Available for purchase
Machines covered by a software maintenance contract as well as systems which have been purchased recently may update free of
charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon
as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature.
For a manual download you will have to specify the support IP as username (e.g. 172.18.253.15) and the hardware ID as password.
Migration to 64 bit
The system base is updated to 64 bit. It is necessary to reboot the system three times. The update procedure will initiate
the reboots automatically. Once the actual update procedure has started, the system, and therefore also the Internet, will be
unreachable for several minutes. On older, slow hardware this may take up to 10-15 minutes. Please be patient and don't reboot
the system yourself as the system may be severely damaged if the update procedure is interrupted.
Due to increased memory requirements we recommend the update only for systems which have at least 2 GB of RAM installed.
Please make sure that a current backup is available before installing the update.
The cluster software is updated for enhanced IPv6 support. After the update the cluster nodes will communicate with unicast
packets to a specific port. Previously multicast packets to a variable port were used.
After updating the master node and until the backup node has been updated, the firewall connection table is no longer synchronized
between both units. While in this state, almost all open connections are expected to break in case of a failover.
The Internet interface of a cluster node in backup state will be disabled now
We would like to drop ISDN support in the 7.0 release series. At the moment the update will be aborted when a configured ISDN
card is detected in the unit. Please contact technical support if you still require ISDN support. If ISDN is no longer needed,
please ask technical support how to delete the ISDN driver configuration. As an alternative you could also dismount the ISDN
The FTP server is replaced by a different software. Unfortunately the new software no longer supports restricting anonymous
access to specific networks.
If anonymous access was restricted to local networks only, it will be disabled by the update.
The email based dial-up and firewall report is no longer available
IPv6 support for most components has been added. By default IPv6 is disabled. It must be enabled in menu "Modules > Network
> Settings" first and then in each interface as appropriate.
If you miss any IPv6 networking feature, please file a feature request. Currently we do not plan to support IPv6-in-IPv4 tunnels
(i.e. IPv6 connectivity over IPv4 only links).
Regarding the server modules we don't plan to support IPv6 for the SIP proxy. Currently IPv6 support is still missing for
these components: POP3 / SMTP proxy, FTP proxy and dynamic DNS. The following limitations apply: IPsec L2TP connections may
be opened to IPv6 servers, however the payload is IPv4 only (IPv4-in-IPv6). IPsec Xauth connections with IPv6 must not use
ModeCfg and the web proxy URL filter doesn't yet support rules for individual IPv6 client IPs.
IP groups / IP objects
The menu item "IP groups" has been renamed to "IP objects". In addition to "Group" and "DNS entry" the following new object
types are now available:
Type "Geolocation" can be used in firewall rules only. Enter country codes like "DE", "FR" or "UK" to permit connections based
on their country of origin or destination. An internal database is used to map IP addresses to countries.
The object types "IPv6 prefix" and "IPv6 address" are useful to distribute a dynamic IPv6 prefix delegated by the ISP to internal
networks. In both object types it is possible to configure a partial address plus a reference to another object of type "IPv6
prefix". The actual address is then composed of both parts.
Finally there's nothing special about the new type "IPv4 address". It can be used to simplify the configuration in complex
setups and to improve the readability.
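The composition described for the "IPv6 prefix" and "IPv6 address" object types can be sketched as follows. This is an added example, not the product's code: the function names, the bitwise-OR composition and the documentation prefixes are assumptions chosen for illustration.

```python
import ipaddress

def compose_prefix(delegated: str, partial: str, new_len: int) -> ipaddress.IPv6Network:
    """Derive an internal subnet from the ISP-delegated prefix plus a partial address."""
    base = ipaddress.IPv6Network(delegated)
    if new_len < base.prefixlen:
        raise ValueError("derived prefix must not be shorter than the delegated one")
    part = int(ipaddress.IPv6Address(partial))
    host_mask = (1 << (128 - new_len)) - 1
    # The partial value may only set bits between the delegated length and new_len.
    if part & int(base.netmask) or part & host_mask:
        raise ValueError("partial address overlaps delegated bits or host bits")
    return ipaddress.IPv6Network((int(base.network_address) | part, new_len))

def compose_address(prefix: ipaddress.IPv6Network, partial: str) -> ipaddress.IPv6Address:
    """Combine a (possibly derived) prefix with the host part of an address."""
    part = int(ipaddress.IPv6Address(partial))
    if part & int(prefix.netmask):
        raise ValueError("partial address overlaps prefix bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | part)

def server_address(delegated: str) -> str:
    """Constructed setup: subnet id 0x42 inside a /56, host ::1 inside that subnet."""
    lan = compose_prefix(delegated, "0:0:0:42::", 64)
    return str(compose_address(lan, "::1"))

if __name__ == "__main__":
    # Constructed values from the 2001:db8::/32 documentation range.
    print(server_address("2001:db8:1200::/56"))  # before the ISP renumbers
    print(server_address("2001:db8:ab00::/56"))  # same objects, new delegation
```

Because rules reference the objects rather than literal addresses, a new delegation changes the effective address without any rule being edited.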
Re-implementation of dynamic firewall
The dynamic firewall monitors all connections and can block a source IP automatically if it identifies suspicious behaviour.
When re-implementing this module we emphasized easy configuration and low false positive rates. It is no longer necessary
to start a "dynamic firewall" service. The entire traffic on all interfaces is analyzed. You can look up the reputation of
IPs in the monitoring menu. There are no more than two configuration options: In the per interface settings of the firewall
you can enable automatic blocking, which is highly recommended on Internet interfaces if inbound connections are allowed.
And, in case of false positives, you can configure a list of IPs which must never be blocked in the global firewall settings.
Extended firewall configuration options
You can now configure an expiration time for firewall rules. An expired rule will no longer accept new connections. The primary
purpose of this feature is the configuration of temporary rules. Previously administrators often forgot to delete these rules.
It is now also possible to configure firewall deny rules. New connections may either be silently discarded or rejected with
an ICMP reply.
Instead of configuring SNAT as part of forwarding rules, a dedicated SNAT configuration table is now available.
Firewall rules for IPsec interfaces
For technical reasons it was not possible to restrict forwarding rules in IPsec interfaces to specific source zones. We have
now been able to solve this problem.
Multiple time periods for URL filter rules
Previously only a single time period "Working hours" was available for URL filter rules. Now you can select an individual
period from menu "Definitions > Periods" for each rule.
Trusted hosts in web proxy content filter
Adding an entry to the trusted hosts lists used to disable content filtering completely for this server. Now it is possible
to just disable individual subcomponents.
Web proxy caching
The default cache parameters of the web proxy have been changed. The disk cache is now disabled (previously 200MB). 128MB
memory is now used for caching instead (previously 8MB). If a parameter is still set to the old default, it will be changed
automatically by the update. Custom values will be preserved.
Reverse proxy Exchange backend for MAPI-over-HTTP
Current Exchange and Outlook releases may choose to connect with MAPI-over-HTTP instead of RPC. A new switch for MAPI has
been added to the reverse proxy configuration.
In some tables of the administration interface the entries of the first column are links, referring to complex elements such
as users or the definitions of protocols or IP objects. You can rename most of these elements now by clicking the pencil
icon on the right of the table row.
Up to release 6.0-4.8 the pencil icon let you edit the settings of the element just like clicking the link in the first column.
Display of tables
The max. number of rows in tables has been doubled.
When exceeding the max. number of rows the entries have been divided over several pages. A new grouping mode is now available
for tables where the order of entries is not significant. Grouping refers to the column which currently determines the sort
order. Depending on the column's data type, entries are grouped e.g. based on the first letter, the folder name or identical
entries. Click the tools icon in the upper right corner to enable grouping mode.
Additional information on IP addresses
When displaying log files and in the network monitoring menus, IP addresses have been turned into links. On click the country
of origin and the result of a DNS reverse-lookup will be shown.
Additional information in logs and monitoring
The mail server log contains multiple lines for each email, however these lines often don't show up next to one another. In the
ID column you will find a link which opens a window, showing all lines associated with this email.
A link in the intrusion detection (IDS) log will show the dump of the intercepted packet.
In the IPsec log you will also find links displaying associated lines.
By clicking the info icon on the network monitoring IPsec tab you will get more details about the connection.
Display of log files
In some logs certain lines are highlighted in different colors in order to make the logs clearer and easier to understand.
Testing LDAP access
For the Active Directory user import and the LDAP based mail recipient address verification a test function has been added.
Network card speed and duplex settings configurable
Minor bugfixes and improvements
In the 6.0 releases some features had only been available on systems with a software maintenance contract. In 7.0 these features
will now be available on all systems. This includes:
Reverse proxy option for strict transport security
The reverse proxy HTTPS ports can now enforce the HTTP Strict Transport Security option. For a certain period of time it instructs
the browser to always access the server with HTTPS and to keep the user from ignoring any certificate error. It is meant to
make Man-in-the-Middle attacks more difficult.
Remote Desktop gateway via reverse proxy
New options provide access to Remote Desktop gateway servers and Remote Desktop web access.
Additional SSL interception features in web proxy
If the proxy is configured to break SSL encrypted sessions it is now possible to transparently proxy HTTPS connections to
port 443. Authentication must be disabled in the proxy.
The behaviour of the proxy when it encounters an expired certificate or a certificate that has been issued to a different server
name is now configurable. Instead of letting users decide whether they are willing to trust the connection the proxy may outright
What the proxy should do when an OCSP connection fails is also configurable.
If the URL filter is enabled, path based filters like blocked filename extensions or enforced safesearch options for search
engines are now applied.
Handling of password protected archives by web proxy content filter
A new option allows unchecked forwarding of password protected archives instead of moving these files into quarantine.
Query web proxy URL filter
You can now test the URL filter configuration in the "Monitoring" menu.
Sender Policy Framework (SPF) filter
A new filter is available for systems directly receiving inbound emails, i.e. via DNS MX record. The owner of a domain can
publish in DNS that emails with a sender address in the domain may only be sent or relayed through specific servers. The SPF
filter will process this information and reject non-compliant emails. As SPF is fighting sender address forgery, it also helps
defend against certain kinds of spam and malware.
SPF may however cause problems with forwarded emails. Often a few addresses have to be excluded from filtering (e.g. your
backup MX). Please see the online help for more detailed information.
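The check described above, and the reason a forwarding host such as a backup MX needs an exclusion, can be followed in this added example (not the product's code). It evaluates only the `ip4`, `ip6` and `all` mechanisms of a constructed record passed in as a string; the function names and the idea of listing excluded relays by IP are assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record (ip4/ip6/all only) for the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier per RFC 7208
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv4 client never matches an ip6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"term {term!r} needs DNS lookups, outside this sketch")
    return "neutral"                          # no mechanism matched

def filter_decision(record: str, client_ip: str, excluded_relays=()) -> str:
    """Reject on SPF 'fail' unless the connecting host is an excluded relay."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(r, strict=False) for r in excluded_relays):
        return "accept"
    return "reject" if check_spf(record, client_ip) == "fail" else "accept"

# Constructed sample data (documentation address ranges).
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
BACKUP_MX = "203.0.113.7"   # relays mail on behalf of others, so not in RECORD

if __name__ == "__main__":
    print(filter_decision(RECORD, "192.0.2.25"))               # authorized server
    print(filter_decision(RECORD, BACKUP_MX))                  # forwarded mail
    print(filter_decision(RECORD, BACKUP_MX, [BACKUP_MX]))     # with exclusion
```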
Extended email attachment filter configuration
In response to the current virus wave we received many feature requests regarding the attachment filter. This is
what we've implemented so far:
The well-known list of filename extensions to block is now labeled "Dangerous file extensions". Matching attachments will
always be quarantined. Our recommended default entries are listed in the online help.
Next is a new list of "trusted senders". You can add individual email addresses or whole domains. They are allowed to send
any attachment except for "dangerous file extensions".
The default behaviour of the filter is now configurable as well: either pass everything on or quarantine all other attachments.
Depending on the default behaviour you will get one more list with filename extensions. If the default behaviour is "quarantine",
you will get a whitelist where you should enter less critical files like images or PDFs that anyone should be allowed to receive.
Otherwise, if the default behaviour is "pass", you will get another blacklist. It differs from the blacklist of "dangerous
file extensions" as matching attachments may pass if they have been sent by "trusted senders". Nowadays you might want to
enter normal office documents like doc, docx, xls, etc.
Note: to add a long list of filename extensions with a single click, enter them space separated (e.g. "doc docx xls").
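How the three lists and the default behaviour interact is easiest to see as a decision function. The following is an added example, not the product's code: the names are hypothetical, and matching on the last extension only, case-insensitively, with exact domain comparison for trusted senders are assumptions.

```python
from dataclasses import dataclass, field

def parse_ext_list(text: str) -> set:
    """Space-separated extension list, as in the note above ("doc docx xls")."""
    return {e.lower().lstrip(".") for e in text.split()}

@dataclass
class AttachmentPolicy:
    dangerous: set                 # "Dangerous file extensions": always quarantined
    trusted_senders: set           # full addresses or whole domains
    default: str = "pass"          # "pass" or "quarantine"
    extra: set = field(default_factory=set)  # whitelist or second blacklist

def extension(filename: str) -> str:
    # Assumption: only the last extension counts ("invoice.pdf.exe" -> "exe").
    name = filename.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def is_trusted(sender: str, trusted: set) -> bool:
    sender = sender.strip().lower()
    return sender in trusted or sender.rsplit("@", 1)[-1] in trusted

def decide(policy: AttachmentPolicy, sender: str, filename: str) -> str:
    ext = extension(filename)
    if ext in policy.dangerous:                 # no exception, even if trusted
        return "quarantine"
    if is_trusted(sender, policy.trusted_senders):
        return "pass"                           # anything else is allowed
    listed = ext in policy.extra
    if policy.default == "quarantine":          # extra list acts as whitelist
        return "pass" if listed else "quarantine"
    return "quarantine" if listed else "pass"   # extra list acts as blacklist

# Constructed sample policies; the extension lists are illustrative only.
TRUSTED = {"partner.example", "alice@corp.example"}
PASS_POLICY = AttachmentPolicy(parse_ext_list("exe js scr"), TRUSTED,
                               "pass", parse_ext_list("doc docx xls"))
QUARANTINE_POLICY = AttachmentPolicy(parse_ext_list("exe js scr"), TRUSTED,
                                     "quarantine", parse_ext_list("png jpg pdf"))

if __name__ == "__main__":
    for sender, name in [("bob@partner.example", "report.DOCX"),
                         ("eve@unknown.example", "report.docx"),
                         ("bob@partner.example", "invoice.pdf.exe")]:
        print(sender, name, decide(PASS_POLICY, sender, name),
              decide(QUARANTINE_POLICY, sender, name))
```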
Verification of recipient addresses when forwarding to an internal mail server
The SMTP port used for verification is now configurable. It is now also possible to query an Active Directory with LDAP to
verify recipient addresses. Use one of these methods if your internal mail server is Exchange 2013.
A new option makes it possible to accept and queue mails without verification if the internal mail server is temporarily
Masquerading of email sender addresses
Individual mail relay depending on sender domain
In individual cases it can be necessary to send outbound mails via different relay servers, depending on the sender domain.
Maildomain routing via external mail server
The outbound mail routing may only be used by internal clients or authenticated users. It optionally applies to all subdomains
OpenVPN access for selected certificates
Previously any OpenVPN client with a certificate issued by the configured VPN CA was able to connect to all OpenVPN server
interfaces. With the new option you can limit access to specific certificates individually for each interface.
Simplified overriding of DNS information
In certain situations it is necessary to override DNS information for local clients with different data. Configuration of
these entries is now straightforward. Even aliases (CNAMEs) may be used. It is no longer necessary to create a domain zone.
DNSSec validation option
When enabled, the DNS forwarder will validate all DNS replies with DNSSec.
Configurable update interval of DNS IP groups
Previously the IP addresses of DNS IP groups were updated daily. Now the interval can be shortened to hourly or even every minute,
which allows the use of dynamic DNS addresses.
It monitors the most important services and restarts them in case of a failure. On a cluster master a failover is initiated
in case of repeated failures.
Additional features for network tools
The tool "traceroute" has been added. For "ping" the packet size is now configurable and it is now possible to select an interface,
which allows sending packets with different source IPs through VPN tunnels.