Skip to content

AXS Guard UTM Release Notes

About

The release notes provide information on new product features, improvements, known issues, and bug fixes for each AXS Guard version.

Individual software components are documented in the product manuals section. Please review the notes below carefully to avoid configuration difficulties.

Version 11.0.24 - Latest

Networking:

When a DHCP-enabled device obtains a new IP address, ensure that routes, masquerading settings, port forwards, and port redirects are updated accordingly.

Web Access:

An option has been added to the configuration tool, enabling the possibility to configure multiple workers for the proxy server. Distributing the workload among multiple workers allows for more efficient use of system resources, such as CPU and memory, which is especially important on systems where SSL inspection is enabled. Go to Web Access > Proxy Server > Content Scanning to configure the amount of workers for the AXS Guard proxy server.

Web-based configuration tool:

  • Enhance the user experience by making table headers persistently visible at the top.
  • Resolved issues affecting the OpenVPN status overview for improved functionality and accuracy.
  • Improve the monitoring experience ensuring a focused and meaningful dashboard presentation by excluding non-essential information.
  • UPS configuration: Set fields and options as required.

MTA:

  • A quarantine display issue that hindered the presentation of quarantined emails in certain scenarios has been resolved.
  • Introducing the ability to decode hex-encoded ORCPT mail addresses.

Sytem Update:

Optimize the system for a seamless upgrade to version 11.1. This includes performing necessary pre-upgrade checks, ensuring compatibility with new features, and addressing any potential issues to enhance the overall upgrade experience.

Version 11.0.23

Firewall:

A new log only target has been added to the firewall rules page. This new target allows administrators to configure firewall rules that log matching packets without taking any action, such as ACCEPT or DROP.

The log only target is designed to enhance network monitoring and troubleshooting capabilities. Administrators can now gain insights into packet flows by observing logged data without directly impacting the network traffic. This feature facilitates effective rule set development, security auditing, and streamlined troubleshooting processes.

Web-based configuration tool:

  • When activating new software options, the tool will show the number of licensed PAX units.
  • The System Info page now shows the number of licensed PAX units.
  • If you wish to add more PAX units than are currently licensed, please contact our sales team at sales@axsguard.com.

  • Implemented the ability to sort columns on the Services Status page.

  • The menu search now supports the use of the keyword notification to locate all pages where email notifications can be configured.

DNS:

  • When the legacy extranet feature is disabled, a DNS record will no longer be added for www.systemdomain.
  • Some FQDN IPset-related debug messages were removed from the fullevent log.

Reverse Proxy:

  • Addressed an issue in the RDG reverse proxy where disabling TLSv1.1 caused a malfunction.
  • The security of the RDG reverse proxy was enhanced by disabling SSL client renegotiation.

Other improvements:

  • MTA:

    • When an SMTP relay server is configured, AXS Guard will now automatically attempt TCP ports 587, 25, and, if necessary, 2525 in respective order.
    • Added an option to enable SMTPS over TCP port 465 (deprecated protocol).

  • System:

    • Removed harmless ASPM/PCI kernel errors and Snort messages from the Security Events mail notification.
    • Enabled shell arithmetic in BusyBox as part of the preparation for AXS Guard version 11.1.
    • Mitigate the risk of memory leaks by optimizing the handling of (tool) metrics requests.
  • DHCP: Addressed a critical log message related to pool exhaustion not being exported.

  • PKI: Remove HTML tags from notifications sent to administrators about close-to-expiring and/or expired certificates.
Version 11.0.22

System Status: Preparations for AXS Guard Cloud Monitoring

Many metrics and status messages, including configuration errors, warnings, and notices, are now being sent to the AXS Guard Cloud in preparation for the upcoming monitoring dashboard.

This monitoring dashboard will provide instant access to the status information of all your systems. The AXS Guard metrics will also trigger additional alerts, which will be displayed on the Alert dashboard.

New Hardware: Fiber Ready with SFP+ Network Interfaces

We're excited to announce that the AG5 and AG9 series now support SFP+ (Small Form Factor Pluggable) modules, allowing data transmission over various media, including fiber optic and copper cables.

These versatile interfaces enhance your network configurations, offering flexibility for seamless swapping, upgrading, or changing the medium type in use.

Firewall Enhancements: Seamless audio and video calls for WhatsApp

System administrators can now simply enable WhatsApp audio and video calls by using the new predefined fwd-whatsapp firewall rules.

Other improvements

  • Firewall:

    • Allow system administrators to enter a list of source IP addresses in a firewall rule, similar to the destination field.
    • Match subdomains when SLDs are specified in the firewall destination field.
    • Allow for the configuration of the BAD3 DOS packet limit, as the calculated threshold may not adequately accommodate larger network environments.
    • Activate Microsoft Endpoint Manager (Intune) firewall rules when available.
    • Pressing the Enter key will now conclude the edit as list action and update the destination IP field.
  • User Authentication:

    • Ensure OATH tokens are always enabled after (re)assignment, making them ready for use.
    • Fix missing RDG Reverse Proxy authentication deny log messages.
  • DNS:

    • Remove the DNS Agent test domain from the DNS Security logs.
    • Avoid errors while gathering domain information due to ignored DNS requests.
    • Include best practices in DNS filter context-sensitive help, advising the use of TLDs and SLDs.
  • E-mail:

    • Always show the e-mail alias field that is used for sending user notifications.
    • Use the mail domain instead of the system domain as a fallback for sending user notifications when no aliases are available.
    • Reduce the size of the Webmail error log by mitigating PHP warnings associated with the LDAP address book.
  • System:

    • Disable the IPS feature by default on new systems.
    • Fix configuration synchronization issues after enabling or disabling a PAX client.
    • Fix race conditions in logdaemon when a termination signal is raised while data is still being processed.
    • Add support for AXS Guard Cloud services/connections on HA slave nodes.
    • Correct status redirects to models used in various different pages.
    • Enable the numlock LED while booting.
    • Address CVE-2023-4911 in glibc.
    • Disable automatic reboot for AG2 systems that are using the Crucial SSD.
    • Clean up upgrade packages that are older than 28 days with every system update.
    • Improve DHCP error message handling, preventing system overload.
Version 11.0.21

Networking

A new Wake on LAN feature has been added. With this tool, system administrators can wake up dormant devices connected to the Secure LAN or DMZ. This feature allows you to reduce energy costs and extends the hardware lifetime by ensuring that resources are used efficiently.

AXS Guard Cloud Notifications

The AXS Guard cloud will automatically notify you when configuration changes are made to AXS Guard appliances that you manage. These notifications will let you know whether the changes were applied successfully or not, making it easier to keep track of configuration changes, troubleshoot and manage your AXS Guard appliances.

Reverse Proxy

The password auto-learn capabilities for RDG and RDP logins have been enhanced. Many organizations require users to change their passwords regularly, which creates challenges due to the need for immediate password updates. Users frequently opt for appending extensions to their current passwords for convenience.

This practice resulted in issues with the auto-learn function, as it recognized the old password as a match and considered only the added extension as a new password to learn. To address this, we've expanded the password auto-learn feature to recognize multiple passwords and iterate through them, in order to determine which one is eventually accepted by the backend system.

Firewall Logging

The firewall logs have been enhanced to include DHCP hostname information. Reading, remembering, and searching for IP addresses in extensive firewall logs can be challenging. As of now, if a source or destination IP address belongs to a local LAN with DHCP enabled, the log will show the hostnames associated with the active DHCP leases.

Other Improvements

  • Pass version and revision information to the AXS Guard cloud backup service.
  • Write VPN in uppercase in the security settings for OpenVPN service names.
  • Allow underscores in domain names when parsing messages from dnsmasq.
  • Fix the logout functionality for Reverse Proxy HTTP Session Management.
  • Implement IPv6 DNS response filtering to prevent DNS security from being bypassed.
Version 11.0.20

Simplified Firewall Configuration

  • Firewall rules can now be set using a single field for domain names and IP addresses. This makes it easier to create and manage firewall rules.
  • Existing FQDN rules will now apply to the main domain as well as its subdomains. This means that you can create a single rule to match traffic related to a domain and all of its subdomains.

Firewall Logging

We have enhanced our firewall logs to include the domain names associated with the IP addresses found in DNS responses. This makes it easier to identify traffic destinations that are being blocked by the firewall.

Reverse Proxy Login Page

A button has been added to the Reverse Proxy login page allowing users to reveal their password while typing it. This makes it easier to enter their password correctly.

Other Improvements

  • PAX now supports static DHCP leases within VLAN setups. This allows you to assign static IP addresses to devices within a VLAN.
  • Specific warnings related to port redirection have been removed to streamline the user experience.
  • An issue that prevented SecureDNS from resolving domain names when the time was incorrect during boot-up has been addressed.
  • When a certificate is close to expiring, a clickable link will appear on the system dashboard. Clicking the link takes you directly to the relevant certificate page, saving you time and effort.
Version 11.0.19

System Administration Dashboard Improvements

The AXS Guard System Administration Dashboard displays system health messages.

Multiple alerts that are related are now grouped together, and each alert has a link to the corresponding configuration page, making it easier for system administrators to investigate and resolve reported issues. Please note that alerts for configurations that have been disabled or are not in use will no longer appear on the system dashboard.

Personal AXS Guard

An option has been added to allow system administrators to choose which PAX clients should be monitored via the system administration dashboard. While all PAX units are monitored by default, administrators can choose to disable monitoring for specific units by navigating to the PAX client configuration page.

OpenVPN Connect Client 3.4

AXS Guard automatically generates OpenVPN configurations, enabling system administrators to swiftly deploy VPN access for users.

However, there is a bug in OpenVPN Connect Client version 3.4 that triggers an error when used with our OpenVPN configuration files. To rectify this issue, we have implemented modifications to ensure that the generated AXS Guard OpenVPN client configurations remain compatible with version 3.4 of the OpenVPN Connect Client.

Version 11.0.18

Port Forwarding & Port Redirection

The LAN interface is now available for both port forwarding and port redirection. This enhancement enables you to exclude VPN connections when creating rules, providing more flexibility and control over your network configurations.

PKI: Support for ECDSA Certificates

In addition to RSA certificates, you can now upload certificates that make use of elliptic curve cryptography (ECDSA) for deriving the public key and certificate signing keys. ECC offers the advantage of smaller key sizes compared to non-EC cryptography (such as RSA) while maintaining equivalent security levels. Therefore, ECDSA certificates are the preferred choice when higher efficiency is required.

E-mail

  • Resolve a configuration conflict related to the default SMTP authentication port.
  • Prevent legitimate e-mails containing French accents (U+00E9) from being deleted.

Antivirus

  • Whitelist additional Windows update URLs.
  • Remove mandatory locking.

Other improvements and bug fixes

  • System: Load the coretemp kernel module at boot. This module permits reading the DTS (Digital Temperature Sensor) embedded inside Intel CPUs, which is required to monitor system temperatures with htop.
  • User Authentication: Enforce a RADIUS timeout ranging from 3 to 60 seconds, aligned with the specifications of FreeRADIUS.
  • OpenVPN: Prevent OpenVPN from entering a startup loop when attempting to bind to a non-available IP address.
  • NAT: Fix a typo in the validation of NAT rules.
  • AGtunnel: Keep cloud certificate on master and slave units after failover.
Version 11.0.17

DNS Filtering Feature

System administrators now have the flexibility to enhance the existing SecureDNS filters by incorporating additional ones as per their specific requirements.

These supplementary DNS filters are built upon web access filter categories, allowing administrators to exert greater control over the network's DNS resolution process.

Typical use cases include, but are not limited to, blocking domains related to gambling, NSFW content, phishing, malware and more.

Firewall Updates

A firewall rule was added to allow WhatsApp by default.

WhatsApp is widely used for communication purposes, both personal and professional, making it a convenient and familiar platform for users. By allowing WhatsApp, organizations can facilitate seamless communication among employees, clients, and partners, enhancing collaboration and productivity.

Firewall rules for Isabel 6 were added to the fwd-banking policy.

E-mail Authentication

A dedicated smtpd instance has been added to better support SMTP authentication.

Allowing SMTP authentication on another smtpd port provides enhanced security by enforcing stricter measures for authenticated email transmission, enables differentiated access control for authenticated users, and ensures compatibility with certain applications.

Reporting

System administrators can now generate reports for traffic that has been blocked by the GeoIP filtering feature.

Other improvements and bug fixes

  • Tool: Update context-sensitive help & documentation for the Reverse Proxy request filtering option.
  • Application Control: Fix layer7 kernel modules.
  • E-mail: Mark e-mails sent by AXS Guard as local.
  • High Availability: Increase DRBD buffer sizes.
  • Authentication: Increase the ID length for API logins and registrations.
  • System: Seed random while generating Identifier in record.
  • Personal AXS Guard: Route VLAN subnets in 'lan' zone.
  • System: Fix broken pidof package.
Version 11.0.16

IPsec

We are pleased to announce a new release that addresses the instability introduced in verion 11.0.15 due to certain IPsec changes. In response to user feedback and extensive testing, we have decided to revert these changes to ensure system stability and performance.

Version 11.0.15

OpenVPN

AXS Guard has incorporated a feature that verifies the expiration dates of certificates assigned to OpenVPN users and will proactively send email notifications to users when their certificate is about to expire.

This notification is composed of a default subject and default body. However, system administrators have the flexibility to modify the subject and body text of the email, allowing them to personalize the notification or override the default content as needed.

SNMP

System administrators can now configure the SNMP community string under Network > General. This string is used for authentication and access control on SNMP-enabled devices.

Other Improvements & Bug Fixes

  • Configuration Tool:

    • Fix the SecureDNS log export functionality.
    • Display a warning when system administrators configure their GeoIP settings via the AXS Guard cloud, which overwrites the local configuration.
    • Allow domain names that consist of a single character.
  • IPsec:

    • Make items in the IPsec tunnel status overview sortable.
    • Improve the general stability and routing. No longer unroute subnets in the down-client, allowing tunnels to be renegotiated as soon as traffic is detected.
  • System:

    • Add new tools to the console for advanced troubleshooting (iostat, mpstat, pidstat, tapestat, cifsiostat, htop).
    • Disable extra debug logging for kernel Oops, which was fixed in version 11.0.14.
    • Fix missing dependencies for the mtr package.
  • Others:

    • Firewall: Allow logging for traffic that matches a whitelist. Matching traffic will be logged as BLOCKLIST BYPASS.
    • Anti-virus: Whitelist MS Windows update URLs.
    • MTA: Add system information to the mail subject when sending automated notifications to system administrators.
    • Reporting: Only report dropped traffic in the malware connections report.
    • API: Allow the AXS Guard cloud to trigger updates for cloud services.
Version 11.0.14

New Changelog Format

The changelog format has been updated. As of this version, we are transitioning to the HTML format for our changelogs, designed to deliver comprehensive information in a visually appealing and more accessible manner.

Firewall Logging

To better identify the root cause of packet drops, we have implemented a new feature that enables administrators to easily pinpoint the exact rule responsible for dropped packets. Note that this requires the log this rule target option to be enabled in the firewall rule.

Console Tool

Ensure that mount issues cannot be inadvertently triggered while logging into the AXS Guard console tool in order to maintain system integrity and prevent any potential system performance issues.

Configuration Tool

  • The IP configuration for PAX and OpenVPN devices can now be viewed by navigating to Network > Status > Devices. Once you reach the Devices section, you will find detailed information about the IP configuration for PAX and OpenVPN devices.

  • Directory Services context-sensitive help & documentation: Use a more adequate example for the base DN option.

  • Clean up Easter Egg hunt code which was introduced in version 11.0.11.

Other improvements and bug fixes

  • Use wget instead of curl to download AXS Guard add-ons.
  • Central monitoring: Improve the log rotation for filebeat logs.
  • Mail: Fix excessive memory usage when scanning MS Office documents.
  • Antivirus: Improve the reload & restart function for the antivirus feature.
  • IPsec: Fix a syntax error in the updown-netkey script.
  • OpenVPN: Remove the PAM cache when a user is disabled in the GUI.
  • Log check: Ignore internal agtunnel in logcheck notifications.
  • HA: Improve the handling of DRBD unmount errors.
  • System kernel: Address a critical issue involving a kernel oops error in the nf_conntrack module, related to the usage of nfqueue and the IPS.
Version 11.0.13

OpenVPN

Implement support for multiple search domains.

Pushing multiple search domains to OpenVPN clients can be useful in scenarios where clients need to access resources on multiple domains or subdomains. The client's DNS resolver will be able to search for network resources without the need for the user to explicitly specify the domains in URLs or hostnames.

Office 365 Wizard

Add extra steps for appliances with Internet redundancy. System administrators can now route Office 365 traffic through a specific device on systems with redundant Internet connections.

Configuration Tool

  • Feature Activation: The PPTP, Public DNS and SSL Web portal features are now disabled by default.
  • Feature Activation: Remove the custom application option for the reverse proxy.
  • DHCP: Allow basic administrators to view and copy advanced DHCP options.
  • Fix various typos throughout the interface.
  • Fix the column layout on the SNAT & DNAT overview page.

Other System Updates

  • Backup & Restore: Increase the backup timeout to mitigate NT_STATUS_IO_TIMEOUT errors.
  • Anti-virus: Whitelist Microsoft update servers.
  • High Availability: Implement a nightly sync to prevent synchronization errors.
Version 11.0.12

Security Updates

  • Application Control: Add TikTok to blocked applications.
  • IPS: Update snort to the latest patch level.
  • OpenVPN: Allow system administrators to configure the preferred protocols and ciphers to secure and encrypt data transmitted over VPN connections.

System Updates

  • Licensing: Remove the serial number in license.dat files.
  • Personal AXS Guard: Ensure allowed Internet traffic is identical for IPv4 and IPv6.
  • Firewall: Fix connection tracking issues.
  • AXS Guard Cloud: Increase the update interval from 5 to 15 minutes and introduce a random delay between updates.
  • Context-sensitive help: Make all URLs relative.
  • Configuration wizard: Fix a syntax error in the group wizard.
Version 11.0.11

Happy Easter!

As a special treat for our customers, we've hidden a little surprise in our latest software release. Throughout the interface, there are Easter eggs waiting to be found.

We'll leave it up to you to discover. So go ahead, log in and explore the software, click around and see what you can find. And who knows, maybe there are even more surprises waiting for you if you keep digging.

Have fun and enjoy!

Easter

Version 11.0.10

System Updates

  • Update the expat package.
  • Update the libksba package.
  • Update the perl-XML-LibXML package.
  • Update the nettle package.

AXS Guard Cloud

  • Add support for GeoIP filter lists.
  • Reduce the cloud update interval from 3 hours to 5 minutes.

Security Updates

  • Reverse Proxy: To prevent memory violations while processing HTTP/2 connections, httpd was downgraded to version 2.4.54. This will address several vulnerabilities, including CVE-2022-37436, CVE-2022-36760, CVE-2006-20001, CVE-2023-25690 and CVE-2023-27522.
  • Mail: Remove axsguard from the MTA EHLO response.
  • Mail: Fix SPF configuration errors.

Others

  • PAX: Improve the migration process for units with a VLAN configuration (PAX v4.x).
  • Configuration Tool: Update the firewall's connection tracking status page.
  • Filebeat: Parse log lines ending with ', repeated x times'.
Version 11.0.9

Configuraton Tool

  • Allow the use of full regex expressions (PCRE) when searching through the system logs.
  • Show the status of PAX clients on the dashoard.
  • Allow static DHCP leases to be removed via the overview page.

VPN

  • PAX: Don't push VLAN settings for clients without a VLAN configuration.
  • SSTP, PPTP & OpenVPN: Add an idle timeout option to automatically close established connections that have not transmitted any data for a certain period of time.

System Updates

  • Update libarchive package.
  • Update freetype package.

Others

  • Correctly restart services that depend on the AXS Guard firewall service.
  • Allow overruling of the RADIUS Acct-Timeout parameter for PPP.
  • Fix reverse proxy ProxyPassReverse rules (allowed paths).
Version 11.0.8

Application Control

No longer block all traffic by default. HTTP, HTTPS and DNS traffic are now allowed by the factory default policy to simplify the configuration of the appliance. This affects the behavior of the AXS Guard proxy server, firewall and VPN services.

Configuration Tool

Implement a resend button so administrators can easily resend configuration instructions to users who have been assigned an OATH token.

Security Updates

  • Reverse Proxy: Add security fixes to mitigate CVE-2022-37436 and CVE-2022-36760.
  • Kernel: Add security fixes to mitigate CVE-2023-0179 and CVE-2023-23454.

IPsec

Preserve routes when bringing down a tunnel where the source address is unknown.

Network

Remove support for obsolete ISDN technology.

Webmail

Remove the SquirrelMail webmail client, which is now deprecated.

Version 11.0.7

Personal AXS Guard

  • Fix DHCP (host) configuration for older PAX firmware.
  • Fix VLAN DHCP pool size.
  • Fix VLAN interface bridge configuration for older PAX firmware.
  • Disable VLAN support for outdated PAX firmware (v1).

DNS

  • Disable special (bind) metadata that can be queried over DNS.
  • Add new SecureDNS categories to better handle testing and uncategorized traffic.

Others

  • Network: Fix routing issues related to the update of the iproute package. Ensure routes are added in the correct order when the state of a (tunnel) device changes.
  • Cloud: Use UTC for authentication challenges towards the AXS Guard Cloud.
Version 11.0.6

Configuration Tool

  • Add-ons page: Instead of displaying text files in the browser, prompt for download when they are clicked on.
  • Add-ons page: Remove empty parentheses from add-on description when no OS is defined.
  • Fix incorrect values in license wizard summary page.
  • Don't randomize cs-conditional fields, but order them according to the model.

Networking

  • NAT: Allow administrators to configure an input device for masquerading rules with masq target.
  • DHCP: Prevent the configuration of duplicate options through validation.

System

  • Update xz package.
  • Harden patch package.
  • Update curl package.
  • Update vim package.
  • Update gzip package.
  • Update file package.
  • Update rsync package.
  • Suppress certain errors related to web access and reporting.
  • Remove old hotfix, version and revision files to save disk space.
  • Rename python to python_base to avoid dependency issues.
  • Fix ipv4: FIB table does not exist console error.
  • Update bind package.
  • Update openssh package.
  • Anti-Malware: Update ClamAV to version 0.103.8.
  • MTA: Update oletools, a software suite used for analyzing Microsoft OLE2 files.

Others

  • IPS summary logs: Add a link to the rules overview page.
  • Backup & Restore: Fix missing firewall limit_rate field in system backups.
  • Reverse Proxy: Remove obsolete Awingu applications.
  • Remove obsolete LCD feature.
Version 11.0.5

Personal AXS Guard

Implement VLAN support for PAX units. VLANs facilitate network scalability and security by enabling the creation of new logical networks without the need for additional physical hardware.

Version 11.0.4

System

  • Enable kernel driver for new AG4 ethernet controller.
  • Fix tcpdump so it no longer captures network traffic on interface any when multiple VLANs are configured.
  • Add debug logging when the configuration tool returns an error while creating a session.
  • Do not run hotfix install code when systems are running low on disk space.
  • Update irqbalance and disable dependency to prevent build problems.
  • Ignore Network::Port::Model when performing system backups.
  • Remove restrictions for administrative NTP queries that originate from localhost.

Configuration Tool

  • Make reboot text clickable when showing a system reboot notice.
  • Hide please select text in the interval field of the automatic reboot page.
  • Remove the company name, as it is automatically provided by the system license.

PKI

  • Add a log menu item to PKI where changes made to the AXS Guard PKI are recorded.
  • Allow certificates to be valid after the year 2038.

Console Tool

  • Fix iperf and iperf3 commands.
  • Fix dependencies of bstat, ctstat and lnstat binaries from iproute2.
  • Add setuid to mtr-packet binary.

MTA

  • Use 7z instead of unrar, as unrar is vulnerable (CVE-2012-6706)
  • Use mxtoolbox instead of openspf as a source of information for failed SPF checks.

SNMP

  • Provide a custom MIB file via the add-ons page to allow the AXS Guard disk and partition usage to be queried.
  • Allow UPS monitoring over the network. Improve SNMP trapping in order to get faster response times for automatic shutdowns. Update the UPS status page in order to show more detailed information.
  • Fix a defect related to snmpd binary linking.

Other

  • SSH: Use modern hostkey types and allow the ssh-rsa algorithm for older clients.
  • OpenVPN : Don't validate certain fields when the server is disabled.
Version 11.0.3

VPN

  • Fix IPsec service restart for tunnels which rely on PPPoE and 4G connections.
  • Improve the service restart function for OpenVPN and PAX tunnels that are relying on unstable WAN connections and are using IP addresses which are dynamically assigned via PPPoE or DHCP (4G).
  • Disable the PAX server when the feature is disabled in order to avoid potential validation errors on the dashboard or during the execution of test upgrades.

Networking

  • Automatically reconfigure Internet redundancy in configurations where rules are linked to dynamic IP addresses obtained via PPPoE or 4G connections.
  • Update ISC DHCP to the latest version 4.4.3P1.
  • DHCP: Migrate the domain-name option to the text option in order to improve support for non-standard DHCP configurations.

System

  • Enable DNS resolving in the version test upgrade function to eliminate DHCP validation issues.
  • Update the shadow package to the latest version, i.e. 4.11.1 (includes fix for CVE-2017-2616).
  • Add libtool as a dependency for ncurses to produce real binaries rather than wrapper scripts.
  • Remove unused libcap-ng package that was erroneously introduced in version 11.0.2.
  • Adjust Intel's p-state CPU frequency and voltage scaler on all supported platforms.
Version 11.0.2

Configuration Tool

  • Correct the spelling of the word 'separate' on the certificate import page.
  • Add the AXS Guard RDP Login client to the client add-ons page.
  • Add a search keyword for high availability in order to facilitate menu searches related to HA systems.
  • Add missing hints to certificate fields, explaining where administrators can import or issue new certificates.

Reverse Proxy

  • Allow non-secure HTTP connections to port 443 - replace validation error with a warning.
  • Avoid validation errors for configured, but not yet operational, IP addresses in the context of dynamic devices and/or High-Availability virtual IP addresses.
  • Improve the HTTP service reload process by waiting for all related processes to exit gracefully.
  • Implement support for UTF-16 encoded characters in passwords when using NTLM back-end authentication for RDWeb in an SSO context. Disable client auto-reconnect.

Authentication

  • Correctly display the application name for activated DIGIPASS for Mobile instances.
  • Improve application ID validation, allow prefixes other than com. and the use of hyphens.
  • Prevent the automated blocking (brute-force protection) of misconfigured Kerberos clients which generate excessive NTLM authentication requests when attempting to access the AXS Guard proxy server.

System

  • Remove an obsolete disk speed test which only ran every six months.
Version 11.0.1

Various fixes and improvements

MTA

Split TLS policy configuration from database creation.

HA

Fix broken emergency logging.

Firewall

Prevent broadcast traffic from being logged.

Features & Improvements

New System Kernel

The system kernel has been upgraded to version 5.10, improving the general performance, stability and security of the AXS Guard appliance.

  • The Samba package has been updated to mitigate CVE-2022-42898.
  • OpenSSL has been updated to the lastest stable version, which includes fixes for previously discovered security vulnerabilities.
  • OpenLDAP has been updated to the latest stable version.
  • The kerberos package has been updated to mitigate CVE-2022-42898, CVE-2021-36222 and CVE-2021-37750.
  • The reverse proxy and its various modules have been updated to their latest stable versions, which contain fixes for previously discovered security vulnerabilities.
  • The DHCP server has been updated to version 4.4.3.
  • The OpenVPN server has been updated to version 2.5.7.

Highlights

  • New web access filter categories have been added to better reflect and match contemporary Internet traffic.
  • Computer names are now visible in the DHCP used and static lease overview pages.
  • Broadcast traffic is no longer logged in the firewall logs, reducing the log size while also preserving disk space.
  • Requests originating from secure network zones which match a GeoIP filter or a firewall blocklist will be rejected instead of dropped in order to reduce response times.

Minor Enhancements & Corrections

Internet Redundancy

Ensure that configured rules always match if an Internet device goes down.

VPN

Informational logging has been added for the IPsec service in order to facilitate the troubleshooting of misconfigured tunnels.

Mail Server

The issue responsible for incorrect restarts of the mail server has been resolved.

Console Tool

  • Fix a defect with the tcpdump command.
  • Add support for Ed25519 key type.