NetDefend Firewall Firmware Release Notes

NetDefendOS Version: 2.60.02

Published Date: 2014-07-07

Copyright © 2014

Copyright Notice
This publication, including all photographs, illustrations and software, is protected under
international copyright laws, with all rights reserved. Neither this manual, nor any of the material
contained herein, may be reproduced without written consent of the author.

Disclaimer
The information in this document is subject to change without notice. The manufacturer makes no
representations or warranties with respect to the contents hereof and specifically disclaim any
implied warranties of merchantability or fitness for any particular purpose. The manufacturer
reserves the right to revise this publication and to make changes from time to time in the content
hereof without obligation of the manufacturer to notify any person of such revision or changes.

Limitations of Liability
UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF
ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK
STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES)
RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE
OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.
FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER
FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS
OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.

Content:
REVISION HISTORY AND SYSTEM REQUIREMENT: ....................................................................................................... 2
UPGRADING INSTRUCTIONS: ...................................................................................................................................... 3
UPGRADING BY USING CLI VIA SCP PROTOCOL........................................................................................................................... 3
UPGRADING BY USING WEB-UI .............................................................................................................................................. 3
NEW FEATURES: .......................................................................................................................................................... 3
CHANGES OF FUNCTIONALITY: .................................................................................................................................... 9
CHANGES OF MIB & D-VIEW MODULE: ....................................................................................................................... 9
PROBLEMS FIXED: ....................................................................................................................................................... 9
KNOWN ISSUES: ....................................................................................................................................................... 44
RELATED DOCUMENTATION: ......................................................................................................................................55

1
 NetDefend Firewall Firmware Release Notes

Revision History and System Requirement:

Firmware Date Model Hardware Version
Version
Jul 07, DFL-1660/2560/2560G DFL-260E A2
2.60.02
2014 DFL-260E/860E A1 (for all models)
Jul 17, DFL-1660/2560/2560G DFL-260E A2
2.40.04
2013 DFL-260E/860E A1 (for all models)
Apr 05, DFL-1660/2560/2560G DFL-260E A2
2.40.03
2013 DFL-260E/860E A1 (for all models)
Dec 15, DFL-1660/2560/2560G DFL-260E A2
2.40.02
2012 DFL-260E/860E A1 (for all models)
Apr 15, DFL-1660/2560/2560G
2.40.01 A1 (for all models)
2012 DFL-260E/860E
Oct 21, DFL-1660/2560/2560G
2.40.00 A1 (for all models)
2011 DFL-260E/860E
June 1 DFL-1660/2560/2560G
2.30.01 A1 (for all models)
2011 DFL-260E/860E
A1 (for all models), A2 (for
DFL-210/800/1600/2500
Nov 24 DFL-210/800/1600/2500), A3 (for
2.27.03 DFL-260/860/1660/2560/2560G
2010 DFL-210/800/1600), A4/A5 (for
DFL-260E/860E
DFL-210), B1 (for DFL-260/860)
A1 (for all models), A2 (for
Sep 13 DFL-210/800/1600/2500 DFL-210/800/1600/2500), A3 (for
2.27.02
2010 DFL-260/860/1660/2560/2560G DFL-210/800/1600), A4/A5 (for
DFL-210), B1 (for DFL-260/860)
A1 (for all models), A2 (for
July 5 DFL-210/800/1600/2500 DFL-210/800/1600/2500), A3 (for
2.27.01
2010 DFL-260/860/1660/2560/2560G DFL-210/800/1600), A4/A5 (for
DFL-210), B1 (for DFL-260/860)
A1 (for all models), A2 (for
May 14 DFL-210/800/1600/2500 DFL-210/800/1600/2500), A3 (for
2.27.00
2010 DFL-260/860/1660/2560/2560G DFL-210/800/1600), A4/A5 (for
DFL-210), B1 (for DFL-260/860)
DFL-160 A1/A2 (for all models), A3/A4/A5
Mar 4
2.26.02 DFL-210/800/1600/2500 (for DFL-210/800/1600/2500),B1
2010
DFL-260/860/1660/2560/2560G (for DFL-260/860)
DFL-160 A1/A2 (for all models), A3/A4/A5
Jan 29
2.26.01 DFL-210/800/1600/2500 (for DFL-210/800/1600/2500),B1
2010
DFL-260/860/1660/2560/2560G (for DFL-260/860)
Sep 15, DFL-210/800/1600/2500 A1 (for all models), A2/A3/A4/A5
2.26.00
2009 DFL-260/860/1660/2560/2560G (for DFL-210/800/1600/2500)
July 15, A1 (for all models), A2/A3/A4 (for
2.25.01.28 DFL-210/260/800/860/1600/2500
2009 D F L- 2 1 0 / 8 0 0 / 1 6 0 0 / 2 5 0 0 )
Jun 11, A1 (for all models), A2/A3/A4 (for
2.25.01.22 DFL-210/260/800/860/1600/2500
2009 D F L- 2 1 0 / 8 0 0 / 1 6 0 0 / 2 5 0 0 )
Oct 21, A1 (for all models), A2/A3/A4 (for
2.20.03 DFL-210/260/800/860/1600/2500
2008 D F L- 2 1 0 / 8 0 0 / 1 6 0 0 / 2 5 0 0 )
Jul 10, A1 (for all models), A2/A3/A4 (for
2.20.02 DFL-210/260/800/860/1600/2500
2008 D F L- 2 1 0 / 8 0 0 / 1 6 0 0 / 2 5 0 0 )

2
 NetDefend Firewall Firmware Release Notes

Upgrading Instructions:
Upgrading by using CLI via SCP protocol
SCP (Secure Copy) is a widely used communication protocol for file transfer. No specific SCP client
is provided with NetDefendOS distributions but there exists a wide selection of SCP clients
available for nearly all workstation platforms. SCP is a complement to CLI usage and provides a
secure means of file transfer between the administrator's workstation and the NetDefend Firewall.
Various files used by NetDefendOS can be both uploaded and downloaded with SCP. This feature
is fully described in Section 2.1.6, “Secure Copy” of NetDefend Firewall v2.60.02 user Manual.

Upgrading by using Web-UI

For detailed installation and upgrade instructions, please refer to the Firmware Upgrades chapter
in the NetDefend Firewall v2.60.02 User Manual.

New Features:
Firmware New Features
Version
2.60.02 1. New Web User Interface: The Web User Interface has been reworked with
a more user friendly touch. Administrative tasks can now be performed faster
with less work and is more intuitive, even for the less experienced user.
2. Application Control: Support has been added to control what applications
users behind the firewall are using. It is now possible to select what applications
should be allowed and the administrator can monitor data transfer and other
statistics for the applications accessing the Internet.
3. IPv6: Numerous changes have been implemented in order to improve
interoperability and protocol compliance.
4. User Identity Awareness: The administrator of a firewall now has the
possibility to control the access of users authenticated to a Windows Active
Directory Domain.
5. Routing support in SSL VPN Client: It is now possible to configure routing
information for SSL VPN clients. In addition to the default use of all-nets, explicit
routing information can be supplied to the client.
6. Web Content Filtering for HTTPS: Web Content Filtering support has been
added for HTTPS traffic.
7. L2TPv3 server support: Support had been added to create L2TPv3 server
interfaces. With these, Ethernet and VLAN interfaces can be interconnected
through the networks using the L2TPv3 protocol.
8. URL filter for HTTPS: URL filter support has been added to the HTTP ALG

3
 NetDefend Firewall Firmware Release Notes

when using the HTTPS protocol.

9. Route Fail Over Enhancement: A Route Fail Over setting has been added
- 'Gratuitous Proxy ARP On Fail' that enables the transmission of gratuitous ARP
packets on fail over to alert hosts about changed interface Ethernet address of
Proxy ARPed hosts.
10. Search filter enhancement: The search filter on the memory log pages
was using a lot of space at the top of the page. The filter is now by default
hidden, only showing the free text search form. The entire filter can be shown
by clicking its header.
11. WebUI speed improvement: The speed of browsing through the WebUI,
in particular pages where there is a large number of objects, has been
improved.
12. Logout message for DHCP server: A new feature has been added to the
DHCP server when used with MAC address authentication to enable automatic
logout of users. When an IP address is being reused from the DHCP server and
the old user was logged in via MAC authentication, the DHCP server sends a
logout message to log out the old user from the system.
13. High Availability role switch improvement: The role change between
High Availability nodes has been enhanced with a seamless transition to ensure
uninterrupted traffic in the network.
14. Added "IPA" as recognized MIME type An .ipa file is an iPhone
application archive file which stores an iPhone app.
15. Support for hardware acceleration of IKE negotiations: Hardware
acceleration of IKE negotiations is now possible on the DFL-2560 and
DFL-2560G models to offload the CPU and make IPsec tunnel setup faster.
16. Chain of certificates The use of certificates has been enhanced to support
configuring a chain of X509 root certificates to use with the HTTPS Web
Administrator page, SSL VPN Portal, TLS ALG and Use Authentication Rules.
17. Enhanced ICMPv6 configuration: A setting was added to control the
maximum number of ICMPv6 Neighbor Discovery Options allowed and hence
improve network security.
18. New PPP configuration settings: A new 'Advanced Settings/PPP settings'
row is created in WebUI. A new 'Initial Resend Time' value is added and the
existing 'Max PPP Resends' value has been moved to this new dialog page
19. Ping CLI parameter renaming
The ping CLI command has been updated with a more logical parameter
naming. The '-recvif parameter is now renamed to '-srcif'.
20. HTTP ALG: Added "Force SafeSearch" option: A new option "Force

4
 NetDefend Firewall Firmware Release Notes

SafeSearch" has been added to the HTTP ALG. This option can be enabled so
search queries to Google, Bing and Yahoo through this HTTP ALG will be
modified to enforce the SafeSearch functionality these search engines provide.
21. L2TPv3 server enhancement: The L2TPv3 server has been improved to
better handle scenarios with a high amount of L2TPv3 clients connected to the
same L2TPv3 server interface.
22. L2TPv3 client Support for L2TPv3 client has been added. The client can be
configured to run over an Ethernet or a VLAN interface. Protocols supported are
UDP and IP. In addition to this, extended security can be added by routing the
L2TPv3 client through an IPsec interface.
23 New 'ipver' argument to the 'connections' CLI command: The
'connections' CLI command has been enhanced with an additional argument
'-ipver=' that makes it possible to list only IPv4 or IPv6 connections.
23. SHA256 and SHA512 IPsec algorithms: The IPsec engine now supports
the SHA256 and SHA512 algorithms to be configured on IPsec tunnels.
2.40.03 1. Added the DHCP server when used with MAC address authentication to
enable automatic logout of users. When an IP address is being reused from the
DHCP server and the old user was logged in via MAC authentication, the DHCP
server sends a logout message to log out the old user from the system.
2. Added "IPA" as recognized MIME type.
3. Support for hardware acceleration of IKE negotiations for DFL-2560/2560G
to offload the CPU and make IPsec setup faster.
2.40.02 No new features are introduced in the 2.40.02 release.
2.40.01 1. Support the Cisco IPSec client on iPhone.
2. Double Web Content Filtering local cache size on all models to accommodate
more categorized sites.
3. Support CHAP, MS-CHAP, MS-CHAPv2 and No authentication mechanisms for
SSL VPN.
4. Web Content Filtering Configuration Improvement. When filtering override is
enabled, it is now possible to enter a custom timeout of the override period.
1. Support for IPv6 in routing, IPRules and Policy Based Routing in Ethernet as
well as VLAN interfaces.
2. Remove restrictions on the number of HTTP posters. All other network clients
2.40.00 listed in “Misc Clients” also benefit from this restriction removal.
3. Support authenticating users using the Ethernet MAC address over HTTP(S).
4. Update password field: when focus is moved to a text input field which
contains a password, the field will now be cleared so the user can type in a new

5
 NetDefend Firewall Firmware Release Notes

password directly.
5. The WebUI page "Reset" now also contains a method for normal shutdown
(same action as the CLI command "shutdown"). This method will gracefully
close down tunnels, hand over to other HA unit (in HA scenarios) and so on.
1. Support SSL VPN feature.
2. Support TLS renegotiation (RFC 5746) in the TLS ALG.
3. Increase the number of IDP signatures to up to 30,000. Configuration of up
to 30,000 IDP signatures is now possible.
(Affected models:DFL-1660/2560/2560G)
4. Add clone functionality to Web GUI. It's now possible to create a copy of an
object in the Web GUI by selecting Clone in the context menu in the data
grids, the edit page will pop-up with information copied from the original
object.
2.30.01 5. Enhancement of services drop down menu. The drop down menu for services
has been enhanced to show port numbers.
6. Enhanced IDP signature configuration. It's now possible to select IDP
signature groups from a visual tree interface.
7. Add lifetime for connection in the log messages.
8. Warning for incompletely cloned objects. When cloning objects that contain
properties which cannot be cloned, an alert will be displayed.
9. Support for dynamic server addresses in SSL VPN. The SSL VPN server has
been updated to support the sending of an optional domain name (FQDN) to
the client that will be used to connect to the server.
1. The D-Link DES-3528 switch can now be used by ZoneDefense.
2. A new log message has been added indicating that an ARP resolve query
2.27.02 failed.
3. The following browsers are now supported: Firefox 3+, Opera 10.5+, Safari
3+, Internet Explorer 7+ and Chrome 4+.
1. A confirmation question will be prompted if the user attempts to execute a
2.27.01
CLI command that may cause system delays.
1. Grouping configuration objects into logical groups makes it easier to
manage large number of configuration objects. It is also possible to add a
descriptive description and custom color to distinguish what these objects
2.27.00 do. This grouping functionality is only for presentation and does not affect
the existing functionality.
2. Logging enabled by default on rules for the following objects: Access, DHCP
Server, DHCP Relay, Routing Rule, Dynamic Routing Policy Rule, IDP Rule

6
 NetDefend Firewall Firmware Release Notes

Action, IP Rule, OSPF Router Process, Threshold Action and User

Authentication Rule.
3. Static configuration objects default to their default values if the objects
contain configuration errors. This will prevent the firewall to misbehave due
to configuration errors on static objects.
4. The script command has been updated to handle adding objects with
dependencies between each other.
5. User authentication has been updated with a new authentication source that
will grant access to the user without checking any credentials. This
functionality can be used to authenticate users from within login scripts etc,
to make auditing easier.
6. All rule page layouts have been updated for how to enter the interface and
network combination to be more intuitive.
7. The data grid in the Web User Interface now displays information for simple
objects as tooltip (an example is a reference to an IP4Address which would
show the address value as a tooltip).
[DFL-210/260/800/860/1600/1660/2500/2560/2560G]
1. Added the possibility to disable and enable Ethernet interfaces using
WebUser Interface.
2.26.02 2. Separate icon for User Authentication enabled objects.
3. Improved file names for backup packages, including the configuration
version number.
4. Connection Rate Statistic Values can be viewed using SNMP.
[DFL-210/260/800/860/1600/1660/2500/2560/2560G]
1. The name of the authenticated user is logged together with the requested
URL in HTTP ALG log messages
2.26.01
[DFL-160]
1. DHCP relaying through the firewall in transparent mode is supported
2. DH Group and PFS can be configured on IPsec interfaces
1. The name of the authenticated user is logged together with the requested
URL in HTTP ALG log messages
2.26.00
2. DFL-210 and DFL-800 support anti-virus and dynamic web content filtering

No new features in this version.

This firmware version is positioned to replace v2.25.01.22 because the
2.25.01.28
v2.25.01 will cause device into cycle reboot when IPSec encapsulation was set
as “Both”.

7
 NetDefend Firewall Firmware Release Notes

1. Added version check for external language files

2. Improved logging for Anti-SPAM
3. New log message at failover triggered by linkmon
4. A new advanced setting has been added to control the number of
RADIUScommunication contexts that can be used simultaneously
5. DNS name resolving uses the shared IP in High Availability setups
6. Added support for Host Monitor for Routing
7. Added command to handle language files on disk
8. Improved LDAP functionality
9. Redesign of the tuple value controller in the webUI
10. Display of network objects
11. Extended route monitoring capabilities
12. The IPsec status page has been improved
13. PCAP Recording
14. New advisory link in virus found log messages
15. The webUI has been extended to handle child objects in a tab
16. Support of custom monitor interval in Linkmonitor
17. ZoneDefense now supports DGS-3200 series switches

2.25.01.22 18. Anti-Virus triggered ZoneDefense

19. LDAP Authentication
20. Route Load Balancing
21. Extended SIP Application Layer Gateway supporting new scenarios
22. TCP transport added to the SIP Application Layer Gateway
23. Multiple media connections for SIP Application Layer Gateway
24. PPTP server support for multiple PPTP clients behind the same NAT gateway
25. PPTP server and client have been extended to support stateful MPPE
26. Improved verification of IP4 values
27. IDP Triggered Traffic Shaping
28. AVSE_MaxMemory setting has been removed
29. Relayer IP address filter at DHCP Server
30. Support for VLAN priority derived from IP DSCP precedence
31. Gigabit Traffic Shaping Support
32. The PPPoE client has been changed to support unnumbered PPPoE
33. Improved server monitoring for Server Load Balancing
34. The ping CLI command has been improved
35. The schedule page has been improved
36. SSL/TLS Termination

2.20.03 1. No new features were introduced in the 2.20.03 release.

8
 NetDefend Firewall Firmware Release Notes

1. MTU can be configured for PPPoE Interfaces

2.20.02
2. MTU can be configured for PPTP/L2TP Client Interfaces.

Changes of Functionality:
Firmware Modified Features
Version
1. The firmware 2.30.01 and latter would ONLY be applied on the current
2.30.01 platform: DFL-260E/860E/1660/2560/2560G

2.26.00 1. DFL-210 and DFL-800, remove IDP Maintenance Service

Changes of MIB & D-View Module:

Support memory usage and TCP buffer usage monitoring.

Problems Fixed:
Firmware Problems Fixed
Version
2.60.02 1. No validation was done on hexadecimal pre-shared keys before pressing 'OK'
on the configuration page. They are now validated to only accept
hexadecimal strings.
2. It was possible to create user authentication rules without giving them a
name, but when saving the configuration an error was shown. The name is
now required when adding the rule.
3. The CLI command "dns" showed servers with an index value of 0 to 2. The
servers are now listed with an index value of 1 to 3.
4. The statistics value for connections in TCP_FIN state incorrectly also included
TCP_OPEN.
5. Long pipe names would disrupt the format of the CLI command "pipes
-show".
6. The VLAN interface statistics was reset on each reconfiguration.
7. DHCP relay packets received on interfaces without configured DHCP relay
could in some configuration scenarios be dropped.
8. The "Add" button on the application control tab on an IP Policy was enabled
even when application control was turned off. It is now enabled/disabled
based on the application control slider.

9
 NetDefend Firewall Firmware Release Notes

9. Enabling IPv6 on a VLAN interface with IPv6 disabled in the global settings
did not produce a configuration warning.
10. Route monitoring using link status did not recover a disabled route after a
reconfigure had been issued.
11. Keep-alive set to "Auto" did not work on IPsec tunnels where the Remote
Endpoint was a DNS name.
12. SSH CLI sessions could not handle large amount of data being pasted or
piped into the session.
13. Connections scanned by IDP were sometimes broken at HA cluster
configuration deployment.
14. In the WebUI's L2TP/PPTP client page there was no way of configuring the
Originator IP Type or Originator IP.
15. It was not possible to change the index of an interface route that was created
automatically by the system using the CLI.
16. In case of timeout, a SIP session was terminated without notifying the UAC
and the UAS. This is now fixed by sending a timeout message to the UAC
and a cancel message to the UAS in order to notify them before terminating
the session.
17. The Application Control feature did not recognize the Sohu Video application
correctly.
18. Anycast IPv6 source addresses were treated as invalid by the firewall. In
accordance to RFC 4291 a new advanced setting has been added called
"IPv6 Anycast Source" where this behavior can be changed when needed.
19. The CLI commands "arpsnoop" and "ndsnoop" did not output status
feedback when invoked. Now there is CLI output indicating what interfaces
arpsnoop and ndsnoop are active on.
20. The "dhcpserver" CLI command did not obey the -num or -fromentry options
in combination with the -mappings flag.
21. The firewall would in some cases fail to update its ND cache after receiving a
valid Neighbor Solicitation.
22. IPv6 network address validation in the WebUI did not allow the usage of
network size of 100 and larger.
23. It was not possible to use a DNS object from the address book on the
L2TP/PPTP client's remote endpoint.
24. Some of the filter options in the Status->Run-time
information->Connections page were not applied when selected.
25. The CLI command "sipalg -connection" did not show information under the
appropriate columns.

10
 NetDefend Firewall Firmware Release Notes

26. No IPv6 interface routes were added in the routing table specified by the
interface's routing table membership parameter if the selected routing table
was different from the 'main' routing table.
27. Users authenticated by an Identity Awareness Agent were not synchronized
to the inactive node in an HA cluster.
28. In certain SIP configuration scenarios the SIP ALG could cause an
unexpected reboot of the firewall.
29. Users could be logged out if a large number of PPTP clients were trying to
connect simultaneously.
30. The SIP vendor Aastra was not supported by the SIP ALG.
31. The SIP ALG's CLI command "sip -registration flush" did not work.
32. Unreachable RADIUS Accounting servers could in rare cases cause undefined
behavior.
33. No log was generated when an L2TP session was closed.
34. The SIP ALG's CLI command "sip -statistics flush" did not work.
35. Valid Neighbor Discovery packets would always cause the interface drop
statistics to increase.
36. After an HA failover the inactive node was getting stuck with old route states.
This had the side effect that routes could be reported as down in the inactive
node even if they were actually up. The issue is fixed by resetting the routes'
states whenever a node becomes inactive, and for instance Route
monitoring in High Availability will now work as it should.
37. The index value for SNMP stat values for HTTP ALG was reset at
reconfiguration so when polling those, only one HTTP ALG was listed.
38. A help text in the HTTP ALG incorrectly mentioned that URL Filter was not
supported for the HTTPS protocol.
39. Polling the SNMP property if Alias would, for certain interface types, not
return the comment configured for the interface.
40. Configuration backup restore failed if the backup file contained an additional
line break at the end of the configuration file.
41. When using DHCP client on an interface the broadcast address was not set.
With the broadcast information missing, incoming traffic could not make
ARP resolutions correctly.
42. In rare circumstances during HA hand-over, the inactive HA node could
erroneously send neighbor solicitations for its own shared IP.
43. There was no error or warning generated when trying to configure
switchroutes in an HA cluster.
44. If an authenticated user had a lot of privileges the CLI command "userauth"

11
 NetDefend Firewall Firmware Release Notes

was printing unaligned output. Furthermore, the CLI command "userauth

-user <user>" has been extended to show all the privileges the <user> has.
45. There were no logs about destination port, destination IP or name of SSL VPN
interface for incoming SSL VPN connections.
46. It is now possible to use "route" as an alias to the CLI command "routes".
47. The Request URL property of an HTTP host to monitor required the "http://"
prefix before the actual URL. This is now fixed by appending it automatically
if not given.
48. The firewall failed to match an HTTP Monitoring response with the "expected
response" value given by the user in case special characters existed
(spaces, tabs, line feeds, carriage returns).
49. If DNS resolution of an HTTP monitored host failed, the respective route was
always declared "up" and no other connection attempts were made. The fix
allows proper action on the route and re-attempts for DNS resolution.
50. On systems with multiple active IPsec tunnels, configured to add dynamic
routes, the memory usage increased for every reconfiguration.
51. Memory management in configurations with IPsec where Xauth and RADIUS
was used was not always correctly done.
52. Using RADIUS for authentication and/or accounting under certain rare
conditions, could sometimes lead to use of previously released memory and
system instability.
53. On systems with OSPF configured, an unexpected restart could in rare
occasions happen after a large number of reconfigurations.
54. The system could in rare occasions restart unexpectedly when doing
configuration changes related to IPsec tunnel(s) that uses XAuth for
authentication.
55. Extensive memory usage occurred after a very large number of users having
been logged in to system.
56. The system showed configuration warnings about overlapping services when
a service group is configured as the member of another service group, even
if the actual services don't overlap with each other.
57. It was possible to add an Authentication Agent object without specifying a
name for it.
58. The "DirectedBroadcasts" drop log message was missing information about
the source IP of the host sending the broadcast and the destination
IP/network/broadcast it was attempting to use.
59. There was no check whether IPv6 was globally enabled when trying to send
IPv6 ping messages, so the user could send pings without knowing this

12
 NetDefend Firewall Firmware Release Notes

would not work.

60. The PPTP subsystem could in rare circumstances cause unexpected system
reboots.
61. The CLI command "ifstat" omitted a line break at the end of the output for
certain types of interfaces.
62. The firewall could run out of packet buffers when trying to send too many
packets on an R8169 interface with no link. The R8169 driver will now drop
packets if no link is detected. Affects DFL-260E/860E.
63. There was no warning issued if the user added an IPv6 route and IPv6 had
not been enabled in the configuration.
64. ncorrect or outdated RADIUS Accounting responses could cause an increase
in memory consumption.
65. The "pcapdump" functionality couldn't capture the outgoing packets flowing
through a VLAN when the capturing target was its base interface.
66. On rare occasions, the firewall restarted unexpectedly when performing a
reconfiguration following a previous IDP database update.
67. The last part of an ICMP packet sent through an IPsec tunnel was sometimes
dropped.
68. IPv6 groups would in certain rare cases create wrong IPv6 address ranges.
69. The help section for SwitchManagement in the CLI was missing proper
descriptions for some properties.
70. The configuration warning shown when a service group contains overlapping
services was confusing and has been refined to more clearly show the
problem and how it can be resolved.
71. Users being logged out after a timeout could in some rare cases appear to log
out multiple times.
72. The pie chart describing category classification for the Web Content Filtering
service calculated the percentage incorrectly when the number of hits was
very large.
73. The Application Control subsystem allocated memory resources which
remained allocated for a long time and could cause the system to run out of
memory. A cleanup mechanism has been added that will optimize the
Application Control memory usage when the system runs low on RAM.
74. It was not possible to configure two or more SSL VPN interfaces with the
same server IP and port.
75. The firewall might experience unexpected behavior when reporting IDP
events using SMTP LogReceiver under certain specific circumstances.
76. L2TP client behind NAT using L2TP/IPsec transport mode tunnel did not

13
 NetDefend Firewall Firmware Release Notes

always succeed in reestablishing the L2TP tunnel.

77. Using RADIUS accounting could under certain rare conditions lead to system
instability.
78. In rare occasions when an IPsec configuration was updated, the firewall
could restart or stop responding unexpectedly.
79. The MTU for VLAN interfaces was calculated incorrectly, causing unnecessary
ICMPv6 PacketTooBig error messages.
80. The invalid_ip_checksum log message did not correctly list the actual and
expected checksums as intended.
81. CRL lookup over LDAP did not work if the URL for the CRL distribution point
did not contain the port.
82. The ping command could in some rare cases report an incorrect round-trip
time.
83. When using a routing table with the "Ordering" setting configured to
"Default", the named table was sometimes incorrectly consulted first,
instead of the default routing table, during route lookup.
84. Using SCP to download a file from the firewall whose filename included a
hyphen (e.g my-cap.cap) would fail with a "Permission denied" error
message.
85. The CLI prompt was not shown after the "pipes -show" CLI command.
86. In some situations the system would send an extra TCP ACK packet when it
did not need to.
87. The pcapdump command did not print a warning message in the CLI when
the buffer was full.
88. The descriptions of custom timeout settings in the WebUI were not
consistent and have been changed from "timeout" to "idle lifetime".
89. When using a service group which contained overlapping services, there was
no warning message that this may cause undefined behavior.
90. When "arp -notify" was used in an HA setup, the firewall incorrectly used its
private MAC address instead of the shared MAC address.
91. The setting for SLB HTTP monitoring erroneously required a value and can
now be left blank in the configuration without an error being generated.
92. Changes made to the HTTP normalization parameters on an IDP rule were
ignored unless other settings were changed on the same IDP rule.
93. A static DHCP lease was not treated as static anymore if the IP had been
blacklisted and then being released from the blacklist. The static leases are
now always kept static and related temporarily assigned leases during
blacklist are cleared from the lease pool.

14
 NetDefend Firewall Firmware Release Notes

94. The WebUI status page for IDP Log always printed "No IDP or Threshold rules
are currently logging." even though such rules were configured.
95. When the UTM service expired on one of the members in an HA cluster there
was an infinite loop of sending databases from the active node to the
inactive node.
96. The Log and Event receivers did not support using another routing table than
"main".
97. Hardware statistics for Realtek interfaces of type "8169SC" and "8110SC"
was incorrectly represented in the CLI and could not be reset.
98. The HostMonitor subsystem could cause an unexpected restart during
reconfiguration when used together with Server Load Balancing.
99. One of the nodes in a High Availability cluster was entering a reconfiguration
loop if the antivirus subscription had expired for at least one of the nodes,
and there was an IDP database to be synchronized.
100. When using a NAT Pool with a large amount of addresses, the performance
was affected in a negative way.
101. It was not possible to send IPv6 packets through an L2TPv3 Server
interface.
102. The update center ping requests to update servers were incorrectly sent
when no ALG was in use.
103. The CLI tab completion when adding a Custom Option for a DHCP Server
was confusing and has been improved.
104. The firewall's WebUI page showing authenticated users had the label
"Logged in as" instead of the name or groups of the user(s).
105. The advanced IP setting to block multicast source addresses was covering a
range that included too many addresses. The range has been decreased to
the correct 224.0.0.0-239.255.255.255 span.
106. LDAP authentication was failing if the display Name of a user had a space
and it was used as user name against an AD.
107. On rare occasions the system could make an unexpected restart when using
the HTTP ALG together with Anti-Virus scanning.
108. In certain rare scenarios, the H323 ALG could make the firewall reboot
unexpectedly.
109. The system would advertise the wrong IPv6 address when going active in a
high availability scenario.
110. In rare cases when a heavy load of IPsec traffic was sent through the firewall
there could be logs about hardware acceleration failure with performance
degradation as a result. Affected models were DFL-260E and DFL-860E.

15
 NetDefend Firewall Firmware Release Notes

111. When listing VLANs in the CLI and the same VLAN ID was available on more
than one physical interface, the listing was incorrect.
112. Fragmented packets coming from a VLAN going into an L2TPv3 tunnel would
be erroneously dropped in some situations.
113. The internal SSH Server could in rare circumstances use an increasing
amount of memory.
114. Enabling Router Advertisement on an interface with an unnamed
IPv6Network would produce a configuration error.
115. The properties for local_peer and remote_peer in the IPsec logs were
sometimes truncated.
116. The system sometimes restarted unexpectedly during a reconfiguration.
117. The firewall would always perform automatic updates of IDP and AV
databases on startup and HA activation. Automatic updates will now only
occur at the configured time.
118. The log events "too_many_flows_aged" and "failed_to_select_policy_rule"
both used the same log ID 01803001. Now the former uses ID 01803005
and the latter ID 01803001.
119. Syslog messages sent from the firewall did not follow the standard specified
in RFC5424. A setting that enables sending Syslog messages according to
RFC5424 has been added to the ' LogReceiverSyslog ' configuration object.
120. LDAP queries against OpenLDAP servers did not work as expected. It is now
possible, via the new setting; 'Combined Username' and 'Optional
Attribute', on the LDAP Server, to specify how LDAP queries towards an
OpenLDAP server should be sent.
121. Certain web pages were not possible to reach or load when using the HTTPS
ALG.
122. POP3 ALG log messages would sometimes contain incorrect e-mail
addresses.
123. On rare occasions, the SMTP and POP3 ALGs could not read fields from the
DataHeader correctly.
124. The firewall could perform an unexpected restart in case an up and running
PPPoE tunnel was disabled by the user.
125. The DHCP Client did not renew its IP address lease after a link failure had
been restored.
126. The firewall would incorrectly terminate some HTTPS sessions when using
an HTTP ALG with HTTPS, resulting in a blank page in some browsers.
127. TCP traffic inside an IPsec tunnel using Transport Mode where both peers
were located behind a NAT gateway did not work as expected, SYN-ACKs

16
 NetDefend Firewall Firmware Release Notes

never reached client, when the firewall was configured with SynRelay.
128. The community string in SNMP Remote Management was truncated if it was
longer than 32 characters.
129. Unsolicited ARP reply was not handled correctly according to the Unsolicited
ARPReplies setting.
130. The setting for Multiple Username Logins on the User Authentication Rule
did not work as intended when selecting to use timeouts from the
authentication server.
131. When two SSL VPN Interfaces were configured on the same Interface with
the same listening IP only one of them was triggering for all client
connections, even though different ports were used.
132. The L2TPv3 Server leaked a small amount of memory when a new session
was initiated within an established tunnel.
133. Certain SIP PBX configurations caused the firewall to drop INVITE requests.
134. In rare occasions when SIP was reconfigured, the firewall could make an
unexpected restart.
135. Some characters were not supported in passwords for users being
authenticated using LDAP as source.
136. It was possible to configure multiple static DHCP hosts with the same IP or
MAC address without getting a configuration warning.
137. The cryptographic accelerator on DFL-260E/860E could in some high
performance situations become unresponsive.
138. With Application Control enabled in some high bandwidth scenarios there
was a possibility that connections might stall and make the traffic flow slow.
139. The CLI command "dhcpserver" was not able to show the client identifier
string. Now it supports both MAC and identifier.
140. Unexpected exceptions sometimes occurred when the remote endpoint of
an IPsec tunnel was set to a DNS object.
141. The system would set the BROADCAST flag in DHCP Discover and DHCP
Request messages, despite being fully capable of receiving unicast replies.
142. The update center CLI command would return an error if no argument was
specified. It will now show the status of all databases as default action.
143. The L2TP/PPTP client used the wrong source IP when the interface used for
L2TP/PPTP traffic was changed due to a DHCP update.
144. The navigation menu disappeared when visiting the "List all active IKE SAs"
from the IPsec status page. The navigation menu should now correctly still
be there and highlight IPsec status.
145. NATed traffic sometimes used an old source IP address for connections

17
 NetDefend Firewall Firmware Release Notes

opened prior to a dynamic update of the IP address of the outgoing

interface.
146. The configurable minimum lease time of the DHCP server was incorrectly set
to 0 seconds. This has now been changed to 30 seconds.
147. ndsnoop messages would sometimes show the firewall's MAC address as
00-00-00-00-00-00.
148. The system could in some situations misbehave when parsing malformed
SNMP packets on the remote management interface.
149. Advisory links were missing on the IDP log event list in the web interface,
and when listing a large amount of IDP log events the system could become
unresponsive.
150. A space was placed before %REDIRHOST% in HTTP banner files leading to
bad URLs.
151. The switch driver used on DFL-260E (rev a2) appliances had a faulty default
configuration, which lead to performance issues.
152. Service custom timeouts did not trigger when used by an IP Policy.
153. Forcibly logging out authenticated users via the CLI command "userauth
-remove" did not generate a log event.
154. The TFTP ALG would stop forwarding packets after 65535 blocks.
155. The CLI commands "ippool" and "idppipes" had no default usage and they
were always in need of an argument. Now they can be used without any
argument which implicitly means running them with the "-show" argument.
Furthermore the "-max" option for "ippool" has been renamed to "-num" to
be consistent with other CLI commands.
156. When using trace route through the firewall the responses were not
forwarded correctly to the initiating client.
157. The icons for the collapsible search filters on log pages were not following
user interface standards. The down arrow is now shown when the filter is
expanded, instead of the opposite.
158. The ALG didn't handle SSLv2 compatibility mode with new TLS protocols.
The ALG has been updated to handle compatibility mode correctly.
159. Some statistics for rejected DHCP Relay packets was increased even though
nothing was rejected.
160. The "ipsecstats -ike" CLI command would output a lot of unnecessary "more
entries not displayed" lines.
161. When using the HTTP ALG together with Anti-Virus scanning, the system
would sometimes make an unexpected restart.
162. On rare occasions certain IP addresses in blacklist could lead to faulty

18
 NetDefend Firewall Firmware Release Notes

behavior.
163. Port Based VLAN did not work on DFL-260E (rev a2) model.
164. An incorrect PPPoE interface name could be logged in closed / open events
with certain configurations.
165. PPPoE interfaces could in rare circumstances make the firewall restart
unexpectedly.
166. It was not possible to disable Port Based VLAN without rebooting the device.
167. Port Based VLAN didn't properly forward packets according to switch routes.
168. VLAN traffic sent over, and received from, L2TPv3 interfaces was incorrectly
required to be received on, or forwarded on, a VLAN interface with identical
ID. Now, L2TPv3 interfaces trust the routing configuration and do not
enforce any additional restrictions regarding how VLAN packets are handled
by the rest of the system
169. Group names, returned from external databases e.g LDAP, that contained
spaces were not supported.
170. The output list from the CLI command 'vlan' was not sorted in VLAN ID
order. This has been corrected and the command was enhanced with the
parameters to segment long output lists using 'num' and 'page'.
171. The 'blacklist' CLI command did not set the correct port number and
destination URL in its output.
172. The default metric for a manually added route was 0 instead of 100.
173. Static destination address translation would fail for transport mode IPsec
traffic.
174. Changing an IDP Rule Action setting from Action "Protect" and "Dynamic
Black Listing" enabled to Action "Audit" left the "Dynamic Black Listing"
enabled.
175. IPsec Transport mode clients using the same remote ID behind NAT devices
failed to connect simultaneously.
176. A warning text has been added to inform the administrator when the
maximum number of IPsec rules for an IPsec interface has been reached.
177. The SSL VPN Portal would sometimes not use the same authentication
method as the SSL VPN Client when RADIUS authentication was enabled.
178. In rare circumstances when using High Availability and OSPF, there could be
a flood of OSPF packets on the sync interface.
179. A RADIUS Accounting session was closed if the reply from the RADIUS
server contained RADIUS Attributes.
180. The ifstat CLI command did not show the chip information for some E1000
based interfaces.

19
 NetDefend Firewall Firmware Release Notes

181. Phase one rekey negotiations in the cases where peer Xauth authentication
is required were removed.
182. Under rare circumstances, an IPsec configuration could cause the firewall to
run out of buffers.
183. The traffic shaping subsystem consumed a large amount of CPU resources
when processing packets that could not fit within a configured pipe.
184. The system could in rare cases perform an unexpected restart when IPsec
clients were connected behind a NAT gateway.
185. The handling of large amounts of hosts in blacklist has been optimized.
186. The clone option was not always available on the WebUI objects.
187. The IP protocols 33 and 48 were logged with incorrect names and IP
protocols 131 to 142 were missing names. The IP protocol list has been
updated according to the current IANA definition.
188. Receiving ESP packets for a new IPsec security association, before the last
IKE message in the negotiation was received, could cause the firewall to
drop the ESP packets for that security association during its entire lifetime.
189. ISAKMP cookies in IKEsnoop messages were sometimes displayed
incorrectly and could lead to a mismatch in the print out of the 'Delete SPIs'
and the cookies in an 'IKE delete' message.
190. In an IPsec scenario where XAuth was used on the tunnel, the memory
consumption could in rare circumstances increase unexpectedly after
renegotiations.
191. Certain configurations related to one sub system could cause a security
vulnerability.
2.40.04 1. The IP protocols 33 and 48 were logged with incorrect names and IP protocols
131 to 142 were missing names. The IP protocol list has been updated
according to the current IANA definition.
2. Syslog messages sent from the firewall did not follow the standard specified
in RFC5424. A setting that enables sending Syslog messages according to
RFC5424 has been added to the ' LogReceiverSyslog ' configuration object
3. Certain configurations related to one sub system could cause a security
vulnerability.
2.40.03 1. Routemon did not detect link state changes on some Realtek interfaces.
Affected models: DFL-260E/DFL-860Es.
2. The link status info for the Realtek interfaces disappeared after a
reconfigure. Affected models: DFL-260E/DFL-860E
3. In some scenarios with IDP configured, traffic of certain patterns could in

20
 NetDefend Firewall Firmware Release Notes

rare circumstances be delayed

4. It was not possible to connect multiple L2TP/IPsec clients behind the same
NAT gateway.
5. SNMP Interface Alias field was empty when selecting "Comment" in
"Interface Alias".
6. If L2TP clients with the same local IP address established IPsec tunnels
behind a NAT device there were sometimes problems with the connections.
7. The OSPF routes database was not updated during reconfigure in some High
Availability scenarios.
8. In some unusual circumstances the use of XAuth based authentication
would lead to an unexpected reboot
9. The web user interface was not 100% compatible with Explorer 10. The
basic structure has now been updated to render the page correctly in all
major browsers.
10. The firewall Dynamic Routing Rules did not properly export / import OSPF
routes when they were filtered by "OSPF Tag range" or "Router Type".
11. A few log message categories, such as SSL VPN and IPv6 Neighbor
Discovery were missing from the log message exception list..
12. In some scenarios when using IPsec with XAuth, ESP delete notifications
would not be sent.
2.40.02 1. In some rare occasions, the memory consumption of the firewall could
increase unexpectedly when deploying cluster configurations.
2. The output list from the CLI command 'vlan' was not sorted in VLAN ID order.
This has been corrected and the command was enhanced with the
parameters to segment long output lists ‘num’ and ‘page’.
3. The 'blacklist' CLI command did not set the correct port number and
destination URL in its output.
4. A configuration with the now obsolete selection of Log And Event Receiver
category '36 (USAGE)' would send out empty log data. The configuration is
now silently updated to exclude this category.
5. The shared IP was not used in LDAP server queries for High Availability
cluster nodes.
6. The realm string for HTTP basic authentication was incorrectly not optional in
the configuration.
7. The unit for the OSPF memory max usage in the WebUI was 'kilobytes', but
has now been corrected to 'bytes'.
8. The Local Gateway configured in an IPsec tunnel was not shown in the CLI
command "ipsectunnels -iface" printout.

21
 NetDefend Firewall Firmware Release Notes

9. The link status of the DMZ, WAN1 and WAN2 interfaces on the DFL-860E
model and DMZ and WAN on the DFL-260E would disappear shortly during
the reconfigure process.
10. The filename for an attachment was incorrectly required for the SMTP ALG
and POP3ALG. The ALGs have now been updated to handle attachments
without filenames, according to the RFCs.
11. The SIP ALG did not use the "420 Bad Extension" response in certain
circumstances.
12. The built in L2TP client did not work correctly when put behind a NAT device.
13. The configuration was not always updated correctly when upgrading to a
newer version.
14. HTTPS webauth using Internet Explorer versions 8 and older did not show the
logged in page after the user had logged in.
15. When using a large number of neighbors in nodes running OSPF, there was a
rare possibility of memory corruption.
16. A prompt was not added after various SSH printouts in the CLI.
2.40.01 1. Corrected leap year problem where leap year day was added to January
instead of February.
2. The log event no_arp (ID:04100007) firewall action text was previously
route_enabled, the text is now corrected to route_disabled.
3. Time unit 'seconds' added to help texts in WebUI ALG SIP dialog and CLI
command 'help ALG_SIP'.
4. An expired AV or IDP license in an HA environment could trigger unexpected
behavior in the inactive cluster node.
5. Some web authentication scenarios could lead to unexpected behavior by
the firewall.
6. The output text for the CLI command 'dns -list' was not formatted correctly
when using SSH remote management.
7. The firewall did not handle lower and upper case correctly in some
configuration scenarios where objects were named almost identically.
8. In some High Availability scenarios, the HA setting ReconfFailoverTime was
not obeyed, resulting in a failover when deploying a configuration on the
active peer before the ReconfFailoverTime was reached.
9. Cancelling the HA wizard would result in unexpected behavior of the
firewall. Affected models: DFL-260E/860E.
10. In rare occasions, closing down a SIP session could lead to an unexpected
restart of the firewall.
11. The general stability of SSL VPN tunnels has been improved.

22
 NetDefend Firewall Firmware Release Notes

12. The deployment of new configuration could have a negative impact on the
performance of Realtek 8169 interfaces.
Affected models: DFL-260E/DFL-860E.
13. Running SSL VPN on a shared IP in an HA cluster disconnected the client at
reconfiguration due to the inactive node going active during reconfiguration.
14. A recent change in scp (secure copy) uses an end of option parameter that
was handled erroneously by the firewall causing scp connections to be
closed unexpectedly.
15. The "add" CLI command would in some cases add a new configuration
object with errors, and the "set" CLI command allowed the user to modify
configuration objects by entering invalid values. Now the behavior has been
changed to not modify the configuration if the resulting change causes
errors, unless the "-force" flag is specified.
16. The CLI "netobject" command incorrectly printed IPv6 addresses in IPv4
format.
17. It was not possible to disable sending out High Availablility cluster
heartbeats on nodes. The setting was not obeyed.
18. The Web Content Filtering (WCF) server connection could stall after a
reconfigure and fail to resolve new URLs. The issue has been corrected
along with additional server connection statistics for the 'httpalg -wcfcache'
CLI command.
19. Log messages containing routing information used invalid values.
20. Using the H323 ALG could in rare circumstances lead to unexpected
behavior.
21. An error in the configuration module could in rare occasions lead to
unexpected behavior during the deployment of a new configuration.
22. The output of the CLI command "ifstat" has been extended to list the shared
MAC addresses on the interfaces of High Availability cluster nodes.
23. Passwords for newly added users were not encrypted in the configuration
file.
24. OSPF MD5 authentication misbehaved when using ID other than 2.
25. The RADIUS accounting session ID string could under some circumstances
be reused for a later session.
26. A prompt was not printed in the CLI after activating a new configuration.
27. A recent security patch for CVE-2011-3389 in some popular web browsers
made the firewall's SSL VPN client download page unreachable.
2.40.00 1. Some VPN configurations using Radius Accounting did not report in/out octet
statistics to the Radius Accounting server.

23
 NetDefend Firewall Firmware Release Notes

2. The H.323 ALG did not allow FACILITY messages to be sent during the
ALERTING state.
3. In certain scenarios, traffic originating from LDAP could lead to unexpected
behavior by the firewall.
4. If SSL VPN was configured to listen on a proxy ARPed IP, it was not possible to
log in to the SSL VPN portal.
5. Browsing to certain pages in the WebUI would lead to unexpected behavior for
the firewall. Affected models: DFL-260E and DFL-860E.
6. Some scenarios made the firewall send malformed packets in an SSL
negotiation.
7. In a High Availability scenario it was not possible to log in to the firewall in
order to download the SSL VPN client.
8. The value "Password Attribute" for LDAP Servers could not be empty. It is now
possible to create an LDAP Server with an empty "Password Attribute" field.
9. The possibility to configure interface groups inside interface groups has been
added.
10. Routes monitored only by ARP were not marked as down when the link on the
Ethernet interface was down. Affected models: DFL-260E and DFL-860E.
11. Setting up a High Availability cluster using the "backup and restore" method
would result in problems synchronizing the configuration because of an invalid
interface configuration. The units now correctly handle that interface
configuration by using information from the old configuration.
12. Large VLAN tagged packets would be dropped by the RealTek R8169 driver.
The driver has been updated to handle VLAN packets.
Affected models: DFL-260E and DFL-860E.
13. The RealTek R8169 interface reported wrong link speed for SNMP. The
interface has been updated to report the correct speed.
Affected models: DFL-260E and DFL-860E.
14. The RealTek R8169 driver contained a watchdog that erroneously triggered
too often and made the interface restart. The watchdog has been updated with a
longer timer to prevent this from happening.
Affected models: DFL-260E and DFL-860E.
2.30.01 1. The firewall did not forward SIP registrations REQUEST with null values in the
“Authorization” field.
2. The source port 20 is occupied when combining the SAT Action in an IP rule
with the FTP ALG.
3. The CLI commands “reset -configuration” and “reset –unit” show incorrect
default management IP.

24
 NetDefend Firewall Firmware Release Notes

4. SIP ALG would close SIP calls two minutes after the call session was
established in some network scenario.
5. The "Route Type" in "OSPF Actions" was incorrectly interpreted by the firewall
when the configuration was activated.
6. An unexpected restart could occur during a configuration deployment when
new IPSec tunnels were added to the configuration.
7. It was not possible to use all address object combinations in places like routes
or in the Address Book.
8. The severity for the log message sslvpn_max_sessions_reached was
incorrectly set to DEBUG, but has been changed to NOTICE.
9. IP4Groups containing Userauth configured objects were not available for
selection in IPRules. The IPRules have been updated to allow IP4Groups
containing objects with Userauth.
10. The TLS ALG rejected SSL HELLOs with zero or more than one compression
method.
11. Some cipher suite combinations prevented the AES256 algorithm to be used
when establishing SSH administration sessions to the firewall.
12. Some specially crafted SDP payloads could cause unexpected reboots of the
firewall.
13. The edit alternative for Comment Groups was not shown.
14. The Web GUI page for interface status showed the Send Rate and Receive
Rate as average for the last 24h. The values have been updated to use the
average for the last 2 minutes.
15. The ping -verbose CLI command did not print the correct translated port if
the packet was affected by a SAT rule in some cases.
16. Some statistics on IXP interfaces were not correctly printed on the firewall
console. Affected models: DFL-160/260E/860E.
1. The usage column in the DHCP Server status page has been updated to show
active clients.
2. References to UserAuth privileges for authenticated users could change when
modifying the number of configured privileges.
3. The web server could under certain conditions deadlock and print a "500 -
2.27.03 Internal Server Error" message when trying to access the web user interface.
The web server has been extended with better error handling to prevent this
kind of deadlock.
4. The interface traffic counters were only of size 32-bit and often wrapped
around when the throughput was high. Corresponding 64-bit counters have
been added to ensure that wrapping will not occur as often as the

25
 NetDefend Firewall Firmware Release Notes

corresponding 32-bit values.

5. The block list file verification failed for files with a size smaller than one packet.
The blocklist now validates the extension for the first packet when the content
type could not be determined in the first packet.
6. In certain scenarios, the voice transmitted through the SIP ALG terminated
suddenly two minutes after the call was established.
7. Office "xlsm" files were blocked by the SMTP ALG. Encrypted "xlsm" files are
embedded in an "Office 97/2000 Compatible" container which results in an
incorrect file typ according to file integrity control. The file integrity control has
been updated to handle encrypted "xlsm" files.
8. A faulty model check made the Switch Management not display all the switch
ports in the WebUI for the DFL-860E model.
9. The Realtek 8169 interface reported link down incorrectly. This caused route
monitor to not work properly. Affects: DFL-260E and DFL-860E.
10. The HTTP ALG failed to load web pages from certain web servers correctly.
The HTTP ALG will now respond with a TCP RESET should the server continue
to send packets after the client has closed the connection.
11. Anti-virus scanning of zip files containing files with a large compressed size
could sometimes lead to unexpected behavior.
12. Using HTTP web authentication with a RADIUS server as authentication
source, could in very rare scenarios cause the firewall to malfunction during
save & activate (reconfigure).
13. Two HTTP ALGs with the same name, but with different case (e.g.
"MYHTTPALG" and "myhttpalg"), could sometimes cause the firewall to
freeze during save & activate (reconfigure).
1. It was not possible to use User Authentication on IP4Group objects.
2. Certain SIP server scenarios in REGISTER transactions made the firewall
reject incoming SIP calls.
3. In some situations when using SMTP ALG with Anti-Virus e-mails with
attachments would not be completely transferred, resulting in a timeout. The
ALG Anti-Virus feature now specifically logs failure to decompress encrypted zip
2.27.02 files. A setting to allow or deny encrypted zip files have also been added.
4. The usage bars on the DHCP Server status page were not displayed correctly
when leases reached 100% usage.
5. ACK messages for non 2xx PBXs responses were not forwarded by the SIP
ALG.
6. The DHCP Server did not send DHCP NAK messages in all scenarios. This
change speeds up the process of receiving a new IP address lease in these

26
 NetDefend Firewall Firmware Release Notes

scenarios.
7. The SMTP ALG always allowed emails where the SMTP "from" address and
email header "from" address did not match. A new setting has been added which
allows the administrator to deny or tag these mails as spam.
8. CLI command "ipsecdefines" has been removed from "techsupport"
command.
9. During configuration certain values were not reset after parsing an IGMP
Report rule, which made the next IGMP Query misbehave. The configuration
values are now properly reset after parsing IGMP Report rules.
10. Incoming SIP traffic routed through an IPsec tunnel was discarded by the SIP
ALG.
11. Some empty configuration values were not written to the configuration.
After a restart of the firewall the default values were used instead.
12. Some buttons in the web user interface had truncated text.
13. The reception of 255.255.255.254 as Framed-IP-Address in a RADIUS
negotiation wasn't handled correctly in all installations. Now this will always lead
to an IP being assigned, to the PPTP-/L2TP-client, from the configured IP pool.
14. It was not possible to click on the IDP signature group links in the web user
interface page "IDP Factory Signatures". Clicking on the link now lists the
signatures in the group.
15. The DNS client always dropped DNS replies that had the truncated bit set.
The truncated bit indicates that the reply does not contain the complete response
and that a new DNS request should be sent using TCP (if the client supports TCP
DNS). The DNS client now uses the addresses in the partial response instead of
ending up with no address at all.
1. Certain SIP PBX configurations blocked media transmission on calls
established between devices located on the same interface of the firewall.
2. The POP3 ALG did not reset its state after a failed authentication. This could
cause the next login attempt to fail.
3. Specific Intrusion Detection Protection (IDP) scenarios using hardware
acceleration could cause scans to fail.
2.27.01 4. Restarting a GRE interface did sometimes trigger an unexpected restart of the
firewall.
5. The POP3 ALG did not allow Digest-MD5 authentication.
6. The SIP ALG could forward malformed SIP messages if a range 0-65535 was
used as destination port in the SIP service configuration.
7. Specific scenarios using the PPTP ALG could sometimes cause an unexpected
restart of the firewall.

27
 NetDefend Firewall Firmware Release Notes

8. The log message sent when reclassifying a URL using Web Content Filtering
showed the wrong category. The log message has been updated to display the
correct category.
9. Web User Interface: Activating a configuration that had deleted an item that
was represented in the navigation tree would not automatically update the
navigation tree. This resulted in a navigation tree that did not correspond to the
running configuration.
10. Checked checkbox properties that were disabled were unchecked when
submitting data in the Web User Interface (since information sent by a web
browser is identical for an unchecked checkbox and a disabled checkbox). The
configuration engine now correctly remembers the state of disabled checkboxes
when submitting data.
11. The HTTP ALG MIME type check did not have support for OpenDocument Text
Documents (odt).
12. Script execute did not allow the 'cc' command to run without parameters.
The command has been updated.
1. The IP4 Group object didn't handle excluded addresses correctly. It's now
possible to use excluded and included objects in the correct way.
2. Certain SIP option messages with high values for the "expires" header field
failed to be properly parsed. When that occurred incoming calls to phones
placed behind the firewall failed.
3. Some HTTP headers could cause HTTP connections through the HTTP ALG to
be closed down prematurely.
4. On DFL-260/ DFL-860, some specific high stressed Intrusion Detection and
Protection scenarios using a hardware accelerator could drain the memory of
the firewall.
5. The SMTP ALG did not accept response codes that only contained numeric
2.27.00
data.
6. Browsing the Web User Interface over HTTPS would sometimes result in
"Error 500 - Internal server error".
7. On DFL-1600/DFL-1660/DFL-2500/DFL-2560(G), after a reconfiguration
using a HA configuration the interface synchronization list for the Inactive
node contained invalid interface references which could cause problems
when connections were synchronized before the list was rebuilt. The
references are now properly cleared during a reconfiguration.
8. In the Web User Interface, when defining an IDP Rule, the check box to
enable or disable the option "Protect against insertion/evasion attacks" was
not visible.

28
 NetDefend Firewall Firmware Release Notes

9. The CLI techsupport command always sent a "sesmgr_file_error" log

message, even when it worked correctly. The techsupport command now
only sends log message when it fails.
10. A limitation on the number of simultaneous WebAuth transaction could
prevent the authentication of authorized users.
11. The IP Rule view in the Web User Interface was slow when viewing large
collection of rules. The rendering speed has been improved.
12. Dropdown menus in the Web User Interface used a fixed width, which caused
objects with long names to push information outsize the window. The
dropdowns are now scaled to be able to show all the information. The
dropdown also automatically scrolls to the selected item when opened.
13. The Mappings and Leases links on the DHCP Server status page in the Web
User Interface didn't work.
14. Disabling objects with references in the Web User Interface would delete the
objects and references instead. The objects are now only disabled when
selecting to disable them.
[DFL-210/260/800/860/1600/1660/2500/2560/2560G]
1. The "range" parameter in the "rules" CLI command did not work.
2. The CLI command "dns -query" only returned one IP address even though the
DNS Record contained multiple entries.
3. An error in the configuration engine caused problems when configuring the
first OSPF Area for an OSPF Router Process.
4. When using services with the SYN flood protection (SYN Relay) functionality
enabled, reconfigurations could result in unexpected behavior.
5. Certain conditions sometimes led to an unexpected behavior when a firewall
had IPsec tunnels configured.
6. It was not possible to use User Authentication enabled objects in Routing
2.26.02
Rules, Threshold Rules, IDP Rules or Pipe Rules.
7. The log pages for the Web User Interface were rendered incorrectly resulting
in artifacts on some web browsers.
8. The SMTP ALG did not load all whitelist and blacklist entries if the number of
entries were more than about 30. The entries that failed to load were silently
ignored. All configured whitelisted and blacklisted addresses are now loaded and
filtered correctly.
9. Users were not properly logged in when IPsec LAN to LAN tunnels were
configured to require IKE XAuth. This could cause an unexpected reboot. Now
the LAN to LAN case is properly handled by IKE XAuth.
10. The L2TP/PPTP Server overview grid did not have a column for "Server IP".

29
 NetDefend Firewall Firmware Release Notes

11. The dropdown to select the interface for OSPF Neighbor in the Web User
Interface printed the name wrongly. The dropdown code has been enhanced to
handle this value correctly and print the proper name.
12. The validation of the latency setting in the Host Monitor configuration was not
correct. The configured value was lowered to an incorrect value.
13. The setup wizard only created the second of the two possible Syslog servers.
The first Syslog server is now correctly created by the wizard.
14. The "min" and "preferred" input fields had swapped position on the
configuration page for IPsec Algorithms and IKE Algorithms in the Web User
Interface. The position of the input fields has been corrected.
15. In the Web User Interface it was not possible to change order of objects that
were both disabled and deleted. It's now possible to move objects that are both
disabled and deleted.

[DFL-160]
1. Enabling POP3 on the Inbound Traffic page did not have any effect.
[DFL-210/260/800/860/1600/1660/2500/2560/2560G]
1. A configuration that contains a routing table loop could lead to the watchdog
being triggered. Now the configuration will fail to be activated with the following
message: "Dynamic routing configuration error, possible configuration loop".
2. Setting both "IKE Lifetime" and "IPsec Lifetime" to 0 seconds in an IPsec
tunnel triggered a warning message on the console referring incorrectly to
another property.
3. Proposal lists were not properly listed in command line "ipsectunnel -iface"
output.
4. When using a user authentication rule for HTTPS with LDAP, an SSL socket
was sometimes not closed, possibly resulting in instability.
2.26.01
5. It was not possible to use certificates that had no alternative name set.
6. Due to memory corruption occurring in some setups, the internal timers
caused the firewall to restart unexpectedly. Depending on the traffic load, the
reboots occurred periodically from a few hours up to several days. This issue has
been corrected together with fixes in the loader.
7. The establishment of SYN flood protected TCP connection could be
unnecessarily delayed due to the firewall dropping all the packets sent by the
client side while waiting for the completion of the three-way handshaking
between the firewall and the server.
8. Updates of the Anti-Virus database could only be done when the Anti-Virus
functionality was enabled. The database can now be updated even though no

30
 NetDefend Firewall Firmware Release Notes

Anti-Virus functionality is enabled

9. The license page showed an incorrect value for maximum number of PPP
tunnels.
10. Running certain sequences of CLI commands (or performing corresponding
actions in the Web User Interface) involving multiple "reject" commands, could
cause a critical malfunction in some cases.
11. After running the CLI command "reject" with a configuration object as
parameter, activation of configuration changes could fail with an error message,
but "show -errors" would say that there were no errors. The "show -errors"
command has been updated to correctly display these errors.
12. Keep-alive SIP pings were not handled correctly and would generate drop
logs. The SIP pings are now handled correctly and a response pong is sent.
13. The console command always printed that it showed the events for the last
30 days even though nothing had happened. The command has been updated so
it will print the date of the oldest entry. If entries exist that are older than 30 days
it will print 30 days and truncate, if less than 30 days, date of last entry will be
printed.
14. The system information slides on the front panel display could stop after
showing the first sensor under certain conditions when Hardware Monitor was
enabled. The system information slides can now loop through all pages without
getting stuck. Only affected hardware models with front panel display.
15. There was a critical defect in the Web Content Filter functionality that could
cause the firewall to reboot unexpectedly.

[DFL-160]
1. It did not work to have DHCP assigned IP on the WAN interface and at the
same time relay DHCP requests to hosts on the LAN or DMZ in transparent mode.
2. If the Internet connection had dynamic IP address (DHCP enabled) and
transparent mode was used on LAN or DMZ, the IP address on the LAN / DMZ
interface was set to 0.0.0.0.
1. PPP negotiations were sometimes slower than necessary.
2. Deploying a configuration during heavy traffic load could cause a watchdog
reboot.
3. It was possible to enable the anti-spam feature DNSBL on an SMTP-ALG
2.26.00
without specifying any DNSBL servers. Configuring DNSBL without specifying
any servers will now give an error.
4. Some errors in IPsec tunnel configuration were not correctly treated during
the firewall start up process, resulting in IPsec tunnels not properly being set up.

31
 NetDefend Firewall Firmware Release Notes

Now most of those errors make the tunnel be disabled and a warning message be
displayed. For the most severe ones the configuration will be rejected by the
system.
5. Running FTP-ALG in hybrid mode could result in the first packet being dropped
when the connection to the server isn't established, and this leads to a three
seconds delay. The connection from the ALG to the client will now not be initiated
until the server connection is established towards the ALG.
6. It was not possible to move a rule up or down in the list if the rule was
disabled.
7. The command "ipsecstats" could in some circumstances not show all tunnels
when a tunnel name was given as an argument. The command now displays all
the tunnels when tunnel name is given as an argument.
8. The command "ipsecstats" only listed the first matching IPsec SA when a
tunnel name was given as an argument. The command now displays all IPsec
SAs that are connected to the specified tunnel name.
9. The FTP-ALG virus scanner triggered an unexpected restart if the virus
signature database was updated while files were being processed by an FTP-ALG
configured with fail-mode set to allow.
10. The "ippool - show" CLI command output showed all configured pools, which
could be a very long list. Now only the first ten are listed by default. The "-max
<num>" option can be used to display more items.
11. The SIP-ALG didn't handle "183 Session Message" when initiating a new SIP
call.
12. The return traffic for ICMP messages received on an IPsec transport mode
interface was wrongly routed to the core itself and then dropped. The return
traffic is now passed back using the same connection as it arrived on.
13. Tab completion in the command line interface (CLI) did not work on IPsec
tunnels when using the "ipsecstats" command. Tab completion is now possible to
use in the "ipsecstats" command.
14. The firewall did not accept certificates signed with RSA-SHA256.
15. Timezone setting could make the minimum date limit in scheduling to wrap
and become a date into the future. The minimum and maximum dates in
scheduling have been modified to be between the years 2000 and 2030 which
will not trigger the incorrect behavior.
16. The SMTP-ALG incorrectly blocked emails sent using the CHUNKING (BDAT)
extension. The ALG has been modified to remove the CHUNKING capability from
the server's EHLO response. This allows the emails to pass through the ALG.
17. It was not possible to connect to the firewall using SSH if lots of public keys

32
 NetDefend Firewall Firmware Release Notes

were registered in the SSH client.

18. The firewall could unexpectedly restart when disabling automatic updates of
anti-virus and IDP updates.
19. IPsec tunnels with a DNS name as remote endpoint would cease to function
after a remote endpoint IP address change.
20. Blacklist could potentially write to media up to five times each minute. The
delay between possible writes has been increased to two hours.
21. It was not possible to configure "maximum authentication retries" for the
SSH server in the web user interface. Configuration support has now been
added.
22. There was a problem when multiple IPsec SAs referenced the same XAuth
context.
23. If a DHCP lease of a reserved IP address was manually released in the DHCP
server and the host requested a new lease, the host was not given the reserved
IP again.
24. The UDP checksum was not correctly updated when the multiplex rule was
used together with address translation (SAT SETDEST / NAT).
25. On some models, a data alignment error in the Route Load Balancing system
could cause the firewall to malfunction.
26. Old configurations had an incorrect definition of the all_tcpudp service.
Upgrading from an older version to a newer version could cause problems. This
problem has now been fixed and the old service will be converted during the
upgrade.
27. In some scenarios, login attempts using the web user interface failed with the
error message "Error 500 - Internal Server Error". No new login attempts were
allowed until the system had been restarted. A synchronization lock for an
internal buffer failed to reset during reconfigure and caused this issue.
28. Scripts created by "script -create" could previously have problems to run
even when executed with "script -execute -force", because the generated script
would sometimes incorrectly reference an object before it had been added. This
has been solved in such way that "script-create" always generates a script that
will not reference an object before it has been created. Circular dependencies are
resolved by first adding the objects without the problematic references, then
later modifying the object to its final state.
29. Since the web user interface uses UTF-8 encoding, a PSK containing ASCII
characters with value of 128-255 would be stored as UTF-8 characters. UTF-8
characters are now converted back to ASCII characters when it is possible.

33
 NetDefend Firewall Firmware Release Notes

1. If the IPSec encapsulation was configured as “Both” then upgrade firmware to

v2.25.01.22, it will cause device into cycle reboot.
2. The WCF tab is shown on Non-UTM Firewall models. Basically, Non-UTM
2.25.01.28 firewalls don’t support dynamic WCF feature. It is no longer visible on non-UTM
firewall models after upgrade to firmware v2.25.01.28.
3. Startup Wizard is not displayed after reset configuration to default via
WebGUI.
1. The advanced setting Block0000Src{Drop, DropLog, Ignore, Log} has been
renamed toLog0000Src{Drop, DropLog}.The actions Log andIgnore have now
been converted into DropLog and Drop.
2. UpdateCenter caused problems in HA setups, sometimes locking up an HA
node. HA alsocaused some problems for pseudo-reassembly
3. The behavior of the TCP reassembly has been changed slightly to avoid
causing orcontributing to ACK loops
4. The firewall could generate multicast_ethernet_ip_address_mismatch log
messages if itwas deployed in setups where another HA cluster was present. The
heartbeats from the other HA setup were not recognized and triggered a log
message. Heartbeats from other HA setups are now identified and silently
dropped.
5. Configuration errors in SSH management setup were not reported to the user.
6. Ability to configure a source port for a NAT rule has been removed. This could
be configured but would be ignored and the source port would still be randomly
2.25.01.22 selected.
7. Log messages regarding denied update of anti-virus or IDP signatures were
incorrectly generated when no valid subscription existed for that service. The log
messages have been removed.
8. Redirecting HTTP users to the web authentication login page did not work
correctly.
9. A change of an interface's name could lead to the drainage of free buffers that
eventually caused the firewall to stop handling traffic. The root cause of the
leakage has been identified and fixed.
10. The functionality of the CLI command 'urlcache' has been moved into the
'httpalg-wcfcache' command. The new 'httpalg' flag '-wcfcache' lists the hosts
which have overridden the content filter.
11. A predefined list of file types were missing in the configuration for ALG file
integrity and anti-virus scan exclusion. Specifying the file extensions can now be
done with support of a list of extensions.
12. The arguments to the CLI command "arpsnoop" have been changed. To

34
 NetDefend Firewall Firmware Release Notes

enable snooping on all interfaces "all" should now be used instead of "*" and
"none" instead of "disable".
13. Some malformed HTTP URLs were always blocked when scanning with IDP. It
is now possible to configure the way malformed HTTP URIs should be treated
(log, drop, droplog, ignore).
14. Previously, ARP monitoring would be disabled if there was no gateway to
monitor.
15. Previously a route could not be configured to include its own gateway among
hosts to monitor, if the gateway address was obtained via DHCP.
16. A missing anti-virus signature database or a license file not allowing
anti-virus scanning resulted in all traffic sent through an anti-virus enabled
Application Layer Gateway to be blocked. Even though this behavior guaranteed
that un-scanned traffic never passed through the gateway, it could lead to
unexpected interrupts in traffic flows.
17. At shut down of the unit, connected SSH clients were not disconnected
18. The interface status page could show corrupted driver / hardware output
when viewing VLAN interfaces. VLAN interfaces have no driver or hardware
information so this field is now left empty.
19. Executing commands which used object arguments from within a script file
did not work. It is now possible to execute such commands from within script
files.
20. IP4HAAddress peer address was not shown in the WebUI and CLI address
book views. The HA peer address is now displayed in address book listings.
21. Idling system backup download for more than 5 seconds aborted the
download. It is now possible to idle up to two minutes without having the
download being aborted.
22. When the SMTP-ALG anti-virus engine detected multiple infected files within
a single ZIP file, the name of the zip file was incorrectly added to the
BlockedAttachments.txt file each time a virus was found. The zip file name is now
only added once, no matter of the number of infected files within the zip file.
23. An HA node sometimes froze and had to be physically rebooted after
updating IDP signatures via updatecenter.
24. The authentication method for IPsec tunnels was set to PSK as default value.
When adding such tunnels from the CLI this was unclear. When using the CLI to
create IPsec tunnels, the user must now explicitly specify the wanted
authentication method.
25. Microsoft Windows LT2P over IPsec sessions could fail in the sequence of
re-keys.

35
 NetDefend Firewall Firmware Release Notes

26. When using the CLI it was possible to add objects to already disabled folders.
It is no longer possible to add objects to disabled folders.
26. The User Authentication logs sometimes contained faulty authentication
information. Log events were also missing in some authentication scenarios
27. A file transfer scanned by the HTTP ALG with anti-virus activated could be
aborted after a WindowZero event from the client.
28. The 'active' column of 'updatecenter -servers' command showed misleading
information. The column shows which server that is the recommended server to
use by the UTM services (Anti-virus, IDP and Web Content Filtering). The column
has been renamed to 'Precedence' and a server is either marked as 'Primary' or
'Backup'.
29. PCAP captures on non-Ethernet interfaces were missing Ethernet headers
causing Wireshark to fail opening the files.
30. The configuration user and session stored for the configuration changes
sometimes indicated that the wrong user session stored the configuration. Now,
the correct user session parameters are stored.
31. In rare cases, the Web Content Filtering feature could trigger an unexpected
restart of the firewall.
32. A lease for a static host in a DHCP server was removed if a new lease with the
same MAC-address was created. A lease is now removed if the new lease is
within the same DHCP server and has the same MAC-address.
33. The webUI memory logger search fields used partial matching. The search
fields are now using strict matching with the possibility to use the wildcards '*'
and '?'.
34. Outdated information was sometimes used when generating log events from
the ALGs which could cause the device to restart.
35. It was not possible to select Local ID for certificates. Added configuration
support for Local ID.
36. Configuring the static IPsec config mode IP pool with an address range where
the least significant byte of the last address in the range is smaller that the least
significant byte of the first address in the range would cause the device to reboot
when several tunnels are established. One example of such a range is
172.16.1.240-172.16.2.40.
37. Route Fail Over status information was faultily printed on the console every
time the state of the route changed. These printouts are now removed and only
the log events remain.
38. Changing the high availability setting "use unique shared MAC" could make
both nodes of a high availability cluster go active.

36
 NetDefend Firewall Firmware Release Notes

39. There was a dependency between link monitors which resulted in that the
effective ping interval was reduced for each new link monitor configured.
40. The CLI was missing a quick and easy way to list the available runtime
services. A 'services' CLI command has been added. This command lists the
runtime values of configured services.
41. It was not possible to send IKE messages through an IPsec interface. The
result was that a pair of hosts could not establish an IPsec tunnel with each other
using IKE if the negotiation needed to pass through an IPsec tunnel established
by the firewall and a peer.
42. Netobject groups were not updated if the groups contained a dynamically
changed (DHCP, PPPoE etc.) address.
43. IPsec-tunnels using DNS resolving of the remote gateway could sometimes
not be established. The dynamic routes are now set properly for tunnels using
DNS resolving of remote gateway.
44. Certain device parameters, such as the device name, were previously
synchronized between the members of a HA cluster. To make it easier to
distinguish between the members of a HA cluster; these parameters are no
longer synchronized.
45. Route load balancing method spillover didn't take disabled routes into
account.
46. When reclassifying a Web Content Filtering blocked site, the new category for
the site was not immediately updated in the local cache. It could take up to five
hours before the cached entry was updated. The local cache is now immediately
updated once a site has been reclassified.
47. When activating HA in the WebUI, the browser was redirected to the shared
IP address of the management interface. Now, the web browser is redirected to
the private IP of the management interface.
48. The HTTP-ALG could fail to reconnect to Web Content Filter servers after a HA
fail-over. The unit will now reconnect to the server when URLs need to be
resolved.
49. The TCP stack used by TCP-based ALGs, web-based user authentication and
remote management did not respond to SYNs with the window set to zero.
50. The CLI command "arp -flush <interface>" did not work. It has now been
corrected. Flushing the ARP cache on all interfaces using "arp -flush" did work
though.
51. The firewall did not respond to TCP Keep-Alive packets.
52. Management sessions to the WebUI could on low throughput links timeout
before the web pages have been fully loaded. The timeout of the sessions has

37
 NetDefend Firewall Firmware Release Notes

been increased in order to better handle this scenario.

53. A leak of addresses in the static IPsec config mode IP pool caused the number
of addresses available to clients to shrink over time. It could also cause the
device to reboot itself.
54. IPsec config mode configured with a static IP pool did not, in general, hand
out the last address in a range to clients.
55. Log messages were not throttled correctly when the configured log receiver
was offline and in return sent ICMP destination unreachable packets to the
gateway. This made the gateway trigger more log messages which could lead to
drained CPU resources.
56. IPsec config mode, configured with multiple subnets or a static IP pool with
multiple ranges of addresses, falsely treated unchanged configurations as
changed during reconfiguration and disconnected all tunnels.
57. Using Web Content Filtering, users were incorrectly displayed the "access has
been denied" page if their HTTP request was generated while the WCF server
connection was establishing. The URL category lookup request is now silently
queued and sent to the WCF server once the connection has been established.
58. The HTTP-ALG blocked web pages with malformed charset statement in HTTP
headers.
59. A misconfigured IPsec tunnel could in some scenarios cause the firewall to
malfunction.
60. The firewall sometimes restarted unexpectedly when using IDP Pipes.
61. The LDAP client now handles authentication using PPP with CHAP,
MS-CHAPv1 and MS-CHAPv2.
62. Adobe Illustrator (.ai) files (saved by recent versions of Illustrator) did not
pass the MIME type check performed by the Application Layer Gateways since
they were identified as PDF files.
63. Removing the use of DHCP on multiple interfaces could in some rare cases
during reconfigure cause the firewall to perform an unexpected abort. Protection
has been added to the timeout handling routine of DHCP.
64. HTTP-ALG generated information pages, e.g. Restricted site notice, could get
incorrectly cached by downstream proxy servers. This could lead to proxy
servers returning a cached error message even though no error page should be
seen.
65. The OSPF Interface was missing the 'network' configuration parameter. This
caused problems in certain setups where IPsec tunnels configured with 0.0.0.0/0
as remote or local network. If the network parameter is not set, the network
parameter is copied from the configured interface.

38
 NetDefend Firewall Firmware Release Notes

66. The PPPoE client option "Force Unnumbered PPPoE" did not force
Unnumbered PPPoE to be used.
67. Under certain Traffic Sapping settings, lower precedences stop forwarding
traffic when higher precedences start forwarding traffic.
68. Configurations containing names or comments using certain special
characters could cause the firewall to fail reading the configuration during
startup.
1. ICMP Destination Unreachable packets were not sent when UDP packets hit a
Reject rule.
2. Web authentication and web server connections were not closed correctly at
reconfiguration.
3. The DHCP Server did just send replies back on the receiving interface without
regarding routing decisions. The DHCP Server now performs a route lookup if
the reply is destined for a host address (i.e. not an IP broadcast).
4. HA setups with IDP scanning enabled, packets could be lost during a failover.
5. Some services were using the private IP in HA setups for communicating. This
is now changed and the shared IP is used.
6. The DNS lookup of the IP address to a remote gateway failed under certain
circumstances for IPSec interfaces.
7. The CLI command for displaying updatecenter AV/IDP update status did not
show enough information. It has now been improved.
8. TCP connections could sometimes fail due to an incorrect sequence number
2.20.03 check.
9. A missing Content-Transfer-Encoding header field in e-mails could sometimes
cause the SMTP-ALG session to malfunction.
10. With TCP sequence validation turned on, closing existing connections would
cause all subsequent attempts to reopen the same connection to be dropped
with a log message about a bad sequence number. The situation would
resolve itself after a timeout of about 50 seconds, but would still cause
severe traffic impairment in certain situations (most noticeably HTTP traffic).
This change will by default loosen the restrictions when an attempt to reopen
a closed connection is received (ValidateSilent, ValidateLogBad), while still
enforcing RFC correctness.
11. The SMTP-ALG could not tell the difference between the new Microsoft Office
2007 document file types and file type ZIP. This is because there is no
difference that can be easily discovered (the new Microsoft Office files are in
fact ZIP files with a different extension). An ALG configured to make file
integrity checks would therefore signal these files as invalid (wrong mime

39
 NetDefend Firewall Firmware Release Notes

type, wrong file suffix...). The ALG will now identify Office 2007 files as ZIP
files. Anti-virus checks will, if enabled, scan the contents of the new Office
2007 files just like it would with a regular ZIP file.
12. IP address with suffixes .0 and/or .255 could incorrectly be assigned to IPSec
config mode clients.
13. Nested MIME bodies could in some scenarios be blocked by the SMTP-ALG.
For example, the SMTP-ALG could block images inserted as 'inline' with an
error message indicating base64 decoding error. The recipient received the
email without the attached image but an error message saying: "The
attachment xxxx has been blocked by the Security Gateway". The ALG has
been updated with better support for nested MIME blocks.
14. A user logging in via Web based user Authentication, when configured to
handle user credentials via one or several RADIUS servers, it could cause an
unexpected abort if no RADIUS server was reachable. This issue has been
fixed.
15. The web user interface, the properties in "Dynamic Black Listing" were
incorrectly enabled when action was set to something else than "protect".
16. The icon for removing IKE SA was missing, hence making it impossible to
remove an IKE SA using the web user interface.
17. DNS Blacklist CLI command showed wrong status of blacklist servers on
inactive HA member. Inactive HA member does not perform any anti-spam
inspection so the inactive node is unaware of the status of the blacklist
servers.
18. Email attachments with very long file names could cause memory corruption
in the SMTP-ALG.
19. Log string sent to syslog receivers was not always correctly formatted. Some
log arguments were not separated by a whitespace, resulting in invalid
parsing by syslog receivers.
20. When restarting an interface on the DFL-1600 or DFL-2500, there has been a
theoretical possibility of memory corruption. This issue has been fixed from
F/W v2.20.02 and later.
21. Connections were, under certain circumstances, incorrectly dropped by the
IDP scanning engine when audit mode was used.
22. After IPSec tunnels were modified, the reconfiguration of the gateway was
not done correctly. The result was that the gateway could go into unexpected
abort state.
23. A configured external log receiver that does not accept log messages might
send ICMP destination unreachable packets to the firewall. These packets

40
 NetDefend Firewall Firmware Release Notes

would trigger new log messages resulting in high CPU utilization. Logging is
now connection-based and the sending rate of log messages will be
decreased by the firewall when it receives ICMP destination unreachable
packets regarding log receiver connections.
24. TCP connections with SYN relay were not synchronized correctly. In case of
HA failover, traffic on these connections would freeze.
25. Unnecessary DynDNS and HTTP-Poster re-posts were triggered during
reconfigure. This is now avoided by always considering if the local interface
IP address has been changed or if the HTTP-Poster/DynDNS configuration
has been changed.
26. Some H.323 messages were incorrectly disallowed by the ALG. The H.323
Status Enquiry message is now allowed to be forwarded through the
H.323-ALG.
27. The Fail Mode setting in the HTTP-ALG was not honored by the Dynamic Web
Content Filtering.
28. The log message for expired or no valid Web Content Filtering license did only
show up once. There is now a log message generated once a one minute.
This should be more noticeable to the administrator.
29. The SMTP-ALG could in some scenarios cause instability to the system by
losing track of SMTP state synchronization. The SMTP-ALG has been updated
with improved state tracking and email syntax validation.
30. It was not possible to configure the primary NBNS server for L2TP/PPTP
server interfaces in the web user interface.
31. The TCP monitoring of Server Load Balancing did not increase TCP sequence
number in the reset packet sent to server in case of connection timeout. The
sequence number is now increased by one.
32. Server Load Balancing did not use All-To-One for port numbers. When using
a range on the service, the destination port would be the specified port plus
the offset from the low port number in the service.
33. One of the log messages had an incorrect format. When the log message was
placed first in the log table, the web user interface memlog would display an
empty page.
34. The description text for IP Pools incorrectly specified that IP Pools could be
used by L2TP and PPTP.
35. A confusing Anti-Virus status message was visible in status page on non UTM
capable devices. The message has been removed.
1. ICMP Destination Unreachable packets were not sent when UDP packets hit a
2.20.02
Reject rule.

41
 NetDefend Firewall Firmware Release Notes

2. Web authentication and web server connections were not closed correctly at
reconfiguration.
3. The DHCP Server did just send replies back on the receiving interface without
regarding routing decisions. The DHCP Server now performs a route lookup
if the reply is destined for a host address (i.e. not an IP broadcast).
4. HA setups with IDP scanning enabled, packets could be lost during a failover.
5. Some services were using the private IP in HA setups for communicating. This
is now changed and the shared IP is used.
6. The DNS lookup of the IP address to a remote gateway failed under certain
circumstances for IPSec interfaces.
7. The CLI command for displaying updatecenter AV/IDP update status did not
show enough information. It has now been improved.
8. TCP connections could sometimes fail due to an incorrect sequence number
check.
9. A missing Content-Transfer-Encoding header field in e-mails could sometimes
cause the SMTP-ALG session to malfunction.
10. With TCP sequence validation turned on, closing existing connections would
cause all subsequent attempts to reopen the same connection to be dropped
with a log message about a bad sequence number. The situation would
resolve itself after a timeout of about 50 seconds, but would still cause
severe traffic impairment in certain situations (most noticeably HTTP traffic).
This change will by default loosen the restrictions when an attempt to reopen
a closed connection is received (ValidateSilent, ValidateLogBad), while still
enforcing RFC correctness.
11. The SMTP-ALG could not tell the difference between the new Microsoft Office
2007 document file types and file type ZIP. This is because there is no
difference that can be easily discovered (the new Microsoft Office files are in
fact ZIP files with a different extension). An ALG configured to make file
integrity checks would therefore signal these files as invalid (wrong mime
type, wrong file suffix...). The ALG will now identify Office 2007 files as ZIP
files. Anti-virus checks will, if enabled, scan the contents of the new Office
2007 files just like it would with a regular ZIP file.
12. IP address with suffixes .0 and/or .255 could incorrectly be assigned to IPSec
config mode clients.
13. Nested MIME bodies could in some scenarios be blocked by the SMTP-ALG.
For example, the SMTP-ALG could block images inserted as 'inline' with an
error message indicating base64 decoding error. The recipient received the
email without the attached image but an error message saying: "The

42
 NetDefend Firewall Firmware Release Notes

attachment xxxx has been blocked by the Security Gateway". The ALG has
been updated with better support for nested MIME blocks.
14. A user logging in via Web based user Authentication, when configured to
handle user credentials via one or several RADIUS servers, it could cause an
unexpected abort if no RADIUS server was reachable. This issue has been
fixed.
15. The web user interface, the properties in "Dynamic Black Listing" were
incorrectly enabled when action was set to something else than "protect".
16. The icon for removing IKE SA was missing, hence making it impossible to
remove an IKE SA using the web user interface.
17. DNS Blacklist CLI command showed wrong status of blacklist servers on
inactive HA member. Inactive HA member does not perform any anti-spam
inspection so the inactive node is unaware of the status of the blacklist
servers.
18. Email attachments with very long file names could cause memory corruption
in the SMTP-ALG.
19. Log string sent to syslog receivers was not always correctly formatted. Some
log arguments were not separated by a whitespace, resulting in invalid
parsing by syslog receivers.
20. When restarting an interface on the DFL-1600 or DFL-2500, there has been a
theoretical possibility of memory corruption. This issue has been fixed from
F/W v2.20.02 and later.
21. Connections were, under certain circumstances, incorrectly dropped by the
IDP scanning engine when audit mode was used.
22. After IPSec tunnels were modified, the reconfiguration of the gateway was
not done correctly. The result was that the gateway could go into unexpected
abort state.
23. A configured external log receiver that does not accept log messages might
send ICMP destination unreachable packets to the firewall. These packets
would trigger new log messages resulting in high CPU utilization. Logging is
now connection-based and the sending rate of log messages will be
decreased by the firewall when it receives ICMP destination unreachable
packets regarding log receiver connections.
24. TCP connections with SYN relay were not synchronized correctly. In case of
HA failover, traffic on these connections would freeze.
25. Unnecessary DynDNS and HTTP-Poster re-posts were triggered during
reconfigure. This is now avoided by always considering if the local interface
IP address has been changed or if the HTTP-Poster/DynDNS configuration

43
 NetDefend Firewall Firmware Release Notes

has been changed.

26. Some H.323 messages were incorrectly disallowed by the ALG. The H.323
Status Enquiry message is now allowed to be forwarded through the
H.323-ALG.
27. The Fail Mode setting in the HTTP-ALG was not honored by the Dynamic Web
Content Filtering.
28. The log message for expired or no valid Web Content Filtering license did only
show up once. There is now a log message generated once a one minute.
This should be more noticeable to the administrator.
29. The SMTP-ALG could in some scenarios cause instability to the system by
losing track of SMTP state synchronization. The SMTP-ALG has been updated
with improved state tracking and email syntax validation.
30. It was not possible to configure the primary NBNS server for L2TP/PPTP
server interfaces in the web user interface.
31. The TCP monitoring of Server Load Balancing did not increase TCP sequence
number in the reset packet sent to server in case of connection timeout. The
sequence number is now increased by one.
32. Server Load Balancing did not use All-To-One for port numbers. When using
a range on the service, the destination port would be the specified port plus
the offset from the low port number in the service.
33. One of the log messages had an incorrect format. When the log message was
placed first in the log table, the web user interface memlog would display an
empty page.
34. The description text for IP Pools incorrectly specified that IP Pools could be
used by L2TP and PPTP.
35. A confusing Anti-Virus status message was visible in status page on non UTM
capable devices. The message has been removed.

Known Issues:
Firmware Known Issues
Version
2.60.02 1. The Oray.net Peanut Hull client does not work after they changed the
protocol
2. HA: Transparent Mode won't work in HA mode: There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs: No aspect of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when

44
 NetDefend Firewall Firmware Release Notes

the cluster fails over to the other peer. if, however, the cluster fails back
over to the original peer within approximately half a minute, frozen sessions
(and associated transfers) should begin working again. Note that such
failover (and consequent fallback) occurs each time a new configuration is
uploaded.
4. HA: Tunnels unreachable from inactive node: The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as
such tunnels are established to/from the active node.
A. Inactive HA member cannot send log events over tunnels.
B. Inactive HA member cannot be managed / monitored over tunnels.
C. OSPF: If the cluster members do not share a broadcast interface so that
the inactive node can learn about OSPF state, OSPF failover over
tunnels uses normal OSPF failover rather than accelerated (<1s)
failover. This means 20-30 seconds with default settings, and 3-4
seconds with more aggressively tuned OSPF timings.
5. HA: No state synchronization for L2TP, PPTP and IPsec tunnels: There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover,
incoming clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
HA: No state synchronization for IDP signature scan states: No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
2.40.04 1. SSL VPN: Outer interface 'any' limitation: If the SSL VPN interface is
configured with the outer interface 'any' option, SSL VPN will be disabled.
2. The Oray.net Peanut Hull client does not work after they changed the
protocol
3. HA: Transparent Mode won't work in HA mode: There is no state
synchronization for Transparent Mode and there is no loop avoidance.
4. HA: No state synchronization for ALGs: No aspect of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when
the cluster fails over to the other peer. if, however, the cluster fails back
over to the original peer within approximately half a minute, frozen sessions
(and associated transfers) should begin working again. Note that such
failover (and consequent fallback) occurs each time a new configuration is
uploaded.
5. HA: Tunnels unreachable from inactive node: The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as
such tunnels are established to/from the active node.
D. Inactive HA member cannot send log events over tunnels.

45
 NetDefend Firewall Firmware Release Notes

E. Inactive HA member cannot be managed / monitored over tunnels.

F. OSPF: If the cluster members do not share a broadcast interface so that
the inactive node can learn about OSPF state, OSPF failover over
tunnels uses normal OSPF failover rather than accelerated (<1s)
failover. This means 20-30 seconds with default settings, and 3-4
seconds with more aggressively tuned OSPF timings.
6. HA: No state synchronization for L2TP, PPTP and IPsec tunnels: There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover,
incoming clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
7. HA: No state synchronization for IDP signature scan states: No aspects of the
IDP signature states are synchronized. This means that there is a small
chance that the IDP engine causes false negatives during an HA failover.
2.40.02 1. If the SSL VPN interface is configured with the outer interface 'any' option,
SSL VPN will be disabled.
2. Don’t support the latest protocol used by oray.net Peanut Hull clients.
3. Transparent Mode won’t in HA mode.
4. ALGs won’t synchronize states in HA mode.
5. L2TP, PPTP, IPSec won’t synchronize states in HA mode.
6. The inactive node in an HA cluster cannot be reachable over IPSec, PPTP,
L2TP and GRE tunnels.
7. If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over VPN tunnels
uses normal OSPF failover rather than accelerated (<1s) failover. This
means 20-30 seconds with default settings, and 3-4 seconds with more
aggressively tuned OSPF timings.
8. No aspects of the IDP signature states are synchronized in HA modes.
2.40.01 1. If the SSL VPN interface is configured with the outer interface 'any' option,
SSL VPN will be disabled.
2. Don’t support the latest protocol used by oray.net Peanut Hull clients.
3. Transparent Mode won’t in HA mode.
4. ALGs won’t synchronize states in HA mode.
5. L2TP, PPTP, IPSec won’t synchronize states in HA mode.
6. The inactive node in an HA cluster cannot be reachable over IPSec, PPTP,
L2TP and GRE tunnels.
7. If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over VPN tunnels

46
 NetDefend Firewall Firmware Release Notes

uses normal OSPF failover rather than accelerated (<1s) failover. This
means 20-30 seconds with default settings, and 3-4 seconds with more
aggressively tuned OSPF timings.
8. No aspects of the IDP signature states are synchronized in HA modes.
2.40.00 1. Don’t support the latest protocol used by oray.net Peanut Hull clients.
2. Transparent Mode won’t in HA mode.
3. ALGs won’t synchronize states in HA mode.
4. L2TP, PPTP, IPSec won’t synchronize states in HA mode.
5. The inactive node in an HA cluster cannot be reachable over IPSec, PPTP, L2TP
and GRE tunnels.
7. DFL cannot support redirecting L2TP/IPSec tunnels to another DFL working in
LAN.
8. No aspects of the IDP signature states are synchronized in HA modes.
2.30.01 1. Don’t support the latest protocol used by oray.net Peanut Hull clients.
2. Transparent Mode won’t in HA mode.
3. ALGs won’t synchronize states in HA mode.
4. L2TP, PPTP, IPSec won’t synchronize states in HA mode.
5. The inactive node in an HA cluster cannot be reachable over IPSec, PPTP, L2TP
and GRE tunnels.
7. DFL cannot support redirecting L2TP/IPSec tunnels to another DFL working in
LAN.
8. No aspects of the IDP signature states are synchronized in HA modes.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspects of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
2.27.03 transfers) should begin working again. Note that such failover (and consequent
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the

47
 NetDefend Firewall Firmware Release Notes

inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
10. The function “StateKeepAlive” of NAT Pool is not working.
11. SIP ALG: Limited functionality on SIP ALG. It supports three scenarios: (a)
Protecting local clients - Proxy located on the Internet; (b) Protecting proxy and
local clients - Proxy on the same network as clients; (c) Protecting proxy and
local clients - Proxy on a DMZ interface. A more detailed description and network
topologies can be found in the Admin Guide. Any scenario different from these
three might be difficult to deploy.
12. SIP ALG: Limited functionality on IP telephony. It is not support all
functionality in RFC-3261 or other RFC’s that is referred to from RC-3261. There
may be third party SIP-aware units that cannot be configured to be compatible
with the SIP-ALG.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspects of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
transfers) should begin working again. Note that such failover (and consequent
2.27.02
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses

48
 NetDefend Firewall Firmware Release Notes

normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
10. The function “StateKeepAlive” of NAT Pool is not working.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspects of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
transfers) should begin working again. Note that such failover (and consequent
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
2.27.01 6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
10. The function “StateKeepAlive” of NAT Pool is not working.

49
 NetDefend Firewall Firmware Release Notes

1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspects of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
transfers) should begin working again. Note that such failover (and consequent
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
2.27.00 6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
10. The function “StateKeepAlive” of NAT Pool is not working.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspects of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
2.26.02 cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
transfers) should begin working again. Note that such failover (and consequent
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such

50
 NetDefend Firewall Firmware Release Notes

tunnels are established to/from the active node.

5. Inactive HA member cannot send log events over tunnels.
6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
10. The function “StateKeepAlive” of NAT Pool is not working.
11. The DUT would be crash and reboot after restart the GRE interface.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspects of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
transfers) should begin working again. Note that such failover (and consequent
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
2.26.01 cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming

51
 NetDefend Firewall Firmware Release Notes

clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode. There is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGs. No aspect of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to the
original peer within approximately half a minute, frozen sessions (and associated
transfers) should begin working again. Note that such failover (and consequent
fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node. The inactive node in an HA
cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
2.26.00
6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means 20-30
seconds with default settings, and 3-4 seconds with more aggressively tuned
OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels. There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small chance
that the IDP engine causes false negatives during an HA failover.
1. The Oray.net Peanut Hull client does not work after they changed the protocol
2. HA: Transparent Mode won't work in HA mode There is no state
synchronization for Transparent Mode and there is no loop avoidance.
2.25.01.28
3. HA: No state synchronization for ALGs No aspect of ALGs are state
synchronized. This means that all traffic handled by ALGs willfreeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to

52
 NetDefend Firewall Firmware Release Notes

the original peer within approximately half a minute, frozen sessions (and
associated transfers) should begin working again. Note that such failover
(and consequent fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive node The inactive node in an HA cluster
cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
5. Inactive HA member cannot send log events over tunnels.
6. Inactive HA member cannot be managed / monitored over tunnels.
7. OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means
20-30 seconds with default settings, and 3-4 seconds with more
aggressively tuned OSPF timings.
8. HA: No state synchronization for L2TP, PPTP and IPsec tunnels There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
9. HA: No state synchronization for IDP signature scan states No aspects of the
IDP signature states are synchronized. This means that there is a small
chance that the IDP engine causes false negatives during an HA failover.
1. If the IPSec encapsulation was configured as both, when upgrade firmware to
v2.25.01.22, it will cause device into cycle reboot. This problem has been
fixed in v2.25.01.28.
2. The Oray.net Peanut Hull client does not work after they changed the protocol
3. HA: Transparent Mode won't work in HA mode There is no state
synchronization for Transparent Mode and there is no loop avoidance.
4. HA: No state synchronization for ALGs No aspect of ALGs are state
synchronized. This means that all traffic handled by ALGs willfreeze when the
cluster fails over to the other peer. if, however, the cluster fails back over to
2.25.01.22
the original peer within approximately half a minute, frozen sessions (and
associated transfers) should begin working again. Note that such failover
(and consequent fallback) occurs each time a new configuration is uploaded.
5. HA: Tunnels unreachable from inactive node The inactive node in an HA cluster
cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
6. Inactive HA member cannot send log events over tunnels.
7. Inactive HA member cannot be managed / monitored over tunnels.
8. OSPF: If the cluster members do not share a broadcast interface so that the

53
 NetDefend Firewall Firmware Release Notes

inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means
20-30 seconds with default settings, and 3-4 seconds with more
aggressively tuned OSPF timings.
9. HA: No state synchronization for L2TP, PPTP and IPsec tunnels There is no
state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
10. HA: No state synchronization for IDP signature scan states No aspects of the
IDP signature states are synchronized. This means that there is a small
chance that the IDP engine causes false negatives during an HA failover.
1. The Oray.net for Peanut Hull DDNS client does not work after supplier changed
the protocol.
2. HA: Transparent Mode won't work in HA modeThere is no state
synchronization for Transparent Mode and there is no loop avoidance.
3. HA: No state synchronization for ALGsNo aspect of ALGs are state
synchronized. This means that all traffic handled by ALGs will freeze when
the cluster fails over to the other peer. if, however, the cluster fails back over
to the original peer within approximately half a minute, frozen sessions (and
associated transfers) should begin working again. Note that such failover
(and consequent fallback) occurs each time a new configuration is uploaded.
4. HA: Tunnels unreachable from inactive nodeThe inactive node in an HA cluster
cannot communicate over IPSec, PPTP, L2TP and GRE tunnels, as such
tunnels are established to/from the active node.
2.20.03  Inactive HA member cannot send log events over tunnels.
 Inactive HA member cannot be managed / monitored over tunnels.
 OSPF: If the cluster members do not share a broadcast interface so that the
inactive node can learn about OSPF state, OSPF failover over tunnels uses
normal OSPF failover rather than accelerated (<1s) failover. This means
20-30 seconds with default settings, and 3-4 seconds with more
aggressively tuned OSPF timings.
5. HA: No state synchronization for L2TP, PPTP and IPSec tunnels. There is no
state synchronization for L2TP, PPTP and IPSec tunnels. On failover, incoming
clients will re-establish their tunnels after the tunnels are deemed
non-functional. This timeout is typically in the 30 -- 120 seconds range.
6. HA: No state synchronization for IDP signature scan states. No aspects of the
IDP signature states are synchronized. This means that there is a small
chance that the IDP engine causes false negatives during an HA failover.

54
 NetDefend Firewall Firmware Release Notes

Related Documentation:
- NetDefend Firewall User Manual v2.60.02
- NetDefend Firewall CLI Reference Guide v2.60.02
- NetDefend Firewall Logging Reference Guide v2.60.02
- NetDefend Firewall Application Control Sig v2.60.02

55