This is a beta release. Problems with individual components might occur on some installations.

Installing the update requires at least version 7.1-4.4.
The 7.2-0.* release series is a beta branch which will be finished with the release of update 7.2-1.0. We would like to invite you to participate and hope to receive feedback, in particular regarding the new features. We would like to thank everyone for their active participation.
Before installing the beta update, please make sure that a current backup is available.

Available for purchase

Machines covered by a software maintenance contract, as well as systems which have been purchased recently, may update free of charge. Access has already been activated for the respective licenses. For all other systems, access will be granted as soon as a maintenance contract has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature. For a manual download you will have to specify the support IP as username (e.g. 172.18.253.15) and the hardware ID as password (e.g. 473I-QN34-O@:5).

Firewall protocol helper modules (ALGs)

Some protocols use multiple dependent connections. For a few of them, firewall modules are available that keep track of dependent connections and grant access automatically. Some call these modules Application Level Gateways (ALGs).
For security reasons it is recommended not to enable all of these modules. It is better to enable only those modules that are really needed and, if possible, restrict them to individual clients or servers.
The update checks whether the modules for FTP, SIP, H.323, PPTP and IRC are really needed. This is the case if either an active connection for the respective protocol or a firewall rule with the well-known ports is found. For FTP and SIP, the update also checks whether the corresponding proxy services are enabled. If one of these conditions is met, the module will be enabled for any IPs. You can adapt the configuration in the firewall settings.
The default configuration of new systems will have all helper modules disabled.

WireGuard VPN

With WireGuard, another VPN solution is added that supports connecting both clients and other VPN routers.

Encryption of backups

As an option, you may now encrypt the backups created by the device. But be careful: if you lose the password, the backup files are worthless!

Time synchronisation

Time synchronisation now uses NTP only. The routines were revised to make sure that the system time is correct, particularly after a reboot.

Minor bugfixes and improvements

In the 7.1 releases some features had only been available on systems with a software maintenance contract. In 7.2 these features will now be available on all systems. This includes:

One-time-passwords for OpenVPN

User authentication with time-based one-time-passwords (TOTP) can now be enabled individually in each OpenVPN server interface. Only members of user group "system-ras" with a TOTP key will then be able to log in.

OpenVPN parameter "tls-crypt"

In each OpenVPN server interface, an additional symmetric key may be configured to encrypt the control channel of connections. This makes it hard to identify OpenVPN data streams as such. Even the TLS handshake that initiates a new connection will be encrypted; without this key, the handshake exposes certificates in plaintext when TLS version 1.2 or below is used.

Wake-on-LAN for OpenVPN clients

Switching on a PC automatically with Wake-on-LAN used to be available in the Web-Client and when IPsec-L2TP clients connect. Now this is also supported when OpenVPN clients connect. The prerequisite is that user authentication with one-time passwords has been enabled in the configuration of the OpenVPN server interface. Just as for IPsec-L2TP clients, the MAC address of the PC to wake up has to be configured in the RAS settings of the user administration for the respective user.

Blocking of URLs and headers in reverse proxy

It is now possible to block requests with certain URLs or headers for all configured ports. This can help to prevent the exploitation of security vulnerabilities in the web applications of background servers until a bugfix becomes available.

Bandwidth limitation in web proxy

The bandwidth may be limited based on the client IPs and/or the destination host name. If local user authentication is enabled, a limit by user group is possible, too.

Verification of mail server certificates with DANE

It is not feasible to enable verification of the destination server certificate whenever a mail server forwards a mail to another mail server, as many mail servers have no valid certificate. With DANE, the operator of a mail server may publish in DNS that the certificate of the mail server can be verified, and how. Support for the DANE variant DANE-EE may now be enabled in the mail server configuration.
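How a DANE-EE check differs from ordinary chain validation, as an added example that is not DEFENDO's code: the function matches a server certificate against a TLSA record (RFC 6698) with certificate usage 3. The helper names and the unsigned certificate skeleton built by `fake_cert` are constructed for illustration.

```python
import hashlib
import hmac

def der(tag: int, content: bytes = b"") -> bytes:
    """Encode one DER TLV (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def _tlv(buf: bytes, pos: int):
    """Return (value_start, value_end) of the DER element at pos."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length

def extract_spki(cert: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    pos, _ = _tlv(cert, 0)                 # enter Certificate
    pos, _ = _tlv(cert, pos)               # enter tbsCertificate
    if cert[pos] == 0xA0:                  # optional [0] version
        pos = _tlv(cert, pos)[1]
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert, pos)[1]
    return cert[pos:_tlv(cert, pos)[1]]

def dane_ee_match(cert: bytes, usage: int, selector: int, mtype: int, data: bytes) -> bool:
    """True if cert matches a TLSA record with usage 3 (DANE-EE).
    The issuing CA chain is never consulted: the DNS record is the trust anchor."""
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    selected = cert if selector == 0 else extract_spki(cert)   # 0 = full cert, 1 = SPKI
    if mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, data)

def fake_cert(pubkey: bytes, subject: bytes = b"mx.example") -> bytes:
    """Constructed, unsigned certificate skeleton (structure only, not a real cert)."""
    spki = der(0x30, der(0x30) + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30)
              + der(0x30) + der(0x30) + der(0x30, der(0x0C, subject)) + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))
```

A `3 1 1` record (SHA-256 of the public key) keeps matching when the certificate is reissued with the same key, whereas a `3 0 1` record (SHA-256 of the whole certificate) must be republished on every reissue.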

Tagging the subject of quarantined mails

The email attachment filter looks for emails with possibly dangerous attachments and either quarantines them or delivers them without the attachments. As an option you can now tag the subject of affected emails with an arbitrary text.

IMAP group folders

For the mail server each user group used to represent a mail distribution list. Each group member received an individual copy of mails addressed to the group. Now you can decide per group if the group should have no special meaning for the mail server, be treated as a mail distribution list or if a shared IMAP folder should be provided for the group members.

Management access

It is now possible to grant management access to your device for your reseller or, when operating multiple devices, for a central device. Initially it is possible to retrieve some very basic information, open connections to technical support, trigger an update and access the administration interface.
The corresponding menu on the central device has been renamed from "Remote devices" to "Management server".
