Version 10.4


This is an old version. We strongly recommend upgrading your appliance to the latest version to ensure optimal performance and security.

Upgrading to the latest version provides enhanced security features, bug fixes, and overall improvements, safeguarding your system against potential vulnerabilities.

Version 10.4.31


Update authentication restrictions for OpenVPN service and OpenVPN Access Server.

Version 10.4.30

System Upgrades

  • Fix test upgrade errors related to the reverse proxy server.
  • Ensure the automatic firewall option is always enabled when IPsec e-tunnel configurations are present.

Version 10.4.29


  • Automatically create directories for add-ons when needed.
  • Remove obsolete disk speed test.
  • Fix DNS resolving in version test upgrade function (DHCP validation).
  • Automatically reconfigure Internet redundancy where rules are linked to dynamic IP addresses obtained via PPPoE or 4G USB modems.


  • Fix IPsec service restart function for VPN tunnel configurations which rely on dynamic IP addresses obtained via PPPoE or 4G.
  • OpenVPN & PAX: Improve service restart for (unstable) WAN connections with dynamic IP addresses obtained via PPPoE or DHCP.

Version 10.4.28

Configuration Tool

  • Make the AXS Guard RDP client available for download via the add-on page.
  • Facilitate menu searches related to high availability.
  • Add hints to configuration pages which rely on certificates.

Reverse Proxy

  • Allow non-secure HTTP connections to port 443; replace the validation error with a warning.
  • Suppress validation errors for configured - but not yet operational - IP addresses which are dynamically assigned, e.g. in a High Availability context.
  • Improve the HTTP service reload process.
  • Implement support for UTF-16 encoded passwords when using (NTLM) back-end authentication for RDWeb SSO. Disable client auto-reconnect.


  • Correctly display the application name of DIGIPASS for Mobile instances which are activated.
  • Make the application ID validation less restrictive to allow the use of other prefixes and hyphens.
  • Ignore excessive NTLM authentication requests made by misconfigured Windows hosts in Kerberos environments when they attempt to authenticate to access the AXS Guard proxy server (Web Access).

Version 10.4.27


Fix a resource exhaustion in the log reporting service when the time jumps into the past.

Configuration Tool

Fix message when initiating a system shutdown or reboot.

Version 10.4.26

Reverse Proxy

  • Enlarge the DIGIPASS Cronto QR image to ease scanning.
  • Add support for WebSocket in combination with RDWeb Single Sign-on.


Import Application ID to configure DIGIPASS for Mobile push notification service by environment.


Remove iptables device markings which limit the number of (VLAN) devices.


Fix IPsec server assertion errors.


Fix resource exhaustion in the log reporting service.

Version 10.4.25

Reverse Proxy

  • Implement Single Sign-On (SSO) feature for Remote Desktop Web Access, using Microsoft's Pluggable Authentication and Authorization (PAA) mechanism via the gateway access token.

  • Fix back-end application server logout when combined with Session Management (regular request or JavaScript-driven).

  • Add support for HTTP/2 application layer protocol to improve network resource efficiency.


Finalize DIGIPASS for Mobile integration: implement configurable UTF-8 messages for login by image, app2app and push notifications, improve automated platform detection (e.g. for iPad and other large-screen tablets), add configurable login timeouts, etc.

Configuration Tool

  • Fix the links for bond and bridge devices on the network status page; link to the parent ethernet device.

  • Fix the IPsec device link on the network status page by ignoring the tunnel type.

  • Fix HTML-encoded space character in the device selection box of the Bandwidth Management Schema page.

  • Correct hint for the Source IP Address field on the Port Redirection page; fix the incorrect reference to Port Forwarding.

  • Fix a typo in Blocked URL error message.

  • Make e-mail antivirus notification tab visible for CTRS.

  • Fix the Test Upgrade version function.

Cloud Reporting

  • Remove harmless filebeat errors from the AXS Guard security reports.
  • Include Cloud Reporting in factory default function.

Console Tool

Disable GeoIP for the dig command.


Use HTTPS by default for the Internet Speed Test, as it seems to be more reliable.

Version 10.4.24


Fix reverse lookup errors for forwarded domains when no ISP DNS server is configured.

Configuration Tool

  • Allow downloading of OpenVPN configuration files with special characters.
  • Improve validation for the default gateway address by verifying its subnet.
  • Redirect the browser to another page when rebooting the appliance via the configuration tool in order to prevent accidental reboots in case of a page refresh or a redirect from the login page.
  • Hide PAX dashboard errors when the PAX feature is disabled.
  • Add support for the QUIC protocol to the firewall (fwd-web policy).
  • Add support for Strict-Transport-Security (HSTS) to the configuration tool and the reverse proxy.
  • Add extra information to the network status page.


  • Increase the maximum number of characters in RADIUS secrets (new max. is 256).
  • Fix the handling of password-protected CAs.
  • Disable and remove IPsec compression.

Reverse Proxy

  • Automatically delete the logs associated with a reverse proxy entry when it is removed via the configuration tool.
  • Fix the reverse proxy rewrite logs in the console environment.

High Availability

  • Automatically create IPsec firewall rules during service startup.
  • Disable mode 6 and 7 queries towards the NTP server to improve security.

Reporting & Statistics

Add new Cloud Monitoring feature.

Version 10.4.23


  • IPsec: Upgrade Libreswan to version 4.6 for improved IKEv2 support.
  • OpenVPN: Replace deprecated ns-cert-type option in OpenVPN and PAX server configurations.


Improve error handling in the statistics data gathering tool to avoid service interruptions.


Add additional upstream servers to improve redundancy.

Reverse Proxy

Make preconfigured backend credentials optional when the password auto-learn option is enabled in the RDG proxy configuration.


Suppress harmless IPv4 and IPv6 validation errors.

Logging & Reporting

Exclude safe faxcron and collectd errors from security violations reports.

Configuration Tool

  • Firewall: Always include IP addresses when exporting firewall log messages.
  • E-mail: Record removals of quarantined messages in the admin tool log.
  • SecureDNS: Make logs accessible to basic administrators and above.
  • Upgrade: Fix execution errors on the test upgrade page.
  • Web access: Allow advanced administrators to configure URL substitution.
  • IPsec: Hide disabled tunnels on the dashboard.
  • Bandwidth management: Fix a typo in bandwidth definition validation messages.

Version 10.4.22

GeoIP Filtering

Improve the stability of GeoIP database reloads in order to avoid potential execution errors after a system reboot.

Version 10.4.21

GeoIP Filtering

GeoIP filtering has been integrated as a standalone feature and requires a Premium Threat Protection license. See the firewall documentation on this site for additional information.

SecureDNS Categories

The categories have been updated. The ransomware category has been renamed to certs. A new maldom category has been added. Tooltips with detailed category descriptions are now also available. See the system administration guide on this site for additional information about the SecureDNS feature and the various categories.

Network Security Logs & System Reports

The log files and system reports have been refactored to include host and username information, if available. GeoIP logs now also show country flags, allowing system administrators to get better insights into traffic moving through their organization's network.

Various improvements and software fixes

  • Web-based administration tool

    • Add SecureDNS as a meta tag in the menu to facilitate related searches.
    • Allow advanced administrators to configure Characters Allowed in URLs in reverse proxy definitions.
    • Rename Content Scanning to Premium Protection on all relevant pages.
    • Rename Whitelist Client to Whitelist Mail Server in the e-mail greylisting page.
    • Change the default connection mode of Internet devices to DHCP.
    • Treat informative messages about tool user settings as non-critical.
    • Disable all interactions for (basic) administrators lacking permissions.
    • Add screen refresh controls to the network flow viewer.
  • IPsec

    • Correct the digest algorithm in the 3des-md5 description of the standard IPsec IKE profile.
    • Add the possibility to disable automatic management of firewall rules for IPsec tunnels.
  • System

    • Only allow lowercase characters in domain names.
    • Make emergency e-mail address configurable; process like a fail mail otherwise.
    • Update fail mail destination IP address to AG cloud.
  • Users & Groups

    • Fix critical error messages when the out-of-office function is disabled for a user.
  • High Availability

    • Start the CTRS service on HA systems that are running as a slave node.
  • Wizards

    • Replace obsolete Skype application with Teams application in the Fast Lane wizard.
  • Licensing

    • Save the feature flags when a license expires for reuse during relicensing.
  • Webmail

    • Upgrade roundcube to the latest version, i.e. 1.5.2.
  • Anti-Malware

    • Place temporary files in HAVP subdirectory to avoid errors when cleaning up old scanner files.
  • Reverse Proxy

    • Improve throughput and load when multiplexing an increasing number of concurrent RDG connections.

Version 10.4.20

Network Configuration

Hotfix for NAT port forwarding service.

Version 10.4.19


Fix strict OpenVPN authentication for environments with mixed user sources. This solves authentication issues on appliances where multiple AD domains are synchronized and various username formats exist. See the Directory Services manual for details about supported username formats.

Personal AXS Guard

  • Automatically disable client authentication when no Road Warriors are configured.
  • Restore original system hosts file permissions during client connections.

Network Configuration

Fix incomplete activation of port forwarding rules after system reboots.

High Availability

Fix network check errors in security violation reports on HA slave nodes.

Version 10.4.18


Disable ClamAV concurrent database reloads on memory-constrained systems, i.e. AXS Guard appliances with 2GB or less, which prevents these systems from going out of memory during pattern updates.

Version 10.4.17


A reporting feature has been added to allow system administrators to get better insights into malicious DNS activity. Malicious DNS queries are classified by the threat they represent and are organized into 10 distinct threat categories. See Reports > Threats > Malware Detection.

SecureDNS logs are available under Network > DNS > SecureDNS logs. Hosts which generate unusual DNS traffic can be easily identified by their source IP address, allowing you to isolate them from your network for further investigation and troubleshooting.

SecureDNS reports will contain more details in future versions. The cause, source and requested destination FQDNs will also be mentioned, so stay tuned.


A strict authentication option has been added to the OpenVPN server. If enabled, the server will verify if the CN or e-mail address in the client certificate matches the username provided during authentication. If they differ, the connection will be refused. This prevents sharing of client certificates.
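
The strict authentication check described above, sketched as an added example (not AXS Guard's own code): a Python hook for OpenVPN's `auth-user-pass-verify` in `via-env` mode. The exact, case-insensitive comparison and the sample identities are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example (not AXS Guard code): strict certificate/username matching
# for an OpenVPN auth-user-pass-verify hook running in via-env mode.
import os
import sys


def _norm(value):
    """Trim and case-fold an identity so 'Alice' and 'alice ' compare equal."""
    return (value or "").strip().casefold()


def strict_match(username, common_name, email):
    """True only if the login name equals the certificate CN or e-mail.

    Empty values never match, so a certificate that carries neither a CN
    nor an e-mail address is refused instead of matching an empty username.
    """
    user = _norm(username)
    if not user:
        return False
    identities = {_norm(common_name), _norm(email)} - {""}
    return user in identities


def verify_from_env(env):
    """Return 0 to accept or 1 to refuse (exit-status convention of the hook).

    Assumption: OpenVPN exported username, common_name and
    X509_0_emailAddress to the script environment.
    """
    username = env.get("username", "")
    common_name = env.get("common_name", "")
    email = env.get("X509_0_emailAddress", "")
    if strict_match(username, common_name, email):
        return 0
    # %r escapes control characters, so a crafted username cannot forge log lines.
    print("refused: user %r does not match certificate CN %r / e-mail %r"
          % (username, common_name, email), file=sys.stderr)
    return 1


# Constructed sample sessions: (username, certificate CN, certificate e-mail).
SAMPLES = [
    ("alice", "alice", "alice@example.test"),               # own certificate
    ("Alice@Example.test", "alice", "alice@example.test"),  # login by e-mail
    ("bob", "alice", "alice@example.test"),                 # shared certificate
    ("", "", ""),                                           # nothing to compare
]


def evaluate(samples):
    """Return the accept/refuse verdict for each constructed session."""
    return [strict_match(user, cn, mail) for user, cn, mail in samples]


if __name__ == "__main__":
    sys.exit(verify_from_env(os.environ))
```
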

Reverse Proxy

A Preserve Hostname option has been added to the Reverse Proxy configuration page. When enabled, the reverse proxy will be instructed to preserve the original Host: header from the client browser when constructing the proxied request to be sent to the target server. Enabling this option is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host: header needs to be evaluated by the backend server.

GeoIP Filtering

The names of the continents have been added to the descriptions of the GeoIP block lists, allowing for easier management.

Various improvements and software fixes

  • Web-based administration tool

    • Bugfix #92978: Improve the context-sensitive help on e-mail filter action.
    • Bugfix #92970: Remove PDF icons from links to the online documentation.
    • Bugfix #92933: Fix a parsing issue causing endless loops in the firewall status page.
    • Bugfix #92929: Improve auto-fill prevention for password input fields using updated autocomplete.
    • Bugfix #92725: Fix an update issue for Internet Redundancy rules in case the rule was previously configured with protocol and port numbers.
    • Bugfix #92814: Add more tags for GeoIP to improve menu search capabilities.
    • Feature #93069: Add expiration date to the certificate overview page.
    • Feature #93063: Add subject information to the e-mail quarantined queue.
    • Feature #93063: Show the order of E-tunnels in the network routing overview.
  • Anti-malware

    • Bugfix #86701: Add Microsoft update URLs to the Anti-Virus Web exceptions list.
    • Bugfix #92243: Ensure CTRS Cloud Web Protection recovers automatically in case the DBus component crashes.
    • Feature #93034: Upgrade ClamAV to version 1.103.5.
  • Licensing

    • Feature 905df254ec: Add new software options to the list of content scanning services.
    • Feature ac4a38aa0b: Add product description for CTRS and disable it when the content scanning license expires.
  • Others

    • Feature a2206769bd - OpenVPN: Reload HTTP server when the OpenVPN server configuration is updated, toggling the access service API.
    • Bugfix #93169 - Logcheck: Ignore named errors caused by disabled DNS update feature.
    • Bugfix #92964 - Sysinit: Avoid using Ipt during sysinit, as the libiptc perl library is not available.
    • Bugfix #92719, 92720, 92741 - System: Reduce fail mail by avoiding (daily) duplicates, license not expired and only on production systems.
    • Bugfix #92957 - System: Reduce fail mails regarding authentication for issues that have been automatically resolved.
    • Bugfix #92173 - MTA: Make integration of Cyrus::IMAP::Admin library more robust in regards to data transfer issues.
    • Bugfix #92727 - Web Access: Improve validation of proxy cache size, max object size, max download size and size fields.
    • Bugfix #92200 - Wizards: Add missing option for SSTP VPN in the user and groups wizards.
    • Bugfix #92977 - DHCP: Ensure gateway routers (IP or FQDN) fall within the specified network range.
    • Bugfix #92546 - DNS: Switch to Secutec DNS upstream servers for systems where SecureDNS is enabled.
    • Bugfix #92680 - Firewall: Change the target for incoming ident rules to REJECT.
    • Bugfix #93062 - Statistics: Reconfigure netdata to disable health mails.
    • Bugfix #92973 - Reverse Proxy RDG: Prevent infinite loops when the RDG server unexpectedly closes the connection and fix memory leak.

Version 10.4.16

DNS Cache

The AXS Guard DNS cache service has been refactored to support DNSSEC and TSIG when forwarding queries.


Improve the safety and reliability of the AXS Guard firewall while it's being managed via various concurrent processes.

Version 10.4.15


System administrators can now use FQDNs in firewall rules. FQDN rules are based on DNS resolution and allow you to easily filter inbound and outbound traffic for any protocol. Note that this feature is only supported for through and towards rules.

Various improvements and software fixes

  • Email

    • Bugfix #92442: Use the inline LibFile::Magic module in the MTA filter for extension blocking.
    • Feature #89516: Add TLS support for SMTP relays on appliances without a content scanning license, e.g. when using the Office 365 SMTP server.
  • Firewall

    • Bugfix #91988: Optimise IP block list management to minimise delays during automated list updates or HA failovers.
  • Others

    • Bugfix #92682: Improve the readability of the admin tool log for system configuration changes made to parameters with a large value.
    • Fix inconsistencies in SecureDNS labels.
    • Set the year in the configuration page footer to 2022.

Version 10.4.14

Various improvements and software fixes

  • Web-based administrator tool & configuration

    • Bugfix #92481: Show the first rather than the last page while searching through log files; implement behavior that is consistent with other pages.
    • Bugfix #f282617269: Fix attribute references in RADIUS server configuration file.
    • Bugfix #92479: Use the correct link for appliance licensing & registration.
  • Personal AXS Guard

    • Bugfix #b84e755b51: Patch PAX client refusal for OpenVPN authentication.
  • Other

    • Bugfix #87a4f9e3a5: Use the documentation URL as specified in the environment variable.

Version 10.4.13


SecureDNS protects users from inadvertently accessing malware, ransomware, malicious domains, botnet infrastructure and more. It is an essential component of cybersecurity.

Research by industry leaders indicates that more than 91% of malware attacks use DNS exploits in one way or another. Despite this, many organizations don't monitor DNS traffic, leaving them vulnerable to attacks.

SecureDNS is available for customers with a premium content scanning license. To use SecureDNS, activate the feature and then enable the option in Network => General.


HTTPS processing has been optimized. Established and safe HTTPS connections are no longer being further analyzed by the IPS in order to save AXS Guard system resources.

Directory Services

Active Directory synchronization has been improved by removing WINS dependencies. Operations now entirely rely on the Kerberos protocol. Note that the Kerberos server must be accessible. The clocks of AXS Guard and the Kerberos server must also be properly synchronized with a time server.

Anti-Malware & Web Content Scanning

  • Download threads

    Downloads via the web content scanning engine have been optimized. Slow download threads are now being prevented from causing delays in accessing the AXS Guard Cloud threat protection service in favor of other, faster threads. The timeout for connecting to the AXS Guard cloud has also been reduced to 5 seconds.

  • High Availability

    Improve support for HTTPS inspection. The HTTPS inspection certificate cache has been moved to the replicated DRBD filesystem, allowing it to be used more efficiently by the other cluster node. In the event of a failover, certificates will no longer have to be regenerated, as they are available and kept in sync on all HA nodes.

  • HTTPS Inspection

    Clear the HTTPS inspection certificate cache when the built-in CA is reinitialized. The HTTPS inspection feature uses the built-in CA to build a cache of trusted server certificates.

    These certificates are signed by the built-in CA, and are considered valid as long as the built-in CA is trusted by the user's browser.

    However, when the built-in CA is reinitialized, all certificates residing in that cache will no longer be trusted by clients. For this reason, the cache is now also cleared when the built-in CA is being reinitialized.


Adjust the fwd-edr firewall rule to allow connections to the ReaQta endpoint security service in the AXS Guard cloud.


Fix 'out of office' messages. Out of office notifications stopped working after a regression in the previous AXS Guard version. This issue was related to the host domain name being used to configure 'out of office' message recipients in HA environments. Due to misconfiguration, the notifications could not be delivered.


Fix log warnings. Warnings are reported in the logs when a certificate is being imported without a certificate chain or when a certificate is missing the Common Name (CN) field.

System Administration Tool

Fix HTML escaping to prevent HTML injection. Other changes include corrections in labels, links, casing, descriptions and more.


  • OpenVPN Service

    Prevent the AXS Guard OpenVPN service from accepting connections made by PAX clients. PAX clients can automatically use TCP port 443 as a fallback for UDP port 1194, e.g. when sitting behind a restrictive corporate firewall.

    However, this port cannot be shared with the OpenVPN service, which will now deny PAX clients from establishing a successful connection when PAX and OpenVPN client certificates are signed by the same CA.

  • OpenVPN Client Configuration Export

    Fix client configuration export with encrypted private key protection when the use deprecated ciphers option is enabled on the server side.

Version 10.4.12

Various improvements and software fixes

  • E-mail

    • Bug #92105: Fix domain masquerading.
  • Configuration Tool

    • Bug #0bd10e4ef: Fix visual glitch in certificate export labels.
    • Bug #ae4a0a306: Fix visual glitch in tool access type labels.

Version 10.4.11

HTTP Reverse Proxy Access Control

System administrators now have the possibility to restrict access to applications and services based on the IP address of the remote client. This is especially useful for applications and websites where user authentication is not enforceable or desired.

OpenVPN System Legacy Options

The following options have been relocated in the OpenVPN Server configuration screen:

  • Allow Deprecated Ciphers
  • Use small Subranges
  • Accept Compressed Data

Note that these options are only present for legacy reasons, i.e. to support outdated client software and/or obsolete OpenVPN configurations. The use of obsolete server and client options is insecure. System administrators should upgrade old OpenVPN client software and configurations ASAP.

Personal AXS Guard

The PAX diagnostic tool has been refactored and improved, so system administrators can identify problems and detect network issues more easily.

Various improvements and software fixes

  • E-Mail

    • Bug #91274: Keep original From-address when it doesn't contain a domain name.
    • Bug #92041: Correctly deliver Virus E-mail notifications when multiple System Administrator E-mail Addresses are configured.
    • Bug #91920: Only include E-mail domains in mail configuration when E-mail transfer feature is enabled.
    • Rfe #92081: Validate the response code of the real time blacklist lookups to prevent false positives.
  • Firewall

    • Rfe #91052: Add static policy and forward rule to allow communication with EDR.
  • High Availability

    • Bug #90871: Service failed to start when DHCP device failed to obtain a lease.
    • Rfe #90372: Disable automatic updates.
  • OpenVPN

    • Bug #86617: Include login attempts of users with no OpenVPN access in the authentication summary log.
    • Rfe #90873: Add checkbox to disable 'Receive compression'. It's recommended to disable this option but this requires distributing new configuration files to all clients.
    • Rfe #90872: Add checkbox to remove the - deprecated - cipher option from client configuration files. It's recommended to disable this option but this requires all OpenVPN users to use OpenVPN 2.4+.
  • Proxy

    • Bug #88401: Only allow users that are configured on the AXS Guard to authenticate using Kerberos.
  • Reporting

    • Rfe #86826: Group similar reject reasons in the E-mail reports.
  • Reverse Proxy

    • Rfe #187a1e: Verify if configured port is available during a system configuration check.
    • Rfe #f4ae84: Show warning when the configured certificate is expired.
  • SSTP

    • Rfe #85379: Extend the SSTP validation to detect configuration conflicts.
  • Tool

    • Bug #91241: Clear the 'changed' flag after restoring a backup.
    • Rfe #85548: Fine-tune 'Port already in use' errors.
    • Bug #87549: Reduce number of validation errors when an invalid authentication policy is configured.
    • Bug #90333: Correct information-links of IPS Rules.
    • Bug #86482: Fix for excluding a previously included IPS rule.
    • Rfe #91226: Update title of the IPS Rules page.
    • Rfe #87331: Enhance IPsec Status page when no tunnels are configured.
    • Rfe #86203: Include the blocked reason when viewing a quarantined e-mail.
    • Bug #87867: Correct invalid link on Personal AXS Guard status page.
    • Rfe #86825: Add a scrollbar in the legends of Web Access and E-Mail reports.
    • Rfe #91794: Speed-up loading of DHCP used leases overview.
    • Rfe #90801: Include device description in Device Statistics.

Version 10.4.10

Trend Micro Antivirus

Resolve Bug #130743 - Antivirus : Ensure only one instance of trophie is running after upgrade to 10.4.9.

Prevent more than one trophie process from accepting new connections for antivirus processing in order to avoid the use of outdated pattern files and HA failover issues.

On HA systems, failovers will not succeed as only one trophie process is terminated while others still hold references to the trophie socket residing on the DRBD filesystem. As long as this socket continues to exist, the DRBD filesystem will fail to unmount, stalling the HA failover.

Version 10.4.9

Antivirus Protection

  • Web Access
    • Bug #92003 - Antivirus : Remove application/pdf from HAVP skip mime list.
    • Bug #92001 - Antivirus : Update HAVP to version 0.93.7 with ICAP quick-process loop fix and preview support.

Version 10.4.8

Advanced Threat Protection for all web traffic

The AXS Guard premium content scanning license has been updated to support advanced threat intelligence and content scanning for HTTP and HTTPS traffic. To use this feature, simply enable the 'Advanced Threat Protection AXS Guard Cloud - Web' option in the Feature Activation page of your appliance.

Personal AXS Guard

PAX clients are sometimes used in environments where access to the Internet is restricted and where you cannot simply change firewall settings for outbound connections. An option to traverse restrictive firewalls has been implemented to facilitate connections for any PAX unit that is sitting behind a corporate firewall which is beyond your control. This new 'Support HTTPS Firewall Passthrough' option can be found in the PAX > Server page.

Various improvements and software fixes

  • PAX

    • Bug #91414: Fix race conditions and deadlocks in the PAX client management service, which caused delays and/or unexpected client disconnects.
  • Web Access

    • Bug 3b2eaa9fe5: Fix high CPU usage spikes by disabling partial (un)locking when scanning Microsoft Cabinet (.cab) files with ClamAV.
  • Documentation & context-sensitive help

    • All PDF documents have been replaced with a link to the online documentation.
    • Add context-sensitive help for new PAX firewall traversal option.

Version 10.4.7


AXS Guard now features an OpenVPN Access Server which facilitates the rapid deployment of secure remote access for OpenVPN users. The OpenVPN Access Server is fully compatible with the OpenVPN Connect Client, which is freely available for Windows, Android and iOS.

With this client, users can easily download and import their OpenVPN configuration and certificate via a secure connection to the AXS Guard Cloud. This new feature considerably alleviates administrative burden for system administrators, as they no longer have to manually distribute OpenVPN certificates and configuration files to authorized users.

Various improvements and software fixes

  • Blocklists

    • Bug #90466: Extend backup with blocklists configuration.
  • Network

    • Rfe #90903: Upgrade network speed test.
  • Reports

    • Rfe #90319: Increase visibility of system reports.
  • Reverse Proxy RDG

    • Bug #90929: Fix issues with some characters in backend password.
  • System

    • Rfe #1d658c44b2: Upgrade OpenSSL library.
    • Rfe #90847: Also perform time synchronization when there is a large time drift.
    • Rfe #90392: Add support for TLSv1.3.

Version 10.4.6

Various improvements and software fixes

  • edb946ddc7: Remove syntax errors in RADIUS configuration when secrets contain spaces or quotes.

  • cf248bf44d: Remove DIGIPASS API models from backup validation to eliminate error messages on systems without licensed tokens.

  • 19a4b8889b: Remove DIGIPASS API login and registration background jobs when the DIGIPASS feature is no longer used.

Version 10.4.5

Various improvements and software fixes

  • Defect #90711: Change the default service port of the DIGIPASS App server to avoid port conflicts.

  • Rfe #125917: Optimize the activation of all IP address lists at boot time, in order to speed up the boot process on slower systems. This means a considerable reduction of the total boot time from a little over 6 mins to just about 6 seconds.

  • Rfe #84772: Collect all SSTP VPN log messages into a single file for a better user experience. The updated log consists of relevant HTTP reverse proxy entries, SSTP server and PPP events.

Version 10.4.4

Various improvements and software fixes

  • Rfe #90764: Fine-tune e-mail security checks for whitelisted e-mail addresses.
  • Rfe #90765: Automatically disable anti-spoofing for VPN clients.
  • Rfe #90753: Reduce excessive logging in Webmail error logs.

Version 10.4.3

Various improvements and software fixes

  • Rfe #89897 IPsec: Add default IKE profiles for SHA-256.
  • Rfe #133d575c E-mail: Include the reason why spam was deleted by AXS Guard (extra column in 'deleted spam' overview).
  • Rfe #89192 E-mail: Improve anti-spoofing capabilities.
  • Rfe #82697 Directory Services: Disable users on AXS Guard when they are disabled in the LDAP backend.

Version 10.4.2

Application Control

Introduce a software fix to prevent system failures (kernel panics) when malformed packets occur.

Virtual AXS Guard

Added support for oVirt, an open-source distributed virtualization solution.


Added new functionality to the Intrusion Prevention System to automatically detect whether a system CPU supports SSSE3, a SIMD instruction set created by Intel (for increased performance).


Ignore the IP address of a DHCP device during the validation of a static route.

Reverse Proxy RDG

A new authentication policy was added, which supports logins with a back-end password, followed by a one-time password generated with either an OATH or DIGIPASS token (back-end password + OATH or DIGIPASS).

Version 10.4.1

Various improvements and software fixes

Version 10.4.1 contains various software fixes to improve the overall quality, stability and security of the AXS Guard appliance.

Contact for additional information.

New Features

Strong Authentication with Push Notifications for Web Applications

The AXS Guard reverse proxy now supports Push Notification Authentication.

Push Notification Authentication enables user authentication by sending a push notification directly to the user’s smartphone, alerting them that an authentication attempt is taking place.

Users can now use their mobile devices as the second required factor for secure two-factor authentication; there is no need for client-side tokens or additional devices.

When users log into a secured web application, they will automatically receive an authentication request based on their username. Users can then view the authentication details and approve or deny access, via the simple press of a button.

To use this feature, you need the mobile application, which can be personalized and branded according to your requirements, a DIGIPASS server license, the AXS Guard Enterprise bundle and a web application to be secured.

Please note that in order to use this feature, some custom development is required. Contact for more information.

Firewall Geo-blocking

Geo-blocking is a technology which limits Internet traffic based on geographic location. You determine whether users can access your network or application based on their specific location.

This new feature allows system administrators to easily block malicious traffic - such as automated cyberattacks & port scanners - coming from unauthorized locations. It can also be used to prevent users from accessing potentially dangerous and questionable services hosted abroad.

Geo-blocking is an effective tool to prevent your system logs from being flooded with unnecessary information and eases the administrative burden.

AXS Guard NTP Cloud Service

Precise time is necessary to efficiently compare log files between various IT systems, for example in the event of a security incident. Many AXS Guard services, such as 2FA, Kerberos and scheduled tasks, also rely on precise time.

AXS Guard has gone through the validation process and is now officially part of the global NTP network.

NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference. NTP is an Internet standard.

Reconfiguring the NTP settings of your computers is relatively easy. This setting can also be configured centrally so that you don’t have to manually reconfigure each and every individual computer in your network.

CEO Fraud Protection

CEO Fraud is a type of spear-phishing email attack.

Typically, attackers identify themselves as high-level executives (CFO, CEO, CTO, etc.), lawyers or other types of legal representatives and purport to be handling confidential or time-sensitive matters, attempting to trick staff into transferring money to a bank account they control.

The AXS Guard content scanning engine has been updated to detect and block such attacks more effectively.

System Updates and Improvements

EAP-MSCHAP v2 Support for SSTP Server

Support for the Extensible Authentication Protocol (EAP-MSCHAP v2) has been added to the AXS Guard SSTP server to improve security.

RDG Password Auto-learning

This reverse proxy feature already existed for HTTP back-ends, but has now also been implemented for Remote Desktop Gateways. It offers a better UX to end users and allows for a swifter integration of secure AXS Guard authentication methods, such as 2FA.

Network Connectivity Checks

Connectivity checking periodically tests whether the AXS Guard network interfaces still have connectivity. This option has been refactored in the web-based administrator tool for a better user experience.

OpenVPN and PAX Server

The server binding options have been refactored to improve the user experience. Administrators who are looking to (re)configure the PAX or OpenVPN service are now presented with a clear selection of binding options.

Semi-Persistent IP Addresses for OpenVPN Clients

The OpenVPN server has been updated to maintain a persistent list of IP addresses handed out to different clients. When a client reconnects at a later time, the IP address that was used previously will automatically be reassigned by the server.

Samba Updates

Samba is a standard Windows interoperability suite of programs used on AXS Guard. Various components of this suite have been upgraded to improve security for the following services:

  • System backups on network shares

  • Directory services & authentication (LDAP)


The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in PDF and HTML formats.

The following manuals have been added or updated:

  • AXS Guard Authentication Guide

  • AXS Guard Firewall Guide

  • AXS Guard OpenVPN Guide

  • AXS Guard PAX Installation Guide

  • AXS Guard Reverse Proxy Guide

  • AXS Guard System Administration Guide

  • AXS Guard SSTP Guide

The following KB articles have been added or updated:

  • AXS Guard WPAD Configuration

  • AXS Guard Remote Workspace