
Note: This document is also available in PDF format. A PDF version of this guide can be found in the document file list for each cOS Core release at https://my.clavister.com.
Clavister cOS Core 15.00.05 is the latest version of our award-winning network security operating system powering the Clavister NetWall, our premium NGFW security solution.
For a list of appliances that are supported by this version of Clavister cOS Core, please refer to the Compatibility section.
Important: If you are using InControl for centralized management, please note that cOS Core 15.00.05 requires InControl version 4.01.03 or later. We recommend always using the latest version.
Important: Clavister cOS Core 15.00.05 requires a Clavister subscription covering May 1, 2026. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.
The following sections detail new features and enhancements in Clavister cOS Core 15.00.05. For a complete list and description of all the features in Clavister cOS Core 15.00.05, refer to Clavister cOS Core Administration Guide 15.00.05.
RSA-PSS in IKE/IPsec
IKE and IPsec can now be configured to use certificates with RSA-PSS signatures. IKEv2 can also use RSA-PSS digital
signatures during IKE authentication.
New Route Monitor Functionality
A route can now be configured to start disabled while the monitored host is reachable and become enabled if the monitored
host becomes unreachable.
ACME Certificate Renewals
Support for 'renewalInfo' according to RFC9773 has been added to accurately determine when a certificate should be renewed.
ACME Certificate Handling
The ACME subsystem now uses 'Authority Key ID' and 'Serial number' to identify certificates during the renewal phase, in
accordance with RFC9773.
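As an added illustration of the two ACME items above (not Clavister code), the following script builds the RFC 9773 certificate identifier from the Authority Key Identifier and serial number, and turns a constructed renewalInfo response into a renewal decision using the client algorithm the RFC recommends. The renewalInfo URL, the sample response and the explanationURL are assumed placeholders.

```python
"""ACME Renewal Information (ARI) helpers, after RFC 9773.

Assumed: a client that already has the certificate's AKI keyIdentifier
bytes and serial number, and the renewalInfo URL from the ACME directory.
"""
import base64
import json
import random
from datetime import datetime, timedelta, timezone


def _b64url(data: bytes) -> str:
    # ACME uses base64url without '=' padding throughout (RFC 8555 / RFC 9773)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(serial: int) -> bytes:
    """Content octets of a DER INTEGER, without tag and length bytes.

    RFC 9773 identifies a certificate by its serial exactly as it appears in
    the DER: minimal big-endian two's complement, so a leading 0x00 is kept
    when the top bit is set.
    """
    if serial < 0:
        raise ValueError("certificate serial numbers are positive (RFC 5280)")
    raw = serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """certID = base64url(AKI keyIdentifier) '.' base64url(DER serial content)."""
    return f"{_b64url(aki_key_identifier)}.{_b64url(der_integer_content(serial))}"


def renewal_info_url(renewal_info_base: str, cert_id: str) -> str:
    """The ARI resource is fetched with GET <renewalInfo URL>/<certID>."""
    return f"{renewal_info_base.rstrip('/')}/{cert_id}"


def parse_renewal_info(body: str) -> dict:
    """Parse a renewalInfo JSON body into timezone-aware datetimes."""
    info = json.loads(body)
    window = info["suggestedWindow"]
    start = datetime.fromisoformat(window["start"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(window["end"].replace("Z", "+00:00"))
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    return {"start": start, "end": end, "explanation": info.get("explanationURL")}


def choose_renewal_time(window, now, next_check, can_schedule_exact=False, rng=random.random):
    """Client behaviour recommended by RFC 9773:

    1. pick a uniformly random instant inside the suggested window;
    2. if it is already in the past, renew now;
    3. if the client can fire a timer at exactly that instant, use it;
    4. otherwise renew now if the instant comes before the next ARI poll,
       and do nothing (re-poll later) if it comes after.
    Returns the datetime to renew at, or None for "wait for the next poll".
    """
    start, end = window["start"], window["end"]
    selected = start + (end - start) * rng()
    if selected <= now:
        return now
    if can_schedule_exact:
        return selected
    if selected < next_check:
        return now
    return None


# Constructed sample response, shaped like the example in RFC 9773.
SAMPLE_RENEWAL_INFO = json.dumps({
    "suggestedWindow": {"start": "2026-01-03T00:00:00Z", "end": "2026-01-07T00:00:00Z"},
    "explanationURL": "https://example.com/docs/ari",  # placeholder URL
})


if __name__ == "__main__":
    # Test vector from the RFC 9773 example: AKI keyIdentifier and serial 0x87654321.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    cert_id = ari_cert_id(aki, 0x87654321)
    print(renewal_info_url("https://acme.example/renewalInfo", cert_id))  # placeholder base URL
    window = parse_renewal_info(SAMPLE_RENEWAL_INFO)
    now = datetime(2026, 1, 2, 12, tzinfo=timezone.utc)
    print(choose_renewal_time(window, now, now + timedelta(hours=6)))
```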
ACME Profiles
Support for profiles has been added to the ACME protocol.
Persistent IPsec Tunnels
When changing IKE IDs on an IPsec tunnel, IPsec tunnel connections are now kept. This is an improvement for customers
that often update their ID lists.
Post Quantum Crypto Support
Post Quantum Crypto (PQC) algorithms are now supported for TLS (OneConnect, TLS ALG, Admin Web User Interface and Web
Authentication).
Increased Number of OneConnect Routes
The maximum number of routes that can be sent to a OneConnect client has been increased from 32 to 64.
Improved OSPF Configuration View in the CLI
The CLI output for the OSPF command has been updated to a more user-friendly view.
Updated Blacklist REST API Behavior
When an already blacklisted IP is posted again using the REST API, the blacklist time-to-live is updated. Previously,
REST API calls returned an error message when the IP was blacklisted already.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
Updated TLS/SSL Library
The embedded TLS/SSL library has been updated to the latest version.
Updated Application Control Library
The Application Library has been updated to version 1.820.0. New protocols include:
Audio/Video
File Transfer
Middleware
Thin Client
Tunneling
Web
Webmail
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
NTP Version 3 and 4
The NTP (Network Time Protocol) client has been upgraded and now supports version 3 (RFC 1305) and version 4 (RFC
5905) of the NTP protocol. The number of concurrent servers has been increased from two to three.
Authentication is supported. Time updates are synced to the inactive node in HA setups.
Support for Certificate Chains
The handling of certificate chains has been improved. Instead of having one certificate object per certificate, it is
now possible to add a chain object that contains the whole certificate chain.
Possibility to Limit the Number of Half-Open TCP Connections
A configuration setting for limiting the number of half-open TCP connections has been added. By default the behavior is
the same as in earlier versions, where no limit is applied.
Thresholds for SSH Rekeying
You can now set data and time thresholds for SSH rekeying.
Logging of Firmware Update Events
Logging during firmware upgrades has been improved. A new log message is generated when a firmware upgrade has been
triggered, as well as when the upgrade was cancelled or did not succeed.
Administrator Access Banner
It is now possible to specify a customized access banner that is shown directly after login to the WebUI, the
serial/local console and the SSH console.
Protection of PSK HEX Keys
The PSK HEX key is now treated as a password field and is encrypted when saved to the configuration. The only time a PSK
HEX key is visible to the administrator is directly after it has been generated, to allow the PSK to be copied to other
systems.
Improved Random Number Generator
The security level of the random number generator has been increased in 64-bit versions (100 Series, 300 Series, 500 Series, 6000 Series,
200R, RSG-200 and 64-bit virtual).
Protection of Passwords
All passwords stored in the configuration are now encrypted.
Unspecified and Reserved IPv6 Addresses
A setting has been added which, when enabled, blocks and logs unspecified and reserved IPv6 address ranges. The
setting is named "IPv6 Reserved Net" (IPv6ReservedNet in the CLI) and can be found under Advanced Settings
-> IP Settings.
Improved Reassembly Logging
Previously, not all reasons why a TCP reassembly could fail were logged.
Logging of the User Responsible for Configuration Changes
The firewall will now track the user that last modified a configuration object and allow generating log events with
information about what was changed and by whom. By default the logging of configuration changes is disabled but can be
enabled using a global setting (System->Advanced Settings->Misc).
Logging of Time Changes
All situations in which the system time is changed are now logged, for example manual updates in the CLI, manual
updates in the WebUI, updates by the NTP subsystem, timezone changes and daylight saving time changes.
Logging Of Configuration Changes
The system now has the ability to generate separate log messages on activation of modified objects in the configuration
and what changes were introduced.
Protection of Private Certificate Keys
Certificate private keys are now encrypted in the configuration.
OneConnect Status in the REST API
Information about currently connected OneConnect clients can now be accessed over the REST API. The information is the
same as in the OneConnect web user interface status page. For more details, see the REST API guide.
Logging of Interface Link Changes
There is now an added log for interface link up and link down events in the SYSTEM category.
New Application Control Library
The application control engine library has been updated to version 5.11.
Synchronization of Time and Date for HA Clusters
Time and date are now synchronized between HA members.
Improved Cloning of Configuration Objects
When using "clone" in the Web User Interface, the copy is now always placed below the currently cloned object.
Before this change, it was placed last in the list.
Clearer Configuration of ARP Publish Mode
The MAC address field is now grayed out in the Web User Interface when ARP Publish Mode is selected.
Improved Connections CLI Command
In the "connections" CLI command, it is now possible to filter on subnets with the "-srcip",
"-destip" and "-ip" options, for example "-srcip=192.168.1.0/24".
Blacklist REST API Improvement
The destination parameter (dest) has been added to the blacklist REST API (/api/oper/blacklist).
Neighbor Devices With Random MAC
The Neighbor Devices overview in the Web User Interface now shows if the device has a randomized MAC address.
Enhanced Filter for the "connections" CLI Command
A new argument has been added to the "connections" CLI command. Now it is possible to use "-ip" as a
filter to include both source and dest at the same time.
IP Rule Sets in the REST API
A new endpoint which lists all additional IP rule sets has been added to the REST API. For details, see the REST API
Guide.
Update of The Threat Prevention Menu in the Web User Interface
The left tree in the web user interface menu "Threat Prevention" has been updated with new sections.
OneConnect Custom URL
A new client option has been added to the OneConnect interface to enable a configured URL to be opened after the client
has connected. The label of the button can also be selected.
Updated Web User Interface Columns for NAT Pools
The NAT Pool overview page has been updated to show IP Pool or IP Range information.
ACME Support for Buypass Discontinued
Buypass has been removed as a possible certificate provider since their service ceased to issue new certificates on
October 15, 2025. Any account with Buypass as an endpoint will automatically be disabled. Certificates that have
already been issued will remain functional until the end of their validity.
Improved Web User Interface Page for User Authentication Rules
The Options tab on the web user interface page for User Authentication Rules has been restructured. Settings have been
grouped by authentication source and headers have been added, to make configuration clearer.
More Structured Web User Interface for Misc Settings
The misc settings web user interface page has been updated with settings grouped in sections.
Standardized 2048-bit Diffie-Hellman Group Considered Insecure for TLS
The standardized 2048-bit Diffie-Hellman group has been replaced with the corresponding 4096-bit group for TLS.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
Updated TLS/SSL Library
The embedded TLS/SSL library has been updated to the latest version.
Updated Application Control Library
The Application Library has been updated to version 1.800.0. New protocols include:
Antivirus
ERP
Network Management
Peer to Peer
Audio/Video
Instant Messaging
Thin Client
Authentication
Network Service
Game
Tunneling
Database
Web
Support for GRE L2
Support for GRE L2 (Generic Routing Encapsulation at Layer 2) tunnels has been added. GRE L2,
also known as GRETAP or L2GRE, enables encapsulation of full Ethernet frames, including the
original Ethernet header, allowing for the transparent transport of Layer 2 traffic between
two Clavister NetWall devices.
Note: GRE L2 tunnels are not encrypted or authenticated by default. For secure transport, it is recommended to combine GRE L2 with IPsec.
OneConnect Certificates
It is now possible to configure a certificate per OneConnect interface, instead of using one global certificate for all
OneConnect interfaces. By default, new and existing OneConnect interfaces use the management web user interface
certificate.
Updated Timeout for Subscription-Based Licenses
Subscription-based licenses were previously limited to running for 2 weeks without an update check. This limit has been
removed, and reduced mode is now delayed until the subscription end is reached.
OpenID Connect (OIDC) User Groups
OIDC has been updated and can now handle up to 199 groups. If a user belongs to more than 199 groups, Microsoft Entra
will not send any group memberships. See the KB space (https://kb.clavister.com) for instructions on how to handle this
scenario.
RADIUS Server
The integrated RADIUS server allows Clavister NetWall appliances to provide authentication services for devices
using EAP-TLS in 802.1X deployments. It is designed specifically for device-based authentication and does not
support user authentication. This enables the firewall to function as a RADIUS server for network access control
in environments where certificate-based authentication is used to validate devices.
SNMPv3 Privacy Passphrase
It is now possible to configure separate passwords for SNMPv3 Authentication and SNMPv3 Privacy. The new setting is
optional and is configured on the user in the local user database. If the privacy passphrase is not set, the normal
password will be used both for authentication and privacy like in older versions.
Improved Memory Tracking
The internal memory reporting system has been improved for better subsystem memory tracking. The result in the
"memory" CLI command will be more accurate after this change.
New Advanced Setting for SNMP
It is now possible to use the device name (configured under Device Settings, shown at the top of the web user interface
dashboard and used as CLI prompt) as SNMP System Name, instead of specifying an additional name only used for SNMP.
Firewalls upgraded will continue to use the same SNMP System Name in the configuration as in older versions while new
installations have the new setting enabled to use the global device name. The new setting can be found under Remote
Management -> Advanced Settings.
Default Private IP Address for VLAN Interfaces
New VLAN Interfaces will have the default value for Private HA IPv4 Address set to "localhost".
Updated Backup Filenames
The default filenames for configuration backups, anonymous configuration backups and full system backups, when downloading
from the web user interface, have been updated to include the firmware version. The technical support file name, also
when downloaded from the web user interface, has been aligned with the backup files and also includes the HA member
role if the device is part of an HA cluster.
IPv6 Support for the REST API
The REST API now also supports using IPv6 addresses.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
New Application Control Library
The Application Library has been updated to version 1.770.1. New protocols include:
Tunneling
Security Service
Thin Client
Database
Audio/Video
Instant Messaging
Web
Usernames for OpenID Connect and Microsoft Entra
It is now possible to specify which OpenID Connect parameter, instead of the default one, to use for populating username
when OIDC is used as Authentication method. This makes it possible to get usernames in plain text instead of the GUID
that Microsoft Entra otherwise sends.
New Version of the AI Library
The AI library has been updated to version 1.2.0.
OpenID Connect (OIDC)
A timer has been added to regularly keep the OIDC data up to date. The refresh interval is a user setting with a default
of one hour.
Upload Progress Bar in the Web User Interface
The Web User Interface will now display a progress bar showing file upload progress when uploading Upgrade files and
Full Backup files.
Certificate Chains in Reverse Proxy
Added support for configuration of certificate chains in the reverse proxy maps.
Ping CLI Command Improvement
The "ping" CLI command has been updated to resolve both IPv4 and IPv6 addresses, prioritizing IPv4 if both
resolve. To ping using a specific IP version, use "ping -4" or "ping -6".
Temporary Blacklist of IPs from the Web User Interface
It is now possible to temporarily blacklist IP addresses from the Blacklist Status page in the web user interface. IPs
will be blocked for 24 hours. For more detailed manual blacklisting, we recommend using the REST API.
Legacy Interface Drivers
Support for legacy interface drivers has been removed from the 32-bit version of cOS Core.
Updated Timezone Database
The timezone database has been updated to the latest version.
Shutdown CLI Command
The CLI command "shutdown" has been updated to do a full reboot as the default behavior on 100, 200R, 300,
500, 6000 Series and 64-bit virtual installations. The flags "-reboot" and "-restart" are available
on all platforms.
Extended Error Logging for RADIUS
The RADIUS client has been extended to include the reason why "radius_parse_error" was triggered, making it easier
to determine where the problem is.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
New Application Control Library
The Application Library has been updated to version 1.760.1. New protocols include:
Game
Network Service
Application Service
Tunneling
Middleware
Audio/Video
Web
AI Policies
Using Artificial Intelligence (AI) to perform Anomaly Detection, in a broad sense, is the
identification of patterns that do not conform to a defined normal behavior. In cOS Core, the
Anomaly Detection feature employs a combination of state-of-the-art concepts in machine learning and
time-series analysis to detect communication misbehavior in near real-time. The underlying technique
features a multi-layer AI engine that enables the creation and configuration of multiple AI models
that monitor multiple data streams concurrently.
AI Policies are available on the 200R Series, 300 Series, 500 Series and 6000 Series. To configure AI Policies a license is
required.
IPv6 Support for PPPoE Interfaces
PPPoE (Point-to-Point Protocol over Ethernet) interfaces now fully support IPv6, ensuring
compatibility with ISPs and services that rely on IPv6 addressing.
IP Rules, ALGs and SSL VPN Interfaces
Older types of objects like IP Rules, ALGs and SSL VPN Interfaces can no longer be added.
Existing objects of these types can still be edited or deleted. Their replacements are IP Policies,
Profiles and OneConnect.
User Groups
Configuration of user authentication related to IP Policies has been updated. Instead of configuring
user authentication on the address object, a new User Group object has been introduced. This new
object can be used as a filter directly on an IP Policy.
During the upgrade, a conversion to the new format is done. Nested objects cannot be converted automatically.
IP Policies, IP Rules, Threshold Rules, IDP Rules and Routing Rules referring to network objects that could not be converted will be disabled after the upgrade, so that the administrator can verify them before manually activating them again.
Review the configuration log after the upgrade; any object that was not converted will be listed there. Disabled objects will also be logged in the console CLI during the first start-up of the new version.
Prefix Delegation for DHCPv6
Support has been added for IPv6 Prefix Delegation. An external interface, for example the interface
facing the ISP, can be set in DHCPv6 Client mode and internal interfaces can after that delegate a
subnet of the received prefix.
DHCP Client for High Availability
Interfaces in a High Availability (HA) cluster can now use DHCP to obtain an IPv4 address to be used
as a shared IP address.
Graphic View Update to Tables
Proxy ARP has been added as a column to the Routing Table page. Routing Table has been added as a
column to the Loopback Interface page.
Updated CLI Output
The "pipes" CLI command (-show <pipe>) listed the precedence levels from 0 to 7. The
order has been changed to match the order in the web user interface configuration page, which is 7
to 0 with total last.
More Members in IPv4 Address Groups, IPv6 Address Groups and Ethernet Address Groups
The number of allowed members in address groups has been increased from 256 to 512.
Renamed CLI Command
The CLI command for resetting a device to factory settings has been renamed, to make it harder to
use by mistake. The new name is "reset -factorydefault".
IPv6 Support for the "pcapdump" CLI Command
It is now also possible to filter on IPv6 addresses in the "pcapdump" CLI command.
Updated Maintenance Menu
The maintenance menu in the web user interface has been updated. The options "reset" and
"restart" have been separated and now have a menu item of their own.
Updated Default Values
The default values for some advanced settings have been increased; these include the settings
for ARP hash/cache size.
Simplified System Error Reports for 64-bit Versions
Devices that crash will now generate a simplified text based version in addition to the ordinary
crash dump file. The simplified version is included in the technical support file.
More Details in InControl Log Messages
The log parameters "connsrcdevice", "conndestdevice", "connsrcmac" and
"conndestmac" have been added to EFW logs.
Improvements to Cloud-init
It is now possible to add license commands in the userdata file in a Cloud-init OpenStack
environment, which allows SECaaS license information to be added.
Update to Application Control Rules
User authentication has been removed from Application Control rules. User authentication is instead
configured on the IP Policy.
Removed Inline Application Control Configuration
Configuring Application Control on IP Policies now requires a previously created Application Rule
Set to be set and does not allow inline configuration. Existing configurations with inline
Application Control configuration will be converted to use Application Rule Set.
Updated Filter Layout for IP Policies in the Web User Interface
The filter configuration has been updated for all rules and policies to use a vertical layout
instead of horizontal to accommodate new filter methods.
Removed Inline File Control Configuration
Configuring File Control on an IPPolicy now requires a previously created File Control Profile to be
set and does not allow inline configuration. Existing configurations with inline File Control
configuration will be converted to use File Control Profile.
Removed Inline Anti-Virus Configuration
Configuring Anti-Virus on an IPPolicy now requires a previously created Anti-Virus Profile to be
set and does not allow inline configuration. Existing configurations with inline Anti-Virus
configuration will be converted to use an Anti-Virus Profile.
Updated List of IP Policies in the Web User Interface
The list of IP Policies in the web user interface now uses icons for options on the Policy. This
allows for listing more information on the overview page.
Default Value for Source Address Translation
The default value for "Source Address Translation" when adding a new IP Policy, Fallback
Policy, Multicast Policy or SLB Policy has been changed from "Auto" to
"None".
Existing configurations will keep their current values during upgrade.
Updated Graph on the Dashboard
A graph for Blacklist has been added to the dashboard. It replaces the Malware graph.
Updated Interface Filter for OneConnect Configuration
The "type" filter for the OneConnect outer interface did not allow IPsec or IPsecLANtoLAN
interfaces to be selected. This update makes it possible to have the OneConnect Server to listen on
an IPsec interface.
Updated Description Texts
Description texts have been added or improved for some objects. Descriptions for folders, mostly
seen in InControl, have also been improved or added.
Application Control and IP Reputation in InControl Logs
The log parameters for Application Control (like "app_name", "app_risk" and
"app_family") and IP Reputation ("iprep_src", "iprep_src_score",
"iprep_dest" and "iprep_dest_score") have been added to InControl logs, and can
be seen in the InControl Log Explorer.
IPv6 Support for DNS Queries
The CLI command "dns -query" has been extended to support IPv6 queries. The query results
will show both IPv4 and IPv6 results when available.
Updated TLS/SSL Library
The embedded TLS/SSL library has been updated to the latest version.
ACME Certificates
A 384-bit elliptic curve key has been added, alongside the existing RSA2048 and ECC256, as a supported ACME key
type.
Settings to Advanced Tabs and Updated Design on the DHCP Server Page
Some settings that are not that often used have been moved to advanced tabs in the web user
interface. The DHCP Server page has been updated, so that the common settings are shown on the first
tab.
Increased Length of Address Objects in the REST API
The string length of network objects listed in the REST API (e.g. iprules) has been increased from 100
to 2048 characters.
OSPF System Information in the Technical Support File
The Technical Support file now contains OSPF information if OSPF is enabled in the system.
New Date Time Picker in the Web User Interface
The date and time picker for the Schedule Profile and Log viewer's date filter has been updated with
a new design.
Session Manager in the Web User Interface
Information about logged in administration users, previously available under the CLI command
"sessionmanager -list", is now also available in the web user interface.
DHCP Server Improvement
The option to use the same DNS servers configured for the device itself has been added to DHCP
Servers.
Removed Legacy SSL VPN Client Installer
The legacy SSL VPN client has been removed from the firewall and the download link from the SSL VPN
portal has been removed.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
New Application Control Library
The Application Library has been updated to version 1.740. Major additions/updates:
The following sections detail the issues addressed in the Clavister cOS Core 15.00.05 release.
COP-25781: In some scenarios, an unexpected restart could happen.
COP-24903: With certain LDAP configurations, an unexpected restart could occur.
COP-25564: IP Addresses in Config Mode Pools were not freed correctly, which could cause the pool to be depleted.
COP-25610: The system could restart unexpectedly under certain circumstances when changing OSPF Interface Network to 0.0.0.0/0.
COP-25747: IPsec certificates expired one week earlier than the certificates valid until date.
COP-25147: OneConnect clients took too long to detect an HA failover before reconnecting to the new active HA node.
COP-25611: Faulty logic in TCP reassembly could trigger unexpected behavior.
COP-25263: Device initiated InControl connections (from the firewall to the InControl Server) could under certain circumstances get stuck in a reconnect loop.
COP-25573: SNMP traps for interface up and interface down would not trigger for all interfaces. Interfaces with SNMP index above 127 were not treated correctly.
COP-25766: System time synchronization could in some rare cases cause memory corruption.
COP-25735: The log message with action user_login in OneConnect used a different log ID compared to all other user_login messages. This log message has now been changed from ID 03700103 to 03700102 to match other messages with the same action.
COP-25354: IP Reputation validation (Botnet, DoS, Phishing, Scanner and Scam protection) was not enforced on incoming IKE traffic.
COP-25706: The initial value for the Delegate property on the DHCPv6 Server was incorrect and it was not possible to configure a DHCPv6 Server using InControl with specific settings.
COP-24427: Passwords added when using InControl containing characters outside the standard ASCII table were encrypted incorrectly resulting in unusable passwords.
COP-25544: Unused old items in the IPsec Certificate cache were not removed when the cache was full.
COP-25535: Some log messages contained duplicated parameters in the log reference guide.
COP-25569: The system could restart unexpectedly due to an error in the OSPF subsystem.
COP-25619: The following cipher suites are now considered weak and are therefore disabled by default. It is possible to re-enable them manually under Advanced Settings -> SSL Settings, but this is not recommended.
COP-25633: The error message shown when configuring a Reverse Proxy Policy incorrectly was incorrect.
COP-25653: A OneConnect client reconnecting from a new IP address could in an HA setup result in an unexpected restart.
COP-25684: An unreachable DNS server could trigger an unexpected behavior when using device initiated InControl server connections with an FQDN address. Netcon now correctly handles DNS servers that do not respond to queries.
COP-25749: In rare circumstances, where InControl was used, an unexpected restart could occur.
COP-25492: Certain configurations using ZoneDefense could lead to an unexpected restart on 64-bit systems.
COP-25508: The certificate cache was limited to 256 entries; once full, no further certificates could be inserted into the cache, resulting in failed IPsec negotiations.
COP-25348: The OneConnect Server could on rare occasions cause a restart of the firewall.
COP-25309: The status page for the Session Manager didn't show IPv6 addresses correctly.
COP-25420: SNMPv3 Privacy Passwords were not encrypted in configuration file backups.
COP-25419: If a subscription based license was initiated with a system identifier text that included lowercase characters, the license did not work and no warning message was shown. All characters in the system identifier are now converted to uppercase when inserted in the web user interface or the CLI.
COP-25423: For Virtual Firewalls, the Setup Wizard removed DHCP settings for interfaces after the wizard was completed.
COP-25157: The system could in some situations stop responding to incoming IPv6 IPsec connection attempts.
COP-25371: The third party OpenConnect Client version 1.6.0 and later could not connect to the OneConnect Server.
COP-25427: When negotiating with ACME-server, the result could in some cases be dropped when the configured domain names contained uppercase letters.
COP-25349: OneConnect and group memberships did not work when group membership contained spaces.
COP-25156: SLB Policies with stickiness enabled could still send new connections to a server when the server was set to maintenance mode.
COP-25316: SNMPv3 generated an unclear log message when the wrong "priv" passphrase was used.
COP-25319: Some configuration errors did not show correct information about the error.
COP-25516: The default value for "Subject" in Mail Alerting was not shown when new Mail Alerting objects were created.
COP-25488: On the Certificate page under Key Ring, the "create new certificate" option was incorrectly shown when the certificate object was disabled.
COP-25378: 4096 bit RSA SSH Public Keys were not accepted when uploading them to the firewall.
COP-25382: Log messages for DNS Cache contained incorrect or no IP version. Four log messages have been updated, each with a new log revision. One message has got a new log ID number. All four have new event names. The new event names are "max_addresses_reached_ipv4", "max_addresses_reached_ipv6", "dns_cache_removed_ipv4" and "dns_cache_removed_ipv6".
COP-25395: Neighbor devices information was not displayed correctly if the number of devices was bigger than 400. The problem affected both the REST API and the Web User Interface Status page.
COP-25552: The IP Reputation Lookup page under Tools showed an incorrect text in the address field.
COP-25553: The OSPF configuration used a faulty memory calculation for max memory usage, making it misbehave if used in installations with more than 4GB of memory or if the manually configured max limit was larger than 470MB.
COP-25266: The system could restart unexpectedly when logging NAT Pool failure.
COP-25168: When a VLAN interface had a "null" type interface as base interface, the firewall could restart unexpectedly. An interface could become a null interface if for example a physical interface fails to attach (e.g. hardware failure or changes to a hypervisor backend).
COP-25109: RADIUS NAS Port Type was incorrectly set to "none" for messages sent to the RADIUS Server when logging in on a OneConnect interface. This gave problems with for example Windows NPS. The port type has now been changed to "virtual".
COP-25226: Messages for errors triggered at configuration deployment used a shared output buffer that could be re-used and overwritten before printed. This sometimes led to incorrect configuration error messages.
COP-25279: The OpenID Connect (OIDC) subsystem was unable to parse ID Tokens with a signature longer than 512 bytes.
COP-25298: The CLI command "route -verbose" and "route -switched -verbose" did not print the verbose information aligned to the columns.
COP-25146: Connections inside OneConnect tunnels were not synced to the inactive High Availability member.
COP-25071: OneConnect users could sometimes be logged out from VPN sessions when logging out from the administration web user interface session within the VPN session.
COP-24741: ESP packets using the AES-GCM cipher were sent with incorrect padding causing some IPsec clients to drop the packets.
COP-25131: Routes for L2TP and PPTP interfaces were not created when "Automatically add a route for this interface using the given remote network" was checked.
COP-25154: DHCP padding options were incorrectly validated by the DHCP server, resulting in only part of the DHCP message being parsed. The DHCP parsing has been updated to correctly handle DHCP option padding.
COP-25159: OneConnect DTLS negotiation could stall if UDP packets were received in the wrong order.
COP-24834: The OneConnect session list could in special cases become corrupt, resulting in an unexpected restart of the firewall.
COP-25075: The syslog ALG handled fragmented packets incorrectly resulting in unexpected behavior.
COP-23902: When restoring a configuration backup, for example a converted configuration from an older firewall (e.g. with version 267) to a new one (e.g. with version 4), the "local configuration version" of the new firewall was used (e.g. version 4). Now the higher of the two version numbers is used.
COP-24833: The property "Groups" in the Local User Database was restricted to 127 characters but could be given many more characters without any indication that the value was truncated. A configuration warning is now issued when reading in a faulty configuration. A warning is also issued when entering a "Groups" property that exceeds the maximum number of characters.
COP-25094: Memory Log was available to use in InControl domains.
COP-25085: Changing the index of an IP Policy (or related object) would show that something was changed in the configuration, but the detailed list of changes was empty. The list of changes has now been updated to show when indexed objects are moved.
COP-25103: The system could in rare occasions restart unexpectedly during SSLVPN Portal and WebUI login.
COP-25132: Sections with a tooltip could incorrectly show the tooltip in the wrong place on the screen.
COP-25133: The dashboard graphs "Application Control Data", "IP Reputation Risk" and "Web Content Filtering" used the wrong time span when rendering information. The graphs have been updated to render the correct time span.
COP-25135: The configuration dropdown menu could sometimes contain HTML tags.
COP-25176: The SNMP Index was not persistent for OneConnect interfaces.
COP-25257: Some settings for IPv6 Prefix Delegation were not shown in InControl.
COP-25012: In some situations, IKE SAs remained and could not be deleted using the CLI command "ike -delete".
COP-24969: Using snoop commands over a netcon connection (from InControl) could cause the firewall to restart unexpectedly.
COP-24979: The system could sometimes restart unexpectedly in a High Availability system with a large number of IPsec SAs.
COP-25056: ACME certificate requests could in some rare circumstances be sent without the correct 'Content-Type' header.
COP-24959: The width of the memory log pages in the web user interface could sometimes, for example when the log contained IPv6 addresses, be too narrow to show the full addresses.
COP-24965: The "Content Control" list for Application Rules sometimes showed unrelated protocols under inherited protocols.
COP-24980: System Error Report files sometimes did not include the time and date information in the filename on 64-bit firewalls.
COP-24996: OSPF Hello packets could under certain circumstances contain an incorrect value for Active Neighbors.
COP-25032: The display name for log category 76 used the outdated label "SAAS". The name has been updated to the correct label "SECaaS".
COP-25038: When using OpenID Connect in an HA environment, the device used the private IP address during discovery, which is problematic if non-public IP addresses are used as private IPs. OIDC has been updated to use the shared IP address during discovery.
COP-25044: The OIDC JWT header property "typ" was incorrectly marked as mandatory. The "typ" property is now optional.
COP-25065: The buffer limiting the maximum length of OIDC JWK property fields was too small and has been enlarged.
COP-25084: A High Availability system with a DHCPv6 Server enabled could in rare occasions during high DHCPv6 traffic restart unexpectedly.
COP-25099: The DHCPv6 Client did not handle T1 and T2 set to zero in received IA_NA options.
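As an added illustration of the parsing defect described in COP-25154 above (example code written for these notes, not cOS Core code), the following DHCPv4 options parser handles the RFC 2132 Pad and End options, which carry no length byte, beside a naive variant that loses every option after a lone Pad byte. The sample option block is constructed for the example.

```python
# Added example, not Clavister code: a DHCPv4 options parser that handles the
# RFC 2132 Pad (0) and End (255) options, which carry no length byte.
PAD, END = 0, 255

def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: value} for a DHCPv4 options field; Pad may appear anywhere,
    End terminates, repeated codes are concatenated (RFC 3396)."""
    opts, i, n = {}, 0, len(options)
    while i < n:
        code = options[i]
        if code == PAD:
            i += 1                       # single byte, no length field
            continue
        if code == END:
            break
        if i + 1 >= n:
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        start, stop = i + 2, i + 2 + length
        if stop > n:
            raise ValueError("option %d overruns message at offset %d" % (code, i))
        opts[code] = opts.get(code, b"") + options[start:stop]
        i = stop
    return opts

def naive_parse(options: bytes) -> dict:
    """Buggy variant for contrast: assumes every option has a length byte, so a
    lone Pad byte is read as code 0 with the following byte as its length."""
    opts, i = {}, 0
    while i + 1 < len(options) and options[i] != END:
        code, length = options[i], options[i + 1]
        if i + 2 + length > len(options):
            break                        # overran the message; rest is lost
        opts[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return opts

# Constructed sample: a DHCPDISCOVER option block with Pad bytes between options.
SAMPLE = bytes([
    53, 1, 1,                                       # Message Type = DISCOVER
    0, 0,                                           # two Pad bytes
    61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   # Client-identifier (hw type + MAC)
    0,                                              # a lone Pad byte
    55, 3, 1, 3, 6,                                 # Parameter Request List
    255,                                            # End
    0, 0, 0,                                        # trailing Pad after End
])
```

Running parse_dhcp_options(SAMPLE) yields options 53, 55 and 61, while naive_parse(SAMPLE) misreads the lone Pad byte as an option header and never reaches option 55.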
This section covers considerations to take into account when upgrading to the latest cOS Core version, such as configuration aspects related to changes in features or behavior of the system after upgrade.
This section describes how to upgrade the system using the Web User Interface. For a detailed description on how to perform an upgrade using SCP please refer to the Clavister cOS Core administration guide.
To upgrade Clavister cOS Core using the Web user interface, follow these simple steps:
Generation of certificates using 4096 bit size stalls firewall
If bit size 4096 is chosen when generating certificates in the Web User Interface, the firewall will be unavailable for a short period of time with no progress indicator during this time. Affected versions: 12.00.17 and newer.
High Availability: Transparent Mode does not work in HA mode
There is no state synchronization for Transparent Mode and there is no loop avoidance.
High Availability: GRE L2 does not work in HA mode
It is not possible to use GRE L2 when the High Availability cluster feature is enabled.
High Availability: PPPoE (Point-to-Point Protocol over Ethernet) is not supported in HA mode
High Availability: No state synchronization for Application Layer Gateways
No aspect of Application Layer Gateways is state synchronized. This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
Note that such a failover (and consequent fallback) occurs each time a new configuration is uploaded.
High Availability: Tunnels unreachable from inactive node
The inactive node in an HA cluster cannot communicate over IPsec, SSL VPN, OneConnect, Open Connect, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
High Availability: No state synchronization for L2TP, PPTP, and SSL VPN tunnels
There is no state synchronization for L2TP, PPTP and SSL VPN tunnels. On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30-120 seconds range.
High Availability: No state synchronization for IDP signature scan states
No aspect of the IDP signature states is synchronized. This means that there is a small chance that the IDP engine causes false negatives during an HA failover.
This section outlines the direct compatibility considerations as of cOS Core 15.00.05.
The following hardware appliances are supported as of the Clavister cOS Core 15.00.05 release. Clavister does not guarantee compatibility with other hardware appliances.
Clavister cOS Core 15.00.05 requires a Clavister subscription covering May 1, 2026. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.
Technical Assistance via MyClavister
We offer timely and rapid response to customer inquiries and service requests
via our web based support tool.
Do not hesitate to contact us if you have any questions regarding
the upgrade or installation procedure.
Clavister Technical Support
https://www.clavister.com/my-clavister/help-desk/
