Available for purchase

Machines covered by a software maintenance contract as well as systems which have been purchased lately may update free of charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon as a maintenance contract has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature. For a manual download you will have to specify the support IP as username (e.g. and the hardware ID as password (e.g. 473I-QN34-O@:5).

Important notice:

Please pay attention to the following information regarding incompatibilities of the new IPsec server version.


The IPsec service is updated and from now on uses an interface which is part of the Linux kernel instead of a kernel module.
With the old IPsec implementation it was partially possible to connect multiple IPsec-L2TP clients at the same time via the same (!) NAT router to the same VPN server. With the new version this is usually no longer possible. Should you depend on this scenario, we recommend to switch to IKEv2 connections or OpenVPN. The update will be aborted if multiple IPsec-L2TP clients are connected via the same NAT device when the update beginns.
The new IPsec connection type "Windows IKEv2" helps with the migration to IKEv2. In the long run we expect that the operating systems will stop supporting IPsec-L2TP. Unfortunately IKEv2 offers no combined authentication with a computer certificate and user authentication yet. We recommend to switch over to OpenVPN if multi-factor authentication is important for you.
The IKEv2 interoperability with third party products has been improved.
The status of IPsec connections is now also visible in a docklet on the homepage.

OpenVPN installation package for Windows with SBL/PLAP

An additional flavour of the OpenVPN installation packages for Windows allows the use of Start-Before-Logon (SBL) via Pre-Logon-Authentication-Provider (PLAP). On the Windows logon screen a new icon will appear that allows users to establish the VPN connection before logging in. Via the VPN it becomes possbible for the user to directly logon to the Windows domain.
On Windows at least version 2.6 of the OpenVPN GUI client is required. It is possible to use one-time passwords to protect the VPN tunnel.

Wireguard VPN

With Wireguard an other VPN solution is added that supports both, connecting clients and other VPN routers. Authentication is based on public-keys only. Additional user authentication or even one-time passwords are not available with Wireguard.
We recommend to upgrade IPsec connections with Fritz!Boxes to Wireguard, as they still support IPsec with preshared-key authentication only. You will also benefit from higher throughput on the Fritz!Box.

Application control for firewall

You can now enable application control in the firewall. By analyzing the payloads of a network connection it tries to find out to which application it is related.
Application control is available for bandwidth management and in firewall rules (except for SNAT rules). We recommend using application control with firewall rules only limited though, as a rule with application control enabled has to let pass potentially eligible data packets for further analysis. The firewall will "leak" packets, which is a general disadvantage of application control that is gladly concealed when advertising this feature as part of next generation firewalls. As of HTTP and HTTPS, you should prefer the reverse proxy for inbound connections and the web proxy for outbound connections.
To use application control it has to be enabled in the firewall settings first. Detected applications are then visible in the firewall monitoring connection list. To use application control for bandwidth management or firewall rules, you can select an application in the settings of each protocol in the "Definitions" menu. Note that application control is disabled in pre-defined protocols.

Firewall protocol helper modules (ALGs)

Some protocols use multiple dependant connections. For a few of them firewall modules are available that keep track of dependant connections and grant access automatically. Some call these modules Application Level Gateways (ALGs).
For security reasons it is recommended to not enable all of these modules. It is better to enable only those modules that are really needed and - if possible - restrict them to individual clients or servers.
The update checks if the modules for FTP, SIP, H.323, PPTP and IRC are really needed. This is the case if either an active connection for the respective protocol or a firewall rule with the well-known ports is found. For FTP and SIP we also check, if the corresponding proxy services are enabled. If one of these conditions is met, the module will be enabled for any IPs. You can adapt the configuration in the firewall settings.
The default configuration of new systems will have all helper modules disabled.

TLS parameters of administration interface

It is no longer possible to access the administration interface with outdated browsers. Support for TLS1.0, TLS1.1, 3DES and SHA1 has been disabled.

Export of definitions

It is now possible to export objects from submenus of "Definitions" and install them on other devices via the "Backup" menu. The target system must not have an older software release installed than the source system.

Reworked menu "Monitoring"

The submenus "Log files > Settings" and "Network > SNMP" were actually configuration menus. So they have been moved into mainmenu "Modules". The new submenus are labeled "SNMP server" and "Logging".
The second menu level of "Monitoring > Network" has been removed completely. The new menu items "Tools", "Network", "VPN", "Firewall" and "DHCP" are now direct submenus of "Monitoring".
The "Monitoring" sections in the topics oriented menus on the top of the administration interface have been adapted accordingly and we've added direct links to corresponding logfiles. Wireguard was added to the VPN menu.

Optimized layout of the administration interface

Virusscan of mailboxes

On systems used as mail server with mailboxes, the mailbox contents can now be scanned daily for viruses. So mails with viruses that were unknown to the virusscanner at the time the mail arrived will be sorted out afterwards. An email notification is sent to the respective user and to "admin".
To avoid heavy load, the scan process is limited to newer mails. The maximum age in days has to be configured.

S/MIME-Gateway: delete expired certificates automatically

The S/MIME gateway can collect certificates of peer to subsequently automatically encrypt mails sent to them. Expired peer certificates may now be deleted automatically after a configurable amount of time.

S/MIME-Gateway: exception list for automatic signing

Some recipients might not accept signed emails. You may now add individual recipient addresses or whole recipient domains to a list. The S/MIME gateway will not sign mails to recipients on this list.

Special characters in passwords

When setting or changing passwords in the administration interface, special characters will now be processed in UTF-8 encoding. All current browsers and the majority of other clients use UTF-8 in the meantime. However some clients and protocols are still don't, so we do not recommend to use these special characters.

Encryption of backups

As an option you may now encrypt the backups created by the device. But be careful: If you should loose the password the backup files are worthless!

Port number for backups with secure copy

SSH/SCP based backups can now be sent to non-standard ports.

Time synchronisation

Time synchronisation now uses NTP only. The routines where revised to make sure that the system time is correct, particularly after a reboot.

Syslog and TFTP server

Active networking components without non-volatile memory can now benefit from a syslog and a TFTP server.

The telnet server has been removed

Minor bugfixes and improvements

In the 7.1 releases some features had only been available on systems with a software maintenance contract. In 7.2 these features will now be available on all systems. This includes:

One-time-passwords for OpenVPN

User authentication with time-based one-time-passwords (TOTP) can now be enabled individually in each OpenVPN server interface. Only members of user group "system-ras" with a TOTP key will then be able to login.

OpenVPN parameter "tls-crypt"

In each OpenVPN server interface an additional symmetric key may be configured to encrypt the control channel of connections. This makes it hard to identify OpenVPN datastreams as such. Even the TLS handshake when initiating a new connection will be encrypted, which otherwise exposes certificates in plaintext when TLS version 1.2 or below is used.

Wake-on-LAN for OpenVPN clients

Switching on a PC automatically with Wake-on-LAN used to be available in the Web-Client and when IPsec-L2TP clients connect. Now this is also supported when OpenVPN clients connect. The prerequisit is that user authentication with one-time passwords has been enabled in the configuration of the OpenVPN server interface. Just as for IPsec-L2TP clients, the MAC address of the PC to wake up has to be configured in the RAS settings of the user administration for the respective user.

Blocking of URLs and headers in reverse proxy

It is now possible to block requests with certain URLs or headers for all configured ports. This can help to prevent the exploitation of security vulnerabilities in the web applications of background servers until a bugfix becomes available.

Bandwidth limitation in web proxy

The bandwidth may be limited based on the client IPs and/or the destination host name. If local user authentication is enabled, a limit by user group is possible, too.

Verification of mail server certificates with DANE

It's not feasible to enable the verification of the destination server certificate whenever a mail server forwards a mail to an other mail server, as many mail servers have no valid certificate. With DANE, the operator of a mail server may publish in DNS that and how the certificate of his mail server may be verified. Support for the DANE variant DANE-EE may now be enabled in the mail server configuration.

Tagging the subject of quarantined mails

The email attachment filter looks for emails with possibly dangerous attachments and either quarantines them or delivers them without the attachments. As an option you can now tag the subject of affected emails with an arbitrary text.

IMAP group folders

For the mail server each user group used to represent a mail distribution list. Each group member received an individual copy of mails addressed to the group. Now you can decide per group if the group should have no special meaning for the mail server, be treated as a mail distribution list or if a shared IMAP folder should be provided for the group members.

Management access

It is now possible to grant management access to your device for your reseller or, when operating multiple devices, for a central device. Initially it is possible to retrieve some very basic information, open connections to technical support, trigger an update and access the administration interface.
The corresponding menu on the central device has been renamed from "Remote devices" to "Management server".


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany