The mail server log contains multiple lines for each email, however these lines often don't show up next to another. In the ID column you will find a link which opens a windows, showing all lines associated with this email.
A link in the intrusion detection (IDS) log will show the dump of the intercepted paket.
In the IPsec log you will also find links displaying associated lines.
By clicking the info icon on the network monitoring IPsec tab you will get more details about the connection.

Display of log files

In some logs certain lines are highlighted in different colors in order to make the logs clearer and easier to understand.

Testing LDAP access

For the Active Directory user import and the LDAP based mail recipient address verification a test function has been added.

Network card speed and duplex settings configurable

Minor bugfixes and improvements

In the 6.0 releases some features had only been available on systems with a software maintenance contract. In 7.0 these features will now be available on all systems. This includes:

Reverse proxy option for strict transport security

The reverse proxy HTTPS ports can now enforce the HTTP Strict Transport Security option. For a certain period of time it instructs the browser to always access the server with HTTPS and to keep the user from ignoring any certificate error. It is meant to make Man-in-the-Middle attacks more difficult.

Remotedesktop gateway via reverse proxy

New options provide access to Remotedesktop gateway servers and with Remotedesktop web access.

Additional SSL interception features in web proxy

If the proxy is configured to break SSL encrypted sessions it is now possible to transparently proxy HTTPS connections to port 443. Authentication must be disabled in the proxy.
The behaviour of the proxy when it encounters an expired certificate or the certificate has been issued to a different server name is now configurable. Instead of letting the user decide if he is willing to trust the connection the proxy may outright deny access.
What the proxy should do when an OCSP connection fails is also configurable.
If the URL filter is enabled, path based filters like blocked filename extensions or enforced safesearch options for search engines are now applied.

Handling of password protected archives by web proxy content filter

A new option allows unchecked forwarding of password protected archives instead of moving these files into quarantine.

Query web proxy URL filter

You can now test the URL filter configuration in the "Monitoring" menu.

Sender Policy Framework (SPF) filter

A new filter is available for systems directly receiving inbound emails, i.e. via DNS MX record. The owner of a domain can publish in DNS that emails with a sender address in the domain may only be sent or relayed through specific servers. The SPF filter will process this information and reject non-compliant emails. As SPF is fighting sender address forgery, it also helps defending against certain kinds of SPAM and malware.
SPF may however cause problems with forwarded emails. Often a few addresses have to be excluded from filtering (e.g. your backup MX). Please see the online help for more detailed information.

Extended email attachment filter configuration

Under the impression of the current virus wave we received many feature requests regarding the attachment filter. This is what we've implemented so far:
The well-known list of filename extensions to block is now labeled "Dangerous file extensions". Matching attachments will always be quarantined. Our recommended default entries are listed in the online help.
Next is a new list of "trusted senders". You can add individual email addresses or whole domains. They are allowed to send any attachment except for "dangerous file extensions".
The default behaviour of the filter is now configurable as well: either pass everything on or quarantine all other attachments. Depending on the default behaviour you will get one more list with filename extensions. If the default behaviour is "quarantine", you will get a whitelist where you should enter less critical files like images or PDF anyone should be allowed to receive. Otherwise, if the default behaviour is "pass", you will get an other blacklist. It differs from the blacklist of "dangerous file extensions" as matching attachments may pass if they have been sent by "trusted senders". Nowadays you might want to enter normal office documents like doc, docx, xls, etc.
Note: to add a long list of filename extensions with a single click, enter them space separated (e.g. "doc docx xls").

Verification of recipient addresses when forwarding to an internal mail server

The SMTP port used for verification is now configurable. It is now also possible to query an Active Directory with LDAP to verify recipient addresses. Use one of these methods if your internal mail server is Exchange 2013.
A new option makes it possible to accepted and queue mails without verification if the internal mail server is temporarily unavailable.

Masquerading of email sender addresses

Individual mail relay depending on sender domain

In individual cases it can be necessary to send outbount mails via different relay servers, depending on the sender domain.

Maildomain routing via external mail server

The outbound mail routing may only be used by internal clients or authenticated users. It optionally applies to all subdomains as well.

OpenVPN access for selected certificates

Previously any OpenVPN client with a certificate issued by the configured VPN CA was able to connect to all OpenVPN server interfaces. With the new option you can limit access to specific certificates individually for each interface.

Simplified overriding of DNS information

In certain situations it is necessary to override DNS information for local clients with different data. Configuration of these entries is now straightforward. Even aliases (CNAMEs) may be used. It is no longer necessary to create a domain zone.

DNSSec validation option

When enabled, the DNS forwarder will validate all DNS replies with DNSSec.

Configurable update interval of DNS IP groups

The IP addresses of DNS IP groups have been updated daily. Now the interval can be shortened to hourly or even every minute, which allows the use of dynamic DNS addresses.

Service monitoring

It monitors the most important services and restarts them in case of a failure. On a cluster master a failover is initiated in case of repeated failures.

Additional features for network tools

The tool "traceroute" has been added. For "ping" the packet size is now configurable and it became possible to select an interface, which allows sending packets with different source IPs through VPN tunnels.


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany