Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.
Due to the update of numerous software components, the update procedure will take significantly longer than usual (at least 10-15 minutes after the download is complete). Please be patient.

Runtime environment for apps

With this update the runtime environment for apps changes from "Docker" to the lightweight "Podman", which, incidentally, has no service of its own that needs to be running.
Systems with installed apps need to update them to the most current version beforehand. The apps are then imported into Podman automatically, provided sufficient disk space is available. If the disk space is insufficient, the update is canceled with a suitable recommendation on how to proceed.

F-Secure Antivirus is now an app

The new F-Secure scanner has to be installed as an app. This update does not automatically upgrade the old scanner to the new app-based engine; an automatic upgrade will take place in a future release. Please install the F-Secure app under "System > Apps" after the update has finished (mind the reboot!).
In the new version, F-Secure also offers a cloud option to support the scan process. The option is enabled by default but can be disabled in the administration interface. With the cloud option, new malware should be detected faster, before the next signature update reaches the local scanner. Furthermore, links in emails are checked: if a link points to a web server that, according to F-Secure, has a bad reputation, the mail is treated like a virus mail (even though, strictly speaking, there is no virus in the mail).

Access to groupware

Since version 7.1-3.4, on systems with the groupware app installed, the reverse proxy forwarded requests to the groupware even if the groupware option was disabled in the reverse proxy configuration.

IP objects and domain lists

Since the Microsoft Cloud Germany was closed down towards the end of 2021, the IP object and the domain list MICROSOFT_365_DE are no longer available. Please use MICROSOFT_365 instead. Furthermore, the following IP-LISTS are no longer available: AMAZON_VIDEO, BITTORRENT, HOTSPOT_SHIELD, MINING, PS_VUE, WECHAT, WHATSAPP and WHATSAPP_FILES.
The update deletes those lists that are not in use anyway. Lists that are in use are emptied and updated with an appropriate comment. In addition, an email notification is sent to "admin".
The IP-LIST MS_ONE_DRIVE has been renamed to SHAREPOINT. TEAMS is now an alias for SKYPE. New IP-LISTS are EXCHANGE and INSTAGRAM.
Pre-defined geolocation objects have been added below GEO: DE for Germany, DACH for German-speaking countries and EU for the European Union.

Global blocklist for firewall

In the global firewall settings an interface independent IP blocklist has been added. Neither inbound nor outbound connections may be opened to IPs on this list. It is possible to use IP objects of any type, including geolocation objects.

Installation package for management server

Thanks to the new installation package, adding another system to the management server is now a piece of cake. The administrator of the management server creates the package and protects it with a password. All you have to do on the target system is upload the package and enter the corresponding password.
To be able to use the new installation package, at least version 7.1-4.0 has to be installed on the systems you want to manage. Only tunnel mode is supported, i.e. the managed system initiates the connection to the management server.

Transparent proxying in DMZ interfaces

The switches for easy configuration of transparent proxying are now also available in DMZ interfaces. Previously the switches were available in LAN and RAS interfaces only; in DMZ interfaces, firewall rules had to be used to configure transparent proxying.
Already in version 7.1-3.7 we added a new option to the switches for transparent web proxying. If the web proxy configuration allows bypassing the content filter, you can now choose between transparent web proxying with or without content filter. Previously, transparent proxying without content filtering had to be configured with firewall rules.
Transparent proxying without content filtering makes sense if the content filter is configured to inspect SSL connections, but some interfaces carry devices on which the proxy CA certificate cannot be installed (e.g. a staff wifi with private smartphones). If these devices should still connect via the proxy, select transparent HTTPS proxying without content filtering for these interfaces. Please don't forget to restrict proxy access to trusted networks such as the LAN where appropriate.

IP object for Azure Servicebus WCF Relays

Configure the Servicebus Namespace and this IP object will deduce the IP addresses of the corresponding relay servers.

Groupware filter rules for email folders with special characters

Groupware filter rules for automatically moving emails into folders with special characters in their names created a new folder named with an encoded representation of the special characters instead.
The update does not modify existing filter rules. However, you can edit affected rules and select the correct folder name with special characters.

Various software components

The update includes new versions of the Linux kernel, the Avira virus scan engine, various system libraries and applications. The predefined lists of trusted CA certificates and the free URL filter database are updated as well. Systems without daily IDS updates (systems without maintenance contract) receive new IDS rules with this update.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, in the zlib library (when compressing), in the XML parser library expat and in the Avira scanner.

Minor bugfixes and improvements

Denial-of-service in OpenSSL crypto library

The update fixes a bug in the OpenSSL crypto library that caused an endless loop in applications.

Cache poisoning in DNS forwarder

Affected are DNS configurations with a configured provider nameserver that also allow resolving names via the Internet root servers. While resolving via the root servers, potentially forged nameserver information that had entered the cache from a provider nameserver was used.
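As an added illustration (not the product's own code), here is a simulated resolver cache in which every record is tagged with where it came from. The hardened delegation lookup ignores nameserver records that were relayed by the provider nameserver or that lie outside the bailiwick of the server which supplied them, so a forged delegation cached from a forwarder cannot steer the root-based resolution. All names and cache contents are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class CachedRR:
    name: str       # owner name, fully qualified with trailing dot
    rtype: str      # "NS" or "A"
    rdata: str
    source: str     # "forwarder": relayed by the provider nameserver
                    # "iterative": learned while walking down from the root servers
    bailiwick: str  # zone the answering server was responsible for ("." for a root server)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` lies at or below `zone` (zone "." covers everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def usable_for_iteration(rr: CachedRR) -> bool:
    # Hardened rule: delegation data must stem from the iterative walk itself and
    # must be in-bailiwick for the server that supplied it. Records relayed by the
    # provider nameserver may serve as answers, but never as delegation hints.
    return rr.source == "iterative" and in_bailiwick(rr.name, rr.bailiwick)

def closest_delegation(cache: List[CachedRR], qname: str, hardened: bool) -> List[str]:
    """Return the NS names of the closest enclosing zone of `qname` found in the cache."""
    labels = qname.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
    for zone in candidates:            # longest match first
        ns = [rr.rdata for rr in cache
              if rr.rtype == "NS" and rr.name == zone
              and (not hardened or usable_for_iteration(rr))]
        if ns:
            return sorted(ns)
    return []

# Constructed cache contents mirroring the scenario from the release note.
SAMPLE_CACHE = [
    CachedRR(".", "NS", "a.root-servers.net.", "iterative", "."),
    CachedRR("com.", "NS", "a.gtld-servers.net.", "iterative", "."),
    CachedRR("example.com.", "NS", "ns1.example.com.", "iterative", "com."),
    # Forged delegation that arrived in a response relayed by the provider nameserver:
    CachedRR("example.com.", "NS", "ns.forged.invalid.", "forwarder", "."),
]
```

Calling `closest_delegation(SAMPLE_CACHE, "mail.example.com.", hardened=False)` returns the forged server alongside the genuine one; with `hardened=True` only `ns1.example.com.` remains.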

IPsec fallback for AWS connections

For higher availability, a virtual private gateway (VPG) in the AWS cloud is reachable via two different IP addresses. A new IPsec connection type lets you configure both IPs and automatically establishes a connection to the other IP if one of them is not available.

Improved import feature

When importing data into a two-column table whose second column holds just comments, it is no longer necessary to provide the data in two-column format (tab-separated). You can now also upload simple lists with one value per line. For example, an IP list you received from elsewhere can now easily be imported into an IP object.

Syntax error in exported OpenVPN configuration

If one-time passwords are enabled for OpenVPN connections, the installation packages and the OpenVPN configuration files exported for clients contained a syntax error.

Avira Antivirus

Minor bugfixes and improvements

Configuration of Kaspersky Antivirus signature update

The configuration of the Kaspersky signature update has to be modified by 2022-01-31. Without the modification, signature updates will fail after this date.

Wake-on-LAN for OpenVPN clients

Switching on a PC automatically with Wake-on-LAN used to be available in the Web Client and when IPsec-L2TP clients connect. Now this is also supported when OpenVPN clients connect. The prerequisite is that user authentication with one-time passwords has been enabled in the configuration of the OpenVPN server interface. Just as for IPsec-L2TP clients, the MAC address of the PC to wake up has to be configured in the RAS settings of the user administration for the respective user.

Minor bugfixes and improvements

Memory corruption in NSS crypto library

The library is used by IPsec, OpenVPN, the Intrusion Prevention and the administration interface. An unauthenticated attacker might be able to execute code.

Transparent HTTPS proxying via content filter

Transparent HTTPS connections used the IP address instead of the hostname to open connections if the SSL check option was disabled. If the proxy was configured to block HTTPS connections to IP addresses, access was denied. Otherwise, when inspecting HTTPS connections, some servers that require the correct server name (SNI) to be set in the SSL handshake could not be accessed.

Update of Avira antivirus

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

Deleting all queued mails

When deleting all mails from the mail server queue, all quarantined mails were also deleted by mistake.

Changes in model "Praxis-Wächter"

Several new IP objects have been added for networks reachable via the connector VPN. Please add the required IP objects manually to the IP group "TI_vpn/netze".
Firewall rules will be added granting the PVS LDAP access to the connector, as required for the "elektronische Arbeitsunfähigkeitsbescheinigung (eAU)".
On older devices, settings will be applied which had been added in later versions of the Telematikinfrastruktur wizard. Check the log of the administration interface for the changes made.

Alternative ADSL PPPoE driver

For ADSL connections with PPP over Ethernet, an alternative driver can be selected which supports bandwidths above 200 Mbit/s.

WPA3 support for devices with Wifi interface

Update of various software components

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

VPN installation packages for Windows

So far we used installation packages based on Microsoft's CMAK, which still use SHA1. We now offer our own PowerShell-based solution. Besides using SHA2 it has the following advantages:
  • Configuration of additional routes in split tunnel configurations
  • Possibility to install multiple connections to different destinations
In contrast to CMAK, it is now possible to change the parameters of an installed connection afterwards.
While we still provide CMAK-based profiles, we recommend migrating to our new solution over time.
Both types of installation package now allow setting the Windows registry key required when the VPN server is located behind a NAT router.

SSH server keys

The RSA and ed25519 keys used by the SSH server are now available in the keyring menu, so you can now save or restore a backup of the keys or generate a new key.

Management access

It is now possible to grant management access to your device to your reseller or, when operating multiple devices, to a central device. Initially, it is possible to retrieve some very basic information, open connections to technical support, trigger an update and access the administration interface.
The corresponding menu on the central device has been renamed from "Remote devices" to "Management server".

Truncated ping replies

In release 7.1-3.0 the ping tool was updated. The new version, however, ignores truncated ping replies. As a consequence, devices that test Internet availability against the Google nameservers and at most one other Internet IP for fallback purposes switched into fallback mode, because the Google nameservers answer large ping packets with a truncated reply packet.

Graphical firewall statistics

Since 7.1-3.0 the statistics were no longer updated.

Problems resolving DNS names

In particular after a reboot, name resolution errors occurred for certain DNS names on systems resolving via the root nameservers.

Accepted IPs in SNMP server

The list of IPs allowed to connect to the SNMP server is now configurable.

Static passwords in Web Client

You can now configure the password of the destination system in each Web Client connection, so the user only has to authenticate at the Web Client. In general we do not recommend entering a static password; however, it may be useful e.g. to temporarily grant an external service provider privileged access to an internal system without having to change or disclose its password.

Changes in model "Praxis-Wächter"

The IP object with the network required for issuing digital vaccination certificates via the connector VPN has been added.
You may now select IPsec interfaces as connector interface.

Daily Tasks

Since version 7.1-3.0, the daily tasks, such as creating the statistics or rotating the log files, were no longer performed.

WLAN security flaw FragAttacks

On devices with WLAN extension, the update protects the WLAN protocol stack against FragAttacks.

Certificate requests via ACME protocol

Requesting new certificates with ACME (Let's Encrypt) failed in 7.1-3.0: the new version of the tool used to interact with the ACME server was unable to verify the server's certificate.

VPN setup packages for Windows

The installation of IPsec-L2TP and OpenVPN setup packages for Windows (*.exe) which had been created with version 7.1-3.0 failed.

Sending mails with the Groupware App in version 4.x

In 7.1-3.0 sending emails from within the Groupware App failed if a 4.x release of the groupware was installed.

SPAM filter rules with any characters

User-defined SPAM filter rules used to support ASCII characters only. Now any character is possible.

Verification of mail server certificates with DANE

It is not feasible to enable verification of the destination server certificate whenever a mail server forwards a mail to another mail server, as many mail servers have no valid certificate. With DANE, the operator of a mail server may publish in DNS whether and how the certificate of their mail server is to be verified. Support for the DANE variant DANE-EE may now be enabled in the mail server configuration.
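To show what DANE-EE verification amounts to on both sides, here is an added example (not the product's code): the publisher derives a TLSA record of the form "3 selector matching-type data" from its certificate, and the sending side accepts a presented certificate if any usable usage-3 record matches it. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, no X.509 parsing is done, and the snippet assumes the TLSA records were obtained through a DNSSEC-validated lookup, which it does not perform itself.

```python
import hashlib
from typing import Iterable, Tuple

TlsaRecord = Tuple[int, int, int, bytes]   # (usage, selector, matching_type, association data)

# Constructed stand-ins for the DER-encoded certificate and its SubjectPublicKeyInfo.
SAMPLE_CERT_DER = b"constructed certificate bytes"
SAMPLE_SPKI_DER = b"constructed subject public key info bytes"

def tlsa_owner(host: str, port: int = 25) -> str:
    """Owner name under which an SMTP server publishes its TLSA record."""
    return f"_{port}._tcp.{host}"

def build_tlsa(cert_der: bytes, spki_der: bytes, selector: int = 1, mtype: int = 1) -> str:
    """Publisher side: DANE-EE (usage 3) rdata in presentation format, e.g. '3 1 1 <hex>'."""
    blob = {0: cert_der, 1: spki_der}[selector]              # selector 0 = full cert, 1 = SPKI
    data = {0: blob, 1: hashlib.sha256(blob).digest(), 2: hashlib.sha512(blob).digest()}[mtype]
    return f"3 {selector} {mtype} {data.hex()}"

def parse_tlsa(rdata: str) -> TlsaRecord:
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def tlsa_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Verifier side: does this TLSA record match the presented end-entity certificate?"""
    usage, selector, mtype, data = rec
    if usage != 3:                      # only DANE-EE is handled here; other usages need chain building
        return False
    blob = {0: cert_der, 1: spki_der}.get(selector)
    if blob is None:
        return False                    # unknown selector: record is unusable and ignored
    if mtype == 0:
        return blob == data             # exact match of the whole blob
    if mtype == 1:
        return hashlib.sha256(blob).digest() == data
    if mtype == 2:
        return hashlib.sha512(blob).digest() == data
    return False                        # unknown matching type: ignored likewise

def dane_ee_accept(tlsa_rdata: Iterable[str], cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the server certificate if any usable DANE-EE record matches it.
    With DANE-EE the match alone authenticates the certificate; no PKIX chain or
    name check is required. The TLSA records must come from a DNSSEC-validated
    lookup, which is outside this snippet."""
    return any(tlsa_matches(parse_tlsa(r), cert_der, spki_der) for r in tlsa_rdata)
```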

Recording network dumps

In menu "Monitoring > Network > Tools" you can now create packet dumps. You can download a dump as pcap file or view the dump in text format.

Minor bugfixes and improvements

Secure

DEFENDO combines best-of-breed security modules such as firewall, VPN, proxies, virus scanner and anti-spam system and makes them interact for one purpose:
to protect you from all online threats and unwanted content such as malicious code, spam and hacker attacks.

Flexible

Each IT scenario is different. The DEFENDO product family adapts precisely to your demands.
DEFENDO is suitable for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany