Release Notes
AXS Guard Versions
The release notes contain information about new product features, improvements, known issues and bug fixes for each version. The individual software components are documented in the product manuals section. Carefully review the notes below to avoid configuration difficulties.
Version 11.0
Version 11.0.21
Networking
A new Wake on LAN feature has been added. With this tool, system administrators can wake up dormant devices connected to the Secure LAN or DMZ. This feature allows you to reduce energy costs and extends the hardware lifetime by ensuring that resources are used efficiently.
AXS Guard Cloud Notifications
The AXS Guard cloud will automatically notify you when configuration changes are made to AXS Guard appliances that you manage. These notifications will let you know whether the changes were applied successfully or not, making it easier to keep track of configuration changes, troubleshoot and manage your AXS Guard appliances.
Reverse Proxy
The password auto-learn capabilities for RDG and RDP logins have been enhanced. Many organizations require users to change their passwords regularly, which creates challenges due to the need for immediate password updates. Users frequently opt for appending extensions to their current passwords for convenience.
This practice resulted in issues with the auto-learn function, as it recognized the old password as a match and considered only the added extension as a new password to learn. To address this, we've expanded the password auto-learn feature to recognize multiple passwords and iterate through them, in order to determine which one is eventually accepted by the backend system.
Firewall Logging
The firewall logs have been enhanced to include DHCP hostname information. Reading, remembering, and searching for IP addresses in extensive firewall logs can be challenging. As of now, if a source or destination IP address belongs to a local LAN with DHCP enabled, the log will show the hostnames associated with the active DHCP leases.
Other Improvements
- Pass version and revision information to the AXS Guard cloud backup service.
- Write VPN in uppercase in the security settings for OpenVPN service names.
- Allow underscores in domain names when parsing messages from dnsmasq.
- Fix the logout functionality for Reverse Proxy HTTP Session Management.
- Implement IPv6 DNS response filtering to prevent DNS security from being bypassed.
Version 11.0.20
Simplified Firewall Configuration
- Firewall rules can now be set using a single field for domain names and IP addresses. This makes it easier to create and manage firewall rules.
- Existing FQDN rules will now apply to the main domain as well as its subdomains. This means that you can create a single rule to match traffic related to a domain and all of its subdomains.
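As an added example (not AXS Guard code), the following shows how a single rule field that accepts either an IP address/CIDR network or a domain name can be parsed, and how an FQDN rule can match the main domain and all of its subdomains while staying anchored on label boundaries. The matching semantics are an assumption chosen for illustration, not a description of the appliance's implementation.

```python
import ipaddress

# Added example (not AXS Guard code). Assumption: an FQDN rule matches the
# domain itself and any name below it, anchored on a label boundary.


def parse_rule_target(value):
    """Classify a rule field value as ('ip', network) or ('fqdn', name).

    Domain names are lower-cased and a trailing dot is stripped so that
    'Example.COM.' and 'example.com' denote the same rule target.
    """
    text = value.strip().lower().rstrip(".")
    try:
        # strict=False accepts host addresses such as 10.0.0.1 as a /32 network
        return ("ip", ipaddress.ip_network(text, strict=False))
    except ValueError:
        pass
    labels = text.split(".")
    if not text or any(not label for label in labels):
        raise ValueError(f"invalid rule target: {value!r}")
    return ("fqdn", text)


def is_valid_rule_target(value):
    """True if the field value is either an address/network or a domain name."""
    try:
        parse_rule_target(value)
        return True
    except ValueError:
        return False


def fqdn_matches(rule_domain, observed_name):
    """True if observed_name equals rule_domain or is a subdomain of it.

    The suffix check is anchored on a label boundary: 'example.com' matches
    'www.example.com' but must not match 'notexample.com'.
    """
    rule = rule_domain.lower().rstrip(".")
    name = observed_name.lower().rstrip(".")
    return name == rule or name.endswith("." + rule)


def rule_matches(rule_value, observed):
    """Match an observed address or resolved name against one rule field."""
    kind, target = parse_rule_target(rule_value)
    if kind == "ip":
        try:
            return ipaddress.ip_address(observed) in target
        except ValueError:
            return False  # a name cannot match an address rule
    return fqdn_matches(target, observed)


if __name__ == "__main__":
    for rule, seen in [("10.0.0.0/8", "10.20.30.40"),
                       ("example.com", "mail.example.com"),
                       ("example.com", "notexample.com")]:
        print(f"{rule:14} vs {seen:18} -> {rule_matches(rule, seen)}")
```

The label-anchored check is the detail worth keeping when a rule is widened to subdomains: a plain `endswith("example.com")` would also accept `notexample.com`, which silently extends an allow rule to an unrelated domain.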
Firewall Logging
We have enhanced our firewall logs to include the domain names associated with the IP addresses found in DNS responses. This makes it easier to identify traffic destinations that are being blocked by the firewall.
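The two log enrichments described on this page, hostnames taken from active DHCP leases (version 11.0.21) and domain names taken from DNS responses (this version), can be demonstrated together. The following is an added example, not AXS Guard code: every sample line is constructed, the lease table uses dnsmasq's lease-file layout, the resolver lines use a "reply NAME is IP" layout that is an assumption for this example, and the firewall line uses a generic SRC=/DST= netfilter-style layout. Expired leases are deliberately excluded, and an IP that several names resolved to (a shared CDN address) is annotated with all of them.

```python
import re

# Added example (not AXS Guard code). All data below is constructed.

# Constructed lease table in dnsmasq's lease-file layout:
# "<expiry epoch> <mac> <ip> <hostname> <client-id>".
LEASES = """\
1700003600 aa:bb:cc:00:00:01 192.168.1.20 laptop-alice 01:aa:bb:cc:00:00:01
1700003600 aa:bb:cc:00:00:02 192.168.1.21 printer-2f *
1699990000 aa:bb:cc:00:00:03 192.168.1.22 old-tablet 01:aa:bb:cc:00:00:03
"""

# Constructed resolver log lines in a "reply <name> is <ip>" layout (assumption).
DNS_REPLIES = """\
reply www.example.com is 203.0.113.10
reply cdn.example.com is 203.0.113.10
reply updates.example.net is 198.51.100.7
"""

LEASE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
REPLY_RE = re.compile(r"^reply\s+(\S+)\s+is\s+(\S+)$")
ADDR_RE = re.compile(r"\b(SRC|DST)=(\S+)")


def active_lease_hostnames(lease_text, now):
    """Map IP -> hostname for leases that are still valid at epoch time `now`.

    Leases without a hostname ('*') and expired leases are skipped, so a
    reused address is never labelled with a stale name.
    """
    hosts = {}
    for line in lease_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        expiry, _mac, ip, hostname = m.groups()
        if int(expiry) > now and hostname != "*":
            hosts[ip] = hostname
    return hosts


def dns_response_names(reply_text):
    """Map IP -> sorted list of names that resolved to it."""
    names = {}
    for line in reply_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            name, ip = m.groups()
            names.setdefault(ip, set()).add(name)
    return {ip: sorted(seen) for ip, seen in names.items()}


def enrich(line, hosts, names):
    """Append '(label)' after each SRC=/DST= address that has a known name.

    Local DHCP hostnames take precedence; otherwise the names observed in
    DNS responses for that address are listed.
    """
    def annotate(m):
        key, ip = m.group(1), m.group(2)
        if ip in hosts:
            return f"{key}={ip}({hosts[ip]})"
        if ip in names:
            return f"{key}={ip}({','.join(names[ip])})"
        return m.group(0)
    return ADDR_RE.sub(annotate, line)


if __name__ == "__main__":
    NOW = 1700000000  # constructed 'current time' for the lease expiry check
    hosts = active_lease_hostnames(LEASES, NOW)
    names = dns_response_names(DNS_REPLIES)
    sample = "DROP IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP DPT=443"
    print(enrich(sample, hosts, names))
```

The lease expiry check is the part that matters for investigations: a DHCP address handed to a second device after the first lease lapsed must not carry the first device's hostname, otherwise the enriched log points the analyst at the wrong machine.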
Reverse Proxy Login Page
A button has been added to the Reverse Proxy login page allowing users to reveal their password while typing it. This makes it easier to enter their password correctly.
Other Improvements
- PAX now supports static DHCP leases within VLAN setups. This allows you to assign static IP addresses to devices within a VLAN.
- Specific warnings related to port redirection have been removed to streamline the user experience.
- An issue that prevented SecureDNS from resolving domain names when the time was incorrect during boot-up has been addressed.
- When a certificate is close to expiring, a clickable link will appear on the system dashboard. Clicking the link takes you directly to the relevant certificate page, saving you time and effort.
Version 11.0.19
System Administration Dashboard Improvements
The AXS Guard System Administration Dashboard displays system health messages.
Multiple alerts that are related are now grouped together, and each alert has a link to the corresponding configuration page, making it easier for system administrators to investigate and resolve reported issues. Please note that alerts for configurations that have been disabled or are not in use will no longer appear on the system dashboard.
Personal AXS Guard
An option has been added to allow system administrators to choose which PAX clients should be monitored via the system administration dashboard. While all PAX units are monitored by default, administrators can choose to disable monitoring for specific units by navigating to the PAX client configuration page.
OpenVPN Connect Client 3.4
AXS Guard automatically generates OpenVPN configurations, enabling system administrators to swiftly deploy VPN access for users.
However, there is a bug in OpenVPN Connect Client version 3.4 that triggers an error when used with our OpenVPN configuration files. To rectify this issue, we have implemented modifications to ensure that the generated AXS Guard OpenVPN client configurations remain compatible with version 3.4 of the OpenVPN Connect Client.
Version 11.0.18
Port Forwarding & Port Redirection
The LAN interface is now available for both port forwarding and port redirection. This enhancement enables you to exclude VPN connections when creating rules, providing more flexibility and control over your network configurations.
PKI: Support for ECDSA Certificates
In addition to RSA certificates, you can now upload certificates that use elliptic curve cryptography (ECDSA) for their public keys and certificate signatures. ECC offers smaller key sizes than non-EC cryptography (such as RSA) at an equivalent security level, so ECDSA certificates are the preferred choice when higher efficiency is required.
- Resolve a configuration conflict related to the default SMTP authentication port.
- Prevent legitimate e-mails containing French accents (U+00E9) from being deleted.
Antivirus
- Whitelist additional Windows update URLs.
- Remove mandatory locking.
Other improvements and bug fixes
- System: Load the coretemp kernel module at boot. This module permits reading the DTS (Digital Temperature Sensor) embedded inside Intel CPUs, which is required to monitor system temperatures with htop.
- User Authentication: Enforce a RADIUS timeout ranging from 3 to 60 seconds, aligned with the specifications of FreeRADIUS.
- OpenVPN: Prevent OpenVPN from entering a startup loop when attempting to bind to a non-available IP address.
- NAT: Fix a typo in the validation of NAT rules.
- AGtunnel: Keep cloud certificate on master and slave units after failover.
Version 11.0.17
DNS Filtering Feature
System administrators now have the flexibility to enhance the existing SecureDNS filters by incorporating additional ones as per their specific requirements.
These supplementary DNS filters are built upon web access filter categories, allowing administrators to exert greater control over the network's DNS resolution process.
Typical use cases include, but are not limited to, blocking domains related to gambling, NSFW content, phishing, malware and more.
Firewall Updates
A firewall rule was added to allow WhatsApp by default.
WhatsApp is widely used for communication purposes, both personal and professional, making it a convenient and familiar platform for users. By allowing WhatsApp, organizations can facilitate seamless communication among employees, clients, and partners, enhancing collaboration and productivity.
Firewall rules for Isabel 6 were added to the fwd-banking policy.
E-mail Authentication
A dedicated smtpd instance has been added to better support SMTP authentication.
Allowing SMTP authentication on another smtpd port provides enhanced security by enforcing stricter measures for authenticated email transmission, enables differentiated access control for authenticated users, and ensures compatibility with certain applications.
Reporting
System administrators can now generate reports for traffic that has been blocked by the GeoIP filtering feature.
Other improvements and bug fixes
- Tool: Update context-sensitive help & documentation for the Reverse Proxy request filtering option.
- Application Control: Fix layer7 kernel modules.
- E-mail: Mark e-mails sent by AXS Guard as local.
- High Availability: Increase DRBD buffer sizes.
- Authentication: Increase the ID length for API logins and registrations.
- System: Seed random while generating Identifier in record.
- Personal AXS Guard: Route VLAN subnets in 'lan' zone.
- System: Fix broken pidof package.
Version 11.0.16
IPsec
We are pleased to announce a new release that addresses the instability introduced in version 11.0.15 due to certain IPsec changes. In response to user feedback and extensive testing, we have decided to revert these changes to ensure system stability and performance.
Version 11.0.15
OpenVPN
AXS Guard has incorporated a feature that verifies the expiration dates of certificates assigned to OpenVPN users and will proactively send email notifications to users when their certificate is about to expire.
This notification is composed of a default subject and default body. However, system administrators have the flexibility to modify the subject and body text of the email, allowing them to personalize the notification or override the default content as needed.
SNMP
System administrators can now configure the SNMP community string under Network > General. This string is used for authentication and access control on SNMP-enabled devices.
Other Improvements & Bug Fixes
- Configuration Tool:
  - Fix the SecureDNS log export functionality.
  - Display a warning when system administrators configure their GeoIP settings via the AXS Guard cloud, which overwrites the local configuration.
  - Allow domain names that consist of a single character.
- IPsec:
  - Make items in the IPsec tunnel status overview sortable.
  - Improve the general stability and routing. No longer unroute subnets in the down-client, allowing tunnels to be renegotiated as soon as traffic is detected.
- System:
  - Add new tools to the console for advanced troubleshooting (iostat, mpstat, pidstat, tapestat, cifsiostat, htop).
  - Disable extra debug logging for kernel Oops, which was fixed in version 11.0.14.
  - Fix missing dependencies for the mtr package.
- Others:
  - Firewall: Allow logging for traffic that matches a whitelist. Matching traffic will be logged as BLOCKLIST BYPASS.
  - Anti-virus: Whitelist MS Windows update URLs.
  - MTA: Add system information to the mail subject when sending automated notifications to system administrators.
  - Reporting: Only report dropped traffic in the malware connections report.
  - API: Allow the AXS Guard cloud to trigger updates for cloud services.
Version 11.0.14
New Changelog Format
The changelog format has been updated. As of this version, we are transitioning to the HTML format for our changelogs, designed to deliver comprehensive information in a visually appealing and more accessible manner.
Firewall Logging
To better identify the root cause of packet drops, we have implemented a new feature that enables administrators to easily pinpoint the exact rule responsible for dropped packets. Note that this requires the 'log this rule target' option to be enabled in the firewall rule.
Console Tool
Ensure that mount issues cannot be inadvertently triggered while logging into the AXS Guard console tool in order to maintain system integrity and prevent any potential system performance issues.
Configuration Tool
- The IP configuration for PAX and OpenVPN devices can now be viewed by navigating to Network > Status > Devices. Once you reach the Devices section, you will find detailed information about the IP configuration for PAX and OpenVPN devices.
- Directory Services context-sensitive help & documentation: Use a more adequate example for the base DN option.
- Clean up the Easter Egg hunt code which was introduced in version 11.0.11.
Other improvements and bug fixes
- Use wget instead of curl to download AXS Guard add-ons.
- Central monitoring: Improve the log rotation for filebeat logs.
- Mail: Fix excessive memory usage when scanning MS Office documents.
- Antivirus: Improve the reload & restart function for the antivirus feature.
- IPsec: Fix a syntax error in the updown-netkey script.
- OpenVPN: Remove the PAM cache when a user is disabled in the GUI.
- Log check: Ignore internal agtunnel in logcheck notifications.
- HA: Improve the handling of DRBD unmount errors.
- System kernel: Address a critical issue involving a kernel oops error in the nf_conntrack module, related to the usage of nfqueue and the IPS.
Version 11.0.13
OpenVPN
Implement support for multiple search domains.
Pushing multiple search domains to OpenVPN clients can be useful in scenarios where clients need to access resources on multiple domains or subdomains. The client's DNS resolver will be able to search for network resources without the need for the user to explicitly specify the domains in URLs or hostnames.
Office 365 Wizard
Add extra steps for appliances with Internet redundancy. System administrators can now route Office 365 traffic through a specific device on systems with redundant Internet connections.
Configuration Tool
- Feature Activation: The PPTP, Public DNS and SSL Web portal features are now disabled by default.
- Feature Activation: Remove the custom application option for the reverse proxy.
- DHCP: Allow basic administrators to view and copy advanced DHCP options.
- Fix various typos throughout the interface.
- Fix the column layout on the SNAT & DNAT overview page.
Other System Updates
- Backup & Restore: Increase the backup timeout to mitigate NT_STATUS_IO_TIMEOUT errors.
- Anti-virus: Whitelist Microsoft update servers.
- High Availability: Implement a nightly sync to prevent synchronization errors.
Version 11.0.12
Security Updates
- Application Control: Add TikTok to blocked applications.
- IPS: Update snort to the latest patch level.
- OpenVPN: Allow system administrators to configure the preferred protocols and ciphers to secure and encrypt data transmitted over VPN connections.
System Updates
- Licensing: Remove the serial number in license.dat files.
- Personal AXS Guard: Ensure allowed Internet traffic is identical for IPv4 and IPv6.
- Firewall: Fix connection tracking issues.
- AXS Guard Cloud: Increase the update interval from 5 to 15 minutes and introduce a random delay between updates.
- Context-sensitive help: Make all URLs relative.
- Configuration wizard: Fix a syntax error in the group wizard.
Version 11.0.11
Happy Easter!
As a special treat for our customers, we've hidden a little surprise in our latest software release. Throughout the interface, there are Easter eggs waiting to be found.
We'll leave it up to you to discover. So go ahead, log in and explore the software, click around and see what you can find. And who knows, maybe there are even more surprises waiting for you if you keep digging.
Have fun and enjoy!
Version 11.0.10
System Updates
- Update the expat package.
- Update the libksba package.
- Update the perl-XML-LibXML package.
- Update the nettle package.
AXS Guard Cloud
- Add support for GeoIP filter lists.
- Reduce the cloud update interval from 3 hours to 5 minutes.
Security Updates
- Reverse Proxy: To prevent memory violations while processing HTTP/2 connections, httpd was downgraded to version 2.4.54. This will address several vulnerabilities, including CVE-2022-37436, CVE-2022-36760, CVE-2006-20001, CVE-2023-25690 and CVE-2023-27522.
- Mail: Remove axsguard from the MTA EHLO response.
- Mail: Fix SPF configuration errors.
Others
- PAX: Improve the migration process for units with a VLAN configuration (PAX v4.x).
- Configuration Tool: Update the firewall's connection tracking status page.
- Filebeat: Parse log lines ending with ', repeated x times'.
Version 11.0.9
Configuration Tool
- Allow the use of full regex expressions (PCRE) when searching through the system logs.
- Show the status of PAX clients on the dashboard.
- Allow static DHCP leases to be removed via the overview page.
VPN
- PAX: Don't push VLAN settings for clients without a VLAN configuration.
- SSTP, PPTP & OpenVPN: Add an idle timeout option to automatically close established connections that have not transmitted any data for a certain period of time.
System Updates
- Update libarchive package.
- Update freetype package.
Others
- Correctly restart services that depend on the AXS Guard firewall service.
- Allow overruling of the RADIUS Acct-Timeout parameter for PPP.
- Fix reverse proxy ProxyPassReverse rules (allowed paths).
Version 11.0.8
Application Control
No longer block all traffic by default. HTTP, HTTPS and DNS traffic are now allowed by the factory default policy to simplify the configuration of the appliance. This affects the behavior of the AXS Guard proxy server, firewall and VPN services.
Configuration Tool
Implement a resend button so administrators can easily resend configuration instructions to users who have been assigned an OATH token.
Security Updates
- Reverse Proxy: Add security fixes to mitigate CVE-2022-37436 and CVE-2022-36760.
- Kernel: Add security fixes to mitigate CVE-2023-0179 and CVE-2023-23454.
IPsec
Preserve routes when bringing down a tunnel where the source address is unknown.
Network
Remove support for obsolete ISDN technology.
Webmail
Remove the SquirrelMail webmail client, which is now deprecated.
Version 11.0.7
Personal AXS Guard
- Fix DHCP (host) configuration for older PAX firmware.
- Fix VLAN DHCP pool size.
- Fix VLAN interface bridge configuration for older PAX firmware.
- Disable VLAN support for outdated PAX firmware (v1).
DNS
- Disable special (bind) metadata that can be queried over DNS.
- Add new SecureDNS categories to better handle testing and uncategorized traffic.
Others
- Network: Fix routing issues related to the update of the iproute package. Ensure routes are added in the correct order when the state of a (tunnel) device changes.
- Cloud: Use UTC for authentication challenges towards the AXS Guard Cloud.
Version 11.0.6
Configuration Tool
- Add-ons page: Instead of displaying text files in the browser, prompt for download when they are clicked on.
- Add-ons page: Remove empty parentheses from add-on description when no OS is defined.
- Fix incorrect values in license wizard summary page.
- Don't randomize cs-conditional fields, but order them according to the model.
Networking
- NAT: Allow administrators to configure an input device for masquerading rules with the masq target.
- DHCP: Prevent the configuration of duplicate options through validation.
System
- Update xz package.
- Harden patch package.
- Update curl package.
- Update vim package.
- Update gzip package.
- Update file package.
- Update rsync package.
- Suppress certain errors related to web access and reporting.
- Remove old hotfix, version and revision files to save disk space.
- Rename python to python_base to avoid dependency issues.
- Fix the 'ipv4: FIB table does not exist' console error.
- Update bind package.
- Update openssh package.
- Anti-Malware: Update ClamAV to version 0.103.8.
- MTA: Update oletools, a software suite used for analyzing Microsoft OLE2 files.
Others
- IPS summary logs: Add a link to the rules overview page.
- Backup & Restore: Fix missing firewall limit_rate field in system backups.
- Reverse Proxy: Remove obsolete Awingu applications.
- Remove obsolete LCD feature.
Version 11.0.5
Personal AXS Guard
Implement VLAN support for PAX units. VLANs facilitate network scalability and security by enabling the creation of new logical networks without the need for additional physical hardware.
Version 11.0.4
System
- Enable kernel driver for new AG4 ethernet controller.
- Fix tcpdump so it no longer captures network traffic on interface 'any' when multiple VLANs are configured.
- Add debug logging when the configuration tool returns an error while creating a session.
- Do not run hotfix install code when systems are running low on disk space.
- Update irqbalance and disable dependency to prevent build problems.
- Ignore Network::Port::Model when performing system backups.
- Remove restrictions for administrative NTP queries that originate from localhost.
Configuration Tool
- Make reboot text clickable when showing a system reboot notice.
- Hide the 'please select' text in the interval field of the automatic reboot page.
- Remove the company name, as it is automatically provided by the system license.
PKI
- Add a log menu item to PKI where changes made to the AXS Guard PKI are recorded.
- Allow certificates to be valid after the year 2038.
Console Tool
- Fix iperf and iperf3 commands.
- Fix dependencies of bstat, ctstat and lnstat binaries from iproute2.
- Add setuid to the mtr-packet binary.
MTA
- Use 7z instead of unrar, as unrar is vulnerable (CVE-2012-6706).
- Use mxtoolbox instead of openspf as a source of information for failed SPF checks.
SNMP
- Provide a custom MIB file via the add-ons page to allow the AXS Guard disk and partition usage to be queried.
- Allow UPS monitoring over the network. Improve SNMP trapping in order to get faster response times for automatic shutdowns. Update the UPS status page in order to show more detailed information.
- Fix a defect related to snmpd binary linking.
Other
- SSH: Use modern hostkey types and allow the ssh-rsa algorithm for older clients.
- OpenVPN: Don't validate certain fields when the server is disabled.
Version 11.0.3
VPN
- Fix IPsec service restart for tunnels which rely on PPPoE and 4G connections.
- Improve the service restart function for OpenVPN and PAX tunnels that are relying on unstable WAN connections and are using IP addresses which are dynamically assigned via PPPoE or DHCP (4G).
- Disable the PAX server when the feature is disabled in order to avoid potential validation errors on the dashboard or during the execution of test upgrades.
Networking
- Automatically reconfigure Internet redundancy in configurations where rules are linked to dynamic IP addresses obtained via PPPoE or 4G connections.
- Update ISC DHCP to the latest version 4.4.3P1.
- DHCP: Migrate the domain-name option to the text option in order to improve support for non-standard DHCP configurations.
System
- Enable DNS resolving in the version test upgrade function to eliminate DHCP validation issues.
- Update the shadow package to the latest version, i.e. 4.11.1 (includes fix for CVE-2017-2616).
- Add libtool as a dependency for ncurses to produce real binaries rather than wrapper scripts.
- Remove unused libcap-ng package that was erroneously introduced in version 11.0.2.
- Adjust Intel's p-state CPU frequency and voltage scaler on all supported platforms.
Version 11.0.2
Configuration Tool
- Correct the spelling of the word 'separate' on the certificate import page.
- Add the AXS Guard RDP Login client to the client add-ons page.
- Add a search keyword for high availability in order to facilitate menu searches related to HA systems.
- Add missing hints to certificate fields, explaining where administrators can import or issue new certificates.
Reverse Proxy
- Allow non-secure HTTP connections to port 443 - replace validation error with a warning.
- Avoid validation errors for configured, but not yet operational, IP addresses in the context of dynamic devices and/or High-Availability virtual IP addresses.
- Improve the HTTP service reload process by waiting for all related processes to exit gracefully.
- Implement support for UTF-16 encoded characters in passwords when using NTLM back-end authentication for RDWeb in an SSO context. Disable client auto-reconnect.
Authentication
- Correctly display the application name for activated DIGIPASS for Mobile instances.
- Improve application ID validation, allow prefixes other than 'com.' and the use of hyphens.
- Prevent the automated blocking (brute-force protection) of misconfigured Kerberos clients which generate excessive NTLM authentication requests when attempting to access the AXS Guard proxy server.
System
- Remove an obsolete disk speed test which only ran every six months.
Version 11.0.1
Various fixes and improvements
MTA
Split TLS policy configuration from database creation.
HA
Fix broken emergency logging.
Firewall
Prevent broadcast traffic from being logged.
System Kernel
The system kernel has been upgraded to version 5.10, improving the general performance, stability and security of the AXS Guard appliance.
- The Samba package has been updated to mitigate CVE-2022-42898.
- OpenSSL has been updated to the latest stable version, which includes fixes for previously discovered security vulnerabilities.
- OpenLDAP has been updated to the latest stable version.
- The kerberos package has been updated to mitigate CVE-2022-42898, CVE-2021-36222 and CVE-2021-37750.
- The reverse proxy and its various modules have been updated to their latest stable versions, which contain fixes for previously discovered security vulnerabilities.
- The DHCP server has been updated to version 4.4.3.
- The OpenVPN server has been updated to version 2.5.7.
New Features
- New web access filter categories have been added to better reflect and match contemporary Internet traffic.
- Computer names are now visible in the DHCP used and static lease overview pages.
- Broadcast traffic is no longer logged in the firewall logs, reducing the log size while also preserving disk space.
- Requests originating from secure network zones which match a GeoIP filter or a firewall blocklist will be rejected instead of dropped in order to reduce response times.
Miscellaneous Improvements and Fixes
Internet Redundancy
Ensure that configured rules always match if an Internet device goes down.
Console Tool
- Fix a defect with the tcpdump command.
- Add support for the Ed25519 key type.
VPN
Informational logging has been added to the IPsec service in order to facilitate the troubleshooting of misconfigured tunnels.
Mail Server
An issue causing the mail server not to correctly restart after a service restart was issued has been fixed.
Version 10.4
Version 10.4.31
Authentication
Update authentication restrictions for OpenVPN service and OpenVPN Access Server.
Version 10.4.30
System Upgrades
- Fix test upgrade errors related to the reverse proxy server.
- Ensure the 'automatic firewall' option is always enabled when IPsec e-tunnel configurations are present.
Version 10.4.29
System
- Automatically create directories for add-ons when needed.
- Remove obsolete disk speed test.
- Fix DNS resolving in version test upgrade function (DHCP validation).
- Automatically reconfigure Internet redundancy where rules are linked to dynamic IP addresses obtained via PPPoE or 4G USB modems.
VPN
- Fix IPsec service restart function for VPN tunnel configurations which rely on dynamic IP addresses obtained via PPPoE or 4G.
- OpenVPN & PAX: Improve service restart for (unstable) WAN connections with dynamic IP addresses obtained via PPPoE or DHCP.
Version 10.4.28
Configuration Tool
- Make the AXS Guard RDP client available for download via the add-on page.
- Facilitate menu searches related to high availability.
- Add hints to configuration pages which rely on certificates.
Reverse Proxy
- Allow non-secure HTTP connections to port 443; replace the validation error with a warning.
- Suppress validation errors for configured - but not yet operational - IP addresses which are dynamically assigned, e.g. in a High Availability context.
- Improve the HTTP service reload process.
- Implement support for UTF-16 encoded passwords when using (NTLM) back-end authentication for RDWeb SSO. Disable client auto-reconnect.
Authentication
- Correctly display the application name of DIGIPASS for Mobile instances which are activated.
- Make the application ID validation less restrictive to allow the use of other prefixes and hyphens.
- Ignore excessive NTLM authentication requests made by misconfigured Windows hosts in Kerberos environments when they attempt to authenticate to access the AXS Guard proxy server (Web Access).
Version 10.4.27
Statistics
Fix a resource exhaustion in the log reporting service when the time jumps into the past.
Configuration Tool
Fix message when initiating a system shutdown or reboot.
Version 10.4.26
Reverse Proxy
- Enlarge the DIGIPASS Cronto QR image to ease scanning.
- Add support for WebSocket in combination with RDWeb Single Sign-on.
Authentication
Import Application ID to configure DIGIPASS for Mobile push notification service by environment.
Networking
Remove iptables device markings which limit the number of (VLAN) devices.
VPN
Fix IPsec server assertion errors.
Statistics
Fix resource exhaustion in the log reporting service.
Version 10.4.25
Reverse Proxy
- Implement Single Sign-On (SSO) feature for Remote Desktop Web Access, using Microsoft's Pluggable Authentication and Authorization (PAA) mechanism via the gateway access token.
- Fix back-end application server logout when combined with Session Management (regular request or JavaScript-driven).
- Add support for HTTP/2 application layer protocol to improve network resource efficiency.
Authentication
Finalize DIGIPASS for Mobile integration: implement configurable UTF-8 messages for login by image, app2app and push notifications, improve automated platform detection (e.g. for iPad and other large-screen tablets), add configurable login timeouts, etc.
Configuration Tool
- Fix the links for bond and bridge devices on the network status page; link to the parent ethernet device.
- Fix the IPsec device link on the network status page by ignoring the tunnel type.
- Fix HTML-encoded space character in the device selection box of the Bandwidth Management Schema page.
- Correct hint for the Source IP Address field on the Port Redirection page; fix the incorrect reference to Port Forwarding.
- Fix a typo in Blocked URL error message.
- Make e-mail antivirus notification tab visible for CTRS.
- Fix the Test Upgrade version function.
Cloud Reporting
- Remove harmless filebeat errors from the AXS Guard security reports.
- Include Cloud Reporting in factory default function.
Console Tool
Disable GeoIP for the dig command.
Networking
Use HTTPS by default for the Internet Speed Test, as it seems to be more reliable.
Version 10.4.24
DNS
Fix reverse lookup errors for forwarded domains when no ISP DNS server is configured.
Configuration Tool
- Allow downloading of OpenVPN configuration files with special characters.
- Improve validation for the default gateway address by verifying its subnet.
- Redirect the browser to another page when rebooting the appliance via the configuration tool in order to prevent accidental reboots in case of a page refresh or a redirect from the login page.
- Hide PAX dashboard errors when the PAX feature is disabled.
- Add support for the QUIC protocol to the firewall (fwd-web policy).
- Add support for Strict-Transport-Security (HSTS) to the configuration tool and the reverse proxy.
- Add extra information to the network status page.
VPN
- Increase the maximum amount of characters in RADIUS secrets (new max. is 256).
- Fix the handling of password-protected CAs.
- Disable and remove IPsec compression.
Reverse Proxy
- Automatically delete the logs associated with a reverse proxy entry when it is removed via the configuration tool.
- Fix the reverse proxy rewrite logs in the console environment.
High Availability
- Automatically create IPsec firewall rules during service startup.
- Disable mode 6 and 7 queries towards the NTP server to improve security.
Reporting & Statistics
Add new Cloud Monitoring feature.
Version 10.4.23
VPN
- IPsec: Upgrade Libreswan to version 4.6 for improved IKEv2 support.
- OpenVPN: Replace deprecated ns-cert-type option in OpenVPN and PAX server configurations.
Statistics
Improve error handling in the statistics data gathering tool to avoid service interruptions.
SecureDNS
Add additional upstream servers to improve redundancy.
Reverse Proxy
Make preconfigured backend credentials optional when the password auto-learn option is enabled in the RDG proxy configuration.
Firewall
Suppress harmless IPv4 and IPv6 validation errors.
Logging & Reporting
Exclude safe faxcron and collectd errors from security violations reports.
Configuration Tool
- Firewall: Always include IP addresses when exporting firewall log messages.
- E-mail: Record removals of quarantined messages in the admin tool log.
- SecureDNS: Make logs accessible to basic administrators and above.
- Upgrade: Fix execution errors on the test upgrade page.
- Web access: Allow advanced administrators to configure URL substitution.
- IPsec: Hide disabled tunnels on the dashboard.
- Bandwidth management: Fix a typo in bandwidth definition validation messages.
Version 10.4.22
GeoIP Filtering
Improve the stability of GeoIP database reloads in order to avoid potential execution errors after a system reboot.
Version 10.4.21
GeoIP Filtering
GeoIP filtering has been integrated as a standalone feature and requires a Premium Threat Protection license. See the firewall documentation on this site for additional information.
SecureDNS Categories
The categories have been updated. The ransomware category has been renamed to certs. A new maldom category has been added. Tooltips with detailed category descriptions are now also available. See the system administration guide on this site for additional information about the SecureDNS feature and the various categories.
Network Security Logs & System Reports
The log files and system reports have been refactored to include host and username information, if available. GeoIP logs now also show country flags, allowing system administrators to get better insights into traffic moving through their organization's network.
Various improvements and software fixes
Web-based administration tool
- Add SecureDNS as a meta tag in the menu to facilitate related searches.
- Allow advanced administrators to configure Characters Allowed in URLs in reverse proxy definitions.
- Rename Content Scanning to Premium Protection on all relevant pages.
- Rename Whitelist Client to Whitelist Mail Server in the e-mail greylisting page.
- Change the default connection mode of Internet devices to DHCP.
- Treat informative messages about tool user settings as non-critical.
- Disable all interactions for (basic) administrators lacking permissions.
- Add screen refresh controls to the network flow viewer.
IPsec
- Correct the digest algorithm in the 3des-md5 description of the standard IPsec IKE profile.
- Add the possibility to disable automatic management of firewall rules for IPsec tunnels.
System
- Only allow lowercase characters in domain names.
- Make emergency e-mail address configurable; process like a fail mail otherwise.
- Update fail mail destination IP address to AG cloud.
Users & Groups
- Fix critical error messages when the out-of-office function is disabled for a user.
High Availability
- Start the CTRS service on HA systems that are running as a slave node.
Wizards
- Replace the obsolete Skype application with the Teams application in the Fast Lane wizard.
Licensing
- Save the feature flags when a license expires for reuse during relicensing.
Webmail
- Upgrade roundcube to the latest version, i.e. 1.5.2.
Anti-Malware
- Place temporary files in HAVP subdirectory to avoid errors when cleaning up old scanner files.
Reverse Proxy
- Improve throughput and load when multiplexing an increasing number of concurrent RDG connections.
Version 10.4.20
Network Configuration
Hotfix for NAT port forwarding service.
Version 10.4.19
OpenVPN
Fix strict OpenVPN authentication for environments with mixed user sources. This solves authentication issues on appliances where multiple AD domains are synchronized and various username formats exist. See the Directory Services manual for details about supported username formats.
Personal AXS Guard
- Automatically disable client authentication when no Road Warriors are configured.
- Restore original system hosts file permissions during client connections.
Network Configuration
Fix incomplete activation of port forwarding rules after system reboots.
High Availability
Fix network check errors in security violation reports on HA slave nodes.
Version 10.4.18
ClamAV
Disable ClamAV concurrent database reloads on memory-constrained systems, i.e. AXS Guard appliances with 2 GB of RAM or less, which prevents these systems from running out of memory during pattern updates.
Version 10.4.17
SecureDNS
A reporting feature has been added to allow system administrators to get better insights into malicious DNS activity. Malicious DNS queries are classified by the threat they represent and are organized into 10 distinct threat categories. See Reports > Threats > Malware Detection.
SecureDNS logs are available under Network > DNS > SecureDNS logs. Hosts which generate unusual DNS traffic can be easily identified by their source IP address, allowing you to isolate them from your network for further investigation and troubleshooting.
SecureDNS reports will contain more details in future versions. The cause, source and requested destination FQDNs will also be mentioned, so stay tuned.
OpenVPN
A strict authentication option has been added to the OpenVPN server. If enabled, the server verifies whether the CN or e-mail address in the client certificate matches the username provided during authentication. If they differ, the connection is refused. This prevents sharing of client certificates.
Reverse Proxy
A Preserve Hostname option has been added to the Reverse Proxy configuration page. When enabled, the reverse proxy preserves the original Host: header from the client browser when constructing the proxied request sent to the target server. Enabling this option is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host: header needs to be evaluated by the backend server.
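What the backend sees with and without the option, as an added example that is not AXS Guard code. The reverse proxy entry, the backend's virtual-host table and the hostnames are constructed. The practitioner's caveat is built in: once Host: is forwarded unchanged it is client-controlled, so the entry only relays hostnames it is configured to serve.

```python
"""Effect of 'Preserve Hostname' on the request a backend receives.

Added illustration, not AXS Guard code.  Without the option the proxy
rewrites Host: to the backend's own name (default proxy behaviour); with it
the client's Host: is forwarded, so a backend that selects its site by name
can still tell the applications apart.  Only hostnames the entry serves are
ever relayed, because the forwarded value is otherwise attacker-controlled.
"""
from typing import Dict, Iterable


class ReverseProxyEntry:
    def __init__(self, served_hostnames: Iterable[str], backend_host: str,
                 preserve_hostname: bool):
        self.served = {h.lower() for h in served_hostnames}
        self.backend_host = backend_host
        self.preserve_hostname = preserve_hostname

    def upstream_headers(self, client_headers: Dict[str, str]) -> Dict[str, str]:
        """Build the header set for the proxied request."""
        upstream = dict(client_headers)
        client_host = client_headers.get("Host", "").split(":", 1)[0].lower()
        if client_host not in self.served:
            # Never relay a Host: this entry does not serve, whatever the option says.
            raise ValueError(f"Host {client_host!r} is not served by this entry")
        if not self.preserve_hostname:
            upstream["Host"] = self.backend_host       # default: rewrite to backend
        return upstream


# Constructed backend doing name-based virtual hosting.
VHOSTS = {
    "crm.example.com": "CRM",
    "wiki.example.com": "Wiki",
}
DEFAULT_SITE = "default site"


def backend_dispatch(headers: Dict[str, str]) -> str:
    """The backend picks the site from Host: and falls back to a default."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    return VHOSTS.get(host, DEFAULT_SITE)


def site_reached(entry: ReverseProxyEntry, client_host: str) -> str:
    """Site the client ends up on for a request carrying the given Host:."""
    return backend_dispatch(entry.upstream_headers({"Host": client_host}))
```

With the option off, every request for crm.example.com and wiki.example.com reaches the backend with Host: set to the backend's name and lands on its default site; with it on, the backend can dispatch by name.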
GeoIP Filtering
The names of the continents have been added to the descriptions of the GeoIP block lists, allowing for easier management.
Various improvements and software fixes
Web-based administration tool
- Bugfix #92978: Improve the context-sensitive help on e-mail filter action.
- Bugfix #92970: Remove PDF icons from links to the online documentation.
- Bugfix #92933: Fix a parsing issue causing endless loops in the firewall status page.
- Bugfix #92929: Improve auto-fill prevention for password input fields using updated autocomplete.
- Bugfix #92725: Fix an update issue for Internet Redundancy rules in case the rule was previously configured with protocol and port numbers.
- Bugfix #92814: Add more tags for GeoIP to improve menu search capabilities.
- Feature #93069: Add expiration date to the certificate overview page.
- Feature #93063: Add subject information to the e-mail quarantined queue.
- Feature #93063: Show the order of E-tunnels in the network routing overview.
Anti-malware
- Bugfix #86701: Add Microsoft update URLs to the Anti-Virus Web exceptions list.
- Bugfix #92243: Ensure CTRS Cloud Web Protection recovers automatically in case the DBus component crashes.
- Feature #93034: Upgrade ClamAV to version 1.103.5.
Licensing
- Feature 905df254ec: Add new software options to the list of content scanning services.
- Feature ac4a38aa0b: Add product description for CTRS and disable it when the content scanning license expires.
Others
- Feature a2206769bd - OpenVPN: Reload HTTP server when the OpenVPN server configuration is updated, toggling the access service API.
- Bugfix #93169 - Logcheck: Ignore named errors caused by disabled DNS update feature.
- Bugfix #92964 - Sysinit: Avoid using Ipt during sysinit, as the libiptc perl library is not available.
- Bugfix #92719, #92720, #92741 - System: Reduce fail mails: avoid daily duplicates, send them only while the license has not expired and only on production systems.
- Bugfix #92957 - System: Reduce fail mails regarding authentication for issues that have been automatically resolved.
- Bugfix #92173 - MTA: Make the integration of the Cyrus::IMAP::Admin library more robust with regard to data transfer issues.
- Bugfix #92727 - Web Access: Improve validation of proxy cache size, max object size, max download size and size fields.
- Bugfix #92200 - Wizards: Add missing option for SSTP VPN in the user and groups wizards.
- Bugfix #92977 - DHCP: Ensure gateway routers (IP or FQDN) fall within the specified network range.
- Bugfix #92546 - DNS: Switch to Secutec DNS upstream servers for systems where SecureDNS is enabled.
- Bugfix #92680 - Firewall: Change the target for incoming ident rules to REJECT.
- Bugfix #93062 - Statistics: Reconfigure netdata to disable health mails.
- Bugfix #92973 - Reverse Proxy RDG: Prevent infinite loops when the RDG server unexpectedly closes the connection and fix memory leak.
Version 10.4.16
DNS Cache
The AXS Guard DNS cache service has been refactored to support DNSSEC and TSIG when forwarding queries.
Firewall
Improve the safety and reliability of the AXS Guard firewall while it's being managed via various concurrent processes.
Version 10.4.15
Firewall
System administrators can now use FQDNs in firewall rules. FQDN rules are based on DNS resolution and allow you to easily filter inbound and outbound traffic for any protocol. Note that this feature is only supported for through and towards rules.
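How a DNS-resolution-based rule behaves over time, as an added example that is not AXS Guard code: the rule is expanded to the addresses the name resolves to, packets are matched against that set, and the name is resolved again once the answer's TTL has elapsed. The resolver and clock are injected so the example runs offline; the DNS data is constructed. Two caveats follow from the design: a rule is only as trustworthy as the DNS answers feeding it (use the appliance's own trusted resolver, not whatever the client asked), and a name with many or rotating addresses is only partially covered between refreshes.

```python
"""FQDN firewall rules as address sets that follow DNS.

Added illustration, not AXS Guard code.  The rule types 'through' and
'towards' are the two the text names; their semantics are not modelled.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# name -> (set of IP address strings, TTL in seconds)
Resolver = Callable[[str], Tuple[Set[str], int]]
SUPPORTED_RULE_TYPES = ("through", "towards")


@dataclass
class FqdnRule:
    fqdn: str
    rule_type: str
    action: str                       # "accept" or "drop"
    addresses: Set[str] = field(default_factory=set)
    expires_at: float = 0.0           # clock value after which to re-resolve


class FqdnRuleTable:
    def __init__(self, resolver: Resolver,
                 clock: Callable[[], float] = time.monotonic):
        self.resolver = resolver
        self.clock = clock
        self.rules: List[FqdnRule] = []

    def add(self, fqdn: str, rule_type: str, action: str) -> FqdnRule:
        if rule_type not in SUPPORTED_RULE_TYPES:
            raise ValueError("FQDN rules are only supported for through and towards rules")
        rule = FqdnRule(fqdn.lower().rstrip("."), rule_type, action)
        self._resolve(rule)
        self.rules.append(rule)
        return rule

    def _resolve(self, rule: FqdnRule) -> None:
        addresses, ttl = self.resolver(rule.fqdn)
        rule.addresses = set(addresses)
        rule.expires_at = self.clock() + ttl

    def refresh_expired(self) -> List[str]:
        """Re-resolve every rule whose TTL has run out; return their names."""
        now = self.clock()
        refreshed = []
        for rule in self.rules:
            if now >= rule.expires_at:
                self._resolve(rule)
                refreshed.append(rule.fqdn)
        return refreshed

    def match(self, rule_type: str, ip: str) -> str:
        """Action of the first rule of that type covering ip, or 'default'."""
        for rule in self.rules:
            if rule.rule_type == rule_type and ip in rule.addresses:
                return rule.action
        return "default"


def demo() -> List[str]:
    """Walk through resolution, a changed DNS answer and TTL expiry."""
    dns: Dict[str, Tuple[Set[str], int]] = {"updates.example.com": ({"192.0.2.10"}, 60)}
    now = [0.0]                                        # fake clock, seconds
    table = FqdnRuleTable(lambda name: dns[name], lambda: now[0])
    table.add("updates.example.com", "through", "accept")
    seen = [table.match("through", "192.0.2.10")]      # accept
    dns["updates.example.com"] = ({"192.0.2.11"}, 60)  # the host moves
    now[0] = 30
    table.refresh_expired()                            # TTL not yet elapsed
    seen.append(table.match("through", "192.0.2.11"))  # default: still old set
    now[0] = 60
    table.refresh_expired()                            # TTL elapsed: re-resolved
    seen.append(table.match("through", "192.0.2.11"))  # accept
    seen.append(table.match("through", "192.0.2.10"))  # default: old address dropped
    return seen


if __name__ == "__main__":
    print(demo())
```

Between the DNS change and the TTL expiry the new address is not yet accepted and the old one still is; that window is inherent to FQDN rules and is why short TTLs and a trusted resolver matter.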
Various improvements and software fixes
Email
- Bugfix #92442: Use the inline LibFile::Magic module in the MTA filter for extension blocking.
- Feature #89516: Add TLS support for SMTP relays on appliances without a content scanning license, e.g. when using the Office 365 SMTP server.
Firewall
- Bugfix #91988: Optimise IP block list management to minimise delays during automated list updates or HA failovers.
Others
- Bugfix #92682: Improve the readability of the admin tool log for system configuration changes made to parameters with a large value.
- Fix inconsistencies in SecureDNS labels.
- Set the year in the configuration page footer to 2022.
Version 10.4.14
Various improvements and software fixes
Web-based administrator tool & configuration
- Bugfix #92481: Show the first rather than the last page while searching through log files; implement behavior that is consistent with other pages.
- Bugfix #f282617269: Fix attribute references in RADIUS server configuration file.
- Bugfix #92479: Use the correct link for appliance licensing & registration.
Personal AXS Guard
- Bugfix #b84e755b51: Patch PAX client refusal for OpenVPN authentication.
Other
- Bugfix #87a4f9e3a5: Use the documentation URL as specified in the environment variable.
Version 10.4.13
SecureDNS
SecureDNS protects users from inadvertently accessing malware, ransomware, malicious domains, botnet infrastructure and more. It is an essential component of cybersecurity.
Research by industry leaders indicates that more than 91% of malware attacks use DNS exploits in one way or another. Despite this, many organizations don't monitor DNS traffic, leaving them vulnerable to attacks.
SecureDNS is available for customers with a premium content scanning license. To use SecureDNS, activate the feature and then enable the option in Network => General.
IPS
HTTPS processing has been optimized. Established and safe HTTPS connections are no longer being further analyzed by the IPS in order to save AXS Guard system resources.
Directory Services
Active Directory synchronization has been improved by removing WINS dependencies. Operations now entirely rely on the Kerberos protocol. Note that the Kerberos server must be accessible. The clocks of AXS Guard and the Kerberos server must also be properly synchronized with a time server.
Anti-Malware & Web Content Scanning
Download threads
Downloads via the web content scanning engine have been optimized. Slow download threads are now being prevented from causing delays in accessing the AXS Guard Cloud threat protection service in favor of other, faster threads. The timeout for connecting to the AXS Guard cloud has also been reduced to 5 seconds.
High Availability
Improve support for HTTPS inspection. The HTTPS inspection certificate cache has been moved to the replicated DRBD filesystem, allowing it to be used more efficiently by the other cluster node. In the event of a failover, certificates will no longer have to be regenerated, as they are available and kept in sync on all HA nodes.
HTTPS Inspection
Clear the HTTPS inspection certificate cache when the built-in CA is reinitialized. The HTTPS inspection feature uses the built-in CA to build a cache of trusted server certificates.
These certificates are signed by the built-in CA, and are considered valid as long as the built-in CA is trusted by the user's browser.
However, when the built-in CA is reinitialized, all certificates residing in that cache will no longer be trusted by clients. For this reason, the cache is now also cleared when the built-in CA is being reinitialized.
Firewall
Adjust the fwd-edr firewall rule to allow connections to the ReaQta endpoint security service in the AXS Guard cloud.
Fix 'out of office' messages. Out of office notifications stopped working after a regression in the previous AXS Guard version. This issue was related to the host domain name being used to configure 'out of office' message recipients in HA environments. Due to misconfiguration, the notifications could not be delivered.
PKI
Fix log warnings. Warnings are reported in the logs when a certificate is being imported without a certificate chain or when a certificate is missing the Common Name (CN) field.
System Administration Tool
Fix HTML escaping to prevent HTML injection. Other changes include corrections in labels, links, casing, descriptions and more.
VPN
OpenVPN Service
Prevent the AXS Guard OpenVPN service from accepting connections made by PAX clients. PAX clients can automatically use TCP port 443 as a fallback for UDP port 1194, e.g. when sitting behind a restrictive corporate firewall.
However, this port cannot be shared with the OpenVPN service, which will now deny PAX clients from establishing a successful connection when PAX and OpenVPN client certificates are signed by the same CA.
OpenVPN Client Configuration Export
Fix client configuration export with encrypted private key protection when the use deprecated ciphers option is enabled on the server side.
Version 10.4.12
Various improvements and software fixes
E-mail
- Bug #92105: Fix domain masquerading.
Configuration Tool
- Bug #0bd10e4ef: Fix visual glitch in certificate export labels.
- Bug #ae4a0a306: Fix visual glitch in tool access type labels.
Version 10.4.11
HTTP Reverse Proxy Access Control
System administrators now have the possibility to restrict access to applications and services based on the IP address of the remote client. This is especially useful for applications and websites where user authentication is not enforceable or desired.
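A client-IP access check of this kind, as an added example that is not AXS Guard code (the networks, peer addresses and headers are constructed). The decision is taken on the address of the TCP peer. The caveat worth building in: an X-Forwarded-For header is written by the client unless the request came through a proxy you control, so it is only believed when the peer is a configured upstream proxy, and then only its last (proxy-appended) entry.

```python
"""Restricting a reverse proxy entry to client IP ranges.

Added illustration, not AXS Guard code.  IPv4 and IPv6 ranges are both
accepted; single addresses may be given without a prefix length.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _networks(specs: Iterable[str]) -> List[IPNetwork]:
    # strict=False accepts both "10.0.0.1" and "192.0.2.0/24"
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def _contained(addr: IPAddress, nets: List[IPNetwork]) -> bool:
    # 'in' is False across address families, so mixed lists are safe
    return any(addr in n for n in nets)


class ClientIpAcl:
    def __init__(self, allowed: Iterable[str], trusted_proxies: Iterable[str] = ()):
        self.allowed = _networks(allowed)
        self.trusted_proxies = _networks(trusted_proxies)

    def effective_client(self, peer_ip: str,
                         headers: Optional[Dict[str, str]] = None) -> IPAddress:
        """Address the decision is made on."""
        peer = ipaddress.ip_address(peer_ip)
        xff = (headers or {}).get("X-Forwarded-For")
        if xff and _contained(peer, self.trusted_proxies):
            # The rightmost entry was appended by the trusted proxy; anything
            # to its left was supplied by the client and is not verified.
            try:
                return ipaddress.ip_address(xff.split(",")[-1].strip())
            except ValueError:
                pass                       # malformed header: judge the peer
        return peer                        # untrusted peer: header ignored

    def allows(self, peer_ip: str, headers: Optional[Dict[str, str]] = None) -> bool:
        return _contained(self.effective_client(peer_ip, headers), self.allowed)
```

A spoofed X-Forwarded-For from an arbitrary Internet host therefore changes nothing; only a header added by the configured upstream proxy is honoured.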
OpenVPN System Legacy Options
The following options have been relocated in the OpenVPN Server configuration screen:
- Allow Deprecated Ciphers
- Use small Subranges
- Accept Compressed Data
Note that these options are only present for legacy reasons, i.e. to support outdated client software and/or obsolete OpenVPN configurations. The use of obsolete server and client options is insecure. System administrators should upgrade old OpenVPN client software and configurations ASAP.
Personal AXS Guard
The PAX diagnostic tool has been refactored and improved, so system administrators can identify problems and detect network issues more easily.
Various improvements and software fixes
E-Mail
- Bug #91274: Keep original From-address when it doesn't contain a domain name.
- Bug #92041: Correctly deliver Virus E-mail notifications when multiple System Administrator E-mail Addresses are configured.
- Bug #91920: Only include E-mail domains in mail configuration when E-mail transfer feature is enabled.
- Rfe #92081: Validate the response code of the real time blacklist lookups to prevent false positives.
Firewall
- Rfe #91052: Add static policy and forward rule to allow communication with EDR.
High Availability
- Bug #90871: Service failed to start when DHCP device failed to obtain a lease.
- Rfe #90372: Disable automatic updates.
OpenVPN
- Bug #86617: Include login attempts of users with no OpenVPN access in the authentication summary log.
- Rfe #90873: Add checkbox to disable 'Receive compression'. It's recommended to disable this option but this requires distributing new configurations files to all clients.
- Rfe #90872: Add checkbox to remove the - deprecated - cipher option from client configuration files. It's recommended to disable this option but this requires all OpenVPN users to use OpenVPN 2.4+.
Proxy
- Bug #88401: Only allow users that are configured on the AXS Guard to authenticate using Kerberos.
Reporting
- Rfe #86826: Group similar reject reasons in the E-mail reports.
Reverse Proxy
- Rfe #187a1e: Verify if configured port is available during a system configuration check.
- Rfe #f4ae84: Show warning when the configured certificate is expired.
SSTP
- Rfe #85379: Extend the SSTP validation to detect configuration conflicts.
Tool
- Bug #91241: Clear the 'changed' flag after restoring a backup.
- Rfe #85548: Fine-tune 'Port already in use' errors.
- Bug #87549: Reduce number of validation errors when an invalid authentication policy is configured.
- Bug #90333: Correct information-links of IPS Rules.
- Bug #86482: Fix for excluding a previously included IPS rule.
- Rfe #91226: Update title of the IPS Rules page.
- Rfe #87331: Enhance IPsec Status page when no tunnels are configured.
- Rfe #86203: Include the blocked reason when viewing a quarantined e-mail.
- Bug #87867: Correct invalid link on Personal AXS Guard status page.
- Rfe #86825: Add a scrollbar in the legends of Web Access and E-Mail reports.
- Rfe #91794: Speed-up loading of DHCP used leases overview.
- Rfe #90801: Include device description in Device Statistics.
Version 10.4.10
Trend Micro Antivirus
Resolve Bug #130743 - Antivirus : Ensure only one instance of trophie is running after upgrade to 10.4.9.
Prevent more than one trophie process to accept new connections for antivirus processing in order to avoid the use of outdated pattern files and HA failover issues.
On HA systems, failovers will not succeed as only one trophie process is terminated while others still hold references to the trophie socket residing on the DRBD filesystem. As long as this socket continues to exist, the DRBD filesystem will fail to unmount, stalling the HA failover.
Version 10.4.9
Antivirus Protection
- Web Access
- Bug #92003 - Antivirus : Remove application/pdf from HAVP skip mime list.
- Bug #92001 - Antivirus : Update HAVP to version 0.93.7 with ICAP quick-process loop fix and preview support.
Version 10.4.8
Advanced Threat Protection for all web traffic
The AXS Guard premium content scanning license has been updated to support advanced threat intelligence and content scanning for HTTP and HTTPS traffic. To use this feature, simply enable the 'Advanced Threat Protection AXS Guard Cloud - Web' option in the Feature Activation page of your appliance.
Personal AXS Guard
PAX clients are sometimes used in environments where access to the Internet is restricted and where you cannot simply change firewall settings for outbound connections. An option to traverse restrictive firewalls has been implemented to facilitate connections for any PAX unit that is sitting behind a corporate firewall which is beyond your control. This new 'Support HTTPS Firewall Passthrough' option can be found in the PAX > Server page.
Various improvements and software fixes
PAX
- Bug #91414: Fix race conditions and deadlocks in the PAX client management service, which caused delays and/or unexpected client disconnects.
Web Access
- Bug 3b2eaa9fe5: Fix high CPU usage spikes by disabling partial (un)locking when scanning Microsoft Cabinet (.cab) files with ClamAV.
Documentation & context-sensitive help
- All PDF documents have been replaced with a link to the online documentation.
- Add context-sensitive help for new PAX firewall traversal option.
Version 10.4.7
OpenVPN
AXS Guard now features an OpenVPN Access Server which facilitates the rapid deployment of secure remote access for OpenVPN users. The OpenVPN Access Server is fully compatible with the OpenVPN Connect Client, which is freely available for Windows, Android and iOS.
With this client, users can easily download and import their OpenVPN configuration and certificate via a secure connection to the AXS Guard Cloud. This new feature considerably alleviates administrative burden for system administrators, as they no longer have to manually distribute OpenVPN certificates and configuration files to authorized users.
Various improvements and software fixes
Blocklists
- Bug #90466: Extend backup with blocklists configuration.
Network
- Rfe #90903: Upgrade network speed test.
Reports
- Rfe #90319: Increase visibility of system reports.
Reverse Proxy RDG
- Bug #90929: Fix issues with some characters in backend password.
System
- Rfe #1d658c44b2: Upgrade OpenSSL library.
- Rfe #90847: Also perform time synchronization when there is a large time drift.
- Rfe #90392: Add support for TLSv1.3.
Version 10.4.6
Various improvements and software fixes
- edb946ddc7: Remove syntax errors in RADIUS configuration when secrets contain spaces or quotes.
- cf248bf44d: Remove DIGIPASS API models from backup validation to eliminate error messages on systems without licensed tokens.
- 19a4b8889b: Remove DIGIPASS API login and registration background jobs when the DIGIPASS feature is no longer used.
Version 10.4.5
Various improvements and software fixes
- Defect #90711: Change the default service port of the DIGIPASS App server to avoid port conflicts.
- Rfe #125917: Optimize the activation of all IP address lists at boot time, in order to speed up the boot process on slower systems. This means a considerable reduction of the total boot time from a little over 6 minutes to about 6 seconds.
- Rfe #84772: Collect all SSTP VPN log messages into a single file for a better user experience. The updated log consists of relevant HTTP reverse proxy entries, SSTP server and PPP events.
Version 10.4.4
Various improvements and software fixes
- Rfe #90764: Fine-tune e-mail security checks for whitelisted e-mail addresses.
- Rfe #90765: Automatically disable anti-spoofing for VPN clients.
- Rfe #90753: Reduce excessive logging in Webmail error logs.
Version 10.4.3
Various improvements and software fixes
- Rfe #89897 IPsec: Add default IKE profiles for SHA-256.
- Rfe #133d575c E-mail: Include the reason why spam was deleted by AXS Guard (extra column in 'deleted spam' overview).
- Rfe #89192 E-mail: Improve anti-spoofing capabilities.
- Rfe #82697 Directory Services: Disable users on AXS Guard when they are disabled in the LDAP backend.
Version 10.4.2
Application Control
Introduce a software fix to prevent system failures (kernel panics) when malformed packets occur.
Virtual AXS Guard
Added support for oVirt, an open-source distributed virtualization solution.
IPS
Added new functionality to the Intrusion Prevention System to automatically detect whether the system CPU supports SSSE3, a SIMD instruction set created by Intel (for increased performance).
Networking
Ignore the IP address of a DHCP device during the validation of a static route.
Reverse Proxy RDG
A new authentication policy was added, which supports logins with a back-end password, followed by a one-time password generated with either an OATH or DIGIPASS token (back-end password + OATH or DIGIPASS).
Version 10.4.1
Various improvements and software fixes
Version 10.4.1 contains various software fixes to improve the overall quality, stability and security of the AXS Guard appliance.
Contact support@axsguard.com for additional information.
Strong Authentication with Push Notifications for Web Applications
The AXS Guard reverse proxy now supports Push Notification Authentication.
Push Notification Authentication enables user authentication by sending a push notification directly to the user’s smartphone, alerting them that an authentication attempt is taking place.
Users can now use their mobile devices as the second required factor for secure two-factor authentication; there is no need for client-side tokens or additional devices.
When users log into a secured web application, they will automatically receive an authentication request based on their username. Users can then view the authentication details and approve or deny access, via the simple press of a button.
To use this feature, you need the mobile application, which can be personalized and branded according to your requirements, a DIGIPASS server license, the AXS Guard Enterprise bundle and a web application to be secured.
Please note that in order to use this feature, some custom development is required. Contact sales@axsguard.com for more information.
Firewall Geo-blocking
Geo-blocking is a technology which limits Internet traffic based on geographic location. You determine whether users can access your network or application based on their specific location.
This new feature allows system administrators to easily block malicious traffic - such as automated cyberattacks & port scanners - coming from unauthorized locations. It can also be used to prevent users from accessing potentially dangerous and questionable services hosted abroad.
Geo-blocking is an effective tool to prevent your system logs from being flooded with unnecessary information and eases administrative burden.
AXS Guard NTP Cloud Service
A precise time is necessary to be able to efficiently compare log files between various IT systems, for example in the event of a security incident. Many AXS Guard services, such as 2FA, Kerberos and scheduled tasks also rely on a precise time.
AXS Guard has gone through the validation process and is now officially part of the global NTP network.
NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference. NTP is an Internet standard.
Reconfiguring the NTP settings of your computers is relatively easy. This setting can also be configured centrally so that you don’t have to manually reconfigure each and every individual computer in your network.
CEO Fraud Protection
CEO Fraud is a type of spear-phishing email attack.
Typically, attackers identify themselves as high-level executives (CFO, CEO, CTO, etc.), lawyers or other types of legal representatives and purport to be handling confidential or time-sensitive matters, attempting to trick staff into transferring money to a bank account they control.
The AXS Guard content scanning engine has been updated to detect and block such attacks more effectively.
System Updates and Improvements
EAP-MSCHAP v2 Support for SSTP Server
Support for the Extensible Authentication Protocol (EAP-MSCHAP v2) has been added to the AXS Guard SSTP server to improve security.
RDG Password Auto-learning
This reverse proxy feature already existed for HTTP back-ends, but has now also been implemented for Remote Desktop Gateways. It offers a better UX to end users and allows for a swifter integration of secure AXS Guard authentication methods, such as 2FA.
Network Connectivity Checks
Connectivity checking is a functionality which periodically tests whether the AXS Guard network interfaces still have connectivity or not. This option has been refactored in the web-based administrator tool for a better user experience.
OpenVPN and PAX Server
The server binding options have been refactored to improve the user experience. Administrators who are looking to (re)configure the PAX or OpenVPN service are now presented with a clear selection of binding options.
Semi-Persistent IP Addresses for OpenVPN Clients
The OpenVPN server has been updated to maintain a persistent list of IP addresses handed out to different clients. When a client reconnects at a later time, the IP address that was used previously will automatically be reassigned by the server.
Samba Updates
Samba is a standard Windows interoperability suite of programs used on AXS Guard. Various components of this suite have been upgraded to improve security for the following services:
- System backups on network shares
- Directory services & authentication (LDAP)
Documentation
The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in the PDF and HTML format.
The following manuals have been added or updated:
- AXS Guard Authentication Guide
- AXS Guard Firewall Guide
- AXS Guard OpenVPN Guide
- AXS Guard PAX Installation Guide
- AXS Guard Reverse Proxy Guide
- AXS Guard System Administration Guide
- AXS Guard SSTP Guide
The following KB articles have been added or updated:
- AXS Guard WPAD Configuration
- AXS Guard Remote Workspace
Version 10.3
Version 10.3.15
Application Control
Introduce a software fix to prevent system failures (kernel panics) when malformed packets occur.
Version 10.3.14
E-mail Services
Move e-mails containing ".rar" attachments to the quarantine queue if they match a blocked extension filter.
Reporting and Statistics
- Include SSTP server logins in the Remote Access reports.
- Show collectd errors in the full event log.
VPN
- Improve the PAX and OpenVPN server documentation.
- Update the certificate hint in the IPsec server configuration page.
Reverse Proxy
- Update the copyright notes in the Session Management login page.
- Update the certificate hints in the reverse proxy server configuration pages.
System Administration Tool
Remove obsolete product items from the License > General page.
Version 10.3.13
Administrator Tool
Fixed the 'Operation Not Permitted' message when using the ping network utility under Network -> Tools -> Ping.
Allow system administrators to configure IP addresses with a /31 subnet for network devices.
Add a description field to facilitate the management of computers in the network.
Reverse Proxy
Fix RDG broken pipe errors and related system performance issues. The client/server socket write channel will now remain open as long as there is outstanding data.
VPN Services
Increase the maximum number of concurrent VPN connections for PPTP, SSTP and L2TP.
Web Access
Correct the handling of Kerberos authentication failures for the proxy server, preventing the invocation of an excessive number of 'negotiate_kerberos_auth' helpers.
Webmail
Improve the general responsiveness of the webmail service when used by a large amount of concurrent users.
Version 10.3.12
Clarified instructions in License Wizard
The license wizard allows system administrators to upload a system license to the AXS Guard appliance, which is required to get it to full operational, in-service status.
The wizard now contains clearer instructions to guide administrators through the entire licensing process.
New authentication policies for VPN services
A second authentication factor can now be used in combination with one-time passwords generated by OATH (Google or Microsoft) authenticators.
DIGIPASS tokens already offered this possibility in the form of a PIN. However, this option was not available for users with an OATH authenticator.
To further strengthen the authentication process and allow greater flexibility in the deployment of strong authentication for VPN access, new authentication policies are now available for PPTP, L2TP and SSTP.
The 'PasswordAndOATHOrDIGIPASS' policy requires users to log in with their password and a one-time password generated by their OATH authenticator or DIGIPASS token.
The 'PasswordAndOATHorPasswordAndDIGIPASS' policy requires users to log in with their password and a one-time password generated by their OATH authenticator or with their password and a one-time password generated by their DIGIPASS token.
System Dashboard improvements
New badges have been introduced to indicate the status of various feature licenses. While hovering over them, more detailed license information will appear automatically.
A widget showing blocked users and hosts has also been added. This widget allows system administrators to unlock accounts and unblock hosts with greater ease, while providing additional details about the listed items.
Various VPN Fixes
The OpenVPN topology has been changed so that the full virtual IP range is available for VPN clients.
The number of pseudo-terminal devices for PPP tunnels has been increased to avoid client 'port' failures.
IP addresses allocated to clients by SSTP are now freed correctly after SSTP clients disconnect. This prevents premature depletion of the IP address pool.
Version 10.3.11
AXS Guard SSL Proxy Feature Release
The SSL filtering feature is no longer in its experimental phase and is now available for customers with a Premium Content Scanning license.
Information and configuration instructions pertaining to this new feature are available on this website (see system administration > web access).
Contact sales@axsguard.com to upgrade your existing content scanning license or to purchase a new license.
Fix SSTP Authentication Failures
Make AXS Guard wait for LCP configuration requests from clients, rather than initiating them on the server side.
This avoids a race condition in (samba) PPP causing LCP configuration requests to stop prematurely and fail due to authentication proposals that were perceived as invalid.
Fix Firewall Policy Rendering Issue
In some cases, very long firewall policy descriptions caused the browser to hide other policy data. The readability of the firewall policy page has been improved and the issue has been resolved.
Version 10.3.10
Transparent Proxy for SSL Inspection
Transparent proxies are commonly used to prevent users from abusing or bypassing company web access policies and to ease administrative burden, since no client-side browser configuration is required.
SSL Inspection can now be enabled transparently. If enabled, client traffic towards TCP port 443 will be intercepted and redirected to port 3130 for further processing.
For this to work seamlessly, the CA certificate used by the SSL proxy must be added as a trusted root CA on all clients that will be scanned.
Note that certain web applications may not function properly when decrypted. You may also want to exclude certain domains and networks for any other reason, including legal or privacy reasons, e.g. sites which provide online banking services.
For this purpose, the AXS Guard cloud service provides a global SSL exception list which will be available on all systems with a Premium Content Scanning license. We highly recommend using this list for best performance and results.
System Dashboard Improvements
All widgets will show dummy data when the dashboard is being loaded to avoid reported flickering and layout issues.
The basic system load information on the dashboard has been replaced by a more detailed system load graph, showing various system loads over time.
Version 10.3.9
Gradual rollout of the new SSL Inspection feature
Over the last few years, many popular web sites including Google, Youtube, Reddit and Facebook have started enabling HTTPS encryption by default.
This means that without configuring SSL inspection, proxies have limited filtering, monitoring and logging capabilities.
In this new version, we implemented support for man-in-the-middle SSL filtering, which will allow system administrators to more effectively control and monitor web traffic passing through the AXS Guard proxy server.
System Dashboard Improvements
The AXS Guard system dashboard represents key performance indicators and metrics and is constantly reworked based on customer feedback.
A tooltip showing IPsec tunnel status information has been added to the system dashboard to improve the user experience.
Personal AXS Guard logs are now grouped per client, allowing system administrators to locate various client logs with greater ease.
DNS over HTTPS
DNS over HTTPS is problematic for the analysis and monitoring of DNS traffic for cyber security purposes, as it can be used to bypass company content-control software and DNS policies.
Firefox implemented a mechanism to automatically disable or enable DNS over HTTPS based on a canary domain. This canary domain is enabled by default on AXS Guard to block DNS over HTTPS.
Also see the KB article on this site, which covers all client implementations (Knowledge Base > Networking).
Version 10.3.8
Export system metrics to AXS Guard cloud
Some important system metrics have been made available in the AXS Guard cloud so system administrators can easily access vital information pertaining to all their deployed systems in a secure fashion.
Add option to set SMTP authentication policy
AXS Guard can be integrated into an Office 365 environment to scan all incoming and outgoing mail traffic for malicious content and viruses.
To allow AXS Guard to also scan outgoing messages, mail clients must be configured to use the AXS Guard SMTP server instead of the Office 365 SMTP server.
This will ensure that all outgoing mail traffic is logged by AXS Guard and that its mail policies can be enforced.
The new option allows system administrators to restrict user access to protect the AXS Guard MTA against brute-force attempts and to implement a more strict TLS policy.
Disable IP forwarding when license is expired
AXS Guard will automatically put itself in "safe mode" when its license expires. As the system will no longer be able to download critical software updates without a valid license, all Internet traffic will be blocked for security purposes.
Version 10.3.7
New System Dashboard
In the first version of the new dashboard, we represent the same data as the "old dashboard" using new and interactive widgets.
For the sake of convenience, the former dashboard can still be accessed.
The AXS Guard dashboard will remain a focus for improvement; administrators can expect a lot more interesting widgets and functionalities in the near future.
Previous versions
Various improvements and software fixes
Versions 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5 and 10.3.6 contain small feature changes and software fixes to improve the overall quality, stability and reliability of the AXS Guard appliance.
Contact support@axsguard.com for details.
New Dashboard
The AXS Guard system dashboard has been reworked extensively to better represent key performance indicators and metrics.
In the first version, we represent the same data as the "old dashboard" with new and interactive widgets. For the sake of convenience, the former dashboard is still easily accessible.
In the next iteration, extra widgets will be added to adequately represent information about the system’s disk usage, the status of IPsec tunnels and VPN client connections.
The AXS Guard dashboard will remain a focus for improvement; administrators can expect a lot more interesting widgets and functionalities in the near future.
Microsoft Azure
AXS Guard is now available as a cloud platform in Microsoft Azure. With this PaaS (platform as a service) solution, organizations can safely build and host Microsoft-based products and configurations in their data centers.
The AXS Guard UTM virtual appliance is available in the Microsoft Azure Marketplace, the online store that offers applications and services either built on or designed to integrate with Microsoft’s Azure public cloud.
AXS Guard provides improved Azure cloud data access security by leveraging its multi-layered defense that crosses network, VPN, e-mail, web and content security. Hence you can easily and securely extend your on-premise hosted data and services to the Azure cloud.
From the Azure Marketplace, AXS Guard UTM virtual appliances can be easily set up with just a few clicks and deployed in a matter of minutes. Remember the public IP address of the newly deployed virtual machine, and use it in a web browser to access the AXS Guard configuration tool, where you can start the configuration wizards to complete the setup process.
Documentation
The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in PDF and HTML.
The following AXS Guard manuals have been updated:
- System Administration Guide
- Installation Guide (Getting started)
- Personal AXS Guard Server Guide
The following manual has been added:
- Personal AXS Guard Industrial all-in-one Guide
New Features
Microsoft Azure Ready
The AXS Guard virtual appliance can now be easily deployed from within the Azure Marketplace to operate on the Microsoft Azure platform. AXS Guard integrates the Microsoft Azure Linux Agent, which manages provisioning and virtual machine interaction with the Azure Fabric Controller.
Office 365 Fast Lane
According to a Computable Magazine article of 17 June 2019: "Office 365 issues with legacy networks" - excessive network latency causes major delays in Office 365 implementations. Additionally, 63% of 250 surveyed companies agree that project collaboration in an Office 365 environment suffers from network-related problems.
As a response to these complaints, Microsoft recommended its "ExpressRoute" solution, which allows companies to optimize their connection speeds for Microsoft cloud services. However, this solution is rather expensive and complex to configure, making it often prohibitive for SMEs.
This is why AXS Guard developed the "Office 365 Fast Lane" solution, a cheaper alternative that is technically similar. The solution consists of a simple setup wizard which allows system administrators to correctly configure firewall, security and other Office 365 network settings in no time.
This way, employees can benefit from faster, optimized Office 365 connection speeds and profit from the increased responsiveness of frequently-used Office 365 applications.
Optimal network speeds are calculated as a function of the total available Internet bandwidth, which is automatically measured by AXS Guard. After completing the wizard, users will immediately notice the result.
E-mail filtering incorporates Google Safe Browsing
Google Safe Browsing helps to protect users on the internet against malicious sites by showing warnings when they attempt to visit such sites or download dangerous files.
AXS Guard integrates Google Safe Browsing as an extension to its adaptive e-mail filter. Every URL present in e-mails is processed by the AXS Guard cloud URL threat protection service (CTRS) using Google’s Safe Browsing technology. Messages containing potentially dangerous URLs will be marked as unsafe and quarantined.
Dynamic hostnames in IPsec tunnel definitions
Traditionally IPsec site-to-site tunnel definitions require fixed IP addresses for host identification and policy matching. In order to support IPsec tunnels for sites where one side has a dynamic IP address, AXS Guard can now be configured with a template or wild-card definition to accept any connection with the right credentials. Security-wise this is not an optimal solution. Furthermore it can cause a lot of unwanted log entries originating from unknown connections.
To address this issue, AXS Guard now supports the use of dynamic (DNS) hostnames, making tunnel definitions more secure. Every time a tunnel is (re)started, a DNS lookup of the hostname is performed to determine the IP address to connect to. When the tunnel collapses because one side changed its IP address, the tunnel is re-established automatically when that side updates its dynamic DNS entry with the new IP address.
Lists of local and remote subnets in IPsec tunnel definitions
IPsec site-to-site tunnel definitions share one local subnet with one remote subnet. When many local subnets have to be shared with possibly many remote subnets, multiple tunnel definitions have to be configured separately for each subnet sharing the same IPsec MAIN mode.
System administrators can now specify a list of local and remote subnets. This reduces configuration overhead and also simplifies IPsec VPN status management.
Personal AXS Guard Industrial AIO
The Personal AXS Guard portfolio of products has been extended with a new type of hardware geared towards industrial applications. The brand new Personal AXS Guard Industrial all-in-one device is based on an x86 64-bit platform with two Ethernet ports (LAN and WAN), an optional wireless-N adapter and mSATA storage, and is rack-mountable (DIN rail).
Create a new Personal AXS Guard client and select the AG-I122 (Industrial all-in-one) hardware type for an optimal configuration.
Version 10.2
Secure Socket Tunneling Protocol (SSTP)
AXS Guard extends its offering of remote access solutions with support for the Microsoft Secure Socket Tunneling Protocol (SSTP), a VPN service that provides a mechanism to transport PPP traffic over an SSL/TLS channel.
SSL and TLS are cryptographic protocols designed to provide communications security over a computer network.
The use of SSL/TLS over TCP port 443 allows SSTP clients to pass through virtually all firewalls and proxy servers, except for authenticated web proxies.
The SSTP server can be configured to enforce strong authentication, which is capable of blending different authentication factors and/or types for increased security.
The AXS Guard reverse proxy manages the SSTP server as a separate application, allowing administrators to share the same external IP address and port with other applications and services.
See the official Microsoft documentation for additional information about SSTP.
Documentation
The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in PDF and HTML formats.
The following manuals have been added or updated:
- AXS Guard PKI Guide
- AXS Guard SSTP Guide
- AXS Guard Reverse Proxy Guide
The following KB articles have been added or updated:
- Terminal Server Setups
- HTTP Authentication Methods
New Features
Microsoft SSTP VPN Support
MS-SSTP (Microsoft Secure Socket Tunneling Protocol) is a VPN protocol developed by Microsoft. It implements PPP over HTTPS (SSL), so traffic can easily traverse firewalls and proxies.
CA Certificate Export Option
If the SSTP server certificate is signed by the AXS Guard CA, the CA certificate must be exported and added as a trusted root CA on each Windows SSTP client in order for connections to succeed. A new button has been added for this purpose.
OATH Support for Remote Desktop Gateway Back-ends
The Remote Desktop Gateway (RDG) reverse proxy back-end now supports authentication with OATH-based tokens, such as Google and Microsoft Authenticator apps.
The following authentication methods are available:
- OATH (default)
- DIGIPASS
- OATH or DIGIPASS (to facilitate migration)
- AXS Guard password
- Back-end password (LDAP)
OATH is supported for all RDG implementations, such as RPC over HTTP (prior to Windows 8), RDG (Windows 8 or later) and the Microsoft Remote Desktop App (Android, iOS and Windows).
Version 10.1
OATH
Support for Google and Microsoft OATH tokens has been implemented. OATH tokens provide one-time passwords to end users and are a form of strong authentication.
The Initiative for Open Authentication (OATH) is a collaborative effort of IT industry leaders aimed at providing a reference architecture for universal strong authentication across all users and all devices over all networks. Using open standards, OATH will offer more hardware choices, lower cost of ownership, and allow customers to replace existing disparate and proprietary security systems whose complexity often leads to higher costs.
An OATH license is required for this feature.
Visit https://openauthentication.org for additional information.
Documentation
The AXS Guard documentation is constantly updated to reflect the various updates and improvements in the software and the product as a whole. Documents are available in PDF and HTML formats.
The following manuals have been updated:
- AXS Guard Authentication Guide
The following articles have been added to the knowledge base:
- How to set up your Google Authenticator
- How to set up your Microsoft Authenticator
New Features
Microsoft and Google Authenticator Support
Both Google and Microsoft provide authenticators based on the OATH standard. Most implementations of OATH leverage smartphones and apps for the generation of one-time passwords.
The Authenticator apps can be downloaded from the Android and iOS app stores at no cost.
Licensing
Tokens cannot be assigned without a valid license; a new system license is required. Contact your reseller to obtain an OATH token license.
Go to System > License > Authenticators > OATH to view your license details.
Provisioning
On the server side, secrets are provisioned by assigning a token to a user. An e-mail with configuration instructions is automatically sent to the user’s AXS Guard mailbox after a token has been assigned by an administrator.
On the client side, the user can simply import the secret by scanning the QR code provided in the e-mail, which also contains instructions to manually enter the required information.
Authentication Policies
New policies have been added to accommodate authentication with OATH tokens. These feature authentication methods for both password (PAP) and challenge (CHAP) based authentication protocols, as used by PPTP and L2TP VPN services.
Version 10.0
Kernel Upgrade
A new 64-bit kernel has been implemented. The previous kernel has also been upgraded to version 4.14. This is especially important when installing the appliance in a virtual environment; it will no longer be possible to boot your virtual AXS Guard appliance with a virtual machine that has been configured for a 32-bit guest OS.
The upgrade process may take over 30 minutes to complete. It is recommended to upgrade your appliance during off-peak hours or during a maintenance window to avoid service interruptions.
A new NAT option has been added to the Personal AXS Guard service to allow administrators to use the same subnet for multiple PAX units. Some minor changes were also made to the server-side user interface, making DHCP and passwords easier to configure.
A drag and drop feature has been implemented allowing administrators to easily change the order of rules in system policies, such as firewall policies.
A new reverse proxy back-end has been added to support Awingu version 4.0 and above.
Documentation
The AXS Guard documentation is constantly updated to reflect the various updates and improvements in the software and the product as a whole. Documents are available in PDF and HTML formats.
The following guides have been updated:
- AXS Guard PAX Installation Guide
- AXS Guard Reverse Proxy Guide
- AXS Guard Firewall Guide
- AXS Guard PKI Guide
- AXS Guard Virtual Appliance Guides
New Features
Kernel 4.14
Kernel updates introduce fixes which close up previously discovered security vulnerabilities and are the most important reason to upgrade your system.
Updates will also include support for new hardware, new functionalities and improve the stability and speed of your system.
IPsec netkey and VTI interfaces
The IP security (IPsec) stack is switched to the native Linux implementation called netkey. In order to facilitate this transition, AXS Guard makes use of virtual tunnel interfaces (VTI), which provide routable IPsec software interfaces that support multicast, bandwidth management and load balancing, similar to the KLIPS IPsec stack used before.
The switch to netkey IPsec stack offers active development and support, a larger selection of cryptographic algorithm support, cryptographic offloading and parallel processing.
New PAX NAT Option
A new Translate Remote LAN option has been added, allowing administrators to reuse the same subnet for multiple PAX units.
Reverse Proxy support for Awingu 4.0
The reverse proxy has been refactored to support Awingu 4.0 and later versions. To configure the reverse proxy for use with Awingu 4.0, just select the "awingu-v2" back-end.
SSO Tool
Version 2.15
Bug Fixes
- The OpenSSL suite has been upgraded.
- Resolved issue where clients could no longer connect after sleep mode.
- MSI configuration tool now supports username/password mode.
- Per-user install has been fixed.
- The MSI configuration tool was moved to the "Configuration Tools" folder in the SSO zip file.
Version 2.14
New Features
- Windows 10 compatibility.
- A new utility helps you to customize the MSI installer for deployment via a GPO.
- Software can be installed per-user or per-computer. Per-user context no longer requires administrative privileges.
- New icon which indicates the connection status.
- Updated AXS GUARD logos, icons and trademarks.
- The software has been optimized for AXS GUARD version 8.2.1.
Improvements
- OpenSSL and wxWidgets have been upgraded.
- Version 2.14 will play nice with Windows sleep, shutdown and hibernate.
- The uninstall and upgrade wizards will automatically close running instances of the SSO tool (as of version 2.14).
- Version 2.14 can be configured to automatically update the Windows system proxy settings.
- SSO binaries are now signed by "Vasco, The Security Company". See msdn.microsoft.com for additional information.
- When starting the SSO tool without a profile, a friendly dialog box will help you create one.
- Possibility to use an IP or hostname to configure the gateway.
- The installer automatically launches the SSO Tool after installing the software.
- Possibility to choose the installation path of the SSO Tool.
- Only one instance of the SSO Tool can be active at any given time.
- Ability to edit the default profile in a per-computer context (new users only).
- Uninstall will clean up existing SSO registry data, including profiles.
- Validation has been improved.
- Improved error messages and debug logging.
- Resilient networking code.
- Friendly reminders of new versions will be shown every time the SSO tool is restarted.
Bug Fixes
- On some systems, uninstalling version 2.13 of the SSO tool is not possible. Upgrading to 2.14 will correct these issues.
- Various memory leaks and software crashes have been fixed.
- The default system profile was not always applied to first-time users in previous versions. This has been fixed in version 2.14.
- Command line install has been updated and is now fully supported.
- The debug log is now saved in %AppData%\AXSGUARDSSOv2 instead of the application directory.
- Fixed connection errors on very fast networks.
- Fixed all inconsistencies between setup-profile and run-profile.
- Improved silent install for per-user and per-computer contexts. Note that the latter requires administrative privileges.
- Profile auto-detection issue has been fixed.
- Corruption of Firefox proxy settings has been fixed.