- D-Link
Contents
1. 26 The User Authentication logs sometimes contained faulty authentication information Log events were also missing in some authentication scenarios 27 A file transfer scanned by the HTTP ALG with anti virus activated could be aborted after a WindowZero event from the client 28 The active column of updatecenter servers command showed misleading information The column shows which server that is the recommended server to use by the UTM services Anti virus IDP and Web Content Filtering The column has been renamed to Precedence and a server is either marked as Primary or Backup 29 PCAP captures on non Ethernet interfaces were missing Ethernet headers causing Wireshark to fail opening the files 30 The configuration user and session stored for the configuration changes sometimes indicated that the wrong user session stored the configuration Now the correct user session parameters are stored 31 In rare cases the Web Content Filtering feature could trigger an unexpected restart of the firewall 32 A lease for a static host in a DHCP server was removed if a new lease with the same MAC address was created A lease is now removed if the new lease is within the same DHCP server and has the same MAC address 33 The webUI memory logger search fields used partial matching The search fields are now using strict matching with the possibility to use the wildcards and 34 Outdated information was sometimes used wh2. 31 The SIP ALG s CLI command sip registration flush did not work 32 Unreachable RADIUS Accounting servers could in rare cases cause undefined behavior 33 No log was generated when an L2TP session was closed 34 The SIP ALG s CLI command sip statistics flush did not work 35 Valid Neighbor Discovery packets would always cause the interface drop statistics to increase 36 After an HA failover the inactive node was getting stuck with old route states This had the side effect that routes could be reported as down in the inactive node even if they were actually up The issue is fixed by resetting the routes states whenever a node becomes inactive and for instance Route monitoring in High Availability will now work as it should 37 The index value for SNMP stat values for HTTP ALG was reset at reconfiguration so when polling those only one HTTP ALG was listed 38 A help text in the HTTP ALG incorrectly mentioned that URL Filter was not supported for the HTTPS protocol 39 Polling the SNMP property if Alias would for certain interface types not return the comment configured for the interface 40 Configuration backup restore failed if the backup file contained an additional line break at the end of the configuration file 4 i S lli hie z l D Link NetDefend Firewall Firmware Release Notes 41 When using DHCP client on an interface the broadcast address was not set With the broadcast infor
3. DFL 1660 2560 2560G DFL 260E 860E DFL 260E A2 A1 for all models 2 40 03 DFL 1660 2560 2560G DFL 260E 860E DFL 260E A2 A1 for all models 2 40 02 DFL 1660 2560 2560G DFL 260E 860E DFL 260E A2 A1 for all models 2 40 01 DFL 1660 2560 2560G DFL 260E 860E A1 for all models 2 40 00 DFL 1660 2560 2560G DFL 260E 860E A1 for all models 2 30 01 DFL 1660 2560 2560G DFL 260E 860E A1 for all models 2 27 03 DFL 210 800 1600 2500 DFL 260 860 1660 2560 2560G DFL 260E 860E A1 for all models A2 for DFL 210 800 1600 2500 A3 for DFL 210 800 1600 A4 A5 for DFL 210 Bi for DFL 260 860 DFL 210 800 1600 2500 DFL 260 860 1660 2560 2560G Al for all models A2 for DFL 210 800 1600 2500 A3 for DFL 210 800 1600 A4 A5 for DFL 210 Bi for DFL 260 860 DFL 210 800 1600 2500 DFL 260 860 1660 2560 2560G A1 for all models A2 for DFL 210 800 1600 2500 A3 for DFL 210 800 1600 A4 A5 for DFL 210 B1 for DFL 260 860 DFL 210 800 1600 2500 DFL 260 860 1660 2560 2560G Al for all models A2 for DFL 210 800 1600 2500 A3 for DFL 210 800 1600 A4 A5 for DFL 210 B1 for DFL 260 860 2 26 02 DFL 160 DFL 210 800 1600 2500 DFL 260 860 1660 2560 2560G A1 A2 for all models A3 A4 A5 for DFL 210 800 1600 2500 B1 for DFL 260 860 2 26 01 DFL 160 DFL 210 800 1600 2500 DFL 260 860 1
4. The inactive node in an HA cluster cannot be reachable over IPSec PPTP L2TP and GRE tunnels 7 If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over VPN tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 No aspects of the IDP signature states are synchronized in HA modes 2 40 00 1 Don t support the latest protocol used by oray net Peanut Hull clients 2 Transparent Mode won t in HA mode 3 ALGs won t synchronize states in HA mode 4 L2TP PPTP IPSec won t synchronize states in HA mode 5 The inactive node in an HA cluster cannot be reachable over IPSec PPTP L2TP and GRE tunnels 7 DFL cannot support redirecting L2TP IPSec tunnels to another DFL working in LAN 8 No aspects of the IDP signature states are synchronized in HA modes 2 30 01 1 Don t support the latest protocol used by oray net Peanut Hull clients 2 Transparent Mode won t in HA mode 3 ALGs won t synchronize states in HA mode 4 L2TP PPTP IPSec won t synchronize states in HA mode 5 The inactive node in an HA cluster cannot be reachable over IPSec PPTP L2TP and GRE tunnels 7 DFL cannot support redirecting L2TP IPSec tunnels to another DFL working in LAN 8 No aspects of the IDP signature states are synch
5. 5 lli hi z l D Link NetDefend Firewall Firmware Release Notes 124 The firewall could perform an unexpected restart in case an up and running PPPoE tunnel was disabled by the user 125 The DHCP Client did not renew its IP address lease after a link failure had been restored 126 The firewall would incorrectly terminate some HTTPS sessions when using an HTTP ALG with HTTPS resulting in a blank page in some browsers 127 TCP traffic inside an IPsec tunnel using Transport Mode where both peers were located behind a NAT gateway did not work as expected SYN ACKs never reached client when the firewall was configured with SynRelay 128 The community string in SNMP Remote Management was truncated if it was longer than 32 characters 129 Unsolicited ARP reply was not handled correctly according to the Unsolicited ARPReplies setting 130 The setting for Multiple Username Logins on the User Authentication Rule did not work as intended when selecting to use timeouts from the authentication server 131 When two SSL VPN Interfaces were configured on the same Interface with the same listening IP only one of them was triggering for all client connections even though different ports were used 132 The L2TPv3 Server leaked a small amount of memory when a new session was initiated within an established tunnel 133 Certain SIP PBX configurations caused the firewall to drop INVITE requests 134 In rare occasions when SIP was recon
6. HTTP request was generated while the WCF server connection was establishing The URL category lookup request is now silently queued and sent to the WCF server once the connection has been established 58 The HTTP ALG blocked web pages with malformed charset statement in HTTP headers 59 A misconfigured IPsec tunnel could in some scenarios cause the firewall to malfunction 60 The firewall sometimes restarted unexpectedly when using IDP Pipes 61 The LDAP client now handles authentication using PPP with CHAP MS CHAPv1 and MS CHAPv2 62 Adobe Illustrator ai files saved by recent versions of Illustrator did not pass the MIME type check performed by the Application Layer Gateways since they were identified as PDF files 63 Removing the use of DHCP on multiple interfaces could in some rare cases 4 i S 47 z l D Link NetDefend Firewall Firmware Release Notes during reconfigure cause the firewall to perform an unexpected abort Protection has been added to the timeout handling routine of DHCP 64 HTTP ALG generated information pages e g Restricted site notice could get incorrectly cached by downstream proxy servers This could lead to proxy servers returning a cached error message even though no error page should be seen 65 The OSPF Interface was missing the network configuration parameter This caused problems in certain setups where IPsec tunnels configured with 0 0 0 0 0 as remote or local netw
7. Mode setting in the HTTP ALG was not honored by the Dynamic Web Content Filtering 28 The log message for expired or no valid Web Content Filtering license did only show up once There is now a log message generated once a one minute This should be more noticeable to the administrator 29 The SMTP ALG could in some scenarios cause instability to the system by losing track of SMTP state synchronization The SMTP ALG has been updated with improved state tracking and email syntax validation 30 It was not possible to configure the primary NBNS server for L2TP PPTP server interfaces in the web user interface 31 The TCP monitoring of Server Load Balancing did not increase TCP sequence number in the reset packet sent to server in case of connection timeout The sequence number is now increased by one 32 Server Load Balancing did not use All To One for port numbers When using a range on the service the destination port would be the specified port plus 4 Ke S link z l D Link NetDefend Firewall Firmware Release Notes the offset from the low port number in the service 33 One of the log messages had an incorrect format When the log message was placed first in the log table the web user interface memlog would display an empty page 34 The description text for IP Pools incorrectly specified that IP Pools could be used by L2TP and PPTP 35 A confusing Anti Virus status message was visible in status pa
8. Support for VLAN priority derived from IP DSCP precedence 31 Gigabit Traffic Shaping Support 32 The PPPoE client has been changed to support unnumbered PPPoE 33 Improved server monitoring for Server Load Balancing 34 The ping CLI command has been improved 35 The schedule page has been improved 36 SSL TLS Termination 2 20 03 1 No new features were introduced in the 2 20 03 release 2 20 02 1 MTU can be configured for PPPoE Interfaces 2 MTU can be configured for PPTP L2TP Client Interfaces Changes of Functionality Firmware Modified Features Version 10 21 02 1 Disable SSLv3 support due to the vulnerability CVE 2014 3566 1 The firmware 2 30 01 and latter would ONLY be applied on the current 2 30 01 platform DFL 260E 860E 1660 2560 2560G 2 26 00 1 DFL 210 and DFL 800 remove IDP Maintenance Service Changes of MIB amp D View Module Support memory usage and TCP buffer usage monitoring Problems Fixed Firmware Version Problems Fixed 10 22 01 1 The options ValidateLogBad ValidateReopen ValidReopenLog ReopenValidate and ReopenValidLog for the setting TCPSequenceNumbers did not work and the system behaved as if configured with ValidateLogBad 2 The system would sometimes log that a packet had invalid TCP sequence number and would be dropped despite the fact that packets were allowed to reopen the connection and should be forwarde
9. The TCP stack used by TCP based ALGs web based user authentication and remote management did not respond to SYNs with the window set to zero 50 The CLI command arp flush lt interface gt did not work It has now been corrected Flushing the ARP cache on all interfaces using arp flush did work though 51 The firewall did not respond to TCP Keep Alive packets 52 Management sessions to the WebUI could on low throughput links timeout before the web pages have been fully loaded The timeout of the sessions has been increased in order to better handle this scenario 53 A leak of addresses in the static IPsec config mode IP pool caused the number of addresses available to clients to shrink over time It could also cause the device to reboot itself 54 IPsec config mode configured with a static IP pool did not in general hand out the last address in a range to clients 55 Log messages were not throttled correctly when the configured log receiver was offline and in return sent ICMP destination unreachable packets to the gateway This made the gateway trigger more log messages which could lead to drained CPU resources 56 IPsec config mode configured with multiple subnets or a static IP pool with multiple ranges of addresses falsely treated unchanged configurations as changed during reconfiguration and disconnected all tunnels 57 Using Web Content Filtering users were incorrectly displayed the access has been denied page if their
10. Transparent Mode and there is no loop avoidance 2 HA No state synchronization for Application Layer Gateways No aspect of Application Layer Gateways are state synchronized This means that all traffic handled by ALGSs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 3 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node e Inactive HA member cannot send log events over tunnels e Inactive HA member cannot be managed monitored over tunnels e OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 4 HA No state synchronization for L2TP and PPTP tunnels There is no state synchronization for L2TP and PPTP tunnels On failover incoming clients will e establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 1
11. clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 10 The function StateKeepAlive of NAT Pool is not working 11 The DUT would be crash and reboot after restart the GRE interface 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance gt AE EN 3 HA No state synchronization for ALGs No aspects of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent o F Ex hl ae i k z l D Link NetDefend Firewall Firmware Release Notes fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are
12. email syntax validation 30 It was not possible to configure the primary NBNS server for L2TP PPTP server interfaces in the web user interface 31 The TCP monitoring of Server Load Balancing did not increase TCP sequence number in the reset packet sent to server in case of connection timeout The sequence number is now increased by one 32 Server Load Balancing did not use All To One for port numbers When using a range on the service the destination port would be the specified port plus the offset from the low port number in the service 33 One of the log messages had an incorrect format When the log message was placed first in the log table the web user interface memlog would display an empty page 34 The description text for IP Pools incorrectly specified that IP Pools could be used by L2TP and PPTP 35 A confusing Anti Virus status message was visible in status page on non UTM capable devices The message has been removed 4 ae D Link NetDefend Firewall Firmware Release Notes Known Issues Firmware Version Known Issues 10 22 01 1 L2TPv3 is not support DFL will not add a switch route for L2TPv3 remote client 2 Radius server redundancy issue DFL will not rollback to primary Radius server till Secondary Radius server is down 3 Unable to support Radius setting via CLI 10 21 02 1 HA Transparent Mode won t work in HA mode There is no state synchronization for
13. engine causes false negatives during an HA failover Related Documentation NetDefend Firewall User Manual vi0 21 02 NetDefend Firewall CLI Reference Guide v10 21 02 NetDefend Firewall Logging Reference Guide v10 21 02 NetDefend Firewall Application Control Sig v10 21 02
14. established to from the active node 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 2 26 00 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGs No aspect of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back
15. in 15 When using a large number of neighbors in nodes running OSPF there was a rare possibility of memory corruption 16 A prompt was not added after various SSH printouts in the CLI 2 40 01 1 Corrected leap year problem where leap year day was added to January instead of February 2 The log event no arp ID 04100007 firewall action text was previously route_enabled the text is now corrected to route_disabled 3 Time unit seconds added to help texts in WebUI ALG SIP dialog and CLI command help ALG SIP 4 An expired AV or IDP license in an HA environment could trigger unexpected behavior in the inactive cluster node 5 Some web authentication scenarios could lead to unexpected behavior by the firewall 6 The output text for the CLI command dns list was not formatted correctly when using SSH remote management 7 The firewall did not handle lower and upper case correctly in some configuration scenarios where objects were named almost identically 4 i S z l D Link NetDefend Firewall Firmware Release Notes 8 In some High Availability scenarios the HA setting ReconfFailoverTime was not obeyed resulting in a failover when deploying a configuration on the active peer before the ReconfFailoverTime was reached 9 Cancelling the HA wizard would result in unexpected behavior of the firewall Affected models DFL 260E 860E 10 In rare occasions closing down a SIP session could lea
16. initiating a new SIP call 12 The return traffic for ICMP messages received on an IPsec transport mode interface was wrongly routed to the core itself and then dropped The return traffic is now passed back using the same connection as it arrived on 13 Tab completion in the command line interface CLI did not work on IPsec tunnels when using the ipsecstats command Tab completion is now possible to s la NYSE i kia z l D Link NetDefend Firewall Firmware Release Notes use in the ipsecstats command 14 The firewall did not accept certificates signed with RSA SHA256 15 Timezone setting could make the minimum date limit in scheduling to wrap and become a date into the future The minimum and maximum dates in scheduling have been modified to be between the years 2000 and 2030 which will not trigger the incorrect behavior 16 The SMTP ALG incorrectly blocked emails sent using the CHUNKING BDAT extension The ALG has been modified to remove the CHUNKING capability from the server s EHLO response This allows the emails to pass through the ALG 17 It was not possible to connect to the firewall using SSH if lots of public keys were registered in the SSH client 18 The firewall could unexpectedly restart when disabling automatic updates of anti virus and IDP updates 19 IPsec tunnels with a DNS name as remote endpoint would cease to function after a remote endpoint IP address change 20 Blackli
17. it worked correctly The techsupport command now only sends log message when it fails 10 A limitation on the number of simultaneous WebAuth transaction could prevent the authentication of authorized users 11 The IP Rule view in the Web User Interface was slow when viewing large collection of rules The rendering speed has been improved 12 Dropdown menus in the Web User Interface used a fixed width which caused objects with long names to push information outsize the window The dropdowns are now scaled to be able to show all the information The dropdown also automatically scrolls to the selected item when opened 13 The Mappings and Leases links on the DHCP Server status page in the Web User Interface didn t work 14 Disabling objects with references in the Web User Interface would delete the objects and references instead The objects are now only disabled when selecting to disable them 2 26 02 DFL 210 260 800 860 1600 1660 2500 2560 2560G 1 The range parameter in the rules CLI command did not work 2 The CLI command dns query only returned one IP address even though the DNS Record contained multiple entries 3 An error in the configuration engine caused problems when configuring the first OSPF Area for an OSPF Router Process 4 When using services with the SYN flood protection SYN Relay functionality enabled reconfigurations could result in unexpected behavior 5 Certain conditions sometimes led to
18. that does not accept log messages might 4 see S z l D Link NetDefend Firewall Firmware Release Notes send ICMP destination unreachable packets to the firewall These packets would trigger new log messages resulting in high CPU utilization Logging is now connection based and the sending rate of log messages will be decreased by the firewall when it receives ICMP destination unreachable packets regarding log receiver connections 24 TCP connections with SYN relay were not synchronized correctly In case of HA failover traffic on these connections would freeze 25 Unnecessary DynDNS and HTTP Poster re posts were triggered during reconfigure This is now avoided by always considering if the local interface IP address has been changed or if the HTTP Poster DynDNS configuration has been changed 26 Some H 323 messages were incorrectly disallowed by the ALG The H 323 Status Enquiry message is now allowed to be forwarded through the H 323 ALG 27 The Fail Mode setting in the HTTP ALG was not honored by the Dynamic Web Content Filtering 28 The log message for expired or no valid Web Content Filtering license did only show up once There is now a log message generated once a one minute This should be more noticeable to the administrator 29 The SMTP ALG could in some scenarios cause instability to the system by losing track of SMTP state synchronization The SMTP ALG has been updated with improved state tracking and
19. the firewall to freeze during save amp activate reconfigure 2 27 02 1 2 It was not possible to use User Authentication on IP4Group objects Certain SIP server scenarios in REGISTER transactions made the firewall reject incoming SIP calls 3 In some situations when using SMTP ALG with Anti Virus e mails with z l D Link NetDefend Firewall Firmware Release Notes attachments would not be completely transferred resulting in a timeout The ALG Anti Virus feature now specifically logs failure to decompress encrypted zip files A setting to allow or deny encrypted zip files have also been added 4 The usage bars on the DHCP Server status page were not displayed correctly when leases reached 100 usage 5 ACK messages for non 2xx PBXs responses were not forwarded by the SIP ALG 6 The DHCP Server did not send DHCP NAK messages in all scenarios This change speeds up the process of receiving a new IP address lease in these scenarios 7 The SMTP ALG always allowed emails where the SMTP from address and email header from address did not match A new setting has been added which allows the administrator to deny or tag these mails as spam 8 CLI command ipsecdefines has been removed from techsupport command 9 During configuration certain values were not reset after parsing an IGMP Report rule which made the next IGMP Query misbehave The configuration values are now properly reset aft
20. 20 seconds range 5 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover SSL VPN client 1 1 1 z l D Link NetDefend Firewall Firmware Release Notes 1 The client would sometimes terminate unexpectedly when displaying a balloon tooltip 2 It is now only possible to choose connect in the menu if not already connected and vice versa 3 The persistent gateway route configured on the tunnel interface was not properly torn down on disconnect 2 60 02 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGs No aspect of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunne
21. 3 Internet Explorer 7 and Chrome 4 2 27 01 1 A confirmation question will be prompted if the user attempts to execute a CLI command that may cause system delays 2 27 00 1 Grouping configuration objects into logical groups makes it easier to manage large number of configuration objects It is also possible to add a descriptive description and custom color to distinguish what these objects do This grouping functionality is only for presentation and does not affect the existing functionality 2 Logging enabled by default on rules for the following objects Access DHCP Server DHCP Relay Routing Rule Dynamic Routing Policy Rule IDP Rule Action IP Rule OSPF Router Process Threshold Action and User Authentication Rule 3 Static configuration objects default to their default values if the objects contain configuration errors This will prevent the firewall to misbehave due to configuration errors on static objects 4 The script command has been updated to handle adding objects with dependencies between each other 5 User authentication has been updated with a new authentication source that will grant access to the user without checking any credentials This functionality can be used to authenticate users from within login scripts etc to make auditing easier 6 All rule page layouts have been updated for how to enter the interface and network combination to be more intuitive 7 The data grid in the Web User I
22. 660 2560 2560G A1 A2 for all models A3 A4 A5 for DFL 210 800 1600 2500 B1 for DFL 260 860 2 26 00 DFL 210 800 1600 2500 DFL 260 860 1660 2560 2560G A1 for all models A2 A3 A4 A5 for DFL 210 800 1600 2500 2 25 01 28 DFL 210 260 800 860 1600 2500 A1 for all models A2 A3 A4 for DFL 210 800 1600 2500 2 25 01 22 DFL 210 260 800 860 1600 2500 A1 for all models A2 A3 A4 for DFL 210 800 1600 2500 2 20 03 DFL 210 260 800 860 1600 2500 A1 for all models A2 A3 A4 for DFL 210 800 1600 2500 2 20 02 Jul 10 2008 DFL 210 260 800 860 1600 2500 A1 for all models A2 A3 A4 for DFL 210 800 1600 2500 D Link NetDefend Firewall Firmware Release Notes Upgrading Instructions Upgrading by using CLI via SCP protocol SCP Secure Copy is a widely used communication protocol for file transfer No specific SCP client is provided with NetDefendOS distributions but there exists a wide selection of SCP clients available for nearly all workstation platforms SCP is a complement to CLI usage and provides a secure means of file transfer between the administrator s workstation and the NetDefend Firewall Various files used by NetDefendOS can be both uploaded and downloaded with SCP This feature is fully described in Section 2 1 6 Secure Copy of NetDefend Firewall v10 21 02 user Manual Upgrading by using Web UI For detailed installati
23. 8 VLAN traffic sent over and received from L2TPv3 interfaces was incorrectly required to be received on or forwarded on a VLAN interface with identical ID Now L2TPv3 interfaces trust the routing configuration and do not enforce any additional restrictions regarding how VLAN packets are handled by the rest of the system 169 Group names returned from external databases e g LDAP that contained spaces were not supported 170 The output list from the CLI command vlan was not sorted in VLAN ID order This has been corrected and the command was enhanced with the parameters to segment long output lists using num and page 171 The blacklist CLI command did not set the correct port number and destination URL in its output 172 The default metric for a manually added route was 0 instead of 100 173 Static destination address translation would fail for transport mode IPsec traffic 174 Changing an IDP Rule Action setting from Action Protect and Dynamic Black Listing enabled to Action Audit left the Dynamic Black Listing enabled 175 IPsec Transport mode clients using the same remote ID behind NAT devices failed to connect simultaneously 176 A warning text has been added to inform the administrator when the maximum number of IPsec rules for an IPsec interface has been reached 4 i S Mht z l D Link NetDefend Firewall Firmware Release Notes 177 The SSL VPN Portal would sometimes not u
24. A failover 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGs No aspect of ALGs are state synchronized This means that all traffic handled by ALGs willfreeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node ete 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels O
25. BLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D LINK RECEIVED FROM THE END USER FOR THE PRODUCT Content REVISION HISTORY AND SYSTEM REQUIREMENT ssssseecccccssssssseeecccccessseseeeecccceccseeeeessececcseeeeeeesececsesseeesseeeoseees 2 UPGRADINGIINSTRUGTIONS are 3 UPGRADING BY USING CUIVIASEP PROTOCOL c ccccs scccccssonscstsuscecouancctsosancet suvancessuscscessnicedessnecesbontasssscetasssnestsevatcntsebatsstsescscess 3 UPGRADING BY USING WEB UI o ccscc cccssececuxesseecssceececssoscsseysnecessterceuostossesssteessnostcassseoseesususocessborccsbeecesusteressdecsessesceteatsacensses 3 NEW FEATURES EEE 3 CHANGES OF FUNGTIONALITN 2c ciicccsccccccccesssessssccccccscssesssseccecuesossersctecccesssestsceccccscsssecstececcocssesssetcecccccstssstiescccessssseresee 12 CHANGES OF MIB amp D VIEW MODULE 12 PROBLEMS FIXME Dscscsscvsicccscctsssoedeccccccbeiiesieisscccssiuissctescocscusdebevscecccansasdvezsccesausssessseancuss uussuedesedecteusesevecuscosvescesivecsasaseeess 12 AOW NS SUS 54 RELATED DOCUMENTATION EEE 65 D Link NetDefend Firewall Firmware Release Notes Revision History and System Requirement Firmware Version Model Hardware Version 10 22 01 DFL 1660 2560 2560G DFL 260E 860E DFL 260E A2 A1 for all models 10 21 02 DFL 1660 2560 2560G DFL 260E 860E DFL 260E A2 A1 for all models 2 60 02 DFL 1660 2560 2560G DFL 260E 860E DFL 260E A2 A1 for all models 2 40 04
26. Content Transfer Encoding header field in e mails could sometimes cause the SMTP ALG session to malfunction 10 With TCP sequence validation turned on closing existing connections would cause all subsequent attempts to reopen the same connection to be dropped with a log message about a bad sequence number The situation would 4 i S z l D Link NetDefend Firewall Firmware Release Notes resolve itself after a timeout of about 50 seconds but would still cause severe traffic impairment in certain situations most noticeably HTTP traffic This change will by default loosen the restrictions when an attempt to reopen a closed connection is received ValidateSilent ValidateLogBad while still enforcing RFC correctness 11 The SMTP ALG could not tell the difference between the new Microsoft Office 2007 document file types and file type ZIP This is because there is no difference that can be easily discovered the new Microsoft Office files are in fact ZIP files with a different extension An ALG configured to make file integrity checks would therefore signal these files as invalid wrong mime type wrong file suffix The ALG will now identify Office 2007 files as ZIP files Anti virus checks will if enabled scan the contents of the new Office 2007 files just like it would with a regular ZIP file 12 IP address with suffixes 0 and or 255 could incorrectly be assigned to IPSec config mode clients 13 Nested M
27. DFL 260E and DFL 860E 6 Some scenarios made the firewall send malformed packets in an SSL negotiation 7 In a High Availability scenario it was not possible to log in to the firewall in order to download the SSL VPN client 8 The value Password Attribute for LDAP Servers could not be empty It is now possible to create an LDAP Server with an empty Password Attribute field 9 The possibility to configure interface groups inside interface groups has been added 10 Routes monitored only by ARP were not marked as down when the link on the Ethernet interface was down Affected models DFL 260E and DFL 860E 11 Setting up a High Availability cluster using the backup and restore method would result in problems synchronizing the configuration because of an invalid interface configuration The units now correctly handle that interface configuration by using information from the old configuration 12 Large VLAN tagged packets would be dropped by the RealTek R8169 driver The driver has been updated to handle VLAN packets Affected models DFL 260E and DFL 860E 13 The RealTek R8169 interface reported wrong link speed for SNMP The interface has been updated to report the correct speed Affected models DFL 260E and DFL 860E 14 The RealTek R8169 driver contained a watchdog that erroneously triggered too often and made the interface restart The watchdog has been updated with a z l D Link NetDefend Firewall Firmware Release
28. IME bodies could in some scenarios be blocked by the SMTP ALG For example the SMTP ALG could block images inserted as inline with an error message indicating base64 decoding error The recipient received the email without the attached image but an error message saying The attachment xxxx has been blocked by the Security Gateway The ALG has been updated with better support for nested MIME blocks 14 A user logging in via Web based user Authentication when configured to handle user credentials via one or several RADIUS servers it could cause an unexpected abort if no RADIUS server was reachable This issue has been fixed 15 The web user interface the properties in Dynamic Black Listing were incorrectly enabled when action was set to something else than protect 16 The icon for removing IKE SA was missing hence making it impossible to remove an IKE SA using the web user interface 17 DNS Blacklist CLI command showed wrong status of blacklist servers on inactive HA member Inactive HA member does not perform any anti spam inspection so the inactive node is unaware of the status of the blacklist servers 18 Email attachments with very long file names could cause memory corruption in the SMTP ALG 19 Log string sent to syslog receivers was not always correctly formatted Some log arguments were not separated by a whitespace resulting in invalid parsing by syslog receivers 4 Ke S lli hie z l D Link Ne
29. Intrusion Detection Protection IDP scenarios using hardware acceleration could cause scans to fail 4 Restarting a GRE interface did sometimes trigger an unexpected restart of the firewall 5 The POP3 ALG did not allow Digest MD5 authentication 6 The SIP ALG could forward malformed SIP messages if a range 0 65535 was used as destination port in the SIP service configuration 7 Specific scenarios using the PPTP ALG could sometimes cause an unexpected restart of the firewall 8 The log message sent when reclassifying a URL using Web Content Filtering showed the wrong category The log message has been updated to display the correct category 9 Web User Interface Activating a configuration that had deleted an item that was represented in the navigation tree would not automatically update the navigation tree This resulted in a navigation tree that did not correspond to the running configuration 10 Checked checkbox properties that were disabled were unchecked when submitting data in the Web User Interface since information sent by a web browser is identical for an unchecked checkbox and a disabled checkbox The configuration engine now correctly remembers the state of disabled checkboxes when submitting data 11 The HTTP ALG MIME type check did not have support for OpenDocument Text Documents odt 12 Script execute did not allow the cc command to run without parameters The command has been updated 1 The IP4 Group ob
30. Link NetDefend Firewall Firmware Release Notes inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 10 The function StateKeepAlive of NAT Pool is not working 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGs No aspects of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again
31. Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node 537 00 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 2 F Ex hl ae 4 N z l D Link NetDefend Firewall Firmware Release Notes 10 The function StateKeepAlive of NAT Pool is not working 1 T
32. Notes longer timer to prevent this from happening Affected models DFL 260E and DFL 860E 2 30 01 1 The firewall did not forward SIP registrations REQUEST with null values in the Authorization field 2 The source port 20 is occupied when combining the SAT Action in an IP rule with the FTP ALG 3 The CLI commands reset configuration and reset unit show incorrect default management IP 4 SIP ALG would close SIP calls two minutes after the call session was established in some network scenario 5 The Route Type in OSPF Actions was incorrectly interpreted by the firewall when the configuration was activated 6 An unexpected restart could occur during a configuration deployment when new IPSec tunnels were added to the configuration 7 It was not possible to use all address object combinations in places like routes or in the Address Book 8 The severity for the log message sslvpn max sessions reached was incorrectly set to DEBUG but has been changed to NOTICE 9 IP4Groups containing Userauth configured objects were not available for selection in IPRules The IPRules have been updated to allow IP4Groups containing objects with Userauth 10 The TLS ALG rejected SSL HELLOs with zero or more than one compression method 11 Some cipher suite combinations prevented the AES256 algorithm to be used when establishing SSH administration sessions to the firewall 12 Some specially crafted SDP payloads c
33. OSPF could in certain scenarios be set incorrectly which resulted in connectivity problems 16 A large number of applications that were previously unsupported have been added to Application Control feature 17 Dead Peer Detection for IPsec interfaces didn t work against some remote clients 18 The firewall could in rare occasions reboot unexpectedly if Anti Virus scanning was configured 19 The message shown when trying to log in with a user with insufficient privileges was not descriptive enough 20 The Advanced TCP Setting for CC Connection Count option was incorrectly named TCP Option Connection Timeout in the WebUI 21 The firewall could generate TCP packets with incorrect checksum on connections using address translation and some content inspection feature such D F hae NJ z l D Link NetDefend Firewall Firmware Release Notes as Application Control or Anti Virus In rare cases this could lead to stalled TCP connections 22 The configuration warning message Shared IP address cannot be equal to iface IP address was missing the name of the offending interface 23 Non pertinent information was displayed in the console command appcontrol show lists 24 Using some layer 7 features such as Application Control or Anti Virus would prevent ICMP errors from being forwarded even when the service was configured to allow ICMP errors 25 When using the IPsecBeforeRules or L2TPBef
34. age at failover triggered by linkmon 4 A new advanced setting has been added to control the number of RADIUScommunication contexts that can be used simultaneously 5 DNS name resolving uses the shared IP in High Availability setups 6 Added support for Host Monitor for Routing 7 Added command to handle language files on disk 8 Improved LDAP functionality 9 Redesign of the tuple value controller in the webUI 10 Display of network objects 11 Extended route monitoring capabilities 12 The IPsec status page has been improved 13 PCAP Recording 14 New advisory link in virus found log messages 15 The webUI has been extended to handle child objects in a tab 16 Support of custom monitor interval in Linkmonitor 17 ZoneDefense now supports DGS 3200 series switches 18 Anti Virus triggered ZoneDefense 19 LDAP Authentication 20 Route Load Balancing 21 Extended SIP Application Layer Gateway supporting new scenarios 22 TCP transport added to the SIP Application Layer Gateway 23 Multiple media connections for SIP Application Layer Gateway 24 PPTP server support for multiple PPTP clients behind the same NAT gateway 25 PPTP server and client have been extended to support stateful MPPE 26 Improved verification of IP4 values 27 IDP Triggered Traffic Shaping z D Link NetDefend Firewall Firmware Release Notes 28 AVSE MaxMemory setting has been removed 29 Relayer IP address filter at DHCP Server 30
35. an unexpected behavior when a firewall had IPsec tunnels configured 6 It was not possible to use User Authentication enabled objects in Routing Rules Threshold Rules IDP Rules or Pipe Rules 7 The log pages for the Web User Interface were rendered incorrectly resulting z l D Link NetDefend Firewall Firmware Release Notes in artifacts on some web browsers 8 The SMTP ALG did not load all whitelist and blacklist entries if the number of entries were more than about 30 The entries that failed to load were silently ignored All configured whitelisted and blacklisted addresses are now loaded and filtered correctly 9 Users were not properly logged in when IPsec LAN to LAN tunnels were configured to require IKE XAuth This could cause an unexpected reboot Now the LAN to LAN case is properly handled by IKE XAuth 10 The L2TP PPTP Server overview grid did not have a column for Server IP 11 The dropdown to select the interface for OSPF Neighbor in the Web User Interface printed the name wrongly The dropdown code has been enhanced to handle this value correctly and print the proper name 12 The validation of the latency setting in the Host Monitor configuration was not correct The configured value was lowered to an incorrect value 13 The setup wizard only created the second of the two possible Syslog servers The first Syslog server is now correctly created by the wizard 14 The min and preferred input fields
36. and GRE tunnels as such tunnels are established to from the active node 6 Inactive HA member cannot send log events over tunnels 7 Inactive HA member cannot be managed monitored over tunnels 8 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 9 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 10 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 2 20 03 1 The Oray net for Peanut Hull DDNS client does not work after supplier changed the protocol 2 HA Transparent Mode won t work in HA modeThere is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGsNo aspect of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the
37. cal parameter naming The recvif parameter is now renamed to srcif 20 HTTP ALG Added Force SafeSearch option A new option Force SafeSearch has been added to the HTTP ALG This option can be enabled so search queries to Google Bing and Yahoo through this HTTP ALG will be modified to enforce the SafeSearch functionality these search engines provide 21 L2TPv3 server enhancement The L2TPv3 server has been improved to better handle scenarios with a high amount of L2TPv3 clients connected to the same L2TPv3 server interface 22 L2TPv3 client Support for L2TPv3 client has been added The client can be configured to run over an Ethernet or a VLAN interface Protocols supported are UDP and IP In addition to this extended security can be added by routing the L2TPv3 client through an IPsec interface 23 New ipver argument to the connections CLI command The connections CLI command has been enhanced with an additional argument ipver that makes it possible to list only IPv4 or IPv6 connections 23 SHA256 and SHA512 IPsec algorithms The IPsec engine now supports the SHA256 and SHA512 algorithms to be configured on IPsec tunnels 2 40 03 1 Added the DHCP server when used with MAC address authentication to enable automatic logout of users When an IP address is being reused from the DHCP server and the old user was logged in via MAC authentication the DHCP server sends a logout message to log out the old user from the sys
38. category classification for the Web Content Filtering service calculated the percentage incorrectly when the number of hits was very large 73 The Application Control subsystem allocated memory resources which 4 i S lli hie z l D Link NetDefend Firewall Firmware Release Notes remained allocated for a long time and could cause the system to run out of memory A cleanup mechanism has been added that will optimize the Application Control memory usage when the system runs low on RAM 74 It was not possible to configure two or more SSL VPN interfaces with the same server IP and port 75 The firewall might experience unexpected behavior when reporting IDP events using SMTP LogReceiver under certain specific circumstances 76 L2TP client behind NAT using L2TP IPsec transport mode tunnel did not always succeed in reestablishing the L2TP tunnel 77 Using RADIUS accounting could under certain rare conditions lead to system instability 78 In rare occasions when an IPsec configuration was updated the firewall could restart or stop responding unexpectedly 79 The MTU for VLAN interfaces was calculated incorrectly causing unnecessary ICMPv6 PacketTooBig error messages 80 The invalid ip checksum log message did not correctly list the actual and expected checksums as intended 81 CRL lookup over LDAP did not work if the URL for the CRL distribution point did not contain the port 82 The ping command could
39. cation control was turned off It is now enabled disabled based on the application control slider 9 Enabling IPv6 on a VLAN interface with IPv6 disabled in the global settings did not produce a configuration warning 10 Route monitoring using link status did not recover a disabled route after a reconfigure had been issued 11 Keep alive set to Auto did not work on IPsec tunnels where the Remote Endpoint was a DNS name 12 SSH CLI sessions could not handle large amount of data being pasted or piped into the session 13 Connections scanned by IDP were sometimes broken at HA cluster configuration deployment 14 In the WebUI s L2TP PPTP client page there was no way of configuring the Originator IP Type or Originator IP 15 It was not possible to change the index of an interface route that was created automatically by the system using the CLI 16 In case of timeout a SIP session was terminated without notifying the UAC and the UAS This is now fixed by sending a timeout message to the UAC and a cancel message to the UAS in order to notify them before terminating the session 17 The Application Control feature did not recognize the Sohu Video application correctly 18 Anycast IPv6 source addresses were treated as invalid by the firewall In accordance to RFC 4291 a new advanced setting has been added called IPv6 Anycast Source where this behavior can be changed when needed 19 The CLI commands arpsnoop and ndsnoop did not out
40. cenarios and so on 1 Support SSL VPN feature 2 Support TLS renegotiation RFC 5746 in the TLS ALG 3 Increase the number of IDP signatures to up to 30 000 Configuration of up to 30 000 IDP signatures is now possible Affected models DFL 1660 2560 2560G 4 Add clone functionality to Web GUI It s now possible to create a copy of an object in the Web GUI by selecting Clone in the context menu in the data grids the edit page will pop up with information copied from the original object 2 30 01 5 Enhancement of services drop down menu The drop down menu for services has been enhanced to show port numbers 6 Enhanced IDP signature configuration It s now possible to select IDP signature groups from a visual tree interface 7 Add lifetime for connection in the log messages 8 Warning for incompletely cloned objects When cloning objects that contain properties which cannot be cloned an alert will be displayed 9 Support for dynamic server addresses in SSL VPN The SSL VPN server has been updated to support the sending of an optional domain name FQDN to the client that will be used to connect to the server 1 The D Link DES 3528 switch can now be used by ZoneDefense 2 27 02 2 A new log message has been added indicating that an ARP resolve query failed z l D Link NetDefend Firewall Firmware Release Notes 3 The following browsers are now supported Firefox 3 Opera 10 5 Safari
41. clients behind the same NAT gateway 5 SNMP Interface Alias field was empty when selecting Comment in Interface Alias 6 If L2TP clients with the same local IP address established IPsec tunnels behind a NAT device there were sometimes problems with the connections 7 The OSPF routes database was not updated during reconfigure in some High Availability scenarios 8 In some unusual circumstances the use of XAuth based authentication would lead to an unexpected reboot 9 The web user interface was not 100 compatible with Explorer 10 The basic structure has now been updated to render the page correctly in all major browsers 10 The firewall Dynamic Routing Rules did not properly export import OSPF routes when they were filtered by OSPF Tag range or Router Type 11 A few log message categories such as SSL VPN and IPv6 Neighbor Discovery were missing from the log message exception list 12 In some scenarios when using IPsec with XAuth ESP delete notifications would not be sent 2 40 02 1 In some rare occasions the memory consumption of the firewall could increase unexpectedly when deploying cluster configurations 2 The output list from the CLI command vlan was not sorted in VLAN ID order This has been corrected and the command was enhanced with the parameters to segment long output lists num and page 3 The blacklist CLI command did not set the correct port number and destination URL in its out
42. completion when adding a Custom Option for a DHCP Server was confusing and has been improved 104 The firewall s WebUI page showing authenticated users had the label Logged in as instead of the name or groups of the user s 105 The advanced IP setting to block multicast source addresses was covering a range that included too many addresses The range has been decreased to the correct 224 0 0 0 239 255 255 255 span 106 LDAP authentication was failing if the display Name of a user had a space and it was used as user name against an AD 107 On rare occasions the system could make an unexpected restart when using 4 Ke S link z l D Link NetDefend Firewall Firmware Release Notes the HTTP ALG together with Anti Virus scanning 108 In certain rare scenarios the H323 ALG could make the firewall reboot unexpectedly 109 The system would advertise the wrong IPv6 address when going active in a high availability scenario 110 In rare cases when a heavy load of IPsec traffic was sent through the firewall there could be logs about hardware acceleration failure with performance degradation as a result Affected models were DFL 260E and DFL 860E 111 When listing VLANs in the CLI and the same VLAN ID was available on more than one physical interface the listing was incorrect 112 Fragmented packets coming from a VLAN going into an L2TPv3 tunnel would be erroneously dropped in some situations 113 The int
43. d Alps Se 1 z l D Link NetDefend Firewall Firmware Release Notes 3 In rare occasions when using the PPTP ALG an incorrect ALG associated connection could be closed resulting in unexpected behavior 4 OSPF point to multipoint interfaces didn t allow for more than one neighbor to be configured 5 OSPF point to multipoint interfaces discovered neighbors using multicast instead of unicast 6 OSPF point to multipoint interfaces created an invalid dummy route for the interface IP 7 An Ethernet interface with a manually assigned MAC address would revert to its original MAC address after issuing the console command ifstat restart 8 The firewall might show unexpected behavior when restarting after changes in configuration if an SSL VPN interface using a specific Routing Table was already configured 9 The NetDefendOS web authentication feature could fail in some rare situations when the system was under heavy stress 10 The firewall s SNMP statistics could report active IPsec tunnels as down under certain circumstances 11 It was not possible to use Interface Groups as the OuterInterface when configuring an SSL VPN interface 12 The H 323 ALG sometimes caused unexpected reboots 13 It was not possible to use the CLI command ippool renew to renew leases 14 An error message is now displayed when trying to save a certificate with the same name as an existing object 15 The E flag in
44. d to an unexpected restart of the firewall 11 The general stability of SSL VPN tunnels has been improved 12 The deployment of new configuration could have a negative impact on the performance of Realtek 8169 interfaces Affected models DFL 260E DFL 860E 13 Running SSL VPN on a shared IP in an HA cluster disconnected the client at reconfiguration due to the inactive node going active during reconfiguration 14 A recent change in scp secure copy uses an end of option parameter that was handled erroneously by the firewall causing scp connections to be closed unexpectedly 15 The add CLI command would in some cases add a new configuration object with errors and the set CLI command allowed the user to modify configuration objects by entering invalid values Now the behavior has been changed to not modify the configuration if the resulting change causes errors unless the force flag is specified 16 The CLI netobject command incorrectly printed IPv6 addresses in IPv4 format 17 It was not possible to disable sending out High Availablility cluster heartbeats on nodes The setting was not obeyed 18 The Web Content Filtering WCF server connection could stall after a reconfigure and fail to resolve new URLs The issue has been corrected along with additional server connection statistics for the httpalg wcfcache CLI command 19 Log messages containing routing information used invalid values 20 Using the H323 ALG could
45. e overridden the content filter 11 A predefined list of file types were missing in the configuration for ALG file integrity and anti virus scan exclusion Specifying the file extensions can now be done with support of a list of extensions 12 The arguments to the CLI command arpsnoop have been changed To enable snooping on all interfaces all should now be used instead of and none instead of disable 13 Some malformed HTTP URLs were always blocked when scanning with IDP It is now possible to configure the way malformed HTTP URIs should be treated log drop droplog ignore 14 Previously ARP monitoring would be disabled if there was no gateway to monitor 15 Previously a route could not be configured to include its own gateway among hosts to monitor if the gateway address was obtained via DHCP 16 A missing anti virus signature database or a license file not allowing anti virus scanning resulted in all traffic sent through an anti virus enabled Application Layer Gateway to be blocked Even though this behavior guaranteed that un scanned traffic never passed through the gateway it could lead to unexpected interrupts in traffic flows 17 At shut down of the unit connected SSH clients were not disconnected 18 The interface status page could show corrupted driver hardware output when viewing VLAN interfaces VLAN interfaces have no driver or hardware information so this field is now left empty 19 Executing commands w
46. en fixed so it is normal to expect a lower rate of updates after a firmware upgrade 32 Safe Search configured together with Web Content Filtering sometimes caused system reboot 33 Removing a large number of IPsec tunnels from the configuration could cause the system to restart 34 Application Control Rules would with certain selected applications take longer time than necessary to parse during reconfiguration 2 60 02 1 No validation was done on hexadecimal pre shared keys before pressing OK on the configuration page They are now validated to only accept hexadecimal strings 2 It was possible to create user authentication rules without giving them a name but when saving the configuration an error was shown The name is now required when adding the rule 3 The CLI command dns showed servers with an index value of 0 to 2 The servers are now listed with an index value of 1 to 3 4 The statistics value for connections in TCP FIN state incorrectly also included TCP_OPEN 4 i S z l D Link NetDefend Firewall Firmware Release Notes 5 Long pipe names would disrupt the format of the CLI command pipes show The VLAN interface statistics was reset on each reconfiguration DHCP relay packets received on interfaces without configured DHCP relay could in some configuration scenarios be dropped 8 The Add button on the application control tab on an IP Policy was enabled even when appli
47. en generating log events from the ALGs which could cause the device to restart 35 It was not possible to select Local ID for certificates Added configuration support for Local ID D F hae NJ z l D Link NetDefend Firewall Firmware Release Notes 36 Configuring the static IPsec config mode IP pool with an address range where the least significant byte of the last address in the range is smaller that the least significant byte of the first address in the range would cause the device to reboot when several tunnels are established One example of such a range is 172 16 1 240 172 16 2 40 37 Route Fail Over status information was faultily printed on the console every time the state of the route changed These printouts are now removed and only the log events remain 38 Changing the high availability setting use unique shared MAC could make both nodes of a high availability cluster go active 39 There was a dependency between link monitors which resulted in that the effective ping interval was reduced for each new link monitor configured 40 The CLI was missing a quick and easy way to list the available runtime services A services CLI command has been added This command lists the runtime values of configured services 41 It was not possible to send IKE messages through an IPsec interface The result was that a pair of hosts could not establish an IPsec tunnel with each other using IKE if the neg
48. er parsing IGMP Report rules 10 Incoming SIP traffic routed through an IPsec tunnel was discarded by the SIP ALG 11 Some empty configuration values were not written to the configuration After a restart of the firewall the default values were used instead 12 Some buttons in the web user interface had truncated text 13 The reception of 255 255 255 254 as Framed IP Address in a RADIUS negotiation wasn t handled correctly in all installations Now this will always lead to an IP being assigned to the PPTP L2TP client from the configured IP pool 14 It was not possible to click on the IDP signature group links in the web user interface page IDP Factory Signatures Clicking on the link now lists the signatures in the group 15 The DNS client always dropped DNS replies that had the truncated bit set The truncated bit indicates that the reply does not contain the complete response and that a new DNS request should be sent using TCP if the client supports TCP DNS The DNS client now uses the addresses in the partial response instead of ending up with no address at all 2 27 01 1 Certain SIP PBX configurations blocked media transmission on calls established between devices located on the same interface of the firewall 2 The POP3 ALG did not reset its state after a failed authentication This could cause the next login attempt to fail z l D Link NetDefend Firewall Firmware Release Notes 3 Specific
49. er timed out from a RADIUS server 9 Configuring OSPF to run on top of VLAN interfaces did not set the VLAN s Ethernet base interface s receive mode parameter to accept OSPF multicast packets causing OSPF communication fail in some scenarios 10 The Web User Interface selection box was not wide enough which made long object names not being displayed in full 11 Error messages output by the time sync command were in some failure cases not informative enough to describe the problem 12 On rare occasions the firewall could perform an unexpected restart after reconfiguring a PPTP server that used LDAP authentication 13 Configuring an IPv6 core route would always cause a configuration warning 14 Traffic passing through an IPsec tunnel was sometimes incorrectly dropped if there was fragmentation of the packets 15 Valid UTF 8 characters were in some logs not shown properly 16 UDP packets sent from the firewall when using the ping CLI command always had the same Fragmentation ID or Identification field set 17 The output from the time sync command was shown in all active CLI sessions It will now only appear in the session where the command was executed 18 The description of the Facility parameter in the Syslog Receiver configuration object was incorrect 19 The device could restart unexpectedly when Application Control was disabled on an IPRule matching active IPv6 traffic 20 Certain rare certificates could not be added to
50. ernal SSH Server could in rare circumstances use an increasing amount of memory 114 Enabling Router Advertisement on an interface with an unnamed IPv6Network would produce a configuration error 115 The properties for local peer and remote peer in the IPsec logs were sometimes truncated 116 The system sometimes restarted unexpectedly during a reconfiguration 117 The firewall would always perform automatic updates of IDP and AV databases on startup and HA activation Automatic updates will now only occur at the configured time 118 The log events too many flows aged and failed to select policy rule both used the same log ID 01803001 Now the former uses ID 01803005 and the latter ID 01803001 119 Syslog messages sent from the firewall did not follow the standard specified in RFC5424 A setting that enables sending Syslog messages according to RFC5424 has been added to the LogReceiverSyslog configuration object 120 LDAP queries against OpenLDAP servers did not work as expected It is now possible via the new setting Combined Username and Optional Attribute on the LDAP Server to specify how LDAP queries towards an OpenLDAP server should be sent 121 Certain web pages were not possible to reach or load when using the HTTPS ALG 122 POP3 ALG log messages would sometimes contain incorrect e mail addresses 123 On rare occasions the SMTP and POP3 ALGs could not read fields from the DataHeader correctly 4
51. etime 189 ISAKMP cookies in IKEsnoop messages were sometimes displayed incorrectly and could lead to a mismatch in the print out of the Delete SPIs and the cookies in an IKE delete message 190 In an IPsec scenario where XAuth was used on the tunnel the memory consumption could in rare circumstances increase unexpectedly after renegotiations 191 Certain configurations related to one sub system could cause a security vulnerability 2 40 04 1 The IP protocols 33 and 48 were logged with incorrect names and IP protocols 131 to 142 were missing names The IP protocol list has been updated according to the current IANA definition 2 Syslog messages sent from the firewall did not follow the standard specified in RFC5424 A setting that enables sending Syslog messages according to RFC5424 has been added to the LogReceiverSyslog configuration object z l D Link NetDefend Firewall Firmware Release Notes 3 Certain configurations related to one sub system could cause a security vulnerability 2 40 03 1 Routemon did not detect link state changes on some Realtek interfaces Affected models DFL 260E DFL 860Es 2 The link status info for the Realtek interfaces disappeared after a reconfigure Affected models DFL 260E DFL 860E 3 In some scenarios with IDP configured traffic of certain patterns could in rare circumstances be delayed 4 It was not possible to connect multiple L2TP IPsec
52. f entries exist that are older than 30 days it will print 30 days and truncate if less than 30 days date of last entry will be printed 14 The system information slides on the front panel display could stop after showing the first sensor under certain conditions when Hardware Monitor was enabled The system information slides can now loop through all pages without getting stuck Only affected hardware models with front panel display 15 There was a critical defect in the Web Content Filter functionality that could cause the firewall to reboot unexpectedly DFL 160 1 It did not work to have DHCP assigned IP on the WAN interface and at the same time relay DHCP requests to hosts on the LAN or DMZ in transparent mode 2 If the Internet connection had dynamic IP address DHCP enabled and transparent mode was used on LAN or DMZ the IP address on the LAN DMZ D hae SU z l D Link NetDefend Firewall Firmware Release Notes interface was set to 0 0 0 0 1 PPP negotiations were sometimes slower than necessary 2 Deploying a configuration during heavy traffic load could cause a watchdog reboot 3 It was possible to enable the anti spam feature DNSBL on an SMTP ALG without specifying any DNSBL servers Configuring DNSBL without specifying any servers will now give an error 4 Some errors in IPsec tunnel configuration were not correctly treated during the firewall start up process resulting i
53. figured the firewall could make an unexpected restart 135 Some characters were not supported in passwords for users being authenticated using LDAP as source 136 It was possible to configure multiple static DHCP hosts with the same IP or MAC address without getting a configuration warning 137 The cryptographic accelerator on DFL 260E 860E could in some high performance situations become unresponsive 138 With Application Control enabled in some high bandwidth scenarios there was a possibility that connections might stall and make the traffic flow slow 139 The CLI command dhcpserver was not able to show the client identifier string Now it supports both MAC and identifier 140 Unexpected exceptions sometimes occurred when the remote endpoint of an IPsec tunnel was set to a DNS object 141 The system would set the BROADCAST flag in DHCP Discover and DHCP Request messages despite being fully capable of receiving unicast replies 4 5 link 4 z l D Link NetDefend Firewall Firmware Release Notes 142 The update center CLI command would return an error if no argument was specified It will now show the status of all databases as default action 143 The L2TP PPTP client used the wrong source IP when the interface used for L2TP PPTP traffic was changed due to a DHCP update 144 The navigation menu disappeared when visiting the List all active IKE SAs from the IPsec status page The navigation menu s
54. for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 10 The function StateKeepAlive of NAT Pool is not working 11 SIP ALG Limited functionality on SIP ALG It supports three scenarios a Protecting local clients Proxy located on the Internet b Protecting proxy and local clients Proxy on the same network as clients c Protecting proxy and local clients Proxy on a DMZ interface A more detailed description and network topologies can be found in the Admin Guide Any scenario different from these three might be difficult to deploy 12 SIP ALG Limited functionality on IP telephony It is not support all functionality in RFC 3261 or other RFC s that is referred to from RC 3261 There may be third party SIP aware units that cannot be configured to be compatible with the SIP ALG 1 The Oray net Peanut Hull client does not work after they changed the protocol 5 57 0P 2 HA Transparent Mode won t work in HA mode There is no state er synchronization for Transparent Mode and there is no loop a
55. g based technologies from Kaspersky improving protection for malicious scripts URLs and files transported through the system 7 6 in 4 Tunneling The new 6 in 4 Tunneling feature is a transition mechanism that enables customers that lack native IPv6 connectivity to setup a tunnel towards a Tunnel Broker using IPv4 and thereby be able to access IPv6 hosts and offer services on IPv6 This feature greatly simplifies configuring mixed networks and enables customers to continue to use IPv4 only services in a more transparent way 8 Support for IEEE 802 1ad QinQ Service VLAN NetDefendOS already provide fine granularity for configuring 802 1q tagging enabling customers to configure the same 802 1q tag on different Ethernet Interfaces With the addition of 802 1ad it is now possible to configure QinQ using 802 1q VLANs on top of Service VLANs 802 1ad VLANs This new feature is very useful in service provider scenarios or for larger enterprises 9 PCAP support in the Web User Interface A PCAP tool has been added to Status gt Tools to allow control over packet capturing from the web user interface Some of the more common filters and 2 F Ex hl ae i k z l D Link NetDefend Firewall Firmware Release Notes options are available to specify and it is possible to start stop and download packet captures 10 Added Diagnostic Console Page in the Web User Interface The Diagnostic Console collects system cr
56. ge on non UTM capable devices The message has been removed 1 ICMP Destination Unreachable packets were not sent when UDP packets hit a Reject rule 2 Web authentication and web server connections were not closed correctly at reconfiguration 3 The DHCP Server did just send replies back on the receiving interface without regarding routing decisions The DHCP Server now performs a route lookup if the reply is destined for a host address i e not an IP broadcast 4 HA setups with IDP scanning enabled packets could be lost during a failover 5 Some services were using the private IP in HA setups for communicating This is now changed and the shared IP is used 6 The DNS lookup of the IP address to a remote gateway failed under certain circumstances for IPSec interfaces 7 The CLI command for displaying updatecenter AV IDP update status did not show enough information It has now been improved zavi 8 TCP connections could sometimes fail due to an incorrect sequence number check 9 A missing Content Transfer Encoding header field in e mails could sometimes cause the SMTP ALG session to malfunction 10 With TCP sequence validation turned on closing existing connections would cause all subsequent attempts to reopen the same connection to be dropped with a log message about a bad sequence number The situation would resolve itself after a timeout of about 50 seconds but would still cause severe traffic impairment in certain
57. guration synchronization 68 Configured IDP pipes were not always displayed in the CLI 69 Blacklist logs sometimes showed incorrect protocol or port 70 Memory usage for SIP was displayed incorrectly 71 A DHCP server lease was not removed from the inactive HA node when the CLI command dhcpserver releaseip was issued on the active node 72 The system could unexpectedly restart if a service s ALG type changed from e g FTP to HTTP while having active connections 10 21 02 1 Source Address Translation Auto would not result in correct behavior when configuring IPPolicies 4 i S z l D Link NetDefend Firewall Firmware Release Notes 2 Fragmented traffic sent through an IPsec tunnel was sometimes dropped 3 No error was generated when configuring HTTPS management without selecting an HTTPS certificate 4 The Router Advertisement related settings had inconsistent naming The names have been updated and a configuration converter has been added so that existing behavior is kept after upgrade 5 IPsec interfaces could not be used by OSPF to communicate with a neighbor 6 Connections using the secondary route in a route monitor setup where the primary route had failed were incorrectly closed during reconfiguration 7 A firewall with User Identity Awareness configured could in rare scenarios reboot unexpectedly 8 Memory consumption could in rare circumstances increase when an authenticated us
58. had swapped position on the configuration page for IPsec Algorithms and IKE Algorithms in the Web User Interface The position of the input fields has been corrected 15 Inthe Web User Interface it was not possible to change order of objects that were both disabled and deleted It s now possible to move objects that are both disabled and deleted DFL 160 1 Enabling POP3 on the Inbound Traffic page did not have any effect 2 26 01 DFL 210 260 800 860 1600 1660 2500 2560 2560G 1 A configuration that contains a routing table loop could lead to the watchdog being triggered Now the configuration will fail to be activated with the following message Dynamic routing configuration error possible configuration loop 2 Setting both IKE Lifetime and IPsec Lifetime to 0 seconds in an IPsec tunnel triggered a warning message on the console referring incorrectly to another property 3 Proposal lists were not properly listed in command line ipsectunnel iface output 4 When using a user authentication rule for HTTPS with LDAP an SSL socket was sometimes not closed possibly resulting in instability 5 It was not possible to use certificates that had no alternative name set 6 Due to memory corruption occurring in some setups the internal timers z l D Link NetDefend Firewall Firmware Release Notes caused the firewall to restart unexpectedly Depending on the traffic load the reboots occurred period
59. he Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGs No aspects of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node 5 Inactive HA member cannot send log events over tunnels oe 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming
60. hich used object arguments from within a script file did not work It is now possible to execute such commands from within script files 20 IP4HAAddress peer address was not shown in the WebUI and CLI address book views The HA peer address is now displayed in address book listings 21 Idling system backup download for more than 5 seconds aborted the download It is now possible to idle up to two minutes without having the download being aborted 22 When the SMTP ALG anti virus engine detected multiple infected files within a single ZIP file the name of the zip file was incorrectly added to the D F hae NJ z l D Link NetDefend Firewall Firmware Release Notes BlockedAttachments txt file each time a virus was found The zip file name is now only added once no matter of the number of infected files within the zip file 23 An HA node sometimes froze and had to be physically rebooted after updating IDP signatures via updatecenter 24 The authentication method for IPsec tunnels was set to PSK as default value When adding such tunnels from the CLI this was unclear When using the CLI to create IPsec tunnels the user must now explicitly specify the wanted authentication method 25 Microsoft Windows LT2P over IPsec sessions could fail in the sequence of re keys 26 When using the CLI it was possible to add objects to already disabled folders It is no longer possible to add objects to disabled folders
61. hould now correctly still be there and highlight IPsec status 145 NATed traffic sometimes used an old source IP address for connections opened prior to a dynamic update of the IP address of the outgoing interface 146 The configurable minimum lease time of the DHCP server was incorrectly set to 0 seconds This has now been changed to 30 seconds 147 ndsnoop messages would sometimes show the firewall s MAC address as 00 00 00 00 00 00 148 The system could in some situations misbehave when parsing malformed SNMP packets on the remote management interface 149 Advisory links were missing on the IDP log event list in the web interface and when listing a large amount of IDP log events the system could become unresponsive 150 A space was placed before REDIRHOST in HTTP banner files leading to bad URLs 151 The switch driver used on DFL 260E rev a2 appliances had a faulty default configuration which lead to performance issues 152 Service custom timeouts did not trigger when used by an IP Policy 153 Forcibly logging out authenticated users via the CLI command userauth remove did not generate a log event 154 The TFTP ALG would stop forwarding packets after 65535 blocks 155 The CLI commands ippool and idppipes had no default usage and they were always in need of an argument Now they can be used without any argument which implicitly means running them with the show argument Furthermore the max option for ippool ha
62. ically from a few hours up to several days This issue has been corrected together with fixes in the loader 7 The establishment of SYN flood protected TCP connection could be unnecessarily delayed due to the firewall dropping all the packets sent by the client side while waiting for the completion of the three way handshaking between the firewall and the server 8 Updates of the Anti Virus database could only be done when the Anti Virus functionality was enabled The database can now be updated even though no Anti Virus functionality is enabled 9 The license page showed an incorrect value for maximum number of PPP tunnels 10 Running certain sequences of CLI commands or performing corresponding actions in the Web User Interface involving multiple reject commands could cause a critical malfunction in some cases 11 After running the CLI command reject with a configuration object as parameter activation of configuration changes could fail with an error message but show errors would say that there were no errors The show errors command has been updated to correctly display these errors 12 Keep alive SIP pings were not handled correctly and would generate drop logs The SIP pings are now handled correctly and a response pong is sent 13 The console command always printed that it showed the events for the last 30 days even though nothing had happened The command has been updated so it will print the date of the oldest entry I
63. in rare circumstances lead to unexpected behavior 21 An error in the configuration module could in rare occasions lead to unexpected behavior during the deployment of a new configuration 22 The output of the CLI command ifstat has been extended to list the shared MAC addresses on the interfaces of High Availability cluster nodes 23 Passwords for newly added users were not encrypted in the configuration file 4 i S z l D Link NetDefend Firewall Firmware Release Notes 24 OSPF MD5 authentication misbehaved when using ID other than 2 25 The RADIUS accounting session ID string could under some circumstances be reused for a later session 26 A prompt was not printed in the CLI after activating a new configuration 27 Arecent security patch for CVE 2011 3389 in some popular web browsers made the firewall s SSL VPN client download page unreachable 2 40 00 1 Some VPN configurations using Radius Accounting did not report in out octet statistics to the Radius Accounting server 2 The H 323 ALG did not allow FACILITY messages to be sent during the ALERTING state 3 In certain scenarios traffic originating from LDAP could lead to unexpected behavior by the firewall 4 If SSL VPN was configured to listen on a proxy ARPed IP it was not possible to log in to the SSL VPN portal 5 Browsing to certain pages in the WebUI would lead to unexpected behavior for the firewall Affected models
64. in some rare cases report an incorrect round trip time 83 When using a routing table with the Ordering setting configured to Default the named table was sometimes incorrectly consulted first instead of the default routing table during route lookup 84 Using SCP to download a file from the firewall whose filename included a hyphen e g my cap cap would fail with a Permission denied error message 85 The CLI prompt was not shown after the pipes show CLI command 86 In some situations the system would send an extra TCP ACK packet when it did not need to 87 The pcapdump command did not print a warning message in the CLI when the buffer was full 88 The descriptions of custom timeout settings in the WebUI were not consistent and have been changed from timeout to idle lifetime 89 When using a service group which contained overlapping services there was no warning message that this may cause undefined behavior 90 When arp notify was used in an HA setup the firewall incorrectly used its private MAC address instead of the shared MAC address 4 i S lli hi z l D Link NetDefend Firewall Firmware Release Notes 91 The setting for SLB HTTP monitoring erroneously required a value and can now be left blank in the configuration without an error being generated 92 Changes made to the HTTP normalization parameters on an IDP rule were ignored unless other settings were changed on the same IDP
65. ist now validates the extension for the first packet when the content type could not be determined in the first packet In certain scenarios the voice transmitted through the SIP ALG terminated suddenly two minutes after the call was established Office xlsm files were blocked by the SMTP ALG Encrypted xIsm files are embedded in an Office 97 2000 Compatible container which results in an 8 9 10 11 12 13 incorrect file typ according to file integrity control The file integrity control has been updated to handle encrypted xIsm files A faulty model check made the Switch Management not display all the switch ports in the WebUI for the DFL 860E model The Realtek 8169 interface reported link down incorrectly This caused route monitor to not work properly Affects DFL 260E and DFL 860E The HTTP ALG failed to load web pages from certain web servers correctly The HTTP ALG will now respond with a TCP RESET should the server continue to send packets after the client has closed the connection Anti virus scanning of zip files containing files with a large compressed size could sometimes lead to unexpected behavior Using HTTP web authentication with a RADIUS server as authentication source could in very rare scenarios cause the firewall to malfunction during save amp activate reconfigure Two HTTP ALGs with the same name but with different case e g MYHTTPALG and myhttpalg could sometimes cause
66. itical logs and is used to help troubleshooting of internal problems within the system To ease access to the Diagnostic Console it is now available under Status gt Maintenance gt Diagnostic Console in the web user interface 11 DHCP Client Enhancements The DHCP Client is now supported on VLAN interfaces 12 PPPoE Client Enhancements It is now possible to use the PPPoE client over VLAN as well as Ethernet Interfaces 13 RADIUS Enhancements This release has added support for the Framed IP Netmask attribute This attribute together with the Framed IP attribute can be combined to generate a route This enables customers to set up VPN tunnels using RADIUS authentication with L2TPv2 IPsec 14 Command Line Interface CLI Enhancements The Command Line Interface CLI now supports viewing and filtering the Memory Log using CLI commands 15 User Identity Awareness Enhancement The User Identity Awareness Agent has been updated with a protocol that supports a larger number of group memberships for a user Note NetDefendOS 10 21 02 and up is required for use with this new 1 01 00 Agent version 16 ZoneDefense with Universal MIB ZoneDefense now supports switches that use the Universal MIB 17 Diagnostics amp Quality Improvements To improve the quality of the product anonymous usage information is sent to the manufacturer The data sent is encrypted and contains information such as firmware version UTM database versions upti
67. ject didn t handle excluded addresses correctly It s now possible to use excluded and included objects in the correct way 2 Certain SIP option messages with high values for the expires header field failed to be properly parsed When that occurred incoming calls to phones placed behind the firewall failed 3 Some HTTP headers could cause HTTP connections through the HTTP ALG to 2 27 00 be closed down prematurely 4 On DFL 260 DFL 860 some specific high stressed Intrusion Detection and Protection scenarios using a hardware accelerator could drain the memory of the firewall 5 The SMTP ALG did not accept response codes that only contained numeric data 6 Browsing the Web User Interface over HTTPS would sometimes result in 4 SF z l D Link NetDefend Firewall Firmware Release Notes Error 500 Internal server error 7 On DFL 1600 DFL 1660 DFL 2500 DFL 2560 G after a reconfiguration using a HA configuration the interface synchronization list for the Inactive node contained invalid interface references which could cause problems when connections were synchronized before the list was rebuilt The references are now properly cleared during a reconfiguration 8 In the Web User Interface when defining an IDP Rule the check box to enable or disable the option Protect against insertion evasion attacks was not visible 9 The CLI techsupport command always sent a sesmgr file error log message even when
68. l redundancy for service critical installations where z l D Link NetDefend Firewall Firmware Release Notes IPsec tunnels are used Fully established IKE and IPsec SAs are now synchronized to the inactive HA cluster node making it possible to keep tunnels up and running throughout a node failure restart or upgrade eliminating the need to renegotiate the tunnel after HA system fail over Fail over times should be less than a second and the impact on routed packets over the tunnel is minimal Note only available on DFL 1660 DFL 2560 and DFL 2560G 4 IKE IPsec Virtual Routing support Virtual Routing for IKE IPsec tunnels is now supported which allows for flexible usage of IKE IPsec tunnels in more complex networks with overlapping IP ranges or where multiple routing tables are used In practice this means that you can now terminate or initiate IKE and IPsec traffic in any routing table and not only in the main routing table It also allows for a more flexible configuration of an IKE IPsec tunnel where it is possible to configure any ARP or core routed IP to listen on for incoming IKE IPsec traffic and not only the interface IP address 5 Link Aggregation support IEEE 802 1AX 2008 and 802 3ad Link Aggregation for 1 Gbps Ethernet links with static link aggregation and LACP negotiated link aggregation is now supported 6 Improved anti virus scanning The anti virus engine has been improved to support the latest streamin
69. ls as such tunnels are established to from the active node A Inactive HA member cannot send log events over tunnels B Inactive HA member cannot be managed monitored over tunnels C OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 5 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 2 40 04 1 SSL VPN Outer interface any limitation If the SSL VPN interface is configured with the outer interface any option SSL VPN will be disabled 2 The Oray net Peanut Hull client does not work after they changed the protocol A LAA Ex DE S z l D Link NetDefend Firewall Firmware Release Notes 3 HA Transparent Mode won t work in HA mode There is no state synchronizati
70. mation missing incoming traffic could not make ARP resolutions correctly 42 In rare circumstances during HA hand over the inactive HA node could erroneously send neighbor solicitations for its own shared IP 43 There was no error or warning generated when trying to configure switchroutes in an HA cluster 44 If an authenticated user had a lot of privileges the CLI command userauth was printing unaligned output Furthermore the CLI command userauth user lt user gt has been extended to show all the privileges the lt user gt has 45 There were no logs about destination port destination IP or name of SSL VPN interface for incoming SSL VPN connections 46 It is now possible to use route as an alias to the CLI command routes 47 The Request URL property of an HTTP host to monitor required the http prefix before the actual URL This is now fixed by appending it automatically if not given 48 The firewall failed to match an HTTP Monitoring response with the expected response value given by the user in case special characters existed spaces tabs line feeds carriage returns 49 If DNS resolution of an HTTP monitored host failed the respective route was always declared up and no other connection attempts were made The fix allows proper action on the route and re attempts for DNS resolution 50 On systems with multiple active IPsec tunnels configured to add dynamic routes the memory usage increased for every reco
71. me and memory usage The type of diagnostic data sent can be tuned in the configuration and can also be completely disabled 18 Source IP selection for RADIUS requests The RADIUS server configuration has been enhanced with the possibility to manually specify the source IP for RADIUS requests 19 DHCPv6 Server support The system now includes support for DHCPv6 Server which can be used to 4 si 3 aye lli hi z l D Link NetDefend Firewall Firmware Release Notes configure IPv6 hosts with IP addresses IP prefixes and or other configuration required to operate on an IPv6 network 20 RADIUS Relayer The system now supports acting as a RADIUS Relayer which can provide user information and DHCP IP provisioning for RADIUS based authenticated users for example when a user roams over from a cellular network to an Enterprise WiFi network for data access This is useful as it allows for granular user and group based policing of traffic controlling access to network resources 21 ARP Authentication A new authentication agent has been added that makes it possible to authenticate users based on the MAC address in the firewall s ARP cache as username Supported authentication sources are external RADIUS and LDAP databases 22 RADIUS server retry Configuration options have been added to make the firewall able to retry contacting the primary RADIUS server if failing to contact the backup servers config
72. n IPsec tunnels not properly being set up Now most of those errors make the tunnel be disabled and a warning message be displayed For the most severe ones the configuration will be rejected by the system 5 Running FTP ALG in hybrid mode could result in the first packet being dropped when the connection to the server isn t established and this leads to a three seconds delay The connection from the ALG to the client will now not be initiated until the server connection is established towards the ALG 6 It was not possible to move a rule up or down in the list if the rule was disabled EGG 7 The command ipsecstats could in some circumstances not show all tunnels when a tunnel name was given as an argument The command now displays all the tunnels when tunnel name is given as an argument 8 The command ipsecstats only listed the first matching IPsec SA when a tunnel name was given as an argument The command now displays all IPsec SAs that are connected to the specified tunnel name 9 The FTP ALG virus scanner triggered an unexpected restart if the virus signature database was updated while files were being processed by an FTP ALG configured with fail mode set to allow 10 The ippool show CLI command output showed all configured pools which could be a very long list Now only the first ten are listed by default The max lt num gt option can be used to display more items 11 The SIP ALG didn t handle 183 Session Message when
73. n failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 1 If the IPSec encapsulation was configured as both when upgrade firmware to v2 25 01 22 it will cause device into cycle reboot This problem has been 2 25 01 22 fixed in v2 25 01 28 2 The Oray net Peanut Hull client does not work after they changed the protocol 3 HA Transparent Mode won t work in HA mode There is no state f LAA SJ z l D Link NetDefend Firewall Firmware Release Notes synchronization for Transparent Mode and there is no loop avoidance 4 HA No state synchronization for ALGs No aspect of ALGs are state synchronized This means that all traffic handled by ALGs willfreeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 5 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP
74. nfiguration 51 Memory management in configurations with IPsec where Xauth and RADIUS was used was not always correctly done 52 Using RADIUS for authentication and or accounting under certain rare conditions could sometimes lead to use of previously released memory and system instability 53 On systems with OSPF configured an unexpected restart could in rare occasions happen after a large number of reconfigurations 54 The system could in rare occasions restart unexpectedly when doing configuration changes related to IPsec tunnel s that uses XAuth for authentication 55 Extensive memory usage occurred after a very large number of users having been logged in to system 56 The system showed configuration warnings about overlapping services when a service group is configured as the member of another service group even 4 Ke S lnk z l D Link NetDefend Firewall Firmware Release Notes if the actual services don t overlap with each other 57 It was possible to add an Authentication Agent object without specifying a name for it 58 The DirectedBroadcasts drop log message was missing information about the source IP of the host sending the broadcast and the destination IP network broadcast it was attempting to use 59 There was no check whether IPv6 was globally enabled when trying to send IPv6 ping messages so the user could send pings without knowing this would not work 60 The PPTP subsy
75. ns with short lifetime 47 There were no warnings about changed IPRules or IPPolicies due to configuration changes 48 ZoneDefense did not log the unblocking events 49 The firewall sent IPsec initial contact notification when rekeying an IPsec SA without an existing IKE SA This could case the responder to first delete the IPsec SA before the rekey request was processed and lead to interruptions in traffic going through the tunnel since whole new IKE and IPsec SA could be established as a result instead of a rekey 50 The span for the Update Center s Hourly setting was not correct and has been changed from 11 to 12 hours 51 When using the Hourly interval for Update Center the updates ran every hour despite the setting s value 52 The blacklist show command displayed all blacklisted and whitelisted hosts It has been updated to display a default of 20 blacklisted and whitelisted hosts or the specified number of hosts using the num argument 53 The NAT pool IP range setting used to accept very wide ranges gt 65535 of IPv4 addresses if such an address started at 0 0 0 0 54 Spaces in passwords were incorrectly interpreted as signs when using F Ex vm SU z l D Link NetDefend Firewall Firmware Release Notes Web Authentication 55 An incorrect date was displayed in the Update Center section of the management WebUI when an Anti Virus or IDP database was deleted manually 56 The pcapd
76. nterface now displays information for simple objects as tooltip an example is a reference to an IP4Address which would show the address value as a tooltip 2 26 02 DFL 210 260 800 860 1600 1660 2500 2560 2560G 1 Added the possibility to disable and enable Ethernet interfaces using WebUser Interface 2 Separate icon for User Authentication enabled objects 3 Improved file names for backup packages including the configuration version number 4 Connection Rate Statistic Values can be viewed using SNMP 2 26 01 DFL 210 260 800 860 1600 1660 2500 2560 2560G 1 The name of the authenticated user is logged together with the requested URL in HTTP ALG log messages z l D Link NetDefend Firewall Firmware Release Notes DFL 160 1 DHCP relaying through the firewall in transparent mode is supported 2 DH Group and PFS can be configured on IPsec interfaces 2 26 00 1 The name of the authenticated user is logged together with the requested URL in HTTP ALG log messages 2 DFL 210 and DFL 800 support anti virus and dynamic web content filtering 2 25 01 28 No new features in this version This firmware version is positioned to replace v2 25 01 22 because the v2 25 01 will cause device into cycle reboot when IPSec encapsulation was set as Both 2 25 01 22 1 Added version check for external language files 2 Improved logging for Anti SPAM 3 New log mess
77. om the DHCP server and the old user was logged in via MAC authentication the DHCP server sends a logout message to log out the old user from the system 13 High Availability role switch improvement The role change between High Availability nodes has been enhanced with a seamless transition to ensure uninterrupted traffic in the network 14 Added IPA as recognized MIME type An ipa file is an iPhone application archive file which stores an iPhone app 15 Support for hardware acceleration of IKE negotiations Hardware acceleration of IKE negotiations is now possible on the DFL 2560 and DFL 2560G models to offload the CPU and make IPsec tunnel setup faster 16 Chain of certificates The use of certificates has been enhanced to support configuring a chain of X509 root certificates to use with the HTTPS Web f L ST z l D Link NetDefend Firewall Firmware Release Notes Administrator page SSL VPN Portal TLS ALG and Use Authentication Rules 17 Enhanced ICMPv6 configuration A setting was added to control the maximum number of ICMPv6 Neighbor Discovery Options allowed and hence improve network security 18 New PPP configuration settings A new Advanced Settings PPP settings row is created in WebUI A new Initial Resend Time value is added and the existing Max PPP Resends value has been moved to this new dialog page 19 Ping CLI parameter renaming The ping CLI command has been updated with a more logi
78. ome problems for pseudo reassembly 3 The behavior of the TCP reassembly has been changed slightly to avoid causing orcontributing to ACK loops 4 The firewall could generate multicast_ethernet_ip_address_mismatch log messages if itwas deployed in setups where another HA cluster was present The heartbeats from the other HA setup were not recognized and triggered a log 2 25 01 22 message Heartbeats from other HA setups are now identified and silently dropped 5 Configuration errors in SSH management setup were not reported to the user 6 Ability to configure a source port for a NAT rule has been removed This could be configured but would be ignored and the source port would still be randomly selected 7 Log messages regarding denied update of anti virus or IDP signatures were incorrectly generated when no valid subscription existed for that service The log messages have been removed 8 Redirecting HTTP users to the web authentication login page did not work correctly Sy S f z SY 1 z l D Link NetDefend Firewall Firmware Release Notes 9 Achange of an interface s name could lead to the drainage of free buffers that eventually caused the firewall to stop handling traffic The root cause of the leakage has been identified and fixed 10 The functionality of the CLI command urlcache has been moved into the httpalg wcfcache command The new httpalg flag wcfcache lists the hosts which hav
79. on when configured to handle user credentials via one or several RADIUS servers it could cause an unexpected abort if no RADIUS server was reachable This issue has been fixed 15 The web user interface the properties in Dynamic Black Listing were incorrectly enabled when action was set to something else than protect 16 The icon for removing IKE SA was missing hence making it impossible to remove an IKE SA using the web user interface 17 DNS Blacklist CLI command showed wrong status of blacklist servers on inactive HA member Inactive HA member does not perform any anti spam inspection so the inactive node is unaware of the status of the blacklist servers 18 Email attachments with very long file names could cause memory corruption in the SMTP ALG 19 Log string sent to syslog receivers was not always correctly formatted Some log arguments were not separated by a whitespace resulting in invalid parsing by syslog receivers 20 When restarting an interface on the DFL 1600 or DFL 2500 there has been a theoretical possibility of memory corruption This issue has been fixed from F W v2 20 02 and later 21 Connections were under certain circumstances incorrectly dropped by the IDP scanning engine when audit mode was used 22 After IPSec tunnels were modified the reconfiguration of the gateway was not done correctly The result was that the gateway could go into unexpected abort state 23 A configured external log receiver
80. on and upgrade instructions please refer to the Firmware Upgrades chapter in the NetDefend Firewall v10 21 02 User Manual New Features Firmware New Features Version 10 22 01 1 RADIUS Management Authentication Remote management with the WebUI and CLI now supports using RADIUS as the authentication source 10 21 02 1 True Application Control The addition of Application Content Control allows for granular policies using application attributes to control the contents of data streams for applications This will not only allow for granular policies on an application level but also on an application content level such as restricting access to certain usage of application functions such as web browser version control blocking of DNS queries for certain domains and blocking of mail transfers containing certain keywords in the subject field This will also allow for granular logging of the contents of data streams generated by the applications and protocols providing an unprecedented audit view of data that applications in the network transmit 2 SSL Inspection for Application Control This new feature provides D Link NetDefendOS the capability to identify applications that use the HTTPS protocol Based on the result the applications can be bandwidth managed blocked and or logged 3 IKE IPsec HA synchronization Full HA synchronization of established IKE negotiated IPsec tunnels are now supported providing ful
81. on for Transparent Mode and there is no loop avoidance 4 HA No state synchronization for ALGs No aspect of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 5 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node D Inactive HA member cannot send log events over tunnels E Inactive HA member cannot be managed monitored over tunnels F OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 6 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 7 HA No sta
82. oreRules settings i e bypassing rules this registered as a default rule in syslogs for IPsec and L2TP Now it the correct specific rule is logged for both categories respectively 26 Comments were not visible on folders in the WebUI address book 27 DHCP Relay did not forward DHCPACK messages if they were received on port 68 28 Some scenarios with static route insertion removal through OSPF did not work in a High Availability setup 29 Values for advanced IPsec settings DPDExpireTime and DPDKeepTime were missing from the WebUI and could only be changed using the CLI 30 Some HTTP operations could under certain situations result in second long lockups 31 NAT T Vendor ID was sent even when NAT T setting on IPsec tunnel was set to OFF 32 The firewall could in rare occasions reboot unexpectedly when checking IPsec connections during a reconfiguration 33 DHCP Server configured with Relayer Filter erroneously dropped the unicast DHCP request renewal messages from DHCP clients 34 The firewall failed to match an HTTP Monitoring response when it was used in SLB and the expected response value given by the user contained special characters like spaces tabs line feeds carriage returns 35 TCP segments with RST flag did not have 0x00000000 as acknowledge number 36 Interoperability issues regarding NAT T sometimes caused IPsec traffic to be incorrectly dropped 37 After receiving large LSA the OSPF module reported memo
83. ork If the network parameter is not set the network parameter is copied from the configured interface 66 The PPPoE client option Force Unnumbered PPPoE did not force Unnumbered PPPoE to be used 67 Under certain Traffic Sapping settings lower precedences stop forwarding traffic when higher precedences start forwarding traffic 68 Configurations containing names or comments using certain special characters could cause the firewall to fail reading the configuration during startup 1 ICMP Destination Unreachable packets were not sent when UDP packets hit a Reject rule 2 Web authentication and web server connections were not closed correctly at reconfiguration 3 The DHCP Server did just send replies back on the receiving interface without regarding routing decisions The DHCP Server now performs a route lookup if the reply is destined for a host address i e not an IP broadcast 4 HA setups with IDP scanning enabled packets could be lost during a failover 5 Some services were using the private IP in HA setups for communicating This is now changed and the shared IP is used 2 20 03 6 The DNS lookup of the IP address to a remote gateway failed under certain circumstances for IPSec interfaces 7 The CLI command for displaying updatecenter AV IDP update status did not show enough information It has now been improved 8 TCP connections could sometimes fail due to an incorrect sequence number check 9 A missing
84. other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive nodeThe inactive node in an HA cluster cannot communicate over IPSec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node Inactive HA member cannot send log events over tunnels z l D Link NetDefend Firewall Firmware Release Notes Inactive HA member cannot be managed monitored over tunnels e OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 5 HA No state synchronization for L2TP PPTP and IPSec tunnels There is no state synchronization for L2TP PPTP and IPSec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 6 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP
85. otiation needed to pass through an IPsec tunnel established by the firewall and a peer 42 Netobject groups were not updated if the groups contained a dynamically changed DHCP PPPoE etc address 43 IPsec tunnels using DNS resolving of the remote gateway could sometimes not be established The dynamic routes are now set properly for tunnels using DNS resolving of remote gateway 44 Certain device parameters such as the device name were previously synchronized between the members of a HA cluster To make it easier to distinguish between the members of a HA cluster these parameters are no longer synchronized 45 Route load balancing method spillover didn t take disabled routes into account 46 When reclassifying a Web Content Filtering blocked site the new category for the site was not immediately updated in the local cache It could take up to five hours before the cached entry was updated The local cache is now immediately updated once a site has been reclassified 47 When activating HA in the WebUI the browser was redirected to the shared IP address of the management interface Now the web browser is redirected to the private IP of the management interface 48 The HTTP ALG could fail to reconnect to Web Content Filter servers after a HA F Ex DS SU z l D Link NetDefend Firewall Firmware Release Notes fail over The unit will now reconnect to the server when URLs need to be resolved 49
86. ould cause unexpected reboots of the firewall 13 The edit alternative for Comment Groups was not shown 14 The Web GUI page for interface status showed the Send Rate and Receive Rate as average for the last 24h The values have been updated to use the average for the last 2 minutes 15 The ping verbose CLI command did not print the correct translated port if the packet was affected by a SAT rule in some cases 16 Some statistics on IXP interfaces were not correctly printed on the firewall console Affected models DFL 160 260E 860E 5 37 96 1 The usage column in the DHCP Server status page has been updated to show active clients z l D Link NetDefend Firewall Firmware Release Notes 7 References to UserAuth privileges for authenticated users could change when modifying the number of configured privileges The web server could under certain conditions deadlock and print a 500 Internal Server Error message when trying to access the web user interface The web server has been extended with better error handling to prevent this kind of deadlock The interface traffic counters were only of size 32 bit and often wrapped around when the throughput was high Corresponding 64 bit counters have been added to ensure that wrapping will not occur as often as the corresponding 32 bit values The block list file verification failed for files with a size smaller than one packet The blockl
87. over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no z l D Link NetDefend Firewall Firmware Release Notes state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typically in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an H
88. put 4 A configuration with the now obsolete selection of Log And Event Receiver category 36 USAGE would send out empty log data The configuration is now silently updated to exclude this category s La NYSE i kia z l D Link NetDefend Firewall Firmware Release Notes 5 The shared IP was not used in LDAP server queries for High Availability cluster nodes 6 The realm string for HTTP basic authentication was incorrectly not optional in the configuration 7 The unit for the OSPF memory max usage in the WebUI was kilobytes but has now been corrected to bytes 8 The Local Gateway configured in an IPsec tunnel was not shown in the CLI command ipsectunnels iface printout 9 The link status of the DMZ WAN1 and WAN2 interfaces on the DFL 860E model and DMZ and WAN on the DFL 260E would disappear shortly during the reconfigure process 10 The filename for an attachment was incorrectly required for the SMTP ALG and POP3ALG The ALGs have now been updated to handle attachments without filenames according to the RFCs 11 The SIP ALG did not use the 420 Bad Extension response in certain circumstances 12 The built in L2TP client did not work correctly when put behind a NAT device 13 The configuration was not always updated correctly when upgrading to a newer version 14 HTTPS webauth using Internet Explorer versions 8 and older did not show the logged in page after the user had logged
89. put status feedback when invoked Now there is CLI output indicating what interfaces arpsnoop and ndsnoop are active on 20 The dhcpserver CLI command did not obey the num or fromentry options in combination with the mappings flag 21 The firewall would in some cases fail to update its ND cache after receiving a valid Neighbor Solicitation 4 i S z l D Link NetDefend Firewall Firmware Release Notes 22 IPv6 network address validation in the WebUI did not allow the usage of network size of 100 and larger 23 It was not possible to use a DNS object from the address book on the L2TP PPTP client s remote endpoint 24 Some of the filter options in the Status gt Run time information gt Connections page were not applied when selected 25 The CLI command sipalg connection did not show information under the appropriate columns 26 No IPv6 interface routes were added in the routing table specified by the interface s routing table membership parameter if the selected routing table was different from the main routing table 27 Users authenticated by an Identity Awareness Agent were not synchronized to the inactive node in an HA cluster 28 In certain SIP configuration scenarios the SIP ALG could cause an unexpected reboot of the firewall 29 Users could be logged out if a large number of PPTP clients were trying to connect simultaneously 30 The SIP vendor Aastra was not supported by the SIP ALG
90. ronized in HA modes 2 27 03 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance z l D Link NetDefend Firewall Firmware Release Notes 3 HA No state synchronization for ALGs No aspects of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization
91. rule 93 A static DHCP lease was not treated as static anymore if the IP had been blacklisted and then being released from the blacklist The static leases are now always kept static and related temporarily assigned leases during blacklist are cleared from the lease pool 94 The WebUI status page for IDP Log always printed No IDP or Threshold rules are currently logging even though such rules were configured 95 When the UTM service expired on one of the members in an HA cluster there was an infinite loop of sending databases from the active node to the inactive node 96 The Log and Event receivers did not support using another routing table than main 97 Hardware statistics for Realtek interfaces of type 8169SC and 8110SC was incorrectly represented in the CLI and could not be reset 98 The HostMonitor subsystem could cause an unexpected restart during reconfiguration when used together with Server Load Balancing 99 One of the nodes in a High Availability cluster was entering a reconfiguration loop if the antivirus subscription had expired for at least one of the nodes and there was an IDP database to be synchronized 100 When using a NAT Pool with a large amount of addresses the performance was affected in a negative way 101 It was not possible to send IPv6 packets through an L2TPv3 Server interface 102 The update center ping requests to update servers were incorrectly sent when no ALG was in use 103 The CLI tab
92. ry error despite having enough available memory to use 38 Some log messages did not correctly display the access_level for some users 39 Unsupported ISAKMP and IPsec Security Association Attributes received D F hae NJ z l D Link NetDefend Firewall Firmware Release Notes during IPsec tunnel setup resulted in a failed setup even if configured attributes also were sent 40 Some rare URLs were incorrectly forbidden by the Web Content Filtering WCF functionality 41 The H323 ALG could in rare occasions cause a system reboot 42 ICMPv6 error message Packet too big was not passed through NetDefendOS causing traffic to be blocked in certain scenarios 43 In rare occasions the firewall s sysmsgs console command could report FAT chain inconsistence for its internal media for instance when using Anti Virus 44 Modern browsers were not correctly identified in the Web User Interface causing a message to be displayed that an unsupported browser version was being used 45 The wrong IPsec Authentication Algorithm SHA was sometimes added to an IPsec tunnel configuration if it was set in the same tunnel s IKE Algorithms i e if for instance SHA1 was configured in the IKE Algorithm it would also be automatically added to the IPsec Algorithm 46 In certain scenarios the number of Active flows reported by the ipsecglobalstats CLI command always reached the maximum value even for connectio
93. s been renamed to num to be consistent with other CLI commands 156 When using trace route through the firewall the responses were not forwarded correctly to the initiating client 157 The icons for the collapsible search filters on log pages were not following user interface standards The down arrow is now shown when the filter is expanded instead of the opposite 158 The ALG didn t handle SSLv2 compatibility mode with new TLS protocols 4 5 lli hi 27 z l D Link NetDefend Firewall Firmware Release Notes The ALG has been updated to handle compatibility mode correctly 159 Some statistics for rejected DHCP Relay packets was increased even though nothing was rejected 160 The ipsecstats ike CLI command would output a lot of unnecessary more entries not displayed lines 161 When using the HTTP ALG together with Anti Virus scanning the system would sometimes make an unexpected restart 162 On rare occasions certain IP addresses in blacklist could lead to faulty behavior 163 Port Based VLAN did not work on DFL 260E rev a2 model 164 An incorrect PPPoE interface name could be logged in closed open events with certain configurations 165 PPPoE interfaces could in rare circumstances make the firewall restart unexpectedly 166 It was not possible to disable Port Based VLAN without rebooting the device 167 Port Based VLAN didn t properly forward packets according to switch routes 16
94. se the same authentication method as the SSL VPN Client when RADIUS authentication was enabled 178 In rare circumstances when using High Availability and OSPF there could be a flood of OSPF packets on the sync interface 179 A RADIUS Accounting session was closed if the reply from the RADIUS server contained RADIUS Attributes 180 The ifstat CLI command did not show the chip information for some E1000 based interfaces 181 Phase one rekey negotiations in the cases where peer Xauth authentication is required were removed 182 Under rare circumstances an IPsec configuration could cause the firewall to run out of buffers 183 The traffic shaping subsystem consumed a large amount of CPU resources when processing packets that could not fit within a configured pipe 184 The system could in rare cases perform an unexpected restart when IPsec clients were connected behind a NAT gateway 185 The handling of large amounts of hosts in blacklist has been optimized 186 The clone option was not always available on the WebUI objects 187 The IP protocols 33 and 48 were logged with incorrect names and IP protocols 131 to 142 were missing names The IP protocol list has been updated according to the current IANA definition 188 Receiving ESP packets for a new IPsec security association before the last IKE message in the negotiation was received could cause the firewall to drop the ESP packets for that security association during its entire lif
95. situations most noticeably HTTP traffic This change will by default loosen the restrictions when an attempt to reopen a closed connection is received ValidateSilent ValidateLogBad while still enforcing RFC correctness 11 The SMTP ALG could not tell the difference between the new Microsoft Office 2007 document file types and file type ZIP This is because there is no difference that can be easily discovered the new Microsoft Office files are in fact ZIP files with a different extension An ALG configured to make file z l D Link NetDefend Firewall Firmware Release Notes integrity checks would therefore signal these files as invalid wrong mime type wrong file suffix The ALG will now identify Office 2007 files as ZIP files Anti virus checks will if enabled scan the contents of the new Office 2007 files just like it would with a regular ZIP file 12 IP address with suffixes 0 and or 255 could incorrectly be assigned to IPSec config mode clients 13 Nested MIME bodies could in some scenarios be blocked by the SMTP ALG For example the SMTP ALG could block images inserted as inline with an error message indicating base64 decoding error The recipient received the email without the attached image but an error message saying The attachment xxxx has been blocked by the Security Gateway The ALG has been updated with better support for nested MIME blocks 14 A user logging in via Web based user Authenticati
96. st could potentially write to media up to five times each minute The delay between possible writes has been increased to two hours 21 It was not possible to configure maximum authentication retries for the SSH server in the web user interface Configuration support has now been added 22 There was a problem when multiple IPsec SAs referenced the same XAuth context 23 If a DHCP lease of a reserved IP address was manually released in the DHCP server and the host requested a new lease the host was not given the reserved IP again 24 The UDP checksum was not correctly updated when the multiplex rule was used together with address translation SAT SETDEST NAT 25 On some models a data alignment error in the Route Load Balancing system could cause the firewall to malfunction 26 Old configurations had an incorrect definition of the all_tcpudp service Upgrading from an older version to a newer version could cause problems This problem has now been fixed and the old service will be converted during the upgrade 27 In some scenarios login attempts using the web user interface failed with the error message Error 500 Internal Server Error No new login attempts were allowed until the system had been restarted A synchronization lock for an internal buffer failed to reset during reconfigure and caused this issue 28 Scripts created by script create could previously have problems to run D F hae NJ
97. stem could in rare circumstances cause unexpected system reboots 61 The CLI command ifstat omitted a line break at the end of the output for certain types of interfaces 62 The firewall could run out of packet buffers when trying to send too many packets on an R8169 interface with no link The R8169 driver will now drop packets if no link is detected Affects DFL 260E 860E 63 There was no warning issued if the user added an IPv6 route and IPv6 had not been enabled in the configuration 64 ncorrect or outdated RADIUS Accounting responses could cause an increase in memory consumption 65 The pcapdump functionality couldn t capture the outgoing packets flowing through a VLAN when the capturing target was its base interface 66 On rare occasions the firewall restarted unexpectedly when performing a reconfiguration following a previous IDP database update 67 The last part of an ICMP packet sent through an IPsec tunnel was sometimes dropped 68 IPv6 groups would in certain rare cases create wrong IPv6 address ranges 69 The help section for SwitchManagement in the CLI was missing proper descriptions for some properties 70 The configuration warning shown when a service group contains overlapping services was confusing and has been refined to more clearly show the problem and how it can be resolved 71 Users being logged out after a timeout could in some rare cases appear to log out multiple times 72 The pie chart describing
98. tDefend Firewall Firmware Release Notes 20 When restarting an interface on the DFL 1600 or DFL 2500 there has been a theoretical possibility of memory corruption This issue has been fixed from F W v2 20 02 and later 21 Connections were under certain circumstances incorrectly dropped by the IDP scanning engine when audit mode was used 22 After IPSec tunnels were modified the reconfiguration of the gateway was not done correctly The result was that the gateway could go into unexpected abort state 23 A configured external log receiver that does not accept log messages might send ICMP destination unreachable packets to the firewall These packets would trigger new log messages resulting in high CPU utilization Logging is now connection based and the sending rate of log messages will be decreased by the firewall when it receives ICMP destination unreachable packets regarding log receiver connections 24 TCP connections with SYN relay were not synchronized correctly In case of HA failover traffic on these connections would freeze 25 Unnecessary DynDNS and HTTP Poster re posts were triggered during reconfigure This is now avoided by always considering if the local interface IP address has been changed or if the HTTP Poster DynDNS configuration has been changed 26 Some H 323 messages were incorrectly disallowed by the ALG The H 323 Status Enquiry message is now allowed to be forwarded through the H 323 ALG 27 The Fail
99. te synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 2 40 02 1 Ifthe SSL VPN interface is configured with the outer interface any option SSL VPN will be disabled Don t support the latest protocol used by oray net Peanut Hull clients Transparent Mode won t in HA mode ALGs won t synchronize states in HA mode L2TP PPTP IPSec won t synchronize states in HA mode aa GN The inactive node in an HA cluster cannot be reachable over IPSec PPTP L2TP and GRE tunnels 7 If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over VPN tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more z l D Link NetDefend Firewall Firmware Release Notes aggressively tuned OSPF timings 8 No aspects of the IDP signature states are synchronized in HA modes 2 40 01 If the SSL VPN interface is configured with the outer interface any option SSL VPN will be disabled Don t support the latest protocol used by oray net Peanut Hull clients Transparent Mode won t in HA mode ALGs won t synchronize states in HA mode L2TP PPTP IPSec won t synchronize states in HA mode DA BG
100. tem 2 Added IPA as recognized MIME type 3 Support for hardware acceleration of IKE negotiations for DFL 2560 2560G to offload the CPU and make IPsec setup faster 2 40 02 No new features are introduced in the 2 40 02 release 2 40 01 1 Support the Cisco IPSec client on iPhone 2 Double Web Content Filtering local cache size on all models to accommodate more categorized sites L NT z l D Link NetDefend Firewall Firmware Release Notes 3 Support CHAP MS CHAP MS CHAPv2 and No authentication mechanisms for SSL VPN 4 Web Content Filtering Configuration Improvement When filtering override is enabled it is now possible to enter a custom timeout of the override period 1 Support for IPv6 in routing IPRules and Policy Based Routing in Ethernet as well as VLAN interfaces 2 Remove restrictions on the number of HTTP posters All other network clients listed in Misc Clients also benefit from this restriction removal 3 Support authenticating users using the Ethernet MAC address over HTTP S 2 40 00 4 Update password field when focus is moved to a text input field which contains a password the field will now be cleared so the user can type in a new password directly 5 The WebUI page Reset now also contains a method for normal shutdown same action as the CLI command shutdown This method will gracefully close down tunnels hand over to other HA unit in HA s
101. the configuration 21 Web Content Filtering did not work for HTTPS when the traffic was directed to a proxy 4 i S lli hie z l D Link NetDefend Firewall Firmware Release Notes 22 Descriptions were missing for some advanced settings alternatives 23 The DHCP Server Custom Option parameter value was possible to leave empty but gave an error message during Save amp Activate An error message is now shown if the value is left empty when clicking Ok on the Custom Option page 24 Application Control frequently failed to recognize Skype Changes have been made to improve the classification of Skype 25 Application Control sometimes identified the application as just TCP or just UDP 26 Using an IP4Address object with a DNS name as Remote Endpoint for an IPsec tunnel could lead to IPsec traffic problems 27 In rare occasions some applications such as Skype or RDP could not be allowed by Application Control 28 The background colors of the row on the connection page in the Web UI were not alternating after a filter had been applied 29 Traffic using routing rules with routing tables where the Ordering setting was set to Default was sometimes routed incorrectly 30 Accessing certain HTTPS sites sometimes failed if the HTTP ALG was configured to do Web Content Filtering 31 The classified value in the Application Control statistics table suffered from duplicate and premature updates This has be
102. ump show command displayed all the captured packets Now the pcapdump show command displays a default of 20 packets or the specified number of packets using the num argument 57 Using certain addresses as IPv6AddressPool in the DHCPv6 Server caused the system to not give out any IP addresses 58 IPsec tunnel setup could fail with certain configurations despite matching IPsec proposals 59 The system sometimes experienced high memory consumption and sometimes rebooted due to low available memory when using IDP 60 The Anti Virus log message ID 115 and Application Control log message ID 4 had swapped the event and the action The log revisions have been updated for both messages 61 There was no log or notification shown when IDP scanning was disabled because of the license expiration 62 Received ICMPv6 Neighbor Advertisements containing multiple options were incorrectly interpreted by the firewall 63 L2TP IPsec traffic to multiple clients behind the same NAT device could in rare scenarios be mixed up 64 Full system backup files did not include files related to SSL VPN and Application Control 65 Connecting a second L2TP Client located behind a NAT gateway could in rare occasions disconnect the first client 66 In rare occasions the SMTP and POP3 ALG configured with Anti Virus did not detect malicious email attachments 67 In rare High Availability scenarios a restart of the nodes would be necessary in order to finish confi
103. ured 23 Web Content Filtering update Web Content Filtering category 31 has been changed from Spam to Remote control desktop 24 Improved certificate information in the CLI The CLI has been improved to show more detailed information about the IPsec certificate cache 25 Alias for routes It is now possible to use route as an alias to the CLI command routes 26 High Availability Status in the Web User Interface The current High Availability status is now visible in the System Information list on the main status page in the web user interface 2 60 02 1 New Web User Interface The Web User Interface has been reworked with a more user friendly touch Administrative tasks can now be performed faster with less work and is more intuitive even for the less experienced user 2 Application Control Support has been added to control what applications users behind the firewall are using It is now possible to select what applications should be allowed and the administrator can monitor data transfer and other statistics for the applications accessing the Internet 3 IPv6 Numerous changes have been implemented in order to improve interoperability and protocol compliance 4 User Identity Awareness The administrator of a firewall now has the z l D Link NetDefend Firewall Firmware Release Notes possibility to control the access of users authenticated to a Windows Active Directory Domain 5 Ro
104. uting support in SSL VPN Client It is now possible to configure routing information for SSL VPN clients In addition to the default use of all nets explicit routing information can be supplied to the client 6 Web Content Filtering for HTTPS Web Content Filtering support has been added for HTTPS traffic 7 L2TPv3 server support Support had been added to create L2TPv3 server interfaces With these Ethernet and VLAN interfaces can be interconnected through the networks using the L2TPv3 protocol 8 URL filter for HTTPS URL filter support has been added to the HTTP ALG when using the HTTPS protocol 9 Route Fail Over Enhancement A Route Fail Over setting has been added Gratuitous Proxy ARP On Fail that enables the transmission of gratuitous ARP packets on fail over to alert hosts about changed interface Ethernet address of Proxy ARPed hosts 10 Search filter enhancement The search filter on the memory log pages was using a lot of space at the top of the page The filter is now by default hidden only showing the free text search form The entire filter can be shown by clicking its header 11 WebUI speed improvement The speed of browsing through the WebUI in particular pages where there is a large number of objects has been improved 12 Logout message for DHCP server A new feature has been added to the DHCP server when used with MAC address authentication to enable automatic logout of users When an IP address is being reused fr
105. voidance 3 HA No state synchronization for ALGs No aspects of ALGs are state 4 es r z l D Link NetDefend Firewall Firmware Release Notes synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state OSPF failover over tunnels uses normal OSPF failover rather than accelerated lt 1s failover This means 20 30 seconds with default settings and 3 4 seconds with more aggressively tuned OSPF timings 8 HA No state synchronization for L2TP PPTP and IPsec tunnels There is no state synchronization for L2TP PPTP and IPsec tunnels On failover incoming clients will re establish their tunnels after the tunnels are deemed non functional This timeout is typicall
106. x i D Link NetDefend Firewall Firmware Release Notes We NetDefendOS Version 10 22 01 Published Date 2015 08 03 Copyright 2015 Copyright Notice This publication including all photographs illustrations and software is protected under international copyright laws with all rights reserved Neither this manual nor any of the material contained herein may be reproduced without written consent of the author Disclaimer The information in this document is subject to change without notice The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER E G DAMAGES FOR LOSS OF PROFIT SOFTWARE RESTORATION WORK STOPPAGE LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D LINK PRODUCT OR FAILURE OF THE PRODUCT EVEN IF D LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES FURTHERMORE D LINK WILL NOT BE LIABLE FOR THIRD PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES D LINK WILL IN NO EVENT BE LIA
107. y in the 30 120 seconds range 9 HA No state synchronization for IDP signature scan states No aspects of the IDP signature states are synchronized This means that there is a small chance that the IDP engine causes false negatives during an HA failover 10 The function StateKeepAlive of NAT Pool is not working 1 The Oray net Peanut Hull client does not work after they changed the protocol 2 HA Transparent Mode won t work in HA mode There is no state synchronization for Transparent Mode and there is no loop avoidance 3 HA No state synchronization for ALGs No aspects of ALGs are state synchronized This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer if however the cluster fails back over to the original peer within approximately half a minute frozen sessions and associated 2 27 01 transfers should begin working again Note that such failover and consequent fallback occurs each time a new configuration is uploaded 4 HA Tunnels unreachable from inactive node The inactive node in an HA cluster cannot communicate over IPsec PPTP L2TP and GRE tunnels as such tunnels are established to from the active node 5 Inactive HA member cannot send log events over tunnels 6 Inactive HA member cannot be managed monitored over tunnels 7 OSPF If the cluster members do not share a broadcast interface so that the 2 F Ex hl ae 4 N z l D
108. z l D Link NetDefend Firewall Firmware Release Notes even when executed with script execute force because the generated script would sometimes incorrectly reference an object before it had been added This has been solved in such way that script create always generates a script that will not reference an object before it has been created Circular dependencies are resolved by first adding the objects without the problematic references then later modifying the object to its final state 29 Since the web user interface uses UTF 8 encoding a PSK containing ASCII characters with value of 128 255 would be stored as UTF 8 characters UTF 8 characters are now converted back to ASCII characters when it is possible 1 If the IPSec encapsulation was configured as Both then upgrade firmware to v2 25 01 22 it will cause device into cycle reboot 2 The WCF tab is shown on Non UTM Firewall models Basically Non UTM 2 25 01 28 firewalls don t support dynamic WCF feature It is no longer visible on non UTM firewall models after upgrade to firmware v2 25 01 28 3 Startup Wizard is not displayed after reset configuration to default via WebGUI 1 The advanced setting Block0000Src Drop DropLog Ignore Log has been renamed toLog0000Src Drop DropLog The actions Log andIgnore have now been converted into DropLog and Drop 2 UpdateCenter caused problems in HA setups sometimes locking up an HA node HA alsocaused s
Download Pdf Manuals
Related Search