Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.
Due to the update of numerous software components the update procedure will take significantly longer than usual (after the download is complete at least 10-15 minutes). Please be patient.

Kaspersky virus scanner engine

The new version required different signatures. This is why the scanner update is unusually big (381 MB). So we decided to not include it in the regular update file. Instead the update will download the new engine if necessary.
On devices which have an older version of the Kaspersky scanner installed, the update procedure will download the 381 MB Kaspersky update from our website right at the beginning.
As an alternative, you can download the Kaspersky scanner from our website and install it before starting the update.

Various software components

The update includes new versions of the Linux kernel, the virus scanner engines, various system libraries and applications. The predefined lists of trusted CA certificates, the URL filter database and the SPAM filter rules are updated as well. Systems without daily IDS updates (systems without maintenance contract) receive new IDS rules with this update.

Editing tables in the administration interface

When intensively editing a list in the administration interface, the web browser started to become unresponsive due to large ammounts of occupied memory.

Definitions > Domainlists

The new item in the "Definitions" menu lets you create lists of server and domain names which may then be used in multiple web proxy settings. For some applications that are likely to be of general interest, we added a few pre-defined domainlists.

Allowed destination ports in web proxy

In the list of ports for unencrypted (HTTP) connections you can now enable ports for individual servers. We recommend to delete the entry, granting access to all ports in the range 1024-65535.
Access to the administration interface (port 44344) via web proxy is no longer automatically granted. After the update, the list of allowed CONNECT ports (for HTTPS) will contain entries for access to the administration interface which can be deleted if they are not needed or wanted.

Microsoft update servers

The servers and will be added as trusted hosts to the web proxy content filter configuration if they are missing.

Mail server ports 587 and 465

You can now enable the two mail submission ports 587 and 465 in the mail server configuration. The pre-defined protocols SMTP-SUB and SMTPS have been added for the two ports.

Minor bugfixes and improvements

TLS based server processes could have been crashed

A bug in the OpenSSL system library allowed attackers to crash TLS based servers.

Minor bugfixes and improvements

Reset switch on ECO server and Praxis-Wächter hardware

There's a tiny hole in the front of our entry level hardware ECO server and the Praxis-Wächter standard hardware. There's a reset switch behind it which may be pushed with a straightened paper clip or something similar. This reset switch is now enabled. Press and hold the switch until you can hear a beep. When the reset process is finished, you will hear a double-beep.
Only the system configuration will be reset. So among others neither users nor logfiles or apps will be removed. The reset is meant for situations where you locked yourself out after modifying the configuration. The reset won't help if you forgot the password or if the software image is corrupt, e.g. after powering the device off while updating.

Model "Praxis-Wächter" only: several modifications and improvements

The TI wizard now supports using network interface "eth2" for VLANs only. Please manually create the required VLAN interfaces beforehand. Please make sure that "eth2" is not used directly in the "wiring plan".
If the connector is not attached to the "Geräte" interface but to a dedicated (VLAN) interface instead, the TI wizard will from now on adjust the base configuration of this interface.
If the internal network "Verwaltung" is bridged with the connector, the firewall rule for access to "TI_vpn/netze" is now configured in both, the bridge and the routing firewall rules. You have to re-run the firewall part of the TI wizard to get the additional rule.
If the TI connector is the default gateway (SIS), an additional firewall rule will deny connections from Praxis-Wächter to "TI_vpn/netze". Also for this rule you will have to re-run the firewall part of the TI wizard again.
Furthermore a re-run will add the IP object "TI_vpn/netze" to the exception list for transparent proxying in interface eth0 and to the proxy autoconf file. "INTRANET" is also added to the proxy autoconf file.

Routing in bridge

This new option helps if a network device and its standard gateway are connected via bridge and necessary static routes are not configured on the network device. Packets to destination addresses which are configured on other interfaces, in VPNs or static routes will then be routed and not bridged.

Wizard "Internet access" restructured

DHCP server configuration option to assign NTP timeservers

Minor bugfixes and improvements

Bandwidth limitation in web proxy

The bandwidth may be limited based on the client IPs and/or the destination host name. If local user authentication is enabled, a limit by user group is possible, too.

Exception list for transparent proxying

In the firewall configuration of LAN and RAS interfaces there's now an exception list for destinations addresses. No transparent proxying will be applied to connections to these addresses.

Improved communication security

When the backup node connects to the master, it will now verify the master key.

Improved bandwidth management

With high bandwidth Internet connections the priority classes "low" and "standard" will now benefit from higher and more even throughput.

Model "Praxis-Wächter" only: several modifications and improvements

It is now possible to enable and disable the firewall rule for access to the Connector administration in the "Telematikinfrastruktur" wizard.
The protocol "TI_sicct" which is used for communication between cardreader and connector is splitted into "TI_sicct_udp" (UDP only) and "TI_sicct" (TCP and UDP). The wizard "Telematikinfrastruktur" now adds an additional firewall rule for "TI_sicct_udp" from cardreader to connector. If the cardreader and connector networks are bridged, an other "TI_sicct_udp" rule is added from connector to the broadcast address. This is expected to solve problems when pairing the devices and it should speedup the recovery process after a reboot of the connector or a cardreader. To get the additional rules, please step through the firewall branch of the wizard again.
Running the firewall branch of the wizard will also allow ping from Praxis-Wächter to IPs in the networks "Verwaltung" and "Geräte".
An IP address is added to IP object "arvato/dns" where applicable.
An IP object for the insurance service provider ACTINEO has been added. If required, it can be added to IP object "TI_vpn/netze" to gain access to their servers via Telematikinfrastruktur VPN.
Improved support in the wizard for environments with Internet access via SIS through a parallel connector or through a serial connector which is not attached to the Internet interface of the Praxis-Wächter.

Update of several software components

Minor bugfixes and improvements

Configuration options for Web Client 1.2.0

The clipboard for RDP and VNC connections can be restricted to one direction or disabled completely. For file transfer via RDP can now also be restricted to one direction. Finally the additional keyboard layouts for RDP connections may be configured.

Redirect instead of error message for unknown paths in reverse proxy

Requests for URL paths with no configured backend server used to be rejected with an error message. As an alternative you can now redirect these requests to an arbitrary URL. The URL path of the original request may be kept or stripped. As a special use case each requests received via an unencrypted HTTP port may be redirected to its corresponding HTTPS URL.

Tables in the administration interface

In previous releases you could select the display method for sortable tables with more than 20 entries in the settings menu (upper right corner). Now you can select individually by table if its entries are displayed in groups or if you have to switch from page to page. The default for tables where you can select sub-objects is the grouped view. Tables with simple values have a pager by default.

Model "Praxis-Wächter": Supplement of T-Systems DNS servers

We finally learned the DNS IPs for TI connections via T-Systems, as configured on "Praxis-Wächter" models. The update modifies IP object "t-systems/dns". The reference to IP object "t-systems/de" (IP addresses in Germany) with the actual DNS IPs.

Archiving of IDS/IPS logs

Malfunction of DHCP relay in certain network environments

Minor bugfixes and improvements

Missing access permissions since 7.1-2.0

After updating the SElinux rules in 7.1-2.0 some operations failed due to missing access permissions. Affected were the hardware power button to switch off the device, archiving logs to a Windows share, the new OpenVPN one-time-password authentication and generating a new OpenVPN key for tls-crypt.

SPAM filter configuration changes

In 7.1-2.0 changes to the SPAM filter configuration didn't become effective until after a manual restart.

Adjusting the system time

Adjusting the system time via administration interface and time scheduled daily or weekly didn't work in 7.1-2.0. The continuous time synchronization via NTP service was not affected.

Minor bugfixes and improvements


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany