Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of Linux kernel

The update fixes a vulnerability in the Linux kernel that allows users that were able to login on operating system level to gain full access. Via network a login on operating system level usually requires that the SSH server has been enabled. If in addition the configuration grants Internet access to the SSH server you should update immediately.

Special characters in passwords

When setting or changing passwords in the administration interface, special characters will now be processed in UTF-8 encoding. All current browsers and the majority of other clients use UTF-8 in the meantime. However some clients and protocols are still don't, so we do not recommend to use these special characters.

S/MIME-Gateway: delete expired certificates automatically

The S/MIME gateway can collect certificates of peer to subsequently automatically encrypt mails sent to them. Expired peer certificates may now be deleted automatically after a configurable amount of time.

S/MIME-Gateway: exception list for automatic signing

Some recipients might not accept signed emails. You may now add individual recipient addresses or whole recipient domains to a list. The S/MIME gateway will not sign mails to recipients on this list.

Changes of 7.1-4.7

The update includes all changes of update 7.1-4.7. The IP lists of Instagram and Soundcloud will be deleted or cleared. Fixed errors with transparent proxying to services that frequently change IPs.

JavaScript library of administration interface

Minor bugfixes and improvements

Reboot on some systems required

Systems that updated to the 7.2 release series from 7.1-4.4 will reboot automatically when the update is finished. Please do not reboot manually.

Changes of 7.1-4.5 and 7.1-4.6

The update includes all changes of updates 7.1-4.5 and 7.1-4.6. It fixes less critical security vulnerabilities in the Linux kernel, the Avira virus scanner and multiple system libraries. It also fixes a problem with DNSSEC validation if the DNS server was started without having Internet access. Web proxy, Intrusion prevention, WLAN service and a few system-related tools received an update. A new product key is installed on systems running Kaspersky Antivirus.

Application control for firewall

You can now enable application control in the firewall. By analyzing the payloads of a network connection it tries to find out to which application it is related.
Application control is available for bandwidth management and in firewall rules (except for SNAT rules). We recommend using application control with firewall rules only limited though, as a rule with application control enabled has to let pass potentially eligible data packets for further analysis. The firewall will "leak" packets, which is a general disadvantage of application control that is gladly concealed when advertising this feature as part of next generation firewalls. As of HTTP and HTTPS, you should prefer the reverse proxy for inbound connections and the web proxy for outbound connections.
To use application control it has to be enabled in the firewall settings first. Detected applications are then visible in the network monitoring connection list. To use application control for bandwidth management or firewall rules, you can select an application in the settings of each protocol in the "Definitions" menu. Note that application control is disabled in pre-defined protocols.

Improved wireguard VPN integration

Only the last out of multiple configured wireguard interfaces worked properly due to missing routing entries.
Wireguard keys were not synchronized on cluster nodes.
The following changes were made to the administration interface: The input element titles were improved. When configuring a connection to a peer with dynamic IP a prompt appeared, asking for an IP. Wireguard routes were missing in the network monitoring menu.

TLS parameters of administration interface

It is no longer possible to access the administration interface with outdated browsers. Support for TLS1.0, TLS1.1, 3DES and SHA1 has been disabled.

The telnet server has been removed

Minor bugfixes and improvements


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany