Transparent web proxying

Since 7.1-5.1 and 7.2-1.1, connection problems occurred with transparent proxying if the target server constantly changes its IP address in DNS.

IP object type "DNS capture"

DNS replies with multiple IPs of the same address family were ignored.

S/MIME gateway: Retrieval of certificates from signed mails for encryption

Some organizations use different S/MIME keys for signing and for encryption. The S/MIME gateway used to extract the certificate used for signing inbound mails for future encryption of outbound mails, even if this certificate wasn't intended to be used for encryption. Usually the recipient was not able to read mails encrypted with the wrong certificate. The S/MIME gateway now checks the certificate purpose and stores the one that is suitable for encryption.

Backup configuration on cluster nodes

The settings for scheduled automatic backups on the cluster master used to be overwritten with the settings of the backup node.

Configuration of mail server no longer updated

Since 7.2-1.5 the mail server configuration was no longer updated if a sender domain specific provider relay is configured.

Monitoring tool "ARP scan"

With the new tool you can scan the network segment directly attached to eth, vlan or wlan interfaces for IPv4 systems. In addition to the IP and MAC address it will also show you the manufacturer of the network adapter, deduced from the MAC address.

MAC addresses of WLAN interfaces change

For technical reasons the MAC addresses of WLAN interfaces will change. The change takes effect after the next reboot. You may notice a delay until clients connect to the modified WLAN again.

Optimized memory usage of URL filter

Only those database categories which are actually used by the ruleset will be loaded into memory. If the commercial URL filter is used and the option to analyze uncategorized URLs is enabled, all categories have to be loaded though.

Added domain sls.microsoft.com to domainlist WINDOWS

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Web proxy content filter

Especially with slow Internet connections (e.g. via VPN), problems with transparent HTTPS proxying using Chromium-based browsers like Chrome or Edge persisted despite the bugfix in release 7.2-1.6.
The update also fixes sporadic connection failures when the SSL check for the CONNECT method is enabled.

Backup of private keys

If the password protected file format has been configured for the system backup, it will now include the private keys from the keyring. Still the private CA key is not included in the backup.
If you consider enabling the password protected file format, please bear in mind that the backup file is useless if the password is no longer known.
Additionally it is now possible to download a password protected backup of the private keys in the backup menu.

Encrypted transfer of backups and logfiles

The previously used secure copy protocol (SCP) is deprecated. We've made SFTP available as an alternative which is also based on secure shell.
Both SCP and SFTP will now also try the device's ED25519 key in addition to the RSA key for authentication.

New IP object type "DNS capture"

Sometimes software vendors will just give you a domain name instead of individual hostnames when asked what you need to allow in your firewall for their software to work (e.g. *.example.com). This is no problem if the software is able to use the web proxy, but it used to be difficult if access had to be granted in the firewall. The new IP object type tries to solve the problem by collecting the IP addresses found in DNS replies for the respective domain.
The new IP object type can only be used in firewall rules and usually only makes sense as the destination of rules for forwarding connections into the Internet. Prerequisite is that the client uses the firewall's DNS server to resolve DNS names, either directly or indirectly. A short delay until a connection becomes possible is system-related.
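The mechanism described above, as an added example that is not DEFENDO's code: a small model of a "DNS capture" object that watches the replies of the firewall's resolver, records every address returned for a name under the configured pattern (all addresses of a reply, IPv4 and IPv6 alike, which is the point of the fix for replies with multiple IPs of the same family), and keeps each address until its TTL has run out. The class name, the pattern syntax and the minimum hold time are assumptions for this example; the replies in the demo are constructed.

```python
import ipaddress
import time
from fnmatch import fnmatchcase

# Assumption for this example: an address is held at least this long, so a
# reply with a very small TTL still gives the client time to connect.
MIN_HOLD_SECONDS = 30


class DnsCapture:
    """Collects the addresses seen in DNS replies for names matching a
    pattern such as "*.example.com" and keeps each one until its TTL expires."""

    def __init__(self, pattern):
        self.pattern = pattern.lower().rstrip(".")
        self._expiry = {}  # normalized address string -> expiry timestamp

    def matches(self, name):
        name = name.lower().rstrip(".")
        if fnmatchcase(name, self.pattern):
            return True
        # let "*.example.com" also cover the apex name "example.com"
        return self.pattern.startswith("*.") and name == self.pattern[2:]

    def observe(self, name, answers, now=None):
        """Feed one DNS reply. `answers` is an iterable of (address, ttl).
        Every address in the reply is recorded, so a reply carrying several
        A records does not lose all but its first entry. Returns the number
        of addresses recorded or refreshed."""
        if now is None:
            now = time.time()
        if not self.matches(name):
            return 0
        count = 0
        for addr, ttl in answers:
            ip = str(ipaddress.ip_address(addr))  # rejects malformed answers
            expiry = now + max(int(ttl), MIN_HOLD_SECONDS)
            # never shorten an address that is already known
            self._expiry[ip] = max(self._expiry.get(ip, 0), expiry)
            count += 1
        return count

    def current(self, now=None):
        """Addresses still valid at `now`; expired entries are dropped."""
        if now is None:
            now = time.time()
        self._expiry = {ip: exp for ip, exp in self._expiry.items() if exp > now}
        return set(self._expiry)

    def contains(self, addr, now=None):
        return str(ipaddress.ip_address(addr)) in self.current(now)


if __name__ == "__main__":
    # constructed replies: a CDN name that answers with three addresses
    cap = DnsCapture("*.example.com")
    cap.observe("cdn.example.com",
                [("192.0.2.10", 60), ("192.0.2.11", 60), ("2001:db8::1", 60)])
    cap.observe("other.example.net", [("198.51.100.1", 60)])  # not our domain
    print(sorted(cap.current()))
```

In a real rule engine the `current()` set would be pushed into the packet filter's address set whenever it changes; the TTL-based expiry is what keeps the rule from accumulating stale addresses of a server that rotates its IPs.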

Various system components

The Linux kernel, Avira Antivirus, web proxy, web server and SSH server as well as some system libraries and tools are updated.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Transparent HTTPS proxying with chromium-based browsers

Starting with Chromium 124 it was no longer possible to access web pages with Chromium-based browsers like Chrome or Edge via transparent HTTPS proxying.

Damaged mail headers in S/MIME gateway

While modifying long subject lines and the content type of a message, release 7.2-1.5 inserted a control character that resulted in a truncated subject or a failure to decrypt on some systems.

Automatic certificate management

Customers that need to purchase lots of certificates (e.g. when using the S/MIME gateway) can now automate the process of requesting and renewing certificates via the managed PKI interface (MPKI) of a CA. This new feature is still experimental and currently supports SwissSign only. We are happy to add further CAs. All we need is an interface description and a test account.

Additional categories for the commercial URL filter

We've added the categories Alcohol, Softdrugs, Parked domains and AI chatbots.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, IPsec server, web proxy, DNS and system libraries.

Avira antivirus

Minor bugfixes and improvements

DMARC verification of inbound mails

In addition to SPF, DMARC verification is now also available for mails received from the Internet via SMTP. DMARC combines SPF with DKIM. The check is successful if either the SPF or the DKIM check succeeds and, in addition, the sender address displayed by the user's mail program ("From" header) matches the SPF or DKIM domain respectively. As with SPF, it is the owner of a domain who decides whether recipients of mails from this domain can perform a DKIM check and what to do in case of a failure: reject the mail, treat it as potential spam or just let it pass.
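The evaluation described above, as an added example that is not DEFENDO's implementation: given the SPF and DKIM results the mail server already has, the domain of the visible "From" header and the domain owner's published DMARC record, it decides whether the mail passes and, if not, what the policy asks for. Assumptions: the organizational domain used for "relaxed" alignment is simplified to the last two labels (a real implementation consults the Public Suffix List), and the `pct` and `sp` tags of the record are ignored. All inputs in the demo are constructed.

```python
import email.utils


def parse_tags(record):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def from_domain(from_header):
    """Domain of the address the user sees in the From header, or None."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain):
    # Simplification (assumption): last two labels. This is wrong for
    # multi-label public suffixes such as "co.uk"; use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, header_domain, mode):
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    if not auth_domain:
        return False
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == header_domain
    return org_domain(auth_domain) == org_domain(header_domain)


def evaluate_dmarc(from_header, spf_pass, spf_domain, dkim_pass, dkim_domain, dmarc_record):
    """Returns (result, disposition). result is 'pass', 'fail' or 'none' (no
    usable policy published). disposition is what the owner asks for on
    failure: 'reject', 'quarantine' (treat as potential spam) or 'none'."""
    tags = parse_tags(dmarc_record or "")
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return ("none", "none")
    header_domain = from_domain(from_header)
    if header_domain is None:
        return ("fail", tags["p"])
    spf_ok = bool(spf_pass) and aligned(spf_domain, header_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim_pass) and aligned(dkim_domain, header_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


if __name__ == "__main__":
    # constructed: a legitimate mail whose envelope sender is a bounce subdomain
    print(evaluate_dmarc("Alice <alice@example.com>", True, "bounce.example.com",
                         False, None, "v=DMARC1; p=reject; aspf=r"))
    # constructed: SPF and DKIM both pass, but for the sender's own domain,
    # which does not align with the displayed From domain
    print(evaluate_dmarc("Bank <security@bank.example>", True, "attacker.example",
                         True, "attacker.example", "v=DMARC1; p=quarantine"))
```

The second case is the one DMARC exists for: SPF and DKIM can both be valid for a domain the attacker controls; only the alignment check ties the result to the domain the user actually sees.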

Options for retrieving and sending mails

To better support medical practices that want to use the mail server anti-malware options also for KIM mails (Kommunikation im Medizinwesen), several configuration options have been added. This should allow connecting with all kinds and configurations of KIM client modules. In the POP client you can now add a client certificate and the server port (here: port of KIM client module) is freely configurable. For outbound mails it is also possible to adjust the server port (KIM client module) freely. In addition SMTPS is now also supported for outbound connections and you can configure login credentials when routing an external domain (here: kim.telematik).

Scheduled mailbackup by user

Previously a backup of the local mailboxes was always stored as a single large file. In order to use less storage while creating the backup, you can now choose to store one file per user account.

Interruptions of Windows IKEv2 IPsec connections

Clients were disconnected during re-keying that typically occurs after one hour.

Download of URL filter lists in UTF-8 encoding

Previously the import of UTF-8 encoded lists failed.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

DKIM signatures for emails

Outbound mails can now be signed with DKIM. To configure this feature, add a new entry of type "RSA key (SSH, DKIM)" to the keyring and generate a new key. Publish the public key in the DNS of the domain you want to sign. Finally associate the key with the domain in the domain configuration of the mail server and outbound mails will be signed. Have you configured SPF in the DNS of the domain? Then you could also add a DMARC record now.
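The "publish the public key in DNS" step of the procedure above, as an added example that is not DEFENDO's code: it turns the public half of the key into the TXT record for `<selector>._domainkey.<domain>`, splits it into the 255-character strings a TXT record is made of, and checks a record read back from DNS against the key. The PEM block is a constructed placeholder, not a real key; the record-building steps only strip the PEM armor and join the base64 lines, so they do not depend on the key bytes. The selector name "mail" is an assumption.

```python
import base64
import textwrap

# Constructed placeholder standing in for the public key exported from the
# keyring. It is NOT a real key; only its PEM shape matters here.
_PLACEHOLDER_DER = b"constructed placeholder, not a real key; " * 12
PLACEHOLDER_PUBKEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(_PLACEHOLDER_DER).decode(), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def parse_tags(record):
    """'v=DKIM1; k=rsa; p=MIIB...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': 'MIIB...'}"""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def pem_to_dkim_record(pem, key_type="rsa"):
    """Build the TXT record value from the public key in PEM form. DKIM wants
    the SubjectPublicKeyInfo encoding, i.e. the "BEGIN PUBLIC KEY" block that
    `openssl rsa -pubout` writes, not the PKCS#1 "BEGIN RSA PUBLIC KEY" form."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PUBLIC KEY-----":
        raise ValueError("expected a 'BEGIN PUBLIC KEY' PEM block")
    body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
    return f"v=DKIM1; k={key_type}; p={body}"


def split_txt_strings(record, max_len=255):
    """One TXT character-string holds at most 255 bytes; an RSA-2048 key does
    not fit, so the record is published as several strings that resolvers
    concatenate in order."""
    return [record[i:i + max_len] for i in range(0, len(record), max_len)]


def zone_line(selector, domain, record):
    strings = " ".join(f'"{s}"' for s in split_txt_strings(record))
    return f"{selector}._domainkey.{domain}. IN TXT {strings}"


def record_matches_key(txt_strings, pem):
    """Check a record read back from DNS (its list of TXT strings) against the
    key: the 'p' tag, with any whitespace removed, must equal the key's base64."""
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":  # the v tag is optional in DKIM records
        return False
    published = "".join(tags.get("p", "").split())
    expected = pem_to_dkim_record(pem).partition("p=")[2]
    return bool(published) and published == expected


if __name__ == "__main__":
    record = pem_to_dkim_record(PLACEHOLDER_PUBKEY_PEM)
    print(zone_line("mail", "example.com", record))
```

After the zone change has propagated, feeding the TXT strings returned by a resolver into `record_matches_key()` catches the two common publishing mistakes: a key pasted with line breaks that became separate, unordered strings, and a record that still carries the previous key.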

Wizard for adding Wireguard clients

Previously a single wizard was used for adding both routers and clients. Due to frequent misconfigurations we have now added a dedicated wizard for adding clients.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, the SSH server and system libraries.

Cluster service

Minor bugfixes and improvements

Several bugfixes for IPsec in 7.2 releases

In specific configurations of IPsec connections via an ADSL interface a route was missing after the re-connect of the ADSL line. So even though the IPsec connection was up, no data was transmitted.
Transparent proxying on IPsec interfaces worked only when configured with DNAT rules. Enabling the checkboxes had no effect.
IKEv2 connections to peers behind a NAT router were not re-negotiated by Dead Peer Detection when the IP of the NAT router changed.

Web proxy crash

The update fixes a crash that could have been triggered by a malicious web server.

New OpenVPN release

A new OpenVPN version is installed with this update. Please note that the new release requires a sufficiently large netmask for the transfer network. The netmasks 255.255.255.252 and 255.255.255.248 are no longer acceptable. The default 255.255.255.0 is more than sufficient.

OpenVPN password authentication

One-time passwords used to be the only user authentication method for the OpenVPN server. From now on it is also possible to authenticate with just the user password or with both user password and one-time password.

Individual credentials for submitting outbound mails to provider relay

You can now configure individual SMTP credentials by sender address (envelope from) for submitting outbound mails to a provider relay.

DHCP server support for indirect networks

The IPv4 DHCP server now supports networks that have to connect via a DHCP relay.

Network 239.255.255.0/24 on bridged interfaces

It is no longer necessary to configure a route to accept multicast packets to IPs from network 239.255.255.0/24.

Various system components

Among others, the web server and the archive tool tar are updated. The security vulnerabilities that have been fixed are located in unused subcomponents.

Minor bugfixes and improvements

IPsec L2TP and IPsec with IPComp compression

In some environments IPsec L2TP packets were sporadically misrouted. With IPsec compression enabled, some packets were mistakenly dropped by the firewall.

Making use of the Windows certificate store with OpenVPN

New types of the Windows installation packages for OpenVPN store the key-pair in the Windows certificate store. For normal connections the user certificate store is used. PLAP/SBL (Start before Login) packages have to add the key to the machine certificate store.

Automatic download of URL lists

Maintaining or importing data into URL filter lists used to be a manual task. Now it is possible to automatically download URL lists from a web server. The lists may include whole domains, URLs, IP addresses and patterns such as "example.*".
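A loader and matcher for a list of the kind described above, as an added example that is not DEFENDO's code. It classifies each line as a domain, URL, IP address/network or pattern and tests requested URLs against the list. The matching semantics are assumptions for this example (domains cover their subdomains, a URL entry is a prefix, "*" in a pattern stands for exactly one DNS label); the sample list is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of a downloaded list: one entry per line, comments allowed.
SAMPLE_LIST = """\
# constructed sample, not a real list
ads.example.net
http://www.example-news.test/tracking/
192.0.2.0/24
198.51.100.7
example.*
"""


def classify(entry):
    """Assumed entry kinds: 'ip' (address or CIDR), 'url', 'pattern', 'domain'."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if "://" in entry or "/" in entry:
        return "url"
    if "*" in entry:
        return "pattern"
    return "domain"


def _normalize_url(url):
    """scheme://host/path with lowercased host; query and fragment dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}", host


class UrlList:
    def __init__(self, text):
        self.domains = set()
        self.url_prefixes = []
        self.networks = []
        self.patterns = []  # (compiled regex, original entry)
        for raw in text.splitlines():
            entry = raw.strip()
            if entry and not entry.startswith("#"):
                self._add(entry)

    def _add(self, entry):
        kind = classify(entry)
        if kind == "ip":
            self.networks.append(ipaddress.ip_network(entry, strict=False))
        elif kind == "url":
            self.url_prefixes.append(_normalize_url(entry)[0])
        elif kind == "pattern":
            # "*" matches exactly one label: "example.*" covers example.com and
            # example.org but not example.co.uk, and it cannot be stretched to
            # match a host like example.com.attacker.test.
            regex = "^" + re.escape(entry.lower()).replace(r"\*", r"[^.]+") + "$"
            self.patterns.append((re.compile(regex), entry))
        else:
            self.domains.add(entry.lower().rstrip("."))

    def match(self, url):
        """Returns (kind, entry) for the first list entry covering the URL,
        or None. Domain and pattern entries also cover all subdomains."""
        normalized, host = _normalize_url(url)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            for net in self.networks:
                if ip in net:
                    return ("ip", str(net))
        else:
            labels = host.split(".")
            for i in range(len(labels)):
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    return ("domain", candidate)
                for regex, entry in self.patterns:
                    if regex.match(candidate):
                        return ("pattern", entry)
        for prefix in self.url_prefixes:
            if normalized.startswith(prefix):
                return ("url", prefix)
        return None


if __name__ == "__main__":
    lst = UrlList(SAMPLE_LIST)
    for url in ("http://tracker.ads.example.net/x", "https://www.example.org/",
                "http://192.0.2.77/", "http://www.example-news.test/news/"):
        print(url, "->", lst.match(url))
```

Note that for transparent HTTPS the proxy only sees the host name (from the TLS SNI), so URL entries with a path can only take effect for plain HTTP or when the content filter inspects the decrypted request.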

Minor bugfixes and improvements

Security vulnerabilities in web proxy

Several vulnerabilities have been fixed in the web proxy. The most critical one allows an attacker to execute code on the device, provided user authentication with the digest algorithm is enabled. Another critical vulnerability allowed smuggling of requests or responses through the proxy by sending contradictory meta information.
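The check a proxy has to make to close the second class of bug above, as an added example that is not DEFENDO's code: before forwarding an HTTP/1.x message, inspect its header block for contradictory or malformed framing information (Content-Length together with Transfer-Encoding, several differing Content-Length values, a whitespace-mangled header name, bare LF, obsolete line folding) and reject the message instead of guessing which length the next hop will believe. The problem codes returned are this example's own naming; the sample messages are constructed.

```python
import re

# RFC 7230 token: the only characters allowed in a header field name.
# "Transfer-Encoding : chunked" (space before the colon) fails this test.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress", "identity"}


def framing_problems(head):
    """Inspect an HTTP/1.x header block (bytes up to and including the empty
    line) and return a list of problem codes. An empty list means the message
    length is unambiguous and the headers are well-formed; anything else
    should be answered with 400 rather than forwarded."""
    problems = []
    text = head.decode("iso-8859-1")
    if not text.endswith("\r\n\r\n"):
        problems.append("no-header-terminator")
    lines = text.rstrip("\r\n").split("\r\n")
    parts = lines[0].split(" ")
    version = parts[-1] if len(parts) == 3 else ""
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        problems.append("bad-start-line")

    content_lengths = []
    codings = []
    for line in lines[1:]:
        if "\n" in line:                       # LF without CR inside a line
            problems.append("bare-lf")
            continue
        if line[:1] in (" ", "\t"):            # obsolete line folding
            problems.append("obs-fold")
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            problems.append("bad-header-name")
            continue
        name = name.lower()
        if name == "content-length":
            # "Content-Length: 5, 5" is a list too; collect every value
            content_lengths += [v.strip() for v in value.split(",")]
        elif name == "transfer-encoding":
            codings += [v.strip().lower() for v in value.split(",") if v.strip()]

    if content_lengths and codings:
        problems.append("cl-and-te")           # two different ways to find the end
    if any(not v.isdigit() for v in content_lengths):
        problems.append("cl-invalid")
    elif len(set(content_lengths)) > 1:
        problems.append("cl-conflict")
    if codings:
        if version == "HTTP/1.0":
            problems.append("te-http10")       # HTTP/1.0 peers do not understand it
        if "chunked" in codings and codings[-1] != "chunked":
            problems.append("te-chunked-not-last")
        if not set(codings) <= KNOWN_CODINGS:
            problems.append("te-unknown")
    return problems


if __name__ == "__main__":
    # constructed messages: one clean, one with contradictory framing
    for msg in (b"POST /upload HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n\r\n",
                b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"):
        print(framing_problems(msg))
```

The important design choice is to reject rather than to "fix" such a message: any rule for choosing between the two lengths can disagree with the rule the origin server applies, and that disagreement is exactly what lets a second request ride through on the same connection.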

IPsec connections to clients

In version 7.2-1.0, connections of type "Windows IKEv2" failed to load due to an error in the configuration template. The same happened for connections of type "Client" if the IKEv2 protocol was selected and no virtual IP was configured.
When downloading a setup package for Windows IPsec-L2TP (PowerShell), a setup package for Windows IKEv2 was delivered instead.

Wireguard DNS suffix

While preparing a Wireguard configuration for the peer, you can now include a DNS suffix.

Minor bugfixes and improvements

Secure

DEFENDO brings together a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti-spam system to interact for one purpose:
to protect you from all online threats and unwanted content like malicious code, spam and hacker attacks.

Flexible

Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO is suitable for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany