Please note the information on logfiles, statistics and quarantined emails

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Logfiles and statistics

The storage period of logfiles and the contents of statisics have been reworked in terms of privacy and data protection.
Logfiles will be kept up to a maximum of 7 days. To achive this, logfiles will be rotated daily instead of weekly. The logfiles of previous weeks will be deleted while installing this update. Only the currently active log, i.e. this week's log, will be kept. During the update a warning concerning data protection or necessary configuration changes may be displayed if an external logfile archive has been configured or custom log rotation settings are in effect.
In the future, IP addresses in the firewall logs will be anonymized (192.168.x.x). The proxy, web server and mail server statistics will no longer contain analyses by client IP, user name or email address. The update will keep nothing but the overview of the last 12 months of all statistics. The pages with the monthly statistics will be deleted. At midnight the monthly statistics of the current month will be re-generated.

Storage period for quarantined emails

The default storage period of emails in the quarantine directory has been reduced to 7 days. This value can now be changed in the administration interface. Please check yourself, which value is acceptable with respect to data protection.

Update of the Linux kernel

The new kernel enhances the "Spectre" attack protection and fixes minor vulnerabilities which can be used to crash the system.

RC4 with SMTP connections

For encrypted SMTP connections the insecure RC4 cipher was still allowed.


You can now connect Ethernet, VLAN and WLAN interfaces with a network bridge. For connections within the bridge and connections coming out of the bridge the firewall is configured individually for each port. So it is possible to run a transparent firewall between two network segments (e.g. between LAN and router). For connections routed into a bridge however, there's no firewall configuration by port, only by bridge.

Radius client for WLAN connections

WPA2-EAP authentication is now supported on hardware with WLAN support.

IPsec XAuth and L2TP clients via same NAT router

Simultaneous IPsec connections with XAuth and L2TP clients were not possible, if the clients connected from behind the same NAT router.

URL filter

The URL filter software and the free URL databases have been updated.

IDS/IPS signatures for systems without maintenance contract

Avira, F-Secure and Kaspersky antivirus engines

Minor bugfixes and improvements

Aggregation of network adapters

You can now aggregate multiple network adapters to get redundant connections with switches or to increase throughput.

URL filter message when breaking SSL connections

An option has been added to the web proxy content filter settings which affects what the users will see when the URL filter blocks a whole domain. The proxy used to already block the connection attempt, so the browser reported the generic error, that the proxy forbids the connection. With the new option you can change the behaviour, so the connection is initially allowed and the detailed error message of the URL filters is shown in the browser.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

A security vulnerability has been detected in the speculative execution feature of modern micro processors which lets an attacker read restricted memory areas if the attacker succeeds to execute malicious code (the "spectre" attack). The updated kernel tries to make both variants of this attack more difficult via memory barrieres and the retpoline technique.

IP object of type "Host"

The new IP object type represents an IPv4, IPv6 and MAC address. All three parameters are optional. In most cases only the IP adresses will be considered. If a settings also uses the MAC address it will be noted in the documentation.

Firewall rules based on MAC adresses

To configure a firewall rule for a MAC address, you can select an IP object of type "Host" as the rule's source. If the object contains a MAC address only, the rule will apply to any packet received from this MAC. If at least one of the IPs has been configured in the object, both, the MAC and the IP have to match. To configure a firewall rule for multiple "Hosts", you can nest them in group objects.

User specific message after logging into administration interface

For users with access to the administration interface (group "system-admin") a message can be configured in the user administration which is displayed every time after the user logged into the administration interface.

Various software components

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

A security vulnerability has been detected in Intel processors which lets an attacker read otherwise protected memory areas if the attacker succeeds to execute malicious code (the "meltdown" attack). The updated kernel prevents this attack via Kernel Page Table Isolation (KPTI).
In addition, a security vulnerability has been fixed which allowed local users to gain privileged access.

Web proxy URL filter

Rules granting unconditional full access no longer worked since 7.0-3.1.

UMTS-/LTE-USB sticks

Since 7.0-3.1 the mobile broadband USB sticks no longer switched to modem mode after power was lost.

Comment field when logging into administration interface

A comment field has been added to the login screen of the administration interface. Its contents will be logged. You can e.g. enter the reason for the login, a ticket number or the employer's name.

Minor bugfixes and improvements

DOS check with "Fake reply to Traceroute and ICMP ping"

In version 7.0-3.1 a DOS check with low threshold was applied when the firewall option "Fake reply to incoming Traceroute and ICMP-Ping" was enabled. Forwarded connections except for TCP were affected. In particular VoIP connections were disturbed.

Crashes of IPsec server

The IPsec server of update 7.0-3.1 crashes when a peer proposes encryption without integrity. Normally these proposals are ignored.

Access to when breaking SSL connections

Since Google recently updated the certificates, the proxy refused to accept the OCSP status of the intermediate CA certificate.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Loading new IDS/IPS signatures or configurations

After rotating logs it could happen that the Intrusion Prevention and the Intrusion Detection stopps loading new signatures or reloading the configuration after changes.

Rejecting emails with unwanted attachments

The "admin" user can now grant members of group "sytem-admin" read-only access to the most important configuration menus, e.g. to grant access for an auditor. Previously "admin" could only grant full access to individual menus.

URL filter user groups via Active Directory

The URL filter can now retrieve user groups directly from an Active Directory server. A computer account in the Windows domain is required just like for NTLM proxy authentication.

Additional categories for the fee-based URL filter

The new categories are: Malware, dynamic addresses, "Microsoft data collection", religion and search engines.

IPv6 support in URL filter rules

With the new URL filter version IPv6 addresses may also be configured as client IP in the ruleset. Previously IPv6 addresses have been supported in destination URLs only.

Installation of certificates re-newed automatically via ACME

Certificates managed with ACME like e.g. from Let's Encrypt will be re-newed automatically, in 7.0-3.0 however the new certificate is not installed in the servers. The installation will take place when the whole system configuration is re-written the next time. This usually happens after updates, on a cluster master each time the configuration is synchronized.

IPsec server update

The new version fixes memory leaks and a crash with inbound connections using certain encryption parameters.
If there is more than one tunnel between two IPsec servers and at least one of them is behind a NAT router, it could have happened that not all tunnels got re-established after a connection loss e.g. due to a daily DSL re-connect. This problem has also been solved.

Increased IPsec throughput

The IPsec throughput on high bandwidth links was increased by changes to the L2TP server and the Intrusion Prevention System.

Problems with permissions in 7.0-3.0

Due to changed permissions in 7.0-3.0 problems occured with the following features: web server directories and statistics, FTP access to email quarantine directory and archiving of logfiles.

Selection lists in the administration interface

Selection lists can become quite long, e.g. when selecting a protocol or an IP object. If there are more than 20 entries, a filter function and grouping of elements will assist you in finding the desired element.

Various software components

Among others the Linux kernel, the DNS server, Samba and the OpenSSL crypto library will be updated.

Update of the static SPAM filter ruleset

Minor bugfixes and improvements


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany