Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

End of beta test

The beta test for release 7.2 ends with this update. After the installation the system will have release 7.2-1.0 installed. Thank you for participating in the beta test and thank you for the valuable feedback we received.

Changes of 7.1-4.9

The update includes all changes of update 7.1-4.9. The following list includes these changes as well.

Glibc library

A bug in the central system library glibc allows local users to gain unrestricted access.

Reworked menu "Monitoring"

The submenus "Log files > Settings" and "Network > SNMP" were actually configuration menus, so they have been moved into the main menu "Modules". The new submenus are labeled "SNMP server" and "Logging".
The second menu level of "Monitoring > Network" has been removed completely. The new menu items "Tools", "Network", "VPN", "Firewall" and "DHCP" are now direct submenus of "Monitoring".
The "Monitoring" sections in the topic-oriented menus at the top of the administration interface have been adapted accordingly, and we've added direct links to the corresponding log files. Wireguard was added to the VPN menu.

Dedicated log files for OpenVPN and Wireguard

Previously both VPN services wrote to log file "messages".

OpenVPN installation package for Windows with SBL/PLAP

An additional flavour of the OpenVPN installation packages for Windows allows the use of Start-Before-Logon (SBL) via Pre-Logon-Authentication-Provider (PLAP). On the Windows logon screen a new icon will appear that allows users to establish the VPN connection before logging in. Via the VPN it becomes possible for the user to log on to the Windows domain directly.
On Windows at least version 2.6 of the OpenVPN GUI client is required. It is possible to use one-time passwords to protect the VPN tunnel.

Homepage docklet for IPsec

The status of IPsec connections is now also visible on the homepage.

IPsec IPComp compression

Since release 7.2-0.3 it was not possible to establish a connection with IPComp enabled.

Update of various system components

The update includes new releases of the Linux kernel and of Avira Antivirus. The predefined lists of trusted CA certificates, the free URL filter database and the SPAM filter ruleset are updated as well. Systems without daily IDS updates (systems without maintenance contract) receive new IDS rules with this update.

Optimized layout of the administration interface

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Changes of 7.1-4.8

The update includes all changes of update 7.1-4.8. The following list includes these changes as well.

Update of Linux kernel with Intel CPU microcodes

The security vulnerability "Downfall" allows a malicious program to access data of other processes or the operating system. The update installs a new Linux kernel with updated Intel CPU microcodes.
The vulnerability affects 19" devices (Rack Server) delivered since October 2020. Thin Servers and the small Eco Servers are not affected.
If you are running a virtual system, please check if a security update is available for the host.

Encryption of PKCS#12 files

The private key in PKCS#12 files used to be encrypted with the outdated TripleDES cipher, as other operating systems are not able to process these files if better encryption is used. As an option you can now choose AES-256 encryption.
IPsec installation packages for Windows will keep using TripleDES, as these files have to be processed by Windows. OpenVPN installation packages for Windows (*.exe) however will be issued with AES-256 only, as OpenVPN for Windows includes its own crypto library that supports this format.
We recommend creating a new AES-encrypted backup of the CA certificate and destroying the old copy. OpenVPN configurations on Windows clients with a *.p12 file in addition to the *.ovpn file should be updated, too. In this case, destroy the old *.p12 file.
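To decide which CA backups and *.p12 files still need to be reissued, the following added example (not DEFENDO code) walks the unencrypted DER framing of a PKCS#12 file and reports the password-based encryption schemes it names. The function names and both sample byte strings are constructed for illustration; files written with BER indefinite lengths are rejected rather than parsed.

```python
# Added example (not vendor code): the PBE algorithm identifiers of a PKCS#12
# file sit in its unencrypted DER framing, so no password is needed to list them.
LEGACY = {"2a864886f70d010c0103": "pbeWithSHA1And3-KeyTripleDES-CBC",   # 1.2.840.113549.1.12.1.3
          "2a864886f70d010c0106": "pbeWithSHA1And40BitRC2-CBC"}         # 1.2.840.113549.1.12.1.6
AES256_CBC = "60864801650304012a"                                       # 2.16.840.1.101.3.4.1.42

def collect_oids(data):
    """Yield OID bodies (hex), descending into OCTET STRINGs that hold DER."""
    pos = 0
    while pos < len(data):
        tag, first, pos = data[pos], data[pos + 1], pos + 2
        n = first & 0x7F if first & 0x80 else 0      # long form: n length bytes follow
        length = int.from_bytes(data[pos:pos + n], "big") if n else first
        body, pos = data[pos + n:pos + n + length], pos + n + length
        if first == 0x80 or pos > len(data):
            raise ValueError("indefinite-length or truncated element")
        if tag == 0x06:
            yield body.hex()
        elif tag & 0x20:                             # constructed: SEQUENCE, SET, [0]
            yield from collect_oids(body)
        elif tag == 0x04 and body[:1] == b"\x30":
            try:
                yield from list(collect_oids(body))
            except (ValueError, IndexError):
                pass                                 # ciphertext, not nested DER

def audit_p12(data):
    """Return (legacy PBE schemes named, whether AES-256-CBC is named)."""
    oids = set(collect_oids(data))
    return sorted(LEGACY[o] for o in oids if o in LEGACY), AES256_CBC in oids

def der(tag, *parts):                                # encoder for the constructed samples
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_p12(scheme, params):                      # constructed skeleton, not a usable key store
    oid = lambda h: der(0x06, bytes.fromhex(h))
    wrap = lambda c: der(0x30, oid("2a864886f70d010701"), der(0xA0, der(0x04, der(0x30, c))))
    key = der(0x30, der(0x30, oid(scheme), params), der(0x04, b"\x30\x82" + b"\xAA" * 14))
    bag = der(0x30, oid("2a864886f70d010c0a0102"), der(0xA0, key))
    return der(0x30, der(0x02, b"\x03"), wrap(wrap(bag)))

KDF = der(0x30, der(0x04, b"\x01" * 8), der(0x02, b"\x08\x00"))          # salt, 2048 iterations
TDES_P12 = sample_p12("2a864886f70d010c0103", KDF)
AES_P12 = sample_p12("2a864886f70d01050d", der(0x30,                     # PBES2 {PBKDF2, AES-256-CBC}
    der(0x30, der(0x06, bytes.fromhex("2a864886f70d01050c")), KDF),
    der(0x30, der(0x06, bytes.fromhex(AES256_CBC)), der(0x04, b"\x02" * 16))))
```

For a real file, pass its bytes to `audit_p12`; a non-empty first element of the result means the file still uses one of the legacy schemes.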

Virusscan of mailboxes

On systems used as mail server with mailboxes, the mailbox contents can now be scanned daily for viruses. This way, mails containing viruses that were unknown to the virus scanner at the time the mail arrived will be sorted out afterwards. An email notification is sent to the respective user and to "admin".
To avoid heavy load, the scan process is limited to newer mails. The maximum age in days has to be configured.

Syslog and TFTP server

Active networking components without non-volatile memory can now benefit from a syslog and a TFTP server.

Port number for backups with secure copy

SSH/SCP based backups can now be sent to non-standard ports.

Restoring encrypted backups

While restoring an encrypted backup, entries from submenus of "Definitions" with an "*" in their name often failed to be restored.

OpenVPN installation package for Windows (*.exe)

OpenVPN 2.6 for Windows was no longer able to read the PKCS#12 files of OpenVPN installation packages, as the public certificates were encrypted with a no longer supported cipher.

Let's Encrypt Staging-Server

The download of Let's Encrypt test certificates failed.

Reverse proxy Autodiscover

Added support for Autodiscover V2 via reverse proxy.

Update of various system components

The update includes new releases of the runtime environment for apps, the IPsec, Web, DNS, SNMP and SSH servers.

Minor bugfixes and improvements

IPsec

The IPsec service is updated and from now on uses an interface which is part of the Linux kernel instead of a kernel module.
With the old IPsec implementation it was partially possible to connect multiple IPsec-L2TP clients at the same time via the same (!) NAT router to the same VPN server. With the new version this is usually no longer possible.
The IKEv2 interoperability with third party products has been improved.

Export of definitions

It is now possible to export objects from submenus of "Definitions" and install them on other devices via the "Backup" menu. The target system must not have an older software release installed than the source system.

Restoring an encrypted system backup

Encrypted backups have been introduced in release 7.2-0.0. Sometimes, when restoring an encrypted system backup, the IP groups "*" and the protocol "*" were not restored completely.

Disabling a protocol module (ALG) in the firewall

Since release 7.2-0.0 it is possible to configure which protocol modules (ALGs) are active in the firewall. The option to disable a rule had no effect, so a rule had to be deleted to disable it. Please note that after the update any disabled rule actually becomes disabled.

Avira Antivirus

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of Linux kernel

The update fixes a vulnerability in the Linux kernel that allows users who are able to log in at operating system level to gain full access. Over the network, a login at operating system level usually requires that the SSH server has been enabled. If, in addition, the configuration allows access to the SSH server from the Internet, you should update immediately.

Special characters in passwords

When setting or changing passwords in the administration interface, special characters will now be processed in UTF-8 encoding. All current browsers and the majority of other clients use UTF-8 by now. However, some clients and protocols still don't, so we do not recommend using these special characters.
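The effect described above, as an added example (not DEFENDO code): the same typed password produces different bytes, and therefore a different hash, depending on the client's encoding. The list of client encodings, the NFC/NFD normalization variants and the SHA-256 stand-in for the real password hash are assumptions made for illustration.

```python
# Added example (not vendor code): why a password with special characters can
# fail on a client that does not send UTF-8.
import hashlib
import unicodedata

CLIENT_ENCODINGS = ("utf-8", "iso-8859-1", "cp1252")   # assumed client behaviours

def wire_forms(password):
    """Map each client behaviour to the bytes it would send for this password."""
    forms = {}
    for norm in ("NFC", "NFD"):                  # precomposed vs. decomposed input
        text = unicodedata.normalize(norm, password)
        for enc in CLIENT_ENCODINGS:
            try:
                forms[f"{norm}/{enc}"] = text.encode(enc)
            except UnicodeEncodeError:
                forms[f"{norm}/{enc}"] = None    # client cannot send it at all
    return forms

def mismatching_clients(password):
    """Clients whose bytes differ from what a UTF-8 (NFC) server stored."""
    forms = wire_forms(password)
    stored = hashlib.sha256(forms["NFC/utf-8"]).digest()   # stand-in for the real hash
    return sorted(name for name, sent in forms.items()
                  if sent is None or hashlib.sha256(sent).digest() != stored)
```

A pure-ASCII password yields an empty list, which is why avoiding special characters sidesteps the problem entirely.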

S/MIME-Gateway: delete expired certificates automatically

The S/MIME gateway can collect certificates of peers in order to automatically encrypt mails sent to them afterwards. Expired peer certificates may now be deleted automatically after a configurable amount of time.

S/MIME-Gateway: exception list for automatic signing

Some recipients might not accept signed emails. You may now add individual recipient addresses or whole recipient domains to a list. The S/MIME gateway will not sign mails to recipients on this list.

Changes of 7.1-4.7

The update includes all changes of update 7.1-4.7. The IP lists of Instagram and Soundcloud will be deleted or cleared. Fixed errors with transparent proxying to services that frequently change IPs.

JavaScript library of administration interface

Minor bugfixes and improvements

Reboot on some systems required

Systems that updated to the 7.2 release series from 7.1-4.4 will reboot automatically when the update is finished. Please do not reboot manually.

Changes of 7.1-4.5 and 7.1-4.6

The update includes all changes of updates 7.1-4.5 and 7.1-4.6. It fixes less critical security vulnerabilities in the Linux kernel, the Avira virus scanner and multiple system libraries. It also fixes a problem with DNSSEC validation if the DNS server was started without having Internet access. Web proxy, Intrusion prevention, WLAN service and a few system-related tools received an update. A new product key is installed on systems running Kaspersky Antivirus.

Application control for firewall

You can now enable application control in the firewall. By analyzing the payloads of a network connection it tries to find out to which application it is related.
Application control is available for bandwidth management and in firewall rules (except for SNAT rules). However, we recommend using application control in firewall rules only to a limited extent, as a rule with application control enabled has to let potentially eligible data packets pass for further analysis. The firewall will "leak" packets, which is a general disadvantage of application control that tends to be concealed when this feature is advertised as part of next generation firewalls. For HTTP and HTTPS, you should prefer the reverse proxy for inbound connections and the web proxy for outbound connections.
To use application control it has to be enabled in the firewall settings first. Detected applications are then visible in the network monitoring connection list. To use application control for bandwidth management or firewall rules, you can select an application in the settings of each protocol in the "Definitions" menu. Note that application control is disabled in pre-defined protocols.

Improved wireguard VPN integration

Only the last out of multiple configured wireguard interfaces worked properly due to missing routing entries.
Wireguard keys were not synchronized on cluster nodes.
The following changes were made to the administration interface: The input element titles were improved. When configuring a connection to a peer with dynamic IP a prompt appeared, asking for an IP. Wireguard routes were missing in the network monitoring menu.

TLS parameters of administration interface

It is no longer possible to access the administration interface with outdated browsers. Support for TLS1.0, TLS1.1, 3DES and SHA1 has been disabled.

The telnet server has been removed

Minor bugfixes and improvements
