BETA version

This is a pre-release of update 7.2-2.0. After installing it, the system reports release 7.2-1.99, so the final 7.2-2.0 still has to be installed afterwards.
Before updating, please make sure that a current backup is available.
The purpose of the beta phase is to find as yet unknown incompatibilities in the new reverse proxy software and the new web proxy content filter release. It is also an opportunity to gain experience with the new web application firewall and to incorporate your feedback into the final release.

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Replaced reverse proxy software

The reverse proxy software is replaced in this update. This affects functionality as follows:
  • There are now two separate logfiles for access and error logging
  • The reverse proxy can no longer log to a remote syslog server
  • Backend servers requesting NTLM authentication are no longer supported
  • The obsolete RPC-over-HTTP protocol for accessing Exchange servers is untested. Switch to MAPI-over-HTTP if possible. We are considering removing RPC-over-HTTP in one of the next releases unless someone objects

Web application firewall for reverse proxy

The reverse proxy now features a web application firewall (WAF). When enabled, it checks client requests for standards compliance, unusual properties and known attack patterns. Potentially unwanted requests are rejected and do not reach the backend server.

Anomaly detection

The logfiles of the intrusion prevention system, the firewall, the web proxy and the reverse proxy are now monitored. If certain messages appear unusually frequently, the admin is notified by mail. The same applies if the bandwidth usage on the default route interface is unusually high. The anomaly detection requires an 8-day learning phase before it starts reporting.
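
How such a frequency check can work, as an added example that is not DEFENDO code: it collapses the variable parts of each log message into a template, counts occurrences per day, learns mean and standard deviation over an 8-day window and flags a day whose count is far above that baseline. The log format, the thresholds and the sample lines are constructed for the example; the statistics DEFENDO actually uses are not documented here.

```python
"""Frequency-based anomaly detection over log messages.

Added example, not DEFENDO code. Per message template, daily counts are
learned over a training window; a day whose count is far above the learned
baseline raises an alert. Log format, thresholds and sample lines are
constructed for this example.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LEARNING_DAYS = 8      # the learning phase mentioned in the release notes
SIGMA = 3.0            # alert when today's count > mean + SIGMA * stddev ...
MIN_DELTA = 5          # ... and exceeds the mean by at least this many events


def template(message):
    """Collapse variable parts (IPv4 addresses, numbers) so that equal
    events are counted together."""
    message = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", message)
    return re.sub(r"\d+", "<n>", message)


def parse(line):
    """Constructed log format: 'YYYY-MM-DD component: message'."""
    day, rest = line.split(" ", 1)
    return day, template(rest)


def daily_counts(lines):
    counts = defaultdict(lambda: defaultdict(int))   # template -> day -> count
    for line in lines:
        day, tmpl = parse(line)
        counts[tmpl][day] += 1
    return counts


def detect(lines, today):
    """Return {template: (count_today, baseline_mean, baseline_stddev)} for
    templates that are anomalously frequent on `today`. Days without an
    occurrence count as 0, so a message never seen before is flagged too."""
    counts = daily_counts(lines)
    days = sorted({d for per_day in counts.values() for d in per_day} - {today})
    history = days[-LEARNING_DAYS:]
    if len(history) < LEARNING_DAYS:
        return {}                   # still learning: no alerts yet
    alerts = {}
    for tmpl, per_day in counts.items():
        sample = [per_day.get(d, 0) for d in history]
        mu, sd = mean(sample), pstdev(sample)
        current = per_day.get(today, 0)
        if current > mu + SIGMA * sd and current - mu >= MIN_DELTA:
            alerts[tmpl] = (current, mu, sd)
    return alerts


# Constructed sample: 8 quiet learning days, then a burst of firewall drops
# from one source on day 9; the proxy messages stay steady throughout.
SAMPLE_LOG = (
    [f"2024-01-0{d} firewall: dropped packet from 203.0.113.{d} to port 22"
     for d in range(1, 9) for _ in range(2)]
    + [f"2024-01-0{d} proxy: cache hit for object {d * 100}"
       for d in range(1, 10) for _ in range(3)]
    + ["2024-01-09 firewall: dropped packet from 203.0.113.77 to port 22"] * 30
)


def demo():
    return detect(SAMPLE_LOG, "2024-01-09")


if __name__ == "__main__":
    for tmpl, (count, mu, sd) in demo().items():
        print(f"ALERT {tmpl!r}: {count} today, baseline {mu:.1f} +/- {sd:.1f}")
```

With a standard deviation of zero over a perfectly quiet learning window, any increase above MIN_DELTA would alert; the absolute floor is what keeps a single extra event on a rare message from paging someone.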

Netflow/IPFIX export

Network connection data can be exported via NetFlow v5, NetFlow v9 or IPFIX for external analysis.
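
What a collector does with the exported data, as an added example that is not DEFENDO code: it encodes and decodes a NetFlow v5 datagram (the fixed 24-byte header and 48-byte flow records of that format) and aggregates bytes per source address. The flows are constructed from documentation addresses; the template-based v9 and IPFIX formats are not covered.

```python
"""Encode and decode NetFlow v5 export datagrams.

Added example, not DEFENDO code. NetFlow v5 is the simplest of the three
export formats named above: a fixed 24-byte header followed by fixed
48-byte flow records (v9 and IPFIX use templates and are not covered).
The sample flows below are constructed from documentation addresses.
"""
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")             # version .. sampling_interval
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5(flows, seq=0, uptime_ms=1000, unix_secs=1_700_000_000):
    """Encode flows (dicts with src, dst, sport, dport, proto, packets,
    octets, optional tcp_flags) into one export datagram."""
    body = b"".join(
        RECORD.pack(int(IPv4Address(f["src"])), int(IPv4Address(f["dst"])), 0,
                    0, 0,                                     # input/output ifindex
                    f["packets"], f["octets"], 0, uptime_ms,  # counters, first/last
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                    0, 0, 0, 0, 0)                            # AS numbers, masks, pad
        for f in flows)
    header = HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5(datagram):
    """Decode a datagram into a list of flow dicts; rejects other versions
    and truncated packets instead of reading garbage."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "packets": r[5], "octets": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12],
            "proto": PROTO.get(r[13], str(r[13])),
        })
    return flows


def top_talkers(flows, n=3):
    """Bytes per source address, the usual first step of an analysis."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


SAMPLE_FLOWS = [  # constructed, not captured traffic
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 51000, "dport": 443,
     "proto": 6, "packets": 12, "octets": 9000, "tcp_flags": 0x18},
    {"src": "192.0.2.11", "dst": "198.51.100.53", "sport": 40000, "dport": 53,
     "proto": 17, "packets": 1, "octets": 80},
    {"src": "192.0.2.10", "dst": "203.0.113.9", "sport": 51001, "dport": 22,
     "proto": 6, "packets": 40, "octets": 31000, "tcp_flags": 0x02},
]


def demo():
    return parse_v5(build_v5(SAMPLE_FLOWS))


if __name__ == "__main__":
    for src, octets in top_talkers(demo()):
        print(f"{src:15} {octets} bytes")
```

NetFlow is plain UDP without authentication, so the length check matters: a collector that trusts the record count in the header and reads past the end of a short datagram is the classic way to crash or confuse it.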

Conversion of opaque signed mails in S/MIME gateway

S/MIME signed mails are usually sent with the signature as a separate attachment (multipart/signed). There are also so-called opaque signed mails, which wrap the whole mail in a binary attachment (application/pkcs7-mime). Some mail clients don't support this format and are unable to display the mail. A new option in the S/MIME gateway enables the automatic conversion of inbound opaque signed mails into signed mails with the signature as attachment.

Web proxy content filter

The new release fixes compatibility problems with some web servers.

IP objects of type "DNS capture"

For technical reasons, multiple objects of this type cannot be combined in groups. Therefore it is now possible to configure multiple domains in a single IP object; the object then collects the addresses of all these domains.
Accordingly, the name of a "DNS capture" IP object no longer has to be the domain name whose addresses are collected. The name can now be chosen freely.

TLS parameters

In the administration interface, the TLS parameters of the various services are configured in four levels. The update changes these levels as follows:
  • outdated: Triple DES (3DES) is removed entirely
  • compatible: TLS 1.0 and 1.1 are no longer included
  • contemporary: Diffie-Hellman key exchange is no longer included
  • maximum: Diffie-Hellman key exchange and RSA certificates with less than 3072 bits are no longer supported

SSH client and server

RSA keys with less than 2048 bits are no longer supported by the new version. We don't expect production systems to use shorter keys, though. We generally recommend using ed25519 keys instead of RSA.
The scp protocol used to transfer files via SSH will be removed in one of the next releases. If you are using scp to copy backups or logfiles, you do not need to change the configuration: once scp is removed, the settings will be converted automatically. You should, however, make sure that the target server has SFTP enabled.
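
A way to find keys the new SSH version will refuse before upgrading, as an added example that is not DEFENDO code: it reads the RFC 4253 encoding behind the base64 part of an OpenSSH public-key line (string "ssh-rsa", mpint e, mpint n) and reports the modulus size for authorized_keys or known_hosts material on the backup or logfile target. The sample keys are synthetic, a modulus of the right length rather than a real key pair.

```python
"""Find RSA keys shorter than 2048 bits in OpenSSH public-key lines.

Added example, not DEFENDO code. The blob after "ssh-rsa" is the RFC 4253
encoding: string "ssh-rsa", mpint e, mpint n; the bit length of n is the
key size. The sample keys are synthetic (a modulus of the right length,
not a real key pair).
"""
import base64
import struct

MIN_RSA_BITS = 2048
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _string(data):
    return struct.pack("!I", len(data)) + data


def _mpint(value):
    # big-endian two's complement: a leading zero byte if the high bit is set
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (length,) = struct.unpack_from("!I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length


def encode_pubkey(ktype, *parts, comment="test"):
    """Build a public-key line from pre-encoded parts (used for sample data)."""
    blob = _string(ktype.encode()) + b"".join(parts)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


def key_info(line):
    """Return (key_type, bits) for one public-key line; bits is None for
    non-RSA keys. Works for authorized_keys (optional options prefix) and
    known_hosts (hostname prefix) because the key type is located by name."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_PREFIXES):
            ktype, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("no key found in line")
    blob = base64.b64decode(b64)
    name, off = _read_string(blob, 0)
    if name.decode() != ktype:
        raise ValueError("key type in blob does not match text")
    if ktype != "ssh-rsa":
        return ktype, None
    _, off = _read_string(blob, off)            # public exponent e
    modulus, _ = _read_string(blob, off)        # modulus n
    return ktype, int.from_bytes(modulus, "big").bit_length()


def audit(lines):
    """Return (comment, bits) for every RSA key below MIN_RSA_BITS."""
    weak = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ktype, bits = key_info(line)
        if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
            weak.append((line.split()[-1], bits))
    return weak


SAMPLE_KEYS = [  # constructed test material, not real keys
    "# known_hosts-style line with a 1024-bit modulus",
    "legacy.example.com " + encode_pubkey("ssh-rsa", _mpint(65537),
                                          _mpint((1 << 1023) | 1), comment="legacy@host"),
    encode_pubkey("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1), comment="ok@host"),
    encode_pubkey("ssh-ed25519", _string(bytes(32)), comment="modern@host"),
]


if __name__ == "__main__":
    for comment, bits in audit(SAMPLE_KEYS):
        print(f"{comment}: RSA {bits} bits, replace before upgrading")
```

Run it over the target server's host key line from the device's known_hosts as well as over the device key in the target's authorized_keys; a 1024-bit host key on the backup server breaks the transfer just as surely as a short client key.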

Various system components

The Linux kernel, Avira Antivirus, OpenVPN, web proxy including URL filter, mail server, POP/IMAP server, web server, DNS as well as several system libraries and tools are updated.

Minor bugfixes and improvements

Transparent web proxying

Since 7.1-5.1 and 7.2-1.1, connection problems occurred with transparent proxying if the target server constantly changed its IP address in DNS. This is fixed.

IP object type "DNS capture"

DNS replies with multiple IPs of the same address family were ignored. They are now evaluated.

S/MIME gateway: Retrieval of certificates from signed mails for encryption

Some organizations use different S/MIME keys for signing and for encryption. The S/MIME gateway used to extract the certificate that signed an inbound mail and use it for encrypting future outbound mails, even if this certificate was not intended for encryption. Usually the recipient was then unable to read mails encrypted with the wrong certificate. The S/MIME gateway now checks the certificate purpose (key usage) and stores the one that is suitable for encryption.

Backup configuration on cluster nodes

The settings for scheduled automatic backups on the cluster master used to be overwritten with the settings of the backup node.

Configuration of mail server no longer updated

Since 7.2-1.5 the mail server configuration was no longer updated if a sender domain specific provider relay is configured.

Monitoring tool "ARP scan"

With the new tool you can scan the network segment directly attached to eth, vlan or wlan interfaces for IPv4 systems. In addition to the IP and MAC address, it also shows the manufacturer of the network adapter, derived from the OUI part of the MAC address.

MAC addresses of WLAN interfaces change

For technical reasons, the MAC addresses of WLAN interfaces will change. The change takes effect after the next reboot. You may notice a delay until clients reconnect to the modified WLAN.

Optimized memory usage of URL filter

Only those database categories which are actually used by the ruleset will be loaded into memory. If the commercial URL filter is used and the option to analyze uncategorized URLs is enabled, all categories have to be loaded though.

Added domain sls.microsoft.com to domainlist WINDOWS

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Web proxy content filter

Especially with slow Internet connections (e.g. via VPN), problems with transparent HTTPS proxying using Chromium-based browsers like Chrome or Edge persisted despite the bugfix in release 7.2-1.6.
The update also fixes sporadic connection failures when the SSL check for the CONNECT method is enabled.

Backup of private keys

If the password-protected file format has been configured for the system backup, the backup now includes the private keys from the keyring. The private CA key is still not included in the backup.
If you consider enabling the password-protected file format, please bear in mind that the backup file is useless if the password is no longer known.
Additionally, it is now possible to download a password-protected backup of the private keys in the backup menu.

Encrypted transfer of backups and logfiles

The previously used secure copy protocol (SCP) is deprecated. We've made SFTP available as an alternative, which is also based on secure shell.
Both SCP and SFTP now also try the device's ED25519 key in addition to the RSA key for authentication.

New IP object type "DNS capture"

Sometimes software vendors just give you a domain name instead of individual hostnames when asked what you need to allow in your firewall for their software to work (e.g. *.example.com). This is no problem if the software is able to use the web proxy, but it used to be difficult if access had to be granted in the firewall. The new IP object type tries to solve the problem by collecting the IP addresses found in DNS replies for the respective domain.
The new IP object type can only be used in firewall rules and usually only makes sense as the destination of rules that forward connections into the Internet. The prerequisite is that the client uses the firewall's DNS server to resolve DNS names, either directly or indirectly. A short delay before a connection becomes possible is inherent in this approach: the address must first show up in a DNS reply.
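
How such an object can learn addresses from the resolver's replies, as an added example that is not DEFENDO code: a toy "DNS capture" that decodes a DNS response in wire format, checks whether the queried name falls under one of several configured domains (the multi-domain objects of the 7.2-2.0 notes) and records every A and AAAA record in the answer section, including several of the same address family (the case of the bugfix above). The responses are constructed inline from documentation addresses.

```python
"""Collect addresses from DNS replies for a set of domains.

Added example, not DEFENDO code: a toy "DNS capture" object. It decodes a
DNS response in wire format and, when the queried name is one of the
object's domains or a subdomain of one, records every A and AAAA record in
the answer section, including several records of the same address family.
The responses are constructed inline with documentation addresses.
"""
import struct
from ipaddress import ip_address

TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def build_response(qname, answers, txid=0x1234):
    """answers: list of (owner, type, ttl, rdata). Owner names equal to the
    question name are written as a pointer to the question (offset 12)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


class DnsCapture:
    def __init__(self, domains):
        self.domains = [d.lower().rstrip(".") for d in domains]
        self.addresses = set()

    def matches(self, name):
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def feed(self, msg):
        """Parse one DNS message; return the addresses newly learned from it."""
        _, flags, _, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
        if not flags & 0x8000:
            return set()                          # a query, not a response
        qname, off = decode_name(msg, 12)
        off += 4                                  # skip qtype and qclass
        if not self.matches(qname):
            return set()
        learned = set()
        for _ in range(ancount):
            _, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype in (TYPE_A, TYPE_AAAA):
                addr = str(ip_address(rdata))
                if addr not in self.addresses:
                    self.addresses.add(addr)
                    learned.add(addr)
        return learned


# Constructed replies: two A records plus one AAAA for a covered subdomain,
# and one A record for a domain the object does not cover.
SAMPLE_RESPONSES = [
    build_response("www.example.com", [
        ("www.example.com", TYPE_A, 60, bytes([192, 0, 2, 10])),
        ("www.example.com", TYPE_A, 60, bytes([192, 0, 2, 11])),
        ("www.example.com", TYPE_AAAA, 60, ip_address("2001:db8::10").packed),
    ]),
    build_response("www.example.org", [
        ("www.example.org", TYPE_A, 60, bytes([198, 51, 100, 1])),
    ]),
]


def demo():
    capture = DnsCapture(["example.com", "cdn.example.net"])
    return [capture.feed(r) for r in SAMPLE_RESPONSES + SAMPLE_RESPONSES[:1]]
```

The suffix match deliberately requires a dot boundary, so "notexample.com" does not match an object for "example.com"; the example keeps addresses forever, whereas a real object also has to expire them when the TTL runs out, or the rule keeps allowing addresses the vendor has long given up.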

Various system components

The Linux kernel, Avira Antivirus, web proxy, web server and SSH server as well as some system libraries and tools are updated.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Transparent HTTPS proxying with chromium-based browsers

Starting with Chromium 124, it was no longer possible to access web pages with Chromium-based browsers like Chrome or Edge via transparent HTTPS proxying. This is fixed.

Damaged mail headers in S/MIME gateway

When modifying long subject lines and the content type of a message, release 7.2-1.5 inserted a control character that resulted in a truncated subject or, on some systems, a failure to decrypt.

Automatic certificate management

Customers that need to purchase many certificates (e.g. when using the S/MIME gateway) can now automate requesting and renewing certificates via the managed PKI interface (MPKI) of a CA. This new feature is still experimental and currently supports SwissSign only. We are happy to add further CAs; all we need is an interface description and a test account.

Additional categories for the commercial URL filter

We've added the categories Alcohol, Softdrugs, Parked domains and AI chatbots.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, IPsec server, web proxy, DNS and system libraries.

Avira antivirus

Minor bugfixes and improvements

DMARC verification of inbound mails

In addition to SPF, DMARC verification is now available for mails received from the Internet via SMTP. DMARC builds on SPF and DKIM: the check succeeds if either the SPF or the DKIM check passes and, in addition, the domain of the sender address shown by the user's mail program ("From" header) is aligned with the domain that passed SPF (the envelope sender domain) or DKIM (the "d=" tag of the signature), respectively. As with SPF, the owner of the domain publishes a DNS record that tells recipients whether to perform the DMARC check and what to do if it fails: reject the mail, treat it as potential spam (quarantine) or just let it pass (none).
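
The rule spelled out in code, as an added example that is not DEFENDO's mail server code: given the SPF result with its envelope domain, the DKIM results with their d= domains and the domain owner's published record, it decides pass or fail and maps the policy to an action. The cases are constructed; the organisational domain is simplified to the last two labels instead of a Public Suffix List lookup, which is wrong for registries such as co.uk.

```python
"""DMARC evaluation from SPF and DKIM results.

Added example, not DEFENDO code. It applies the rule described above: the
message passes if SPF or DKIM passed *and* the passing mechanism's domain is
aligned with the domain of the "From" header; otherwise the domain owner's
published policy decides. The organisational domain is simplified to the
last two labels (no Public Suffix List), which is wrong for e.g. co.uk.
"""
from email.utils import parseaddr

ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def org_domain(domain):
    """Simplified organisational domain: last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict): exact match; 'r' (relaxed): same organisational domain."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc_record(txt):
    """Parse e.g. 'v=DMARC1; p=reject; adkim=s' into tags with defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags["p"] not in ACTIONS:
        raise ValueError("not a usable DMARC record")
    return tags


def evaluate(from_header, spf, dkim, record):
    """spf: (result, envelope-from domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, action)."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    if not from_domain:
        raise ValueError("no domain in From header")
    tags = parse_dmarc_record(record)
    spf_pass = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_pass = any(result == "pass" and aligned(d, from_domain, tags["adkim"])
                    for result, d in dkim)
    if spf_pass or dkim_pass:
        return "pass", "deliver"
    return "fail", ACTIONS[tags["p"]]


# Constructed cases: a legitimate mail, a strict-alignment failure and a
# spoofed From where SPF and DKIM pass only for the attacker's own domain.
SAMPLE_CASES = {
    "legit": ("Alice <alice@example.com>", ("pass", "mail.example.com"),
              [("pass", "example.com")], "v=DMARC1; p=reject"),
    "strict": ("Alice <alice@example.com>", ("pass", "mail.example.com"),
               [], "v=DMARC1; p=reject; aspf=s"),
    "spoof": ("CEO <ceo@example.com>", ("pass", "attacker.invalid"),
              [("pass", "attacker.invalid")], "v=DMARC1; p=quarantine"),
}


def demo():
    return {name: evaluate(*case) for name, case in SAMPLE_CASES.items()}
```

The "spoof" case is the one DMARC exists for: SPF and DKIM both pass, because the attacker controls attacker.invalid, yet neither passing domain aligns with the example.com shown to the user, so the owner's quarantine policy applies.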

Options for retrieving and sending mails

To better support medical practices that want to use the mail server's anti-malware options also for KIM mails (Kommunikation im Medizinwesen), several configuration options have been added. This should allow connecting to all kinds and configurations of KIM client modules. In the POP client you can now add a client certificate, and the server port (here: the port of the KIM client module) is freely configurable. For outbound mails the server port (KIM client module) can also be adjusted freely. In addition, SMTPS is now supported for outbound connections and you can configure login credentials when routing an external domain (here: kim.telematik).

Scheduled mailbackup by user

Previously a backup of the local mailboxes was always stored as a single large file. In order to use less storage while creating the backup, you can now choose to store one file per user account.

Interruptions of Windows IKEv2 IPsec connections

Clients were disconnected during re-keying, which typically occurs after one hour.

Download of URL filter lists in UTF-8 encoding

Previously the import of UTF-8 encoded lists failed.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

DKIM signatures for emails

Outbound mails can now be signed with DKIM. To configure this feature, add a new entry of type "RSA key (SSH, DKIM)" to the keyring and generate a new key. Publish the public key as a DKIM TXT record in the DNS of the domain you want to sign for. Finally, associate the key with the domain in the domain configuration of the mail server; outbound mails will then be signed. If you have already configured SPF in the DNS of the domain, you could add a DMARC record now as well.

Wizard for adding Wireguard clients

Previously one wizard served for adding both a router and a client. Due to frequent misconfigurations, we have now added a dedicated wizard for adding clients.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, the SSH server and system libraries.

Cluster service

Minor bugfixes and improvements

Several bugfixes for IPsec in 7.2 releases

In specific configurations of IPsec connections via an ADSL interface, a route was missing after the ADSL line reconnected. So even though the IPsec connection was up, no data was transmitted.
Transparent proxying on IPsec interfaces only worked when configured with DNAT rules; enabling the checkboxes had no effect.
IKEv2 connections to peers behind a NAT router were not re-negotiated by Dead Peer Detection when the IP of the NAT router changed.

Web proxy crash

The update fixes a crash that could have been triggered by a malicious web server.

New OpenVPN release

A new OpenVPN version is installed with this update. Please note that the new release requires a sufficiently large netmask for the transfer network. The netmasks 255.255.255.252 (/30) and 255.255.255.248 (/29) are no longer accepted. The default 255.255.255.0 (/24) is more than sufficient.

OpenVPN password authentication

One-time passwords used to be the only user authentication method for the OpenVPN server. From now on it is also possible to authenticate with just the user password, or with both the user password and a one-time password.

Individual credentials for submitting outbound mails to provider relay

You can now configure individual SMTP credentials by sender address (envelope from) for submitting outbound mails to a provider relay.

DHCP server support for indirect networks

The IPv4 DHCP server now supports networks that have to connect via a DHCP relay.

Network 239.255.255.0/24 on bridged interfaces

It is no longer necessary to configure a route to accept multicast packets to IPs from network 239.255.255.0/24.

Various system components

Among others, the web server and the archive tool tar are updated. The security vulnerabilities that have been fixed are located in unused subcomponents.

Minor bugfixes and improvements

IPsec L2TP and IPsec with IPComp compression

In some environments IPsec L2TP packets were sporadically misrouted. With IPsec compression enabled, some packets were mistakenly dropped by the firewall.

Making use of the Windows certificate store with OpenVPN

New variants of the Windows installation packages for OpenVPN store the key pair in the Windows certificate store. Normal connections use the user certificate store; PLAP/SBL (Start Before Logon) packages must add the key to the machine certificate store, because they run before a user is logged on.

Automatic download of URL lists

Maintaining or importing data into URL filter lists used to be a manual task. Now it is possible to automatically download URL lists from a web server. The lists may include whole domains, URLs, IP addresses and patterns such as "example.*".

Minor bugfixes and improvements

Security vulnerabilities in web proxy

Several vulnerabilities have been fixed in the web proxy. The most critical one allows an attacker to execute code on the device, provided user authentication with the Digest algorithm is enabled. Another critical vulnerability allowed smuggling requests or responses through the proxy by sending contradictory framing headers.
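
What rejecting contradictory framing looks like in practice, and at the same time the kind of check the reverse proxy's web application firewall described in the 7.2-2.0 beta notes performs, as an added example that is not DEFENDO's WAF or proxy code: it parses the head of a raw HTTP/1.x request and lists reasons to reject it, from malformed syntax and a missing or duplicated Host header through Content-Length combined with Transfer-Encoding or conflicting Content-Length values (the ingredients of request smuggling) to a few well-known attack patterns in the request target. The allowed methods, the patterns and the sample requests are assumptions.

```python
"""Request sanity checks of the kind a reverse-proxy WAF applies.

Added example, not DEFENDO's WAF or proxy code. It parses the head of a raw
HTTP/1.x request and returns reasons to reject it: malformed syntax, missing
or duplicate Host, contradictory framing headers (the ingredients of request
smuggling) and a few well-known attack patterns in the request target.
Method list, patterns and sample requests are assumptions.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "identity"}
ATTACK_PATTERNS = [
    ("path traversal", re.compile(r"\.\./|\.\.%2f|%2e%2e(?:/|%2f)", re.I)),
    ("sql injection", re.compile(r"union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("cross-site scripting", re.compile(r"<\s*script\b|%3c\s*script", re.I)),
]


def check_request(raw):
    """Return the list of reasons to reject the request; empty means accept."""
    reasons = []
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return ["malformed request line"]
    method, target, version = match.groups()
    if method not in ALLOWED_METHODS:
        reasons.append(f"method {method} not allowed")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            reasons.append("obsolete header line folding")
            continue
        h = HEADER_LINE.match(line)
        if not h:
            reasons.append(f"malformed header line {line!r}")
            continue
        headers.append((h.group(1).lower(), h.group(2)))
    names = [name for name, _ in headers]
    if version == "1.1" and "host" not in names:
        reasons.append("HTTP/1.1 request without Host header")
    if names.count("host") > 1:
        reasons.append("multiple Host headers")
    # Framing: RFC 9112 lets Transfer-Encoding override Content-Length, but a
    # proxy and its backend may disagree, so a WAF rejects the combination.
    lengths = [value for name, value in headers if name == "content-length"]
    codings = [value for name, value in headers if name == "transfer-encoding"]
    if lengths and codings:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(lengths)) > 1:
        reasons.append("conflicting Content-Length values")
    for value in lengths:
        if not value.isdigit():
            reasons.append(f"non-numeric Content-Length {value!r}")
    for value in codings:
        chain = [c.strip().lower() for c in value.split(",")]
        if chain[-1] != "chunked" or not set(chain) <= KNOWN_CODINGS:
            reasons.append(f"unusual Transfer-Encoding {value!r}")
    for label, pattern in ATTACK_PATTERNS:
        if pattern.search(target):
            reasons.append(f"{label} pattern in request target")
    return reasons


SAMPLE_REQUESTS = {  # constructed, not captured traffic
    "clean": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "smuggle": (b"POST /api HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "traversal": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "nohost": b"GET / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
}


def demo():
    return {name: check_request(raw) for name, raw in SAMPLE_REQUESTS.items()}
```

The "smuggle" request is legal by the letter of the standard, which is exactly the problem: whichever of the two headers the proxy honours, a backend that honours the other one will see a different request boundary, so a WAF in front of mixed backends rejects the combination outright rather than trying to normalise it.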

IPsec connections to clients

In version 7.2-1.0, connections of type "Windows IKEv2" failed to load due to an error in the configuration template. The same happened for connections of type "Client" if the IKEv2 protocol was selected and no virtual IP was configured.
When downloading a setup package for Windows IPsec-L2TP (PowerShell), a setup package for Windows IKEv2 was delivered instead.

Wireguard DNS suffix

While preparing a Wireguard configuration for the peer, you can now include a DNS suffix.

Minor bugfixes and improvements

Secure

DEFENDO combines best-of-breed security modules such as firewall, VPN, proxies, virus scanner and anti-spam system that work together for one purpose:
protection from online threats and unwanted content such as malicious code, spam and hacker attacks.

Flexible

Each IT scenario is different. The DEFENDO product family adapts precisely to your demands.
DEFENDO is suitable for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany