Important Note: Today, most well-known web browsers have a built-in pop-up blocker to prevent windows from opening unexpectedly. This blocker, however, interferes with the Startup Wizard when the NetDefend Firewall runs it for the first time. To reduce the impact on new users, a Startup Wizard button is shown on the toolbar since firmware v2.20. The button appears in the WebUI only while the device's Configuration Version is 1. Once any setting has been saved and the Configuration Version is greater than 1, the Startup Wizard button no longer appears at the next login, unless the device configuration is reset to factory default. The purpose of this mechanism is to make the Startup Wizard reachable even when the pop-up blocker was not disabled before logging in to the firewall.

====================================================================
Version: 2.27.03
Platform Compatibility: DFL-210/260/800/860/1600/2500
Hardware Version: A1 (for all models), A2/A3/A4 (for DFL-210/800/1600/2500)

Important Note: For DFL-210/260/800/860, the interface speed of the LAN and DMZ ports cannot be configured manually, since the IXP4NPE driver only allows the auto/auto configuration. If users try to configure the interface speed manually, the configuration reverts to auto/auto in the Web GUI as a safeguard.

New Features:
1. The File Integrity tab for ALGs has been rearranged to give a more logical view of the MIME type check.
2. Added the possibility to sort data grids. Sorting on anything except the column index hides grouping.
3. New High Availability setting for the failover timeout, which specifies how long to wait before an HA failover is triggered.
4. A new log message has been added indicating that an ARP resolve query failed.
5. The following browsers are now supported: Firefox 3+, Opera 10.5+, Safari 5+, Internet Explorer 7+ and Chrome 4+.
6. Configuration objects can be grouped into logical groups, which makes it easier to manage a large number of configuration objects. It is also possible to add a description and a custom color to distinguish what these objects do. The grouping is for presentation only and does not affect existing functionality.
7. Logging is enabled by default on rules for the following objects: Access, DHCP Server, DHCP Relay, Routing Rule, Dynamic Routing Policy Rule, IDP Rule Action, IP Rule, OSPF Router Process, Threshold Action and User Authentication Rule.
8. Static configuration objects fall back to their default values if they contain configuration errors. This prevents the firewall from misbehaving due to configuration errors on static objects.
9. The script command has been updated to handle adding objects with dependencies between each other.
10. User authentication has been updated with a new authentication source that grants access to the user without checking any credentials. This can be used to authenticate users from within login scripts etc., to make auditing easier.

Fixes:
1. The usage column in the DHCP Server status page has been updated to show active clients.
2. References to UserAuth privileges for authenticated users could change when the number of configured privileges was modified.
3. The web server could under certain conditions deadlock and print a "500 - Internal Server Error" message when the web user interface was accessed. The web server has been extended with better error handling to prevent this kind of deadlock.
4. The interface traffic counters were only 32-bit and often wrapped around when throughput was high. Corresponding 64-bit counters have been added so that wrapping occurs far less often than with the 32-bit values.
5. The block list file verification failed for files smaller than one packet. The block list now validates the extension of the first packet when the content type cannot be determined from the first packet.
6. In certain scenarios, voice transmitted through the SIP ALG terminated suddenly two minutes after the call was established.
7. Office "xlsm" files were blocked by the SMTP ALG. Encrypted "xlsm" files are embedded in an "Office 97/2000 Compatible" container, which results in an incorrect file type according to file integrity control. The file integrity control has been updated to handle encrypted "xlsm" files.
8. A faulty model check made Switch Management not display all switch ports in the WebUI for the DFL-860E model.
9. The Realtek 8169 interface reported link down incorrectly, which caused route monitoring to not work properly. Affects: DFL-260E and DFL-860E.
10. The HTTP ALG failed to load web pages from certain web servers correctly. The HTTP ALG now responds with a TCP RESET should the server continue to send packets after the client has closed the connection.
11. Anti-virus scanning of zip files containing files with a large compressed size could sometimes lead to unexpected behavior.
12. Using HTTP web authentication with a RADIUS server as authentication source could, in very rare scenarios, cause the firewall to malfunction during save & activate (reconfigure).

====================================================================
Version: 2.26.00
Platform Compatibility: DFL-210/260/800/860/1600/2500
Hardware Version: A1 (for all models), A2/A3/A4 (for DFL-210/800/1600/2500)

Important Note: For DFL-210/260/800/860, the interface speed of the LAN and DMZ ports cannot be configured manually, since the IXP4NPE driver only allows the auto/auto configuration. If users try to configure the interface speed manually, the configuration reverts to auto/auto in the Web GUI as a safeguard.

New Features:
1. The name of the authenticated user is logged together with the requested URL in HTTP ALG log messages.
2. DFL-210 and DFL-800 support anti-virus and dynamic web content filtering.
3. Improved logging for Anti-SPAM.
4. New log message at failover triggered by linkmon.
5. A new advanced setting has been added to control the number of RADIUS communication contexts that can be used simultaneously.
6. DNS name resolving uses the shared IP in High Availability setups.
7. Added support for Host Monitor for Routing.
8. Added a command to handle language files on disk.
9. Improved LDAP functionality.
10. Redesign of the tuple value controller in the WebUI.
11. Display of network objects.
12. Extended route monitoring capabilities.
13. The IPsec status page has been improved.
14. PCAP Recording.
15. New advisory link in virus found log messages.
16. The WebUI has been extended to handle child objects in a tab.
17. Support for a custom monitor interval in Linkmonitor.
18. ZoneDefense now supports DGS-3200 series switches.
19. Anti-Virus triggered ZoneDefense.
20. LDAP Authentication.
21. Route Load Balancing.
22. Extended SIP Application Layer Gateway supporting new scenarios.
23. TCP transport added to the SIP Application Layer Gateway.
24. Multiple media connections for the SIP Application Layer Gateway.
25. PPTP server support for multiple PPTP clients behind the same NAT gateway.
26. PPTP server and client have been extended to support stateful MPPE.
27. Improved verification of IP4 values.
28. IDP Triggered Traffic Shaping.
29. The AVSE_MaxMemory setting has been removed.
30. Relayer IP address filter at DHCP Server.
31. Support for VLAN priority derived from IP DSCP precedence.
32. Gigabit Traffic Shaping Support.
33. The PPPoE client has been changed to support unnumbered PPPoE.
34. Improved server monitoring for Server Load Balancing.
35. The ping CLI command has been improved.
36. The schedule page has been improved.
37. SSL/TLS Termination.

Problems Resolved:
1. PPP negotiations were sometimes slower than necessary.
2. Deploying a configuration during heavy traffic load could cause a watchdog reboot.
3. It was possible to enable the anti-spam feature DNSBL on an SMTP-ALG without specifying any DNSBL servers. Configuring DNSBL without specifying any servers now gives an error.
4. Some errors in IPsec tunnel configuration were not handled correctly during firewall start-up, resulting in IPsec tunnels not being set up properly. Now most of those errors cause the tunnel to be disabled and a warning message to be displayed. For the most severe errors the configuration is rejected by the system.
5. Running the FTP-ALG in hybrid mode could result in the first packet being dropped when the connection to the server was not yet established, leading to a three-second delay. The connection from the ALG to the client is now not initiated until the server connection towards the ALG is established.
6. It was not possible to move a rule up or down in the list if the rule was disabled.
7. The command "ipsecstats" could in some circumstances not show all tunnels when a tunnel name was given as an argument. The command now displays all tunnels when a tunnel name is given as an argument.
8. The command "ipsecstats" only listed the first matching IPsec SA when a tunnel name was given as an argument. The command now displays all IPsec SAs connected to the specified tunnel name.
9. The FTP-ALG virus scanner triggered an unexpected restart if the virus signature database was updated while files were being processed by an FTP-ALG configured with fail mode set to allow.
10. The "ippool -show" CLI command output showed all configured pools, which could be a very long list. Now only the first ten are listed by default. The "-max" option can be used to display more items.
11. The SIP-ALG did not handle "183 Session Message" when initiating a new SIP call.
12. The return traffic for ICMP messages received on an IPsec transport mode interface was wrongly routed to the core itself and then dropped. The return traffic is now passed back over the same connection it arrived on.
13. Tab completion in the command line interface (CLI) did not work on IPsec tunnels when using the "ipsecstats" command. Tab completion can now be used with the "ipsecstats" command.
14. The firewall did not accept certificates signed with RSA-SHA256.
15. The timezone setting could make the minimum date limit in scheduling wrap around and become a date in the future. The minimum and maximum dates in scheduling have been changed to lie between the years 2000 and 2030, which does not trigger the incorrect behavior.
16. The SMTP-ALG incorrectly blocked emails sent using the CHUNKING (BDAT) extension. The ALG has been modified to remove the CHUNKING capability from the server's EHLO response, which allows the emails to pass through the ALG.
17. It was not possible to connect to the firewall using SSH if many public keys were registered in the SSH client.
18. The firewall could unexpectedly restart when automatic anti-virus and IDP updates were disabled.
19. IPsec tunnels with a DNS name as remote endpoint ceased to function after the remote endpoint's IP address changed.
20. The blacklist could potentially write to media up to five times each minute. The delay between possible writes has been increased to two hours.
21. It was not possible to configure "maximum authentication retries" for the SSH server in the web user interface. Configuration support has now been added.
22. There was a problem when multiple IPsec SAs referenced the same XAuth context.
23. If a DHCP lease of a reserved IP address was manually released in the DHCP server and the host requested a new lease, the host was not given the reserved IP again.
24. The UDP checksum was not correctly updated when the multiplex rule was used together with address translation (SAT SETDEST / NAT).
25. On some models, a data alignment error in the Route Load Balancing system could cause the firewall to malfunction.
26. Old configurations had an incorrect definition of the all_tcpudp service, and upgrading from an older version to a newer one could cause problems. This has now been fixed: the old service is converted during the upgrade.
27. In some scenarios, login attempts using the web user interface failed with the error message "Error 500 - Internal Server Error", and no new login attempts were allowed until the system had been restarted. The cause was a synchronization lock for an internal buffer that failed to reset during reconfigure.
28. Scripts created by "script -create" could previously fail to run even when executed with "script -execute -force", because the generated script would sometimes reference an object before it had been added. "script -create" now always generates a script that does not reference an object before it has been created. Circular dependencies are resolved by first adding the objects without the problematic references and later modifying each object to its final state.
29. Since the web user interface uses UTF-8 encoding, a PSK containing ASCII characters with values 128-255 was stored as UTF-8 characters. UTF-8 characters are now converted back to ASCII characters when possible.

====================================================================
Version: 2.20.03
Platform Compatibility: DFL-210/260/800/860/1600/2500
Hardware Version: A1 (for all models), A2/A3/A4 (for DFL-210/800/1600/2500)
Date: Oct 21, 2008

Important Note: For DFL-210/260/800/860, the interface speed of the LAN and DMZ ports cannot be configured manually, since the IXP4NPE driver only allows the auto/auto configuration. If users try to configure the interface speed manually, the configuration reverts to auto/auto in the Web GUI as a safeguard in firmware v2.20.03.

New Features and Enhancements:
1. No new features were introduced in the 2.20.03 release.

Problems Resolved:
1. Fixed issue with DHCP NAK reception during the initial phase of reconfiguration.
2. Fixed issue in OSPF where an LSA could be incorrectly deleted after being re-originated.
3. The interface listings for Marvell Yukon interfaces showed incorrect IRQ values. Affects DFL-1600 and DFL-2500 only.
4. The amount of memory used by the IDP engine was too high. Memory consumption has now been reduced.
5. E-mails from addresses in the whitelist were blocked if they were classified as spam. Now all e-mails sent from whitelisted addresses are let through, even if they are classified as spam.
6. Fixed leap year problem where the leap day was added to January instead of February.
7. Fixed problem in HA where one of the cluster members could be in lockdown and prevent the other member from going active.
8. Fixed problem resulting in the IDP/AV license expiring prematurely.
9. It was not possible to enter an NTP server with a DNS name in the setup wizard. The NTP server can now be entered in the format "dns:server.example.com".
10. The HTTP Web Content Filter override functionality could cause an unexpected restart when timing out users who had clicked the override button. Users who click the override button have access to blocked content for a specific amount of time; when this time expired, an unexpected restart could occur.
11. It was not possible to manually force media or duplex for Marvell Yukon interface types. Affects DFL-1600 and DFL-2500 only.
12. Pattern matching in the blacklist and whitelist of the SMTP-ALG has been extended to be more dynamic.
13. Both members in the HA cluster did not log their change of state when roles were changed (active to passive and passive to active). Affects DFL-1600 and DFL-2500 only.
14. Very large configuration files could cause some web pages in the web user interface to not render completely.
15. It was not possible to select PPPoE interfaces as outer interface filter in PPTP/L2TP servers in the web user interface.
16. The SIP-ALG could in some scenarios cause instability of the system when running out of RAM. The issues have been addressed and fixed.
17. Fixed issue in the TCP stack with stalling transfers with peers using a very small send window.
18. The SIP-ALG could on rare occasions fail to set up a call and generate a log message containing "M HEADER NOT FOUND". The issue has been corrected.
19. SNMP traps used the shared IP instead of the private IP in HA setups.
20. SNMP trap messages could sometimes contain garbage characters.
21. The SNMP logger could in rare circumstances cause the system to malfunction.
22. Web Content Filtering could fail if the WCF server used for URL lookups stopped responding to queries. The mechanism for failing over to secondary servers has been improved: WCF connects to the second closest server if the primary server fails, and if that server also fails, it continues with the other servers. After 1 hour of using secondary servers, a new attempt is made to contact the primary server in order to minimize latency.

Known Issues:
1. The Oray.net Peanut Hull DDNS client does not work since the supplier changed the protocol.
2. HA: Transparent Mode does not work in HA mode. There is no state synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspect of ALGs is state synchronized, so all traffic handled by ALGs freezes when the cluster fails over to the other peer. If, however, the cluster fails back to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such a failover (and consequent fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from the inactive node. The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
   - The inactive HA member cannot send log events over tunnels.
   - The inactive HA member cannot be managed / monitored over tunnels.
   - OSPF: If the cluster members do not share a broadcast interface through which the inactive node can learn the OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timers.
5. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming clients re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.
6. HA: No state synchronization for IDP signature scan states. No aspect of the IDP signature states is synchronized, so there is a small chance that the IDP engine causes false negatives during an HA failover.

====================================================================
Version: 2.20.02
Platform Compatibility: DFL-210/260/800/860/1600/2500
Hardware Version: A1 (for all models), A2/A3/A4 (for DFL-210/800/1600/2500)
Date: July 10, 2008

New Features and Enhancements:
1. PPPoE Interfaces: it is now possible to configure the MTU (Maximum Transmission Unit) for PPPoE interfaces.
2. PPTP/L2TP Client Interfaces: it is now possible to configure the MTU (Maximum Transmission Unit) for PPTP/L2TP client interfaces.

Problems Resolved:
1. ICMP Destination Unreachable packets were not sent when UDP packets hit a Reject rule.
2. Web authentication and web server connections were not closed correctly at reconfiguration.
3. The DHCP Server sent replies back on the receiving interface without regard to routing decisions. The DHCP Server now performs a route lookup if the reply is destined for a host address (i.e. not an IP broadcast).
4. In HA setups with IDP scanning enabled, packets could be lost during a failover.
5. Some services were using the private IP in HA setups for communicating. This has been changed so that the shared IP is used.
6. The DNS lookup of the IP address of a remote gateway failed under certain circumstances for IPsec interfaces.
7. The CLI command for displaying updatecenter AV/IDP update status did not show enough information. It has now been improved.
8. TCP connections could sometimes fail due to an incorrect sequence number check.
9. A missing Content-Transfer-Encoding header field in e-mails could sometimes cause the SMTP-ALG session to malfunction.
10. With TCP sequence validation turned on, closing existing connections would cause all subsequent attempts to reopen the same connection to be dropped with a log message about a bad sequence number. The situation would resolve itself after a timeout of about 50 seconds, but still caused severe traffic impairment in certain situations (most noticeably HTTP traffic). This change by default loosens the restrictions when an attempt to reopen a closed connection is received (ValidateSilent, ValidateLogBad), while still enforcing RFC correctness.
11. The SMTP-ALG could not tell the difference between the new Microsoft Office 2007 document file types and the ZIP file type, because there is no difference that can easily be discovered (the new Microsoft Office files are in fact ZIP files with a different extension). An ALG configured to perform file integrity checks would therefore flag these files as invalid (wrong MIME type, wrong file suffix...). The ALG now identifies Office 2007 files as ZIP files.
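Fix 11 above, and fix 7 of version 2.27.03 (encrypted xlsm files arriving in an OLE container), both turn on how a file integrity check identifies a container from its content. The following Python is an added example, not the product's code or part of these notes: it shows why a magic-number check alone classifies an Office 2007 document as ZIP, how an inspector can still recognise an OOXML package from its [Content_Types].xml entry, and how a suffix policy turns that into an allow/block verdict. The suffix policies, verdict strings and sample files are constructed for the example.

```python
"""File-type identification for an ALG file integrity check: ZIP vs Office 2007 vs OLE."""
import io
import zipfile

# Leading bytes a file integrity check can recognise.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # "Office 97/2000 Compatible" container

# Constructed suffix policies. Before the fix only ".zip" was accepted for ZIP
# content, so Office 2007 packages (ZIP with another suffix) were flagged.
LEGACY_ZIP_SUFFIXES = {"zip"}
ZIP_SUFFIXES = {"zip", "docx", "xlsx", "pptx", "xlsm"}
OLE_SUFFIXES = {"doc", "xls", "ppt", "xlsm"}   # xlsm: encrypted files come in an OLE container


def sniff_container(data: bytes) -> str:
    """Classify by leading bytes only; this cannot tell a docx from a plain zip."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def is_ooxml_package(data: bytes) -> bool:
    """Look inside the archive: Office 2007 packages always carry [Content_Types].xml."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def integrity_verdict(filename: str, data: bytes, zip_suffixes=ZIP_SUFFIXES) -> str:
    """Return "allow" or "block: <reason>" for a suffix/content consistency check."""
    suffix = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    kind = sniff_container(data)
    if kind == "zip" and suffix in zip_suffixes:
        return "allow"
    if kind == "ole" and suffix in OLE_SUFFIXES:
        return "allow"
    return f"block: {kind} content with suffix '{suffix}'"


def build_zip(entries: dict) -> bytes:
    """Constructed sample: an in-memory ZIP archive built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a minimal OOXML-style package, a plain archive and an
# OLE header stand-in (header only; a real container carries sectors after it).
SAMPLE_DOCX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
SAMPLE_ZIP = build_zip({"readme.txt": b"plain archive"})
SAMPLE_OLE = OLE_MAGIC + bytes(504)

if __name__ == "__main__":
    for name, data in [("report.docx", SAMPLE_DOCX), ("report.zip", SAMPLE_ZIP),
                       ("report.exe", SAMPLE_ZIP), ("secret.xlsm", SAMPLE_OLE)]:
        print(name, sniff_container(data), is_ooxml_package(data),
              "| legacy:", integrity_verdict(name, data, LEGACY_ZIP_SUFFIXES),
              "| fixed:", integrity_verdict(name, data))
```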
    Anti-virus checks will, if enabled, scan the contents of Office 2007 files just as with a regular ZIP file.
12. IP addresses with suffixes .0 and/or .255 could incorrectly be assigned to IPsec config mode clients.
13. Nested MIME bodies could in some scenarios be blocked by the SMTP-ALG. For example, the SMTP-ALG could block images inserted as 'inline' with an error message indicating a base64 decoding error. The recipient received the email without the attached image but with an error message saying: "The attachment xxxx has been blocked by the Security Gateway". The ALG has been updated with better support for nested MIME blocks.
14. When a user logged in via web-based user authentication configured to check credentials via one or several RADIUS servers, an unexpected abort could occur if no RADIUS server was reachable. This issue has been fixed.
15. In the web user interface, the properties in "Dynamic Black Listing" were incorrectly enabled when the action was set to something other than "protect".
16. The icon for removing an IKE SA was missing, making it impossible to remove an IKE SA using the web user interface.
17. The DNS Blacklist CLI command showed the wrong status of blacklist servers on the inactive HA member. The inactive HA member does not perform any anti-spam inspection, so the inactive node is unaware of the status of the blacklist servers.
18. Email attachments with very long file names could cause memory corruption in the SMTP-ALG.
19. The log string sent to syslog receivers was not always correctly formatted. Some log arguments were not separated by whitespace, resulting in invalid parsing by syslog receivers.
20. When restarting an interface on the DFL-1600 or DFL-2500, there was a theoretical possibility of memory corruption. This issue is fixed in F/W v2.20.02 and later.
21. Connections were, under certain circumstances, incorrectly dropped by the IDP scanning engine when audit mode was used.
22. After IPsec tunnels were modified, the reconfiguration of the gateway was not done correctly, and the gateway could go into an unexpected abort state.
23. A configured external log receiver that does not accept log messages might send ICMP destination unreachable packets to the firewall. These packets triggered new log messages, resulting in high CPU utilization. Logging is now connection-based, and the firewall decreases the sending rate of log messages when it receives ICMP destination unreachable packets regarding log receiver connections.
24. TCP connections with SYN relay were not synchronized correctly. In case of HA failover, traffic on these connections would freeze.
25. Unnecessary DynDNS and HTTP-Poster re-posts were triggered during reconfigure. This is now avoided by always checking whether the local interface IP address or the HTTP-Poster/DynDNS configuration has changed.
26. Some H.323 messages were incorrectly disallowed by the ALG. The H.323 Status Enquiry message is now allowed to be forwarded through the H.323-ALG.
27. The Fail Mode setting in the HTTP-ALG was not honored by Dynamic Web Content Filtering.
28. The log message for an expired or missing Web Content Filtering license only showed up once. A log message is now generated once a minute, which should be more noticeable to the administrator.
29. The SMTP-ALG could in some scenarios cause instability of the system by losing track of SMTP state synchronization. The SMTP-ALG has been updated with improved state tracking and email syntax validation.
30. It was not possible to configure the primary NBNS server for L2TP/PPTP server interfaces in the web user interface.
31. The TCP monitoring of Server Load Balancing did not increase the TCP sequence number in the reset packet sent to the server in case of connection timeout. The sequence number is now increased by one.
32. Server Load Balancing did not use All-To-One for port numbers. When using a range on the service, the destination port would be the specified port plus the offset from the low port number in the service.
33. One of the log messages had an incorrect format. When the log message was placed first in the log table, the web user interface memlog would display an empty page.
34. The description text for IP Pools incorrectly specified that IP Pools could be used by L2TP and PPTP.
35. A confusing Anti-Virus status message was visible on the status page of non-UTM capable devices. The message has been removed.

Known Issues:
1. For DFL-210/260/800/860, the interface speed of the LAN and DMZ ports cannot be configured manually, since the IXP4NPE driver only allows the auto/auto configuration. If users try to configure the interface speed manually, the configuration reverts to auto/auto in the Web GUI as a safeguard in firmware v2.20.02.
2. For DFL-1600/2500, the duplex status of all Ethernet interfaces changes to "Half" when the duplex setting is configured manually as "Full" in the Web GUI.
3. The Oray.net Peanut Hull DDNS client does not work since the supplier changed the protocol.
4. HA: Transparent Mode does not work in HA mode. There is no state synchronization for Transparent Mode and there is no loop avoidance.
5. HA: No state synchronization for ALGs. No aspect of ALGs is state synchronized, so all traffic handled by ALGs freezes when the cluster fails over to the other peer. If, however, the cluster fails back to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such a failover (and consequent fallback) occurs each time a new configuration is uploaded.
6. HA: Tunnels unreachable from the inactive node. The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
   - The inactive HA member cannot send log events over tunnels.
   - The inactive HA member cannot be managed / monitored over tunnels.
   - OSPF: If the cluster members do not share a broadcast interface through which the inactive node can learn the OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timers.
7. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming clients re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.
8. HA: No state synchronization for IDP signature scan states. No aspect of the IDP signature states is synchronized, so there is a small chance that the IDP engine causes false negatives during an HA failover.
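Fix 28 of version 2.26.00 above describes how "script -create" now orders generated commands so that no object is referenced before it exists, breaking circular references by adding an object without the problematic references and completing it later. The following Python is an added example, not the product's code or part of these notes: it models that ordering on a constructed object graph, contrasts it with a naive name-ordered script, and checks the invariant the fix guarantees. The graph, object names and the text syntax in render() are constructed and hypothetical, not the NetDefend CLI grammar.

```python
"""Dependency-safe ordering of configuration objects for a generated script."""
from typing import Dict, List, Set, Tuple

Command = Tuple[str, str, Tuple[str, ...]]   # (verb, object name, referenced names)


def naive_script(objects: Dict[str, Set[str]]) -> List[Command]:
    """Pre-fix behaviour: emit objects in name order with their full references,
    which can reference an object before it has been added."""
    return [("add", name, tuple(sorted(refs))) for name, refs in sorted(objects.items())]


def generate_script(objects: Dict[str, Set[str]]) -> List[Command]:
    """Order "add" commands so every reference points at an already created object.
    Cycles are broken the way the fix describes: the object is first added
    without the problematic references, then a trailing "set" completes it."""
    created: Set[str] = set()
    deferred: Dict[str, Set[str]] = {}
    remaining = set(objects)
    script: List[Command] = []
    while remaining:
        # Objects whose references all exist already can be added complete.
        ready = sorted(n for n in remaining if objects[n] <= created)
        if ready:
            for n in ready:
                script.append(("add", n, tuple(sorted(objects[n]))))
                created.add(n)
            remaining -= set(ready)
            continue
        # Nothing is ready, so every remaining object sits in a reference cycle.
        # Break it at the object with the fewest unresolved references.
        n = min(remaining, key=lambda x: (len(objects[x] - created), x))
        unresolved = objects[n] - created
        script.append(("add", n, tuple(sorted(objects[n] - unresolved))))
        deferred[n] = unresolved
        created.add(n)
        remaining.discard(n)
    # Every object now exists; bring the incomplete ones to their final state.
    for n in sorted(deferred):
        script.append(("set", n, tuple(sorted(objects[n]))))
    return script


def verify_script(script: List[Command], objects: Dict[str, Set[str]]) -> bool:
    """Check the invariant the fix guarantees: no command references an object
    that does not exist yet, and each object ends with exactly its intended refs."""
    created: Set[str] = set()
    final: Dict[str, Set[str]] = {}
    for verb, name, refs in script:
        if any(r not in created for r in refs):
            return False
        if verb == "add":
            if name in created:
                return False
            created.add(name)
        elif name not in created:
            return False
        final[name] = set(refs)
    return created == set(objects) and all(final[n] == objects[n] for n in objects)


def render(script: List[Command]) -> List[str]:
    """Illustrative text form (hypothetical syntax, not the NetDefend CLI grammar)."""
    return [f"{verb} {name} refs={','.join(refs) or '-'}" for verb, name, refs in script]


# Constructed example graph: a rule depending on two leaf objects, plus two
# objects that reference each other (the circular case from the fix).
SAMPLE_OBJECTS: Dict[str, Set[str]] = {
    "svc_http": set(),
    "lan_net": set(),
    "ip_rule_web": {"svc_http", "lan_net"},
    "obj_a": {"obj_b"},
    "obj_b": {"obj_a"},
}

if __name__ == "__main__":
    print("naive ordering valid:", verify_script(naive_script(SAMPLE_OBJECTS), SAMPLE_OBJECTS))
    for line in render(generate_script(SAMPLE_OBJECTS)):
        print(line)
```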