AXS Guard UTM Release Notes
The release notes provide information on new product features, improvements, known issues, and bug fixes for each AXS Guard version.
Individual software components are documented in the product manuals section. Carefully review this document to avoid configuration difficulties.
Version 11.1.13 - Latest
VLAN Configuration
- A system reboot is no longer required when changing VLAN settings (adding, deleting, or updating).
- IP addresses are updated automatically.
- Services are restarted to match the new configuration.
Microsoft Entra ID
- Seamless integration with Microsoft Entra ID (formerly known as Azure Active Directory).
- Sync groups and users directly from Microsoft Entra ID.
- Authenticate and authorize users with their Microsoft Entra ID credentials.
- Go to Directory Services > Profiles to configure your Microsoft Entra ID settings.
DKIM
DKIM (DomainKeys Identified Mail) is now supported for outgoing mail traffic. This e-mail authentication method helps detect forged sender addresses, a technique often used in phishing and spam.
To configure DKIM settings for your e-mail domains, go to E-mail > DKIM Keys.
Version 11.1.12
PAX
Resolved an issue where PAX units failed to retrieve their configuration post-connection from appliances with a large number of certificates.
Web Access
Implemented performance improvements to the Kerberos client authentication process, reducing latency under high load conditions.
Version 11.1.11
PKI
- The expiry date is now highlighted in the certificate details if a certificate has expired or is close to expiring.
- The PAX feature now logs the last 5 uses of client certificates, including the time and client IP address of each connection. This information, similar to that of OpenVPN client certificates, can be found under PKI > Certificates.

| Color | Status |
| --- | --- |
| Red | Certificate expired |
| Orange | Certificate will expire in less than 28 days |
| Black | Certificate is not close to expiry |

The mail queue now includes a column displaying the subject of each email waiting to be sent, aligning it with the Quarantined Queue and Deleted Spam overviews.
You can find this information under E-mail > Status > Queue.
Logging
- The Firewall, Application Control, and Network Security logs now feature color-coded action cells, allowing system administrators to quickly identify whether an action was blocked or accepted.
- The service column will be consistently displayed in the authentication summary logs.
System Improvements
- Rebooting or shutting down the appliance will be automatically delayed during system updates or other critical processes. In such cases, the administrator will see a notification in the top pane of the configuration tool.
- IP addresses in Azure are now assigned based on the MAC addresses.
- Additionally, when changing IP settings in Azure, an error will now appear on the dashboard, notifying the administrator that the AXS Guard configuration is out of sync. It will also prompt the administrator to schedule a reboot to resolve the issue.
Firewall
- The source and destination fields of DMZ filter rules now include an edit as list button, making it easier to copy and paste IP lists and aligning it with the configuration options of other firewall rules.
- FQDNs can now be used in the destination field of DMZ filter rules.
- The default fwd-isabel-6 firewall rule now includes Isabel FQDN destinations. With our FQDN-resolving service, this rule will stay automatically up to date whenever there is a change in any of the associated IP addresses.
- Port Forwarding now has an additional option to enable logging. The log entries can be found in the Firewall and Network Security logs. Each new connection is logged as FORWARD ACCEPT with a link to the port forward details.
Dynamic DNS
Allow the use of the external IP address instead of the device IP address when using a Dynamic DNS provider. If configured, AXS Guard will check the external IP address by connecting to a server from your provider. This is necessary when the AXS Guard appliance is sitting behind a NAT layer. Updates will occur every hour.
Version 11.1.10
Summary Logs
We've implemented a new feature to capture additional information about devices that request DHCP leases. This enhancement provides more granular visibility into network traffic and can aid in identifying potential security risks or network anomalies. If a device provides a hostname during its DHCP lease request, the information is recorded in the following summary logs:
- Application Control: For application-layer traffic analysis.
- DNS Security: For DNS-related security events.
- Web Access: For recording web-based activity.
System Health
The system dashboard has been enhanced to include the affected network device type in connection problem error messages, providing more detailed information for troubleshooting.
Other System Enhancements
- Automated SSTP Server Restart: The SSTP server now automatically restarts after its certificate is updated, ensuring uninterrupted service.
- Enhanced Alert Messages: Alert messages on AXS Guard Cloud now include the version and hotfix number for more precise troubleshooting.
- Real-time Update Notifications: AXS Guard Cloud immediately reports the new version after installing software updates, providing timely information.
Version 11.1.9
OATH Tokens
The OATH token time skew can now be adjusted manually. Manual configuration allows system administrators to set the time skew to a specific value.
This feature is primarily intended for users with hardware tokens that may have slightly different time synchronization compared to the AXS Guard appliance. Unlike software tokens, which rely on NTP for timekeeping, hardware tokens can introduce discrepancies. This update addresses potential issues arising from these time differences.
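The effect of a per-token time skew on TOTP validation, shown as an added example (not AXS Guard code or its implementation). It uses the RFC 6238 algorithm with HMAC-SHA1; the names `skew_steps` and `window`, the 30-second step and the sample clock values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds (assumed here)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int,
           skew_steps: int = 0, window: int = 1):
    """Return the step offset at which the code matched, or None if rejected.

    skew_steps (hypothetical name): manual per-token correction, in time
    steps, applied to the server clock before the comparison.
    window (hypothetical name): steps accepted on either side of that point.
    """
    base = server_time + skew_steps * STEP
    for delta in range(-window, window + 1):
        candidate = totp(secret, base + delta * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate, code):
            return skew_steps + delta
    return None


def demo() -> dict:
    secret = b"12345678901234567890"       # RFC 6238 test secret
    server_time = 1_700_000_000            # constructed server clock
    token_clock = server_time - 4 * STEP   # constructed: token runs 2 min slow
    code = totp(secret, token_clock)
    return {
        # The default window of +/-1 step cannot reach a token 4 steps behind.
        "no_skew": verify(secret, code, server_time),
        # A manual skew of -4 steps realigns the server with the token.
        "with_skew": verify(secret, code, server_time, skew_steps=-4),
    }


if __name__ == "__main__":
    print(demo())
```

Correcting the skew per token keeps the acceptance window narrow; widening the window for every token to absorb one drifting device would lengthen the time any captured code stays valid.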
System
- Enhanced performance when working with extensive domain filters.
- Updated multiple packages to address reported vulnerabilities (CVEs).
Version 11.1.8
OATH Tokens
We're pleased to introduce support for Time-Based One-Time Password (TOTP) hardware authenticators. This new feature enables administrators to import TOTP secrets directly, streamlining the management of OATH tokens and improving overall convenience and security.
To add TOTP secrets, log in to your AXS Guard appliance and navigate to Authentication > Authenticators > OATH > Tokens. Then click the + button.
Version 11.1.7
OATH Tokens
- Added an OATH configuration page to allow customization of the default label and issuer. The issuer identifies the provider or service associated with the account. It's displayed in supported OATH authenticator apps like Microsoft Authenticator or Google Authenticator.
- Additionally, the OATH token detail page now also shows the secret and QR code, allowing administrators to arrange alternative delivery methods for the QR code to the user.
DNS Security
- Expanded DNS security logs to include blocked proxy requests, providing comprehensive visibility into potential threats and improving incident response capabilities.
- Introduced a Type column in the DNS security logs that describes the event triggering the block, enabling granular analysis and troubleshooting of security incidents.
NAT
- Port Redirection: Enhanced flexibility for source and destination IP address management. Admins can now specify multiple source and destination IP addresses and networks for port redirection rules. Additionally, the ability to exclude specific source and destination IP addresses and network ranges has also been added.
- SNAT & DNAT: Enhanced SNAT and DNAT rule granularity. Rules can now be defined with specific protocols and ports, providing finer control over network traffic. Additionally, IANA port information and usage details are now displayed to aid in rule configuration.
PKI
Implemented bulk revocation for the efficient management of certificates, providing flexibility in addressing various revocation scenarios.
Firewall Block Lists
Introduced the ability to block domains and FQDNs in addition to IP addresses or networks. The AXS Guard appliance automatically resolves blocked domains to IP addresses, dynamically updating the block list based on DNS record changes. This provides more flexible and effective protection against evolving threats compared to traditional IP-based blocking.
OpenVPN
- Added support for OpenVPN Data Channel Offload (DCO), which offloads the data transfer portion of OpenVPN to a kernel module. This can significantly boost performance and optimize resource usage. DCO is only available in TUN mode and requires disabling all legacy OpenVPN Server settings in the Security Settings tab.
- The legacy Accept Compressed Data option now works with OpenVPN Connect version 3.5.
IPsec
Introduced a summary log that tracks IPsec tunnel up and down events, providing detailed metadata such as tunnel uptime, data transferred, and peer IP addresses.
Web Access
- A custom error page was implemented to inform users when DNS security blocks a domain, improving the user experience.
- Enhanced log entries with detailed user and host information to improve troubleshooting and security analysis capabilities.
- Optimized memory consumption to handle high traffic loads efficiently, improving system performance and stability.
System
Updated multiple packages to address critical vulnerabilities (CVEs).
Version 11.1.6
Update OpenSSH to Address regreSSHion Vulnerability (CVE-2024-6387)
A critical remote code execution (RCE) vulnerability, known as regreSSHion (CVE-2024-6387), has been identified in the OpenSSH server on glibc-based Linux systems.
Risk Assessment for AXS Guard:
While this vulnerability is severe, the risk on AXS Guard is considered minimal due to the following reasons:
- AXS Guard operates on a 64-bit system with Address Space Layout Randomization (ASLR) enabled.
- AXS Guard's SSH access is restricted and not exposed to the public internet.
Additional Information:
For further details on this vulnerability, please refer to the following resource: regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server.
Version 11.1.5
Streamlined OpenVPN Access Server Setup
- We've simplified the OpenVPN connection process for end-users! They can now import certificates directly using your company domain within the OpenVPN Connect application. For example, they can use openvpn.mycompany.com instead of the 0000-000XXXXX.appliances.axsguard.cloud URL provided by AXS Guard. This makes connecting to the company network through OpenVPN easier and more user-friendly. To configure the hostname of the OpenVPN access server and other Local Access Server settings, go to VPN > OpenVPN > Server, then select the Access Server tab.
- System administrators can now customize the sender address for OpenVPN certificate expiry notifications, allowing them to be sent from a more recognizable address (e.g., admin@example.com) instead of the default root address. This improves transparency and user trust in the notification process.
MTA & Mail Filtering Improvements
- Enhanced Spam Filtering with SecureDNS: We've boosted our email security with SecureDNS. When enabled, AXS Guard will analyze domains within emails using SecureDNS and DNS filters. If a domain is flagged as malicious, the spam score of the email will be automatically increased, ensuring it lands in the spam folder. The Deleted Spam info page now provides even greater detail, highlighting the specific malicious domains identified in each deleted email, along with their corresponding category.
- Improved mail server stability: The mail server now handles restarts more gracefully, minimizing downtime. It can now efficiently handle large bursts of emails, ensuring smooth operation during peak usage.
Streamlined Internet Redundancy Checks for HA Setups
We've improved redundancy checks for High Availability (HA) setups to ensure optimal performance. AXS Guard will now automatically verify if your internet redundancy configuration is fully compatible. If any inconsistencies are detected (e.g., different device configurations on master and slave nodes, or mismatched filter priorities), an error message will be displayed on the dashboard. This proactive approach helps you identify and address potential issues before they impact your network's redundancy.
Scheduled Reboots and Filesystem Checks
We've empowered you with greater control over system maintenance! You can now schedule reboots at your convenience, ensuring minimal disruption during business hours. Simply access the tool under System > Tools > Actions and plan your reboot for a time that best suits your needs. A convenient countdown timer will appear in the top toolbar, keeping you informed of upcoming reboots.
Additionally, you can now customize the filesystem check interval. By default, AXS Guard automatically performs a filesystem check every 10 automatic reboots. This setting can be adjusted to meet your specific needs. Go to System > Tools > Automatic Reboot to configure the filesystem check interval.
Enhanced Configuration Management with Sortable Tables
We've improved usability within the configuration tool by making key tables sortable. This includes the Processes table under System > Status and the Mail Quota table under Email > Status. Now, you can easily organize and filter data for a more streamlined management experience.
Version 11.1.4
DNS Security
The DNS security logs now include the queried record types for better analysis.
Web Access
Enhanced browsing experience. WebSockets are now enabled for users accessing the web behind the proxy.
Statistics
We've expanded the proxy group and added dedicated groups for DNS and IPS, providing more granular insights into your network activity. To see the expanded process statistics, log in to your appliance and navigate to Statistics > Processes.
Version 11.1.3
Introducing the all-new Comfort Threat Protection Pack!
Formerly known as Cont. Scan Plus, our enhanced protection suite is now packed with even more robust features to shield you from cyber threats. And here's the best part: it's all yours at no extra cost!
- DNS Filtering: Explore the web with confidence as our advanced DNS blacklists, centrally managed in the AXS Guard Cloud, ensure a safer browsing experience.
- GeoIP Filtering: Take command of your network traffic by selectively blocking connections to and from specific regions.
Firewall Updates
- The classification of DNS resolving failed for firewall rule status messages has been adjusted from error to notice.
- DNS over TCP is now permitted within the default secure and forward policies.
MAC Address Spoofing
MAC address spoofing is now accessible in the administration tool. This feature enables you to replace devices without needing to update the authorized MAC address with your service provider. The original MAC address can be viewed on the Network > Status > Devices page. If the MAC address change process encounters an error, it will be shown on the dashboard.
OpenVPN Certificates
OpenVPN now records certificate usage, simplifying the identification and updating of outdated certificates within the PKI > Certificates section.
Other Improvements & Bug Fixes
- DHCP client errors now on the dashboard: Easily identify issues with DHCP clients directly on the dashboard.
- OpenVPN status page improved: See traffic in Mb/Gb, country flags for connections, and relative timestamps for a more user-friendly experience.
- Authentication log streamlined: Less clutter in the authentication log with the removal of some debug messages.
- The CPU statistics now accurately reflect the current time.
- Mailbox upgrades: All mailboxes will be automatically upgraded to the latest metadata version.
- IPv6 disabled for legacy VPNs: SSTP, L2TP, and PPTP VPN.
Version 11.1.2
Web-based Configuration Tool
Any field that accepts network information input will now feature a calculator icon. Hovering over this icon will reveal comprehensive details about the network.
AXS Guard Cloud Advanced Threat Protection
- Enhance performance by optimizing requests to the AXS Guard cloud.
- Include transaction timing information for Cloud anti-virus.
Version 11.1.1
Lock down your admin account with free 2FA:
We're pleased to offer a free OATH license (1 token) in this release, which can be used to secure your administrator account. This enables you to activate 2FA for logging in to the web-based administration tool.
Web-based Configuration Tool:
Changes made in configuration pages with an Edit as list button will now be saved automatically, eliminating the need to save the field separately before saving the entire page.
OpenVPN & PAX:
Improve network stability for VPN connections by increasing the default Dead Peer Detection values. This leads to fewer unnecessary reconnections when ping packets are accidentally dropped. The new default values are shown below.
Web Access:
Include timing information in Web Access logs for every request processed by the AXS Guard proxy. This feature assists in troubleshooting slow proxy issues.
Version 11.1.0
Increased SSL/TLS security:
Support for legacy protocols such as SSLv3, TLS 1.0, and TLS 1.1 has been removed. Only TLS 1.2 and 1.3 are now supported, along with HIGH-type ciphers. This may affect AXS Guard configurations where old Windows versions and clients are still being used (Windows Vista/Server 2008 and older). Navigate to System -> Security -> TLS for details.
Extended root partition:
The AXS Guard root partition size has been increased from 10GB to 15GB, to mitigate disk space issues and warnings.
Updated Base System:
Various software packages have been updated to their latest versions for improved security, performance, and stability.
Package Removals:
The following legacy features have been removed and are no longer supported:
- SSL Web Portal (Adito)
- SSL VPN (SSL explorer)
- Sumo Logic SIEM
Reverse Proxy:
The following backends are deprecated and have been removed:
- OWA2003
- OWA2007
- OWA2010