Configuration of Kaspersky Antivirus signature update

The configuration of the Kaspersky signature update has to be modified by 2022-01-31. Without the modification, signature updates will fail after this date.

Wake-on-LAN for OpenVPN clients

Switching on a PC automatically with Wake-on-LAN used to be available in the Web Client and when IPsec-L2TP clients connect. It is now also supported when OpenVPN clients connect. The prerequisite is that user authentication with one-time passwords has been enabled in the configuration of the OpenVPN server interface. Just as for IPsec-L2TP clients, the MAC address of the PC to wake up has to be configured in the RAS settings of the user administration for the respective user.

Memory corruption in NSS crypto library

The NSS library is used by IPsec, OpenVPN, the intrusion prevention system and the administration interface, so an unauthenticated attacker might be able to execute code on the device.

Transparent HTTPS proxying via content filter

When the SSL check option was disabled, transparent HTTPS connections were opened to the destination IP instead of the hostname. If the proxy was configured to block HTTPS connections to IPs, access was denied. Otherwise, when inspecting HTTPS connections, some servers could not be reached, as they require the correct server name (SNI) to be set as part of the SSL handshake.
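The hostname a transparent proxy needs for the upstream handshake is available in clear text in the client's TLS ClientHello, in the SNI extension, even when the proxy never decrypts the connection. The following added example (not the appliance's code) parses that extension out of a ClientHello record and makes the same decision the proxy faces: use the SNI name, fall back to the destination IP, or refuse when policy blocks HTTPS to bare IPs. `build_client_hello` constructs the test input; the field layout follows RFC 5246 and RFC 6066.

```python
import struct
from typing import Optional


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record. This is constructed test
    input, not a capture; server_name=None omits the SNI extension, which is
    what a browser sends when the URL contains an IP literal."""
    exts = _u16(0x0017) + _u16(0)                     # extended_master_secret (empty), unrelated to SNI
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + _u16(len(host)) + host      # name_type 0 = host_name
        sni = _u16(len(entry)) + entry                # ServerNameList
        exts += _u16(0x0000) + _u16(len(sni)) + sni   # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random (fixed for the test)
            + b"\x00"                                 # empty session_id
            + _u16(2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a TLS ClientHello
    record, or None if the record is not a ClientHello or carries no SNI."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        end = 9 + hs_len
        p = 9
        p += 2 + 32                                        # client_version, random
        p += 1 + record[p]                                 # session_id
        p += 2 + int.from_bytes(record[p:p + 2], "big")    # cipher_suites
        p += 1 + record[p]                                 # compression_methods
        if p >= end:                                       # no extensions block at all
            return None
        ext_end = p + 2 + int.from_bytes(record[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(record[p:p + 2], "big")
            elen = int.from_bytes(record[p + 2:p + 4], "big")
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0x0000:                            # skip every extension but server_name
                continue
            q = 2                                          # skip ServerNameList length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                             # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, UnicodeDecodeError):
        return None


def choose_upstream(dst_ip: str, client_hello: bytes, block_ip_targets: bool) -> Optional[str]:
    """Decide what the transparent proxy connects to: the SNI host name when
    present (so the upstream handshake carries the name the server expects),
    the destination IP when the client sent no SNI and policy allows it, or
    None when HTTPS to bare IPs is blocked."""
    host = extract_sni(client_hello)
    if host:
        return host
    return None if block_ip_targets else dst_ip


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello), choose_upstream("93.184.216.34", build_client_hello(None), True))
```

A client that typed an IP literal sends no SNI, so the proxy only has the destination IP to work with; that is the case the "block HTTPS connections to IPs" option decides.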

Update of Avira antivirus

Deleting all queued mails

When deleting all mails from the mail server queue, all quarantined mails were also deleted by mistake.

Changes in model "Praxis-Wächter"

Several new IP objects have been added for networks reachable via connector VPN. Please add the required IP objects manually to the IP group "TI_vpn/netze".
Firewall rules will be added that grant the PVS LDAP access to the connector, as required for the "elektronische Arbeitsunfähigkeitsbescheinigung (eAU)".
On older devices, settings will be applied which had been added in later versions of the Telematikinfrastruktur wizard. Check the log of the administration interface for the changes made.

Alternative ADSL PPPoE driver

For ADSL connections with PPP over Ethernet, an alternative driver can be selected which supports bandwidths above 200 Mbit/s.

WPA3 support for devices with Wi-Fi interface

Update of various software components

So far we used installation packages based on Microsoft's CMAK, which still use SHA-1. We now offer our own PowerShell-based solution. Besides using SHA-2, it has the following advantages:
  • Configuration of additional routes in split tunnel configurations
  • Possibility to install multiple connections to different destinations
In contrast to CMAK, the parameters of an installed connection can now be changed afterwards.
While we still provide CMAK-based profiles, we recommend migrating to the new solution over time.
Both types of installation package now allow setting the Windows registry key required when the VPN server is located behind a NAT router.

The RSA and ed25519 host keys used by the SSH server are now available in the keyring menu, so you can back up or restore the keys or generate new ones.

Management access

It is now possible to grant management access to your device to your reseller or, when operating multiple devices, to a central device. Initially, it is possible to retrieve some very basic information, open connections to technical support, trigger an update and access the administration interface.
The corresponding menu on the central device has been renamed from "Remote devices" to "Management server".

Truncated ping replies

In release 7.1-3.0 the ping tool was updated. The new version, however, ignores truncated ping replies. As a consequence, devices that test the availability of the Google nameservers plus at most one other Internet IP for fallback purposes switched into fallback mode, because the Google nameservers answer large ping packets with a truncated reply packet.

Graphical firewall statistics

Since 7.1-3.0 the statistics were no longer updated.

Problems resolving DNS names

In particular after a reboot, name resolution errors occurred for certain DNS names on systems resolving via the root nameservers.

Accepted IPs in SNMP server

The list of IPs allowed to connect to the SNMP server is now configurable.

Static passwords in Web Client

You can now store the password of the destination system in each Web Client connection, so the user only has to authenticate at the Web Client. In general we do not recommend storing a static password; it may however be useful, e.g. to temporarily grant an external service provider privileged access to an internal system without having to change or disclose its password.

Changes in model "Praxis-Wächter"

The IP object with the network required for issuing digital vaccination certificates via connector VPN has been added.
IPsec interfaces can now be selected as connector interface.

Daily Tasks

Since version 7.1-3.0, the daily tasks, such as creating the statistics or rotating the log files, were no longer performed.

WLAN security flaw FragAttacks

On devices with WLAN extension, the update protects the WLAN protocol stack against the FragAttacks vulnerabilities.

Certificate requests via ACME protocol

Requesting new certificates via ACME (Let's Encrypt) failed in 7.1-3.0: the new version of the tool used to talk to the ACME server could not verify the server's certificate.

VPN setup packages for Windows

The installation of IPsec-L2TP and OpenVPN setup packages for Windows (*.exe) created with version 7.1-3.0 failed.

Sending mails with the Groupware App in version 4.x

In 7.1-3.0, sending emails from within the Groupware App failed if a 4.x release of the groupware was installed.

SPAM filter rules with any characters

User-defined SPAM filter rules used to support ASCII characters only. Any character is now possible.

Verification of mail server certificates with DANE

It is not feasible to enable verification of the destination server certificate whenever a mail server forwards a mail to another mail server, as many mail servers have no valid certificate. With DANE, the operator of a mail server can publish in DNS that, and how, the certificate of the mail server is to be verified. Support for the DANE variant DANE-EE can now be enabled in the mail server configuration.
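What DANE-EE actually checks is easy to lose in the description above, so here is an added example (not the appliance's code) of both sides: the RDATA an operator publishes in a TLSA record under `_25._tcp.<mx-host>`, and the matching a sending server performs against the certificate presented after STARTTLS. Usage 3 (DANE-EE) identifies the end-entity certificate directly; per RFC 7672 no CA chain, name or expiry check is involved, which is why it works for the self-signed certificates common on mail servers, and why the TLSA record itself must come from a DNSSEC-validating resolver. `fake_cert` builds a constructed certificate with the real DER field layout (empty names, junk signature) so the example runs offline; the OIDs are the standard ECDSA/P-256 ones.

```python
import hashlib
from typing import List, Tuple


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite lengths up to 65535 are enough here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_children(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a DER byte string into its top-level (tag, content) elements."""
    out, p = [], 0
    while p < len(data):
        tag, n, p = data[p], data[p + 1], p + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, p = int.from_bytes(data[p:p + k], "big"), p + k
        out.append((tag, data[p:p + n]))
        p += n
    return out


def spki_of(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (TLSA
    selector 1). tbsCertificate field order per RFC 5280: [0] version
    (optional), serialNumber, signature, issuer, validity, subject, SPKI, ..."""
    (_, cert_body), = der_children(cert_der)
    _, tbs = der_children(cert_body)[0]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                          # explicit version tag present
        fields = fields[1:]
    tag, content = fields[5]
    return der(tag, content)


def _association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    data = cert_der if selector == 0 else spki_of(cert_der)   # selector 0 = full cert, 1 = SPKI
    if mtype == 0:
        return data                                   # matching type 0: exact bytes, no hash
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(cert_der: bytes, selector: int = 1, mtype: int = 1) -> str:
    """RDATA an operator publishes at _25._tcp.<mx-host> for DANE-EE.
    The default '3 1 1' pins the SPKI by SHA-256, so the record survives a
    renewal that keeps the key pair."""
    return f"3 {selector} {mtype} {_association_data(cert_der, selector, mtype).hex()}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Check a (DNSSEC-validated) TLSA record against the certificate the
    receiving mail server presented in STARTTLS. Only usage 3 (DANE-EE) is
    handled; usages 0-2 would additionally need chain building."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    expected = bytes.fromhex(hexdata.replace(" ", ""))   # dig prints the hex in chunks
    return _association_data(cert_der, int(selector), int(mtype)) == expected


def fake_cert(pubkey_bits: bytes, signature: bytes = b"\x01" * 8) -> bytes:
    """Constructed stand-in with the real DER layout of a certificate. Names are
    empty and the signature is junk; DANE-EE matching verifies neither."""
    ecdsa_sha256 = der(0x06, bytes.fromhex("2a8648ce3d040302"))          # ecdsa-with-SHA256
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))    # id-ecPublicKey
                         + der(0x06, bytes.fromhex("2a8648ce3d030107")))     # prime256v1
                    + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                          # version v3
                    + der(0x02, b"\x01")                                   # serialNumber
                    + der(0x30, ecdsa_sha256)                              # signature
                    + der(0x30, b"")                                       # issuer (empty)
                    + der(0x30, der(0x17, b"220101000000Z") + der(0x17, b"230101000000Z"))
                    + der(0x30, b"")                                       # subject (empty)
                    + spki)
    return der(0x30, tbs + der(0x30, ecdsa_sha256) + der(0x03, b"\x00" + signature))


if __name__ == "__main__":
    cert = fake_cert(b"\x04" + b"\x55" * 64)
    print(tlsa_rdata(cert), tlsa_matches(tlsa_rdata(cert), cert))
```

Note that a `3 0 1` record (full certificate hash) stops matching as soon as the certificate is reissued, while `3 1 1` keeps matching for as long as the key pair is reused; operators who rotate keys have to publish the new record before switching the certificate.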

Recording network dumps

In menu "Monitoring > Network > Tools" you can now record packet dumps. A dump can be downloaded as a pcap file or viewed in text format.

