Note: This document is also available in PDF format.
A PDF version of this guide can be found in the document file list for each cOS Core release at https://my.clavister.com.
Clavister cOS Core 15.00.02 is the latest version of our award-winning network security operating system powering the Clavister NetWall, our premium NGFW security solution.
For a list of appliances that are supported by this version of Clavister cOS Core, please refer to the Compatibility section.
Important: If you are using InControl for centralized management, please note that cOS Core 15.00.02 requires InControl version 3.19.01 or later. We recommend always using the latest version.
Important: Clavister cOS Core 15.00.02 requires a Clavister subscription covering May 1, 2025. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.
The following sections detail new features and enhancements in Clavister cOS Core 15.00.02. For a complete list and description of all the features in Clavister cOS Core 15.00.02, refer to Clavister cOS Core Administration Guide 15.00.02.
Support for GRE L2
Support for GRE L2 (Generic Routing Encapsulation at Layer 2) tunnels has been added. GRE L2,
also known as GRETAP or L2GRE, enables encapsulation of full Ethernet frames, including the
original Ethernet header, allowing for the transparent transport of Layer 2 traffic between
two Clavister NetWall devices.
Note: GRE L2 tunnels are not encrypted or authenticated by default. For secure transport, it is recommended to combine GRE L2 with IPsec.
OneConnect Certificates
It is now possible to configure a certificate per OneConnect interface, instead of using one global certificate for all
OneConnect interfaces. By default, new and existing OneConnect interfaces use the management web user interface
certificate.
Updated Timeout for Subscription-Based Licenses
Subscription-based licenses were previously limited to running for only 2 weeks without an update check. This limit has been
removed; reduced mode is now delayed until the subscription end date is reached.
OpenID Connect (OIDC) User Groups
OIDC has been updated and can now handle up to 199 groups. If a user belongs to more than 199 groups, Microsoft Entra
will not send any group memberships. See the KB space (https://kb.clavister.com) for instructions on how this scenario
can be handled.
RADIUS Server
The integrated RADIUS server allows Clavister NetWall appliances to provide authentication services for devices
using EAP-TLS in 802.1X deployments. It is designed specifically for device-based authentication and does not
support user authentication. This enables the firewall to function as a RADIUS server for network access control
in environments where certificate-based authentication is used to validate devices.
SNMPv3 Privacy Passphrase
It is now possible to configure separate passwords for SNMPv3 Authentication and SNMPv3 Privacy. The new setting is
optional and is configured on the user in the local user database. If the privacy passphrase is not set, the normal
password is used for both authentication and privacy, as in older versions.
Improved Memory Tracking
The internal memory reporting system has been improved for better subsystem memory tracking. The result in the
"memory" CLI command will be more accurate after this change.
New Advanced Setting for SNMP
It is now possible to use the device name (configured under Device Settings, shown at the top of the web user interface
dashboard and used as CLI prompt) as SNMP System Name, instead of specifying an additional name only used for SNMP.
Upgraded firewalls will continue to use the same SNMP System Name from the configuration as in older versions, while new
installations have the new setting enabled and use the global device name. The new setting can be found under Remote
Management -> Advanced Settings.
Default Private IP Address for VLAN Interfaces
New VLAN Interfaces will have the default value for Private HA IPv4 Address set to "localhost".
Updated Backup Filenames
The default filenames for configuration backups, anonymous configuration backups and full system backups, when downloaded
from the web user interface, have been updated to include the firmware version. The technical support file name, also when
downloaded from the web user interface, has been aligned with the backup files and also includes the HA member role if the
device is part of an HA cluster.
IPv6 Support for the REST API
The REST API now also supports using IPv6 addresses.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
New Application Control Library
The Application Library has been updated to version 1.770.1. New protocols include:
Tunneling
Security Service
Thin Client
Database
Audio/Video
Instant Messaging
Web
Usernames for OpenID Connect and Microsoft Entra
It is now possible to specify which OpenID Connect parameter, instead of the default one, is used to populate the username
when OIDC is used as the authentication method. This makes it possible to get usernames in plain text instead of the GUID
that Microsoft Entra otherwise sends.
New Version of the AI Library
The AI library has been updated to version 1.2.0.
OpenID Connect (OIDC)
A timer has been added to regularly keep the OIDC data up to date. The refresh interval is a user setting with a default
of one hour.
Upload Progress Bar in the Web User Interface
The Web User Interface will now display a progress bar showing file upload progress when uploading Upgrade files and
Full Backup files.
Certificate Chains in Reverse Proxy
Added support for configuration of certificate chains in the reverse proxy maps.
Ping CLI Command Improvement
The "ping" CLI command has been updated to resolve both IPv4 and IPv6 addresses, giving priority to IPv4 if both are
resolved. To ping using a specific IP version, use "ping -4" or "ping -6".
Temporary Blacklist of IPs from the Web User Interface
It is now possible to temporarily blacklist IP addresses from the Blacklist Status page in the web user interface. IPs
will be blocked for 24 hours. For more detailed manual blacklisting, we recommend using the REST API.
Legacy Interface Drivers
Support for legacy interface drivers has been removed from the 32-bit version of cOS Core.
Updated Timezone Database
The timezone database has been updated to the latest version.
Shutdown CLI Command
The CLI command "shutdown" has been updated to do a full reboot as the default behavior on 100, 200R, 300,
500, 6000 Series and 64bit virtual installations. The flags "-reboot" and "-restart" are available
on all platforms.
Extended Error Logging for RADIUS
The RADIUS client has been extended to include the reason why "radius_parse_error" was triggered, making it easier
to determine where the problem is.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
New Application Control Library
The Application Library has been updated to version 1.760.1. New protocols include:
Game
Network Service
Application Service
Tunneling
Middleware
Audio/Video
Web
AI Policies
Using Artificial Intelligence (AI) to perform Anomaly Detection, in a broad sense, is the
identification of patterns that do not conform to a defined normal behavior. In cOS Core, the
Anomaly Detection feature employs a combination of state-of-the-art concepts in machine learning and
time-series analysis to detect communication misbehavior in near real-time. The underlying technique
features a multi-layer AI engine that enables the creation and configuration of multiple AI models
that monitor multiple data streams concurrently.
AI Policies are available on the 200R Series, 300 Series, 500 Series and 6000 Series. To configure AI Policies a license is
required.
IPv6 Support for PPPoE Interfaces
PPPoE (Point-to-Point Protocol over Ethernet) interfaces now fully support IPv6, ensuring
compatibility with ISPs and services that rely on IPv6 addressing.
IP Rules, ALGs and SSL VPN Interfaces
Older object types such as IP Rules, ALGs and SSL VPN Interfaces can no longer be added.
Existing objects of these types can still be edited or deleted. Their replacements are IP Policies,
Profiles and OneConnect.
User Groups
Configuration of user authentication related to IP Policies has been updated. Instead of configuring
user authentication on the address object, a new User Group object has been introduced. This new
object can be used as a filter directly on an IP Policy.
During the upgrade, a conversion to the new format is performed. Nested objects cannot be converted automatically.
IP Policies, IP Rules, Threshold Rules, IDP Rules and Routing Rules referring to network objects that could not be converted will be disabled after the upgrade, so that the administrator can verify them before manually activating them again.
Review the configuration log after the upgrade; any object that was not converted is listed there. Disabled objects are also logged on the console CLI during the first start-up of the new version.
Prefix Delegation for DHCPv6
Support has been added for IPv6 Prefix Delegation. An external interface, for example the interface
facing the ISP, can be set in DHCPv6 Client mode and internal interfaces can after that delegate a
subnet of the received prefix.
DHCP Client for High Availability
Interfaces in a High Availability (HA) cluster can now use DHCP to obtain an IPv4 address to be used
as a shared IP address.
Graphic View Update to Tables
Proxy ARP has been added as a column to the Routing Table page. Routing Table has been added as a
column to the Loopback Interface page.
Updated CLI Output
The "pipes" CLI command (-show <pipe>) listed the precedence levels from 0 to 7. The
order has been changed to match the order on the web user interface configuration page, which is 7
to 0 with the total last.
More Members in IPv4 Address Groups, IPv6 Address Groups and Ethernet Address Groups
The number of allowed members in address groups has been increased from 256 to 512.
Renamed CLI Command
The CLI command for resetting a device to factory settings has been renamed, to make it harder to
use by mistake. The new name is "reset -factorydefault".
IPv6 Support for the "pcapdump" CLI Command
It is now also possible to filter on IPv6 addresses in the "pcapdump" CLI command.
Updated Maintenance Menu
The maintenance menu in the web user interface has been updated. The options "reset" and
"restart" have been separated and now have a menu item of their own.
Updated Default Values
The default values for some advanced settings have been increased; these include the settings
for ARP Hash/Cache size.
Simplified System Error Reports for 64bit Versions
Devices that crash will now generate a simplified text-based version in addition to the ordinary
crash dump file. The simplified version is included in the technical support file.
More Details in InControl Log Messages
The log parameters "connsrcdevice", "conndestdevice", "connsrcmac" and
"conndestmac" have been added to EFW logs.
Improvements to Cloud-init
It is now possible to add license commands in the userdata file in a Cloud-init OpenStack
environment, which allows SECaaS license information to be added.
Update to Application Control Rules
User authentication has been removed from Application Control rules. User authentication is instead
configured on the IP Policy.
Removed Inline Application Control Configuration
Configuring Application Control on IP Policies now requires a previously created Application Rule
Set to be set and does not allow inline configuration. Existing configurations with inline
Application Control configuration will be converted to use Application Rule Set.
Updated Filter Layout for IP Policies in the Web User Interface
The filter configuration has been updated for all rules and policies to use a vertical layout
instead of horizontal to accommodate new filter methods.
Removed Inline File Control Configuration
Configuring File Control on an IP Policy now requires a previously created File Control Profile to be
set and no longer allows inline configuration. Existing configurations with inline File Control
configuration will be converted to use a File Control Profile.
Removed Inline Anti-Virus Configuration
Configuring Anti-Virus on an IP Policy now requires a previously created Anti-Virus Profile to be
set and no longer allows inline configuration. Existing configurations with inline Anti-Virus
configuration will be converted to use an Anti-Virus Profile.
Updated List of IP Policies in the Web User Interface
The list of IP Policies in the web user interface now uses icons for options on the Policy. This
allows for listing more information on the overview page.
Default Value for Source Address Translation
The default value for "Source Address Translation" when adding a new IP Policy, Fallback
Policy, Multicast Policy or SLB Policy has been changed from "Auto" to
"None".
Existing configurations will keep their current values during upgrade.
Updated Graph on the Dashboard
A graph for Blacklist has been added to the dashboard. It replaces the Malware graph.
Updated Interface Filter for OneConnect Configuration
The "type" filter for the OneConnect outer interface did not allow IPsec or IPsecLANtoLAN
interfaces to be selected. This update makes it possible to have the OneConnect Server to listen on
an IPsec interface.
Updated Description Texts
Description texts have been added or improved for some objects. Descriptions for folders, mostly
seen in InControl, have also been improved or added.
Application Control and IP Reputation in InControl Logs
The log parameters for Application Control (like "app_name", "app_risk" and
"app_family") and IP Reputation ("iprep_src", "iprep_src_score",
"iprep_dest" and "iprep_dest_score") have been added to InControl logs, and can
be seen in the InControl Log Explorer.
IPv6 Support for DNS Queries
The CLI command "dns -query" has been extended to support IPv6 queries. The query results
will show both IPv4 and IPv6 results when available.
Updated TLS/SSL Library
The embedded TLS/SSL library has been updated to the latest version.
ACME Certificates
A 384-bit Elliptic Curve key type has been added alongside the existing RSA2048 and ECC256 as a supported ACME key
type.
Settings to Advanced Tabs and Updated Design on the DHCP Server Page
Some less frequently used settings have been moved to advanced tabs in the web user
interface. The DHCP Server page has been updated so that the common settings are shown on the first
tab.
Increased Length of Address Objects in the REST API
The string length of network objects listed in the REST API (e.g. iprules) has been increased from 100
to 2048 characters.
OSPF System Information in the Technical Support File
The Technical Support file now contains OSPF information if OSPF is enabled in the system.
New Date Time Picker in the Web User Interface
The date and time picker for the Schedule Profile and Log viewer's date filter has been updated with
a new design.
Session Manager in the Web User Interface
Information about logged in administration users, previously available under the CLI command
"sessionmanager -list", is now also available in the web user interface.
DHCP Server Improvement
The option to use the same DNS servers configured for the device itself has been added to DHCP
Servers.
Removed Legacy SSL VPN Client Installer
The legacy SSL VPN client has been removed from the firewall and the download link from the SSL VPN
portal has been removed.
Updated GeoIP and Ethernet Vendor Databases
The GeoIP and Ethernet vendor databases have been updated to the latest releases.
New Application Control Library
The Application Library has been updated to version 1.740. Major additions/updates:
The following sections detail the addressed issues in Clavister cOS Core 15.00.02 release.
COP-25266: The system could restart unexpectedly when logging NAT Pool failure.
COP-25168: When a VLAN interface had a "null" type interface as base interface, the firewall could restart unexpectedly. An interface could become a null interface if for example a physical interface fails to attach (e.g. hardware failure or changes to a hypervisor backend).
COP-25109: RADIUS NAS Port Type was incorrectly set to "none" in messages sent to the RADIUS Server when logging in on a OneConnect interface. This caused problems with, for example, Windows NPS. The port type has now been changed to "virtual".
COP-25226: Messages for errors triggered at configuration deployment used a shared output buffer that could be re-used and overwritten before being printed. This sometimes led to incorrect configuration error messages.
COP-25279: The OpenID Connect (OIDC) subsystem was unable to parse ID Tokens with a signature longer than 512 bytes.
COP-25298: The CLI command "route -verbose" and "route -switched -verbose" did not print the verbose information aligned to the columns.
COP-25146: Connections inside OneConnect tunnels were not synced to the inactive High Availability member.
COP-25071: OneConnect users could sometimes be logged out from VPN sessions when logging out from the administration web user interface session within the VPN session.
COP-24741: ESP packets using the AES-GCM cipher were sent with incorrect padding causing some IPsec clients to drop the packets.
COP-25131: Routes for L2TP and PPTP interfaces were not created when "Automatically add a route for this interface using the given remote network" was checked.
COP-25154: DHCP padding options were incorrectly validated by the DHCP server, resulting in only part of the DHCP message being parsed. The DHCP parsing has been updated to correctly handle DHCP option padding.
COP-25159: OneConnect DTLS negotiation could stall if UDP packets were received in the wrong order.
COP-24834: The OneConnect session list could in special cases become corrupt, resulting in an unexpected restart of the firewall.
COP-25075: The syslog ALG handled fragmented packets incorrectly resulting in unexpected behavior.
COP-23902: When restoring a configuration backup, for example a converted configuration from an older firewall (e.g. with version 267) to a new one (e.g. with version 4), the "local configuration version" from the new firewall was used (e.g. version 4). Now the higher of the two numbers will be used.
COP-24833: The property "Groups" in the Local User Database was restricted to 127 characters but could be given many more characters without any indication that the value was truncated. Now a configuration warning is issued when reading in a faulty configuration. A warning is also issued when entering a "Groups" property that exceeds the maximum number of characters.
COP-25094: Memory Log was available to use in InControl domains.
COP-25085: Changing the index of an IP Policy (or related object) would show that something was changed in the configuration, but the detailed list of changes was empty. The list of changes has now been updated to show when indexed objects are moved.
COP-25103: The system could in rare occasions restart unexpectedly during SSLVPN Portal and WebUI login.
COP-25132: Sections with a tooltip could incorrectly show the tooltip in the wrong place on the screen.
COP-25133: The dashboard graphs "Application Control Data", "IP Reputation Risk" and "Web Content Filtering" used the wrong time span when rendering information. The graphs have been updated to render the correct time span.
COP-25135: The configuration dropdown menu could sometimes contain HTML tags.
COP-25176: The SNMP Index was not persistent for OneConnect interfaces.
COP-25257: Some settings for IPv6 Prefix Delegation were not shown in InControl.
COP-25012: In some situations, IKE SAs remained and could not be deleted using the CLI command "ike -delete".
COP-24969: Using snoop commands over a netcon connection (from InControl) could cause the firewall to restart unexpectedly.
COP-24979: The system could sometimes restart unexpectedly in a High Availability system with a large number of IPsec SAs.
COP-25056: ACME certificate requests could in some rare circumstances be sent without the correct 'Content-Type' header.
COP-24959: The width of the memory log pages in the web user interface could sometimes, for example when the log contained IPv6 addresses, be too narrow to show the whole addresses.
COP-24965: The "Content Control" list for Application Rules sometimes showed unrelated protocols under inherited protocols.
COP-24980: System Error Report files sometimes did not include the time and date information in the filename on 64bit firewalls.
COP-24996: OSPF Hello packets could under certain circumstances contain an incorrect value for Active Neighbors.
COP-25032: The display name for log category 76 used an old label "SAAS" which is wrong. The name has been updated to the correct label "SECaaS".
COP-25038: When using OpenID Connect in an HA environment the device would use the private IP during the discovery which is problematic if non-public IP Addresses are used as private IP. OIDC has been updated to use the shared IP during the discovery.
COP-25044: The OIDC JWT header property "typ" was incorrectly marked as mandatory. Now the "typ" property has been made optional.
COP-25065: The OIDC JWK buffer handling the max length of the JWK property fields was too limited and has been extended.
COP-25084: A High Availability system with a DHCPv6 Server enabled could in rare occasions during high DHCPv6 traffic restart unexpectedly.
COP-25099: The DHCPv6 Client did not handle T1 and T2 set to zero in received IA_NA options.
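COP-25154 above concerns DHCP option padding. The following parser is an added illustration, not cOS Core's own code (the note does not show its internals): it contrasts a common defect class, treating the single-byte Pad option as a type/length/value option so that a run of Pad bytes swallows the options after it, with the RFC 2132 rule that Pad (0) and End (255) carry no length byte and every option value must be bounds-checked. The DHCP message and option bytes are constructed for the example.

```python
"""DHCP option parsing: Pad/End handling and bounds checks (RFC 2132 semantics)."""
from typing import Dict

OPT_PAD = 0      # single byte, no length field, used only for alignment
OPT_END = 255    # single byte, no length field, terminates the option list
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the options field in a DHCP message
OPTIONS_OFFSET = 240                 # 236-byte BOOTP header + 4-byte cookie


def parse_options_treating_pad_as_tlv(buf: bytes) -> Dict[int, bytes]:
    """Constructed example of the defect class (not the actual cOS Core bug):
    every code, including Pad, is read as type/length/value. A run of Pad
    bytes is then misread as an option header whose 'length' swallows the
    options that follow, so only part of the message is parsed."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i + 1 < len(buf) and buf[i] != OPT_END:
        code, length = buf[i], buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]   # silently truncated slice
        i += 2 + length
    return opts


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Correct handling: Pad is skipped byte-wise, End stops parsing,
    and every length is checked against the remaining buffer."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(buf):
            raise ValueError(f"option {code} at offset {i} has no length byte")
        length = buf[i + 1]
        end = i + 2 + length
        if end > len(buf):
            raise ValueError(f"option {code} length {length} overruns the options field")
        # RFC 3396: a repeated option code carries a continuation of the same value.
        opts[code] = opts.get(code, b"") + buf[i + 2:end]
        i = end
    raise ValueError("options field not terminated by an End option")


def parse_dhcp_message(msg: bytes) -> Dict[int, bytes]:
    """Locate the options field in a full BOOTP/DHCP message and parse it."""
    if len(msg) < OPTIONS_OFFSET:
        raise ValueError("message shorter than the fixed header plus magic cookie")
    if msg[OPTIONS_OFFSET - 4:OPTIONS_OFFSET] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return parse_options(msg[OPTIONS_OFFSET:])


def message_type(opts: Dict[int, bytes]) -> int:
    """Return the DHCP Message Type (option 53), rejecting malformed values."""
    value = opts.get(53)
    if value is None or len(value) != 1:
        raise ValueError("DHCP Message Type option missing or malformed")
    return value[0]


# Constructed sample: a DHCPREQUEST whose options contain three Pad bytes.
SAMPLE_OPTIONS = (
    b"\x35\x01\x03"                  # 53 DHCP Message Type = 3 (DHCPREQUEST)
    + b"\x32\x04\xc0\xa8\x01\x0a"    # 50 Requested IP Address = 192.168.1.10
    + b"\x00\x00\x00"                # three Pad bytes (alignment)
    + b"\x37\x03\x01\x03\x06"        # 55 Parameter Request List = subnet, router, DNS
    + b"\xff"                        # End
)
SAMPLE_MESSAGE = bytes([1, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + SAMPLE_OPTIONS

if __name__ == "__main__":
    print("correct parser:", sorted(parse_dhcp_message(SAMPLE_MESSAGE)))        # [50, 53, 55]
    print("pad as TLV    :", sorted(parse_options_treating_pad_as_tlv(SAMPLE_OPTIONS)))  # [0, 50, 53]
```

The flawed parser loses option 55 entirely, which is the "only part of the message was parsed" symptom; the correct one also rejects an option whose length runs past the end of the buffer instead of returning a truncated value.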
This section covers considerations to take into account when upgrading to the latest cOS Core version, such as configuration aspects related to changes in features or behavior of the system after upgrade.
This section describes how to upgrade the system using the Web User Interface. For a detailed description on how to perform an upgrade using SCP please refer to the Clavister cOS Core administration guide.
To upgrade Clavister cOS Core using the Web user interface, follow these simple steps:
Generation of certificates using 4096 bit size stalls firewall
If bit size 4096 is chosen when generating certificates in the Web User Interface, the firewall will be unavailable
for a short period of time with no progress indicator during this time. Affected versions: 12.00.17 and newer.
High Availability: Transparent Mode does not work in HA mode
There is no state synchronization for Transparent Mode and there is no
loop avoidance.
High Availability: PPPoE (Point-to-Point Protocol over Ethernet) is not supported in HA mode
High Availability: No state synchronization for Application Layer Gateways
No aspect of Application Layer Gateways is state synchronized.
This means that all traffic handled by ALGs will freeze when the cluster
fails over to the other peer. If, however, the cluster fails back over
to the original peer within approximately half a minute, frozen sessions
(and associated transfers) should begin working again.
Note that such failover (and consequent fallback) occurs each time a new
configuration is uploaded.
High Availability: Tunnels unreachable from inactive node
The inactive node in an HA cluster cannot communicate over IPsec, SSL VPN, OneConnect, Open Connect, PPTP, L2TP
and GRE tunnels, as such tunnels are established to/from the active node.
High Availability: No state synchronization for L2TP, PPTP, and SSL VPN tunnels
There is no state synchronization for L2TP, PPTP and SSL VPN tunnels.
On failover, incoming clients will re-establish their tunnels
after the tunnels are deemed non-functional. This timeout is
typically in the 30-120 seconds range.
High Availability: No state synchronization for IDP signature scan states
No aspects of the IDP signature states are synchronized. This means that there is a small chance that the IDP engine causes
false negatives during an HA failover.
This section outlines the direct compatibility considerations as of cOS Core 15.00.02.
The following hardware appliances are supported as of the Clavister cOS Core 15.00.02 release. Clavister does not guarantee compatibility with other hardware appliances.
Clavister cOS Core 15.00.02 requires a Clavister subscription covering May 1, 2025. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.
Technical Assistance via MyClavister
We offer timely and rapid response to customer inquiries and service requests
via our web based support tool.
Do not hesitate to contact us if you have any questions regarding
the upgrade or installation procedure.
Clavister Technical Support
https://www.clavister.com/my-clavister/help-desk/