cOS Core 14.00.14 Release Notes


Table of Contents

1. Version Summary
2. New Features
2.1. New Features and Enhancements in cOS Core 14.00.14
2.2. New Features and Enhancements in cOS Core 14.00.13
2.3. New Features and Enhancements in cOS Core 14.00.12
2.4. New Features and Enhancements in cOS Core 14.00.11
2.5. New Features and Enhancements in cOS Core 14.00.10
2.6. New Features and Enhancements in cOS Core 14.00.09
2.7. New Features and Enhancements in cOS Core 14.00.08
2.8. New Features and Enhancements in cOS Core 14.00.07
2.9. New Features and Enhancements in cOS Core 14.00.06
2.10. New Features and Enhancements in cOS Core 14.00.05
2.11. New Features and Enhancements in cOS Core 14.00.04
2.12. New Features and Enhancements in cOS Core 14.00.03
2.13. New Features and Enhancements in cOS Core 14.00.02
2.14. New Features and Enhancements in cOS Core 14.00.01
2.15. New Features and Enhancements in cOS Core 14.00.00
3. Addressed Issues
3.1. Addressed Issues in cOS Core 14.00.14
3.2. Addressed Issues in cOS Core 14.00.13
3.3. Addressed Issues in cOS Core 14.00.12
3.4. Addressed Issues in cOS Core 14.00.11
3.5. Addressed Issues in cOS Core 14.00.10
3.6. Addressed Issues in cOS Core 14.00.09
3.7. Addressed Issues in cOS Core 14.00.08
3.8. Addressed Issues in cOS Core 14.00.07
3.9. Addressed Issues in cOS Core 14.00.06
3.10. Addressed Issues in cOS Core 14.00.05
3.11. Addressed Issues in cOS Core 14.00.04
3.12. Addressed Issues in cOS Core 14.00.03
3.13. Addressed Issues in cOS Core 14.00.02
3.14. Addressed Issues in cOS Core 14.00.01
3.15. Addressed Issues in cOS Core 14.00.00
4. Installation Instructions
4.1. Upgrade Considerations
4.2. Upgrading From a cOS Core 10.nn, 11.nn, 12.nn or 13.nn System
5. Known Limitations
6. Compatibility
7. Licensing
8. Getting Help

Chapter 1: Version Summary

[Note] Note: This document is also available in PDF format

A PDF version of this guide can be found in the document file list for each cOS Core release at https://my.clavister.com.

Clavister cOS Core 14.00.14 is the latest version of our award-winning network security operating system powering the Clavister NetWall, our premium UTM security solution.

For a list of appliances that are supported by this version of Clavister cOS Core, please refer to the Compatibility section.

[Important] Important
If you are using InControl for centralized management please note that cOS Core 14.00.14 requires InControl version 3.17.00 or later. We recommend always using the latest version.

[Important] Important
Clavister cOS Core 14.00.14 requires a Clavister subscription covering April 1, 2024. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.

Chapter 2: New Features

The following sections detail new features and enhancements in Clavister cOS Core 14.00.14. For a complete list and description of all the features in Clavister cOS Core 14.00.14, refer to the Clavister cOS Core Administration Guide.

2.1. New Features and Enhancements in cOS Core 14.00.14

  • OpenID Connect for OneConnect
    This release adds support for OpenID Connect (OIDC) for OneConnect VPN. OpenID Connect is a decentralized authentication protocol which removes the need to handle passwords. Clavister's OneConnect clients for Windows, macOS, iOS, iPadOS and Android support OpenID Connect. Clavister recommends using PhenixID Authentication Server and the OneTouch mobile application.

  • High Availability Support for OneConnect
    OneConnect client information is now state synchronized between the cluster nodes.

  • Logs With Link to the Log Reference Guide
    The memory log pages in the web user interface now contain a link to the online version of the log reference guide. Clicking on a log ID opens the description for that log ID in a new tab in the web browser.

  • ACME HA Support
    High Availability Support for ACME (Automatic Certificate Management Environment), used for automating retrieval of Let's Encrypt and Buypass certificates in cOS Core, has been added.

  • Naming of Interfaces When Using Cloud-Init
    Cloud-Init uses the ID field in the network_data.json file to set the interface name (and the corresponding address objects). It is now possible to keep the original interface names instead: adding the tag '#no_iface_rename' to the "user_data" file overrides the interface renaming and leaves the names untouched.

  • User Groups for OneConnect
    A "User Groups" setting has been added to the OneConnect interface to make it possible to specify the User Groups a user must be member of to log in. After successful authentication against the configured authentication source, the returned User Group or Groups are matched against the configured User Groups on the OneConnect interface. If the user is not a member of any of the configured Groups, login will be disallowed. If the OneConnect interface User Groups field is empty, no User Group matching will be performed.

  • SNMPv3 EngineID
    The SNMPv3 EngineID can now be shown using the "snmp" CLI command.

  • Updated GeoIP Database
    The GeoIP database has been updated to the latest release.

2.2. New Features and Enhancements in cOS Core 14.00.13

  • Simplified Configuration of ACME (Let's Encrypt)
    Support for an additional verification method has been added when using ACME. The new more user friendly method does not need a reverse proxy policy to be configured, and might be more suitable for installations that do not protect a web server.

  • Updated VLAN CLI Command
    The "vlan" CLI command output has been updated. The new format can show the full VLAN interface name (up to the allowed max length), displays a longer part of the base interface name and follows the output format of other CLI commands better. A "verbose" flag has also been added, which lists zone and PBR table membership.

  • Anti-Virus Database Size
    A setting has been added where the administrator can reduce the number of signatures that cOS Core will use from the Anti-Virus database. Possible entries are 100%, 75%, 50% and 25%.

  • DHCP Client Shutdown Event
    The shutdown event (log and CLI message) when a reconfigure is triggered by a new DHCP lease now contains the name of the interface that received the new lease.

  • System Notification for High Availability
    The system will now log, output to the CLI and show a notification in the web user interface when the two High Availability nodes are running different firmware versions.

  • Support for Uploading Certificate Chains
    When uploading a certificate file that contains a chain (more than one certificate), cOS Core now inserts all certificates as separate objects in the key ring. The certificates after the lead node are named after it, followed by "_C#", where # is the certificate's position counting from the lead. Example: WebServer, WebServer_C1, WebServer_C2.
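    As an added illustration (not cOS Core code), the following Python script shows how a PEM upload with a chain is split into separate certificate objects and named according to the scheme above: the first certificate keeps the upload name and the following ones get "_C1", "_C2" and so on. The chain it operates on is constructed with placeholder base64 bodies, not real certificates; the function names are assumptions made for this example.

```python
"""Split an uploaded PEM file into separate certificate objects and name
them lead, lead_C1, lead_C2, ... as described in the release notes.
Added example, not cOS Core code."""

import base64
import binascii
import re

# One PEM certificate block; re.S lets the body span several lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the PEM certificate blocks in file order (lead first).

    Each body is checked to be well-formed base64 so that a corrupted or
    truncated upload is rejected instead of being stored as an object.
    """
    bodies = PEM_CERT.findall(pem_text)
    if not bodies:
        raise ValueError("no PEM certificate found in upload")
    blocks = []
    for index, body in enumerate(bodies):
        compact = "".join(body.split())          # drop line breaks inside the body
        try:
            base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate #{index} is not valid base64: {exc}") from exc
        blocks.append("-----BEGIN CERTIFICATE-----\n" + body.strip()
                      + "\n-----END CERTIFICATE-----")
    return blocks


def name_chain(lead_name, pem_text):
    """Map key-ring object names to certificate blocks.

    The lead certificate keeps lead_name; the n-th following certificate
    becomes lead_name + "_Cn" (WebServer, WebServer_C1, WebServer_C2, ...).
    """
    certs = split_pem_chain(pem_text)
    names = [lead_name] + [f"{lead_name}_C{i}" for i in range(1, len(certs))]
    return dict(zip(names, certs))


# Constructed sample chain: placeholder base64 bodies, not real certificates.
SAMPLE_CHAIN = """\
-----BEGIN CERTIFICATE-----
TEVBRF9DRVJUX1BMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFX1BMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVF9QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for object_name, block in name_chain("WebServer", SAMPLE_CHAIN).items():
        print(object_name, "->", block.splitlines()[1][:16] + "...")
```

Running the script with the constructed chain yields the three object names WebServer, WebServer_C1 and WebServer_C2, in the order the certificates appear in the file; an upload without any certificate block, or with a garbled body, is rejected with a ValueError.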

  • Improved Error Message
    The error message describing problems with Shared HA IPv4 address has been updated to contain interface name and address.

  • Reduced Mode Status in InControl
    InControl can now check if a firewall has been put into reduced mode.

  • Updated ACME CLI Commands
    The output of the "acme" CLI command has been updated to better match other CLI commands.

  • Upgraded TLS/SSL Library
    The embedded TLS/SSL library has been updated to the latest version.

  • Warning Added for SHA1
    A warning has been added for users that still use SHA1 in their IPsec configuration, since the algorithm is no longer considered safe.

  • New Application Control Library

    • Streaming

      • FuboTV (fubo_tv)
      • AMC Networks (amc_networks)
      • Optus Sport (optus_sport)
      • nimo_tv (Nimo TV)
      • filmin (Filmin)

    • SaaS

      • Genesys (genesys)
      • Files.com (files_com)
      • catalystone (CatalystOne)
      • zapier (Zapier)

    • VPN / Password Manager

      • star_vpn (Star VPN)
      • dashlane (Dashlane)
      • 1password (1Password)

    • AI

      • DALL-E (dall_e)
      • Midjourney (midjourney)
      • codewhisperer (Amazon CodeWhisperer)

    • Middleware/ERP

      • Datalogic (datalogic)
      • Primion (primion)
      • melsec (Mitsubishi MELSEC)
      • zntrichter_pac (ZNT-Richter PAC admin tool)
      • omron_nbdesigner (Omron NB Designer)

    • ERP

      • gestor (Inetum Gestor)
      • miller_centerpoint (Miller Insight Centerpoint)
      • bmi_gforce (BMI G-Force Plus RF)
      • zebra_rfid (Zebra RFID)
      • llrp (Low Level Range Protocol)

    • IANA Port based protocols

      • 50+ New protocols.

2.3. New Features and Enhancements in cOS Core 14.00.12

  • ACME and Let's Encrypt (BETA)
    Many find working with certificates complicated. We are therefore happy to introduce support for the ACME protocol in cOS Core. The ACME protocol can be used to automatically create and update certificates. One well known certificate provider that uses the ACME protocol is Let's Encrypt. With this new beta feature an administrator can quite easily get a free and trusted Let's Encrypt certificate (a chain of three certificates) that can be used by OneConnect VPN, IKEv2 Roaming VPN (Simplified), the TLS ALG, the Reverse Proxy, and the Admin web user interface etc. In this version the administrator needs to configure a reverse proxy to handle the certificate verification process. The received certificate chain will be available as usual in the key ring. Future versions will extend ACME support.

  • Linktest Command for Network Investigation
    This release adds the "linktest" CLI command. Linktest enables simple network troubleshooting towards NDT7 servers over HTTP and HTTPS as well as custom web servers. Please note that linktest is not a test of the network speed, but a diagnostic tool to check network functionality. More details can be found in the Administration Guide.

  • Improved Interface Statistics
    A new option has been added to the "ifstat" CLI command to show low level interface statistics. Typing "ifstat -extend" will show information that could be useful in troubleshooting scenarios. The change is available on the NetWall 100, 300, 500 and 6000 Series, as well as in 64bit versions for VMware and KVM.

  • Admin Control of OneConnect TCP Only Mode
    OneConnect clients communicate with cOS Core using a Control Channel via TLS and a Data Channel via DTLS. Bulk data is sent via the Data Channel efficiently with the drawback that it is easier to detect and block DTLS. The Control Channel is also able to tunnel data but less efficiently. Data sent over the Control Channel has the advantage that it is cloaked as ordinary HTTPS traffic. This feature makes it possible to disable the data channel from the admin interface, forcing clients to use TCP only mode.

  • Upgraded Crypto Library
    The embedded TLS/SSL library has been updated to the latest version.

  • Security Advisory
    Older insecure DH groups have been marked with "avoid" in IPsec tunnel configuration in the web user interface.

  • Rule Details in the REST API
    New REST endpoints, which show the most important information about the rules in the system, have been added. For IP Rules, the information includes the source interface, source network, destination network, service, action and target ruleset for goto rules. Pipe rules, routing rules, threshold rules and IDP rules do not list action, but otherwise contain the same information. The new endpoints can be used together with the usage endpoints to get a more detailed picture without having to also parse the configuration. For details, see the REST API Guide.

  • New Application Control Library

    • Cryptocurrency

      • huobi (Huobi)
      • zcash (Zcash)
      • crypto_com (Crypto.com)
      • bitmart (BitMart)

    • Games

      • diablo (Diablo)

    • ChatBot

      • bard (Google Bard)

    • Network Services/Management

      • 6lowpan (IPv6 over Low-Power Wireless Personal Area Network)
      • 802_15_4 (IPv6 over Low-Power Wireless Personal Area Network)
      • roughtime (Roughtime)
      • rockwell_thinmanager (Rockwell ThinManager)
      • honeywell_smartte (Honeywell SmartTE)

    • VPN

      • ec_tunnel_vpn (EC Tunnel Pro VPN)
      • softether_vpn (SoftEther VPN)

  • License and SECaaS Status in the REST API
    It is now possible to get some of the details of the installed license over the REST API. The information includes end dates for the license and for subscriptions such as Tech Support, Antivirus, Web Content Filtering and so on. If the installed license is a SECaaS license (subscription based license), the current status will also be shown (similar to the information shown in the CLI).

  • Hardware Sensor Status in the REST API
    Values from hardware sensors used for Hardware Monitoring can now be retrieved using the REST API.

2.4. New Features and Enhancements in cOS Core 14.00.11

  • ECDSA Signed Certificates
    Support for certificates signed with elliptic curve algorithms has been added for use in IPsec tunnels.

  • IPsec: Support for Diffie-Hellman Group (DH) 31
    The list of algorithms supported for DH and Perfect Forward Secrecy (PFS) in IPsec has been extended to include support for the Curve25519 algorithm, DH group 31.

  • SLB Maintenance Mode Over the REST API
    In previous versions it was possible to set SLB servers in maintenance mode using the REST API, but only if the distribution method "resource usage" was used. Now servers can be set in maintenance mode over REST for all distribution methods. Note that ServerID needs to be set.

  • System Error Reports and InControl
    When used together with InControl 3.16.00 or later, system error reports from the 100, 300, 500 and 6000 Series can now be downloaded to InControl.

  • New Application Control Library

    • Chinese Apps

      • 17zuoye (17zuoye)
      • jxedt_com (Jiaxiao Yidian Tong)
      • midu_reader (Midu Reader)
      • qzone (Qzone.qq.com)
      • tencent_mobile_manager (Tencent Mobile Manager)

    • Enterprise

      • juniper_mist (Juniper Mist)
      • securid (RSA SecurID)
      • quickbooks (Quickbooks)
      • tareas_idei (Tareas IDEI A&T)
      • ibm_as_database (IBM iAccess SQL Database Access)
      • ibm_as_netprt (IBM iSeries Network Printer)
      • dahua (Dahua)

    • Games

      • asphalt9 (Asphalt 9 Legends)
      • final_fantasy (Final Fantasy)
      • rainbow6 (Rainbow6)
      • source_engine (Valve Source Engine)
      • square_enix (Square Enix)

    • Streaming

      • wynk (Wynk Music & Podcasts)

    • VPN

      • hotspot_vpn (Hotspot VPN)
      • freevpn_org (Free VPN)
      • surfshark (Surfshark VPN)
      • protonvpn (Proton VPN)
      • melon_vpn (Melon VPN)

    • Web Applications

      • mcdonalds (McDonald's)
      • h_and_m (H & M)
      • about_you (ABOUT YOU)
      • myfitnesspal (MyFitnessPal)
      • autoscout24 (AutoScout24)
      • check24 (Check24)

    • IANA Port based protocols

      • 437 New protocols

  • Updated GeoIP and Ethernet Vendor Databases
    The GeoIP and Ethernet vendor databases have been updated to the latest releases.

2.5. New Features and Enhancements in cOS Core 14.00.10

  • Reverse Proxy
    The system can now act as a reverse proxy for web servers using HTTP and HTTPS. The reverse proxy is configured as a new type of policy in the rule list. The proxy can handle HTTP->HTTP, HTTPS->HTTPS and HTTPS->HTTP, meaning that the firewall handles the TLS decryption, offloading the web server.

    Reverse Proxy requires Enhanced subscription or higher.

  • Blacklist for Reverse Proxy
    The Reverse Proxy has been extended with the possibility to blacklist URLs, giving the administrator the possibility to block certain URLs from external access.

  • IPsec: Support for More Diffie-Hellman Groups (DH)
    The list of algorithms supported for DH and Perfect Forward Secrecy (PFS) in IPsec has been extended to include support for Brainpool algorithms, DH group 28, 29 and 30.

  • Rule Usage in the REST API
    Support for polling rule usage (number of times a rule has triggered) has been added to the REST API. The output is similar to the "rules" CLI command. Rule usage for the main IP ruleset, additional rulesets, IDP rules, threshold rules, pipe rules and routing rules can be polled. See the REST API guide for paths and more details.

  • New Application Control Library
    The Application Library has been updated to version 1.650. Major additions/updates:

    • Chinese apps

      • baidu_mobile_guard (Baidu Mobile Guard - Baidu Shouji Weishi)
      • baidu_short_videos (Baidu Short Videos)
      • bestpay (China Telecom BestPay)
      • bobo_video (Bobo Video)
      • easou (Easou)
      • easou_book (Easou Book)
      • Keep (keep)
      • Migu Reading (migu_reading)
      • pp_assistant (PP Assistant)
      • qimao (Qimao)
      • QingTing FM (qingting_fm)
      • tencent_weishi (Tencent Weishi)
      • yidian_zixun (Yidian Zixun)
      • Zhuanzhuan (zhuanzhuan)
      • Meituan Takeaway (meituan_takeaway)
      • Tonghuashun (tonghuashun)
      • China Telecom (china_telecom)
      • Tencent Sports (tencent_sports)
      • Lan Ren Ting Shu (lanren_tingshu)
      • Zhonghua Wannianli (zhonghua_wannianli)
      • Meiyou (meiyou)
      • Weili Technology (weili)
      • Tiantian Pitu (tiantian_pitu)

    • Games

      • Genshin Impact (genshin_impact)
      • Mihoyo (mihoyo)

    • VPN

      • Aloha VPN (aloha_vpn)
      • iTop VPN (itop_vpn)
      • NordVPN (nordvpn)

    • Enterprise

      • 8x8 (8x8)
      • Airtable (airtable)
      • AppSheet (appsheet)
      • bigfix (HCL BigFix)
      • epic_emr (Epic EMR)
      • ibm_tsm (Tivoli Storage Manager)
      • intersystem_iris (Intersystem IRIS)
      • oracle_bi (Oracle Business Intelligence)
      • IBM iSeries Remote Command (ibm_as_rmtcmd)
      • IBM iSeries (ibm_iseries)
      • IBM iSeries File Server (ibm_as_file)
      • IBM iSeries Central server (ibm_as_central)
      • IBM iSeries Data Queues (ibm_as_dtaq)
      • Apache ActiveMQ (activemq)
      • Intermec Printer Language (intermec_printer)
      • Zebra Programming Language (zebra_zpl)

    • CryptoCurrency

      • CoinGecko (coingecko)
      • CoinMarketCap (coinmarketcap)

    • Streaming

      • Crunchyroll (crunchyroll)
      • Formula 1 - F1 (formula1)
      • Rakuten Viki (rakuten_viki)
      • StarHub TV+ (starhub_tv_plus)
      • Anvato (anvato)
      • WSC Sports (wsc_sports)
      • Vix (vix)

  • Updated Default IPsec Configurations
    The proposal lists for existing IPsec Simplified Roaming, Simplified LAN to LAN and Azure VPN types have been updated to include the new DH Groups (19-21) and AES-GCM. New IPsec tunnels will also have new algorithms selected by default. Existing IPsec tunnels will not be changed, but Clavister recommends all customers to update their IPsec Tunnel configuration, IKE Algorithms and IPsec Algorithm settings to include DH Group 19-21, 28-30 and AES-GCM. DH Groups below 15 are not recommended.

  • Reconnect of OneConnect Clients
    When used together with version 3.5.1 or later of the OneConnect Client for macOS, iOS, iPadOS and Android, cOS Core allows OneConnect sessions to be restarted without the need for re-authentication if the session is re-established within two minutes. This gives an improved end-user experience when for example moving from WIFI to 4G/5G.

  • Polling of active DHCP Server Leases in the REST API
    Support for polling active DHCP Server leases has been added to the REST API. Active leases for a specific DHCP server or all DHCP servers can be listed. When listing a specific server, additional statistics such as pool usage will be included. See the REST API guide for path and more details.

  • Updated GeoIP Database
    The GeoIP database has been updated to the latest release.

2.6. New Features and Enhancements in cOS Core 14.00.09

  • New IPsec Algorithm
    The encryption algorithm AES-GCM can now be used in IKE (IKEv2 only) and IPsec.

  • Support for ECDH Groups 19-21
    Support has been added for using IPsec tunnels with Elliptic Curve Diffie Hellman (ECDH) groups 19, 20 and 21.

  • OneConnect Client Information Log
    Client information is logged to configured log receivers when OneConnect client is connecting, before user authentication. The logged information is device ID (Windows/macOS/iOS/Android/Chromebook), client version, OS version, OS architecture and a UID. The UID is an ID unique for each installation of OneConnect client. Windows clients also send information if Antivirus is enabled and if Antivirus signatures are up to date.

  • Traffic Shaping Status Page
    A new status page has been added in the Web User Interface, showing the status of configured traffic shaping pipes. The page provides the same information as the existing CLI command.

  • Extended URL Filter Redirect with Tag Support
    The URL Filter now allows populating the resulting URL with dynamic information from client and server using predefined tags.

  • Renamed IPv6 Log
    The log message for invalid_ip6_tc has been renamed to invalid_ipv6_tc and the logged rule name to IPv6TC.

  • Updated GeoIP Database
    The GeoIP database has been updated to the latest release.

2.7. New Features and Enhancements in cOS Core 14.00.08

  • Updated GeoIP Database
    The GeoIP database has been updated to the latest release.

2.8. New Features and Enhancements in cOS Core 14.00.07

  • Application-based Policies and Routing
    Support for routing connections based on the identified protocol or application has been added to the IP Policies. By leveraging a technique called First Packet Inspection the firewall can make routing decisions based on the first packet arriving.
    Since the routing decision needs to be taken on the first packet of the connection, only a subset of the applications supported by Application Control can be used.

  • Simplified Migration Tool for IP Rule to IP Policy
    It is now possible to migrate old IP Rules to corresponding IP Policies using a simplified converter, available from a menu alternative in the data grid. The automatic conversion can only be done for a limited number of IP Rule types. Supported IP Rule types:

    • Allow
    • Drop
    • Reject
    • NAT

    Note that the old rule is not automatically deleted in the conversion. The administrator needs to delete the old IP Rule after verifying that the changed ruleset produces the same end result.

  • Spam Sources Added to Threat Prevention
    Protection against spam sources has been added to Threat Prevention. It uses IP Reputation data to block and blacklist IPs that have been categorized as sources for spam.

  • Phishing Protection Added to Threat Prevention
    Phishing has been added to Threat Prevention. It uses IP Reputation data to block and blacklist IPs that have been categorized as sources for phishing attacks.

  • Routes Status Page
    The routes status page has been improved and now also contains information about monitored routes.

  • Status Page for OneConnect
    A new status page has been added in the web user interface showing status for connected OneConnect clients, similar to the "oneconnect" CLI command.

  • One-time Passwords (OTP) for Authentication of OneConnect Clients
    One-time passwords can now be used for authentication with OneConnect. Requires OneConnect Windows version 3.5 or later, OneConnect macOS/iOS/iPadOS 3.4.1 or later, or OneConnect Android 3.4.2 or later.

  • Interface Group and Zone Support in the SSH Server
    The SSH Server now also supports using interface groups and zones as listening interface, in addition to a single interface and "any".

  • Link to Online Documentation
    A button with a question mark symbol has been added at the top-right of the Web User Interface menu. Clicking the button will open a new browser window and display the latest online version of the documentation, such as Administration Guide, Log Reference Guide, CLI Reference Guide and Release Notes.

  • Improved Naming in the Web User Interface
    The options available in the Hardware Monitoring "Type" combobox have been renamed with clearer names and measuring unit has been added.

  • TCP/UDP Support for the Ping Simulation Command over IPv6
    The ping simulation command in the CLI has been enhanced with support for TCP/UDP over IPv6.

  • Monitored Routes in the REST API
    Support for polling route monitor information from the REST API has been added. The API provides the same level of information as the "routemon" CLI command. The path is /api/oper/routemon.

  • Updated Tooltip for PlainText MTU
    The tooltip for plaintext MTU on IPsec tunnels has been updated to contain correct information.

  • InCenter Management Status Command
    A new CLI command has been added to show remote management settings. The CLI command also shows runtime status for the InCenter management connection ("management -type=InCenter").

  • Cloud-initialization Enhancement
    To ensure cloud init functionality, an increasing delay between each cloud initialization attempt has been added.

  • Extended "services" CLI Command
    The "services" CLI command has been updated to output more detailed information about the service.

  • Upgraded TLS/SSL library
    The embedded TLS/SSL library has been updated to the latest version.

  • New Application Control Library
    The Application Library has been updated to version 1.620. Major additions/updates:

    • VPN

      • IPVanish VPN
      • DotVPN
      • Google One VPN

    • Cloud Services

      • Environmental Systems Research Institute (esri)
      • Drift (drift)
      • Oracle Eloqua Marketing Automation
      • Adobe Fonts

    • Enterprise

      • Microsoft Active Directory (ms_ad)
      • Invar Systems AS/RS Control (invar_asrs)
      • Clavister
      • Clavister InControl
      • Clavister NetWall
      • Sentinel RMS
      • ZooKeeper
      • Windows Remote Management (WinRM)
      • Helpsystems QMessage Monitor
      • MS-NRTP
      • Microsoft Directory Replication Service Remote Protocol
      • Jaspersoft
      • NUSP protocol
      • OV Solutions
      • GlobalScape Enhanced File Transfer
      • Microsoft Netlogon Remote Protocol
      • Remote Management and Control Protocol
      • HelpSystems
      • MIME-Based Secure Peer-to-Peer Business Data Interchange Using HTTP Applicability Statement 2 (AS2)
      • RabbitMQ

    • SQL Server

      • Resolution Protocol (MC-SQLR) (ms_ssrp)

    • Gaming

      • Pokemon Unite (pokemon_unite)
      • Valorant (valorant)

    • Streaming

      • Paramount+ (paramount_plus)
      • Hotstar (hotstar)

    • SaaS

      • GoodData
      • PagerDuty
      • MuleSoft
      • Adobe Creative Cloud
      • JFrog
      • Onlyoffice Cloud
      • Qlik
      • Practice Ignition

    • SCADA

      • Bosch Security Conettix
      • Codesys Protocol (IDE-PLC)

    • Chinese Apps

      • Agricultural Bank of China
      • China Construction Bank
      • China Unicom - China United Telecommunications Corporation
      • CMB - China Merchants Bank
      • Fun Headlines (qutoutiao)
      • Tencent Map
      • Vipshop - Wei Pin Hui
      • WeCom - Enterprise Wechat
      • Chang Ba
      • Kingsoft
      • WPS Office
      • Idle Fish
      • NetEase News
      • B612 Kaji
      • Baidu News
      • Taote
      • China Individual Income Tax
      • ICBC - Industrial and Commercial Bank of China

  • More Detailed Disconnected Reasons for OneConnect Clients
    cOS Core will now send the reason why it disconnected the OneConnect client. Example of reasons are "max idle time expired" and "administrator forced user logout".

  • Link Monitor Status Page
    A new status page has been added in the web user interface, showing the status of configured link monitors. The page provides the same information as the existing CLI command.

  • Geo IP Information Added to the Blacklist Status Page
    The Blacklist Status page in the web user interface has been extended with Geo IP information showing country/region flag for blacklisted addresses where available.

  • High Availability (HA) Status in the REST API
    It is now possible to get the status of an HA cluster using the REST API. The information available is the same as in the "ha" CLI command, namely the role, if the node is active or inactive, number of seconds for that state and if the other HA peer is found to be dead or alive. The path is /api/oper/ha.

  • Updated GeoIP Database
    The GeoIP database has been updated to the latest release.

  • Monitored Hosts in the REST API
    Support for polling host monitor information from the REST API has been added. The API provides the same level of information as the "hostmon" CLI command. The path is /api/oper/hostmon.

  • Updated SECaaS HA System Messages
    When using SECaaS HA, the reduced mode and lockdown system messages were not clear in stating that entering reduced mode was due to cluster peer request. Those messages now clearly state the mode is due to a peer request.

2.9. New Features and Enhancements in cOS Core 14.00.06

  • Improved Hostmonitor CLI Command
    The "hostmon" CLI command has been improved. A new column in the standard width has been added that shows which subsystem created the host monitor. The layout of the list has also been changed to better align with other CLI commands and to take less vertical space. In verbose mode, the subsystem has also been added to the output.

  • WebUI Quick Search
    The WebUI now has a quick search functionality that allows simple and fast navigation between configured objects.

  • Improved Custom Timeout Setting for Better Connection Handling
    It is now possible to set "TCP Closing Idle Lifetime" to zero when configuring TCP Service custom timeouts, meaning any connection will not be placed in the FIN_RCVD state but rather moved immediately to zombie state (queued for immediate connection closure) when an RST or FIN is received.

  • Support for Downloading System Error Reports for 64 bit Versions in WebUI
    System Error Reports can now be downloaded from the web user interface under 64 bits version of cOS Core.

  • Time Sync Log Entry
    A log entry has been added to indicate when a successful SNTP/NTP query was made.

  • Status Page for Host Monitor
    A new status page has been added for host monitor. It will give the administrator the same information as in the "hostmonitor" CLI command from the web user interface.

  • Modernized Application Library Browser
    The Application Library browser has got a more modern look and feel.

  • Upgraded TLS/SSL library
    The embedded TLS/SSL library has been updated to the latest version.

  • Updated GeoIP Database
    The GeoIP database has been updated to the latest release.

2.10. New Features and Enhancements in cOS Core 14.00.05

  • Auto Save for Extension Modules
    If changes in the Ethernet interface module configuration (PCI hardware addresses) are detected on boot or after a synchronized configuration from InControl, the configuration file with the updated extension module configuration will automatically be saved to media. These changes are detected on the first start-up after interface modules have been added, removed or moved.

2.11. New Features and Enhancements in cOS Core 14.00.04

  • Enhanced UTM Information in the CLI
    The number of signatures in Antivirus and IDP databases is now shown when using the CLI command "updatecenter".

  • Password-less Login for OneConnect
    The OneConnect interface can now be used without a password login, in combination with our designated IAM solution and its accompanying mobile app.

  • SECaaS Registration in the Web User Interface
    SECaaS license registration can now be done in the Web User interface. Previously this was only possible in the CLI.

  • 64-bit Support for Hyper-V and Azure Virtualization
    NetWall 64-bit version can now be installed in a Hyper-V and Azure environment.

  • Updated GeoIP and Ethernet Vendor Databases
    The GeoIP and Ethernet vendor databases have been updated to the latest releases.

2.12. New Features and Enhancements in cOS Core 14.00.03

No new features were introduced in the 14.00.03 release.

    2.13. New Features and Enhancements in cOS Core 14.00.02

    • Support for Clavister NetWall 500 Series
      cOS Core now supports the new NetWall 500 Series. See our web page for more information about this model.

    • New File Type Filter When Restoring Backup Files
      When uploading a backed up configuration or system file, the browser dialog now only lists files of type ".bak".

    • Firmware Version over SNMP
      It's now possible to retrieve the cOS Core version using SNMP.

    • Upgraded TLS/SSL Library
      The embedded TLS/SSL library has been updated to the latest version.

    • Updated GeoIP and Ethernet Vendor Databases
      The GeoIP and Ethernet vendor databases have been updated to the latest releases.

    • New Application Control Library
      The Application Library has been updated to version 1.580. Major additions/updates:

      • SCADA

        • Dr Schenk Inspection System [dr_schenk_is]
        • AAON PRISM 2 [aaon_prism]
        • High-Level Data Link Control [hdlc]

      • Enterprise

        • Simple Protocol for Independent Computing Environments (SPICE) [spice]
        • Bill.com
        • Synology Active Backup for Business Agent [synology_backup]
        • Pipeliner CRM [pipeliner]
        • Veeam [veeam]
        • SAP MaxDB [maxdb]
        • IBM Application System - Server Mapper [ibm_as_srvmap]
        • SendGrid [sendgrid]
        • Jenkins [jenkins]
        • Apache Solr [apache_solr]
        • Microsoft Distributed Transaction Coordinator [ms_dtc]
        • Microsoft Local Security Authority Remote Protocol [ms_lsad]

      • VPN

        • HA Tunnel Plus, HA Tunnel Pro, HA Tunnel Lite [ha_tunnel]
        • Wire Tun [wire_tun]

      • SaaS

        • FreshBooks [freshbooks]
        • HubSpot [hubspot]
        • Xero [xero]
        • Mailchimp [mailchimp]
        • Nextroll [nextroll]
        • Codesignal [codesignal]
        • Domo [domo]
        • ClickUp [clickup]
        • Tableau [tableau]

      • Chinese Apps

        • DingTalk/DingDing [dingtalk]
        • Tencent Appstore [tencent_appstore]
        • QQ Browser [qq_browser]
        • Snodehome [snodehome]

      • Health

        • Health Level 7 [hl7]
        • Epic Hosting [epic_hosting]

      • Misc

        • Private Relay (iCloud Private Relay) [private_relay]
        • Garena Free Fire [free_fire]

    2.14. New Features and Enhancements in cOS Core 14.00.01

    • Improvements in the Web User Interface


      • The tooltip in the WebUI's Application Control selection filter was clarified to make it more user friendly.
      • IPsec statistics on the IPsec Status page have been made easier to read by using the MB, GB and TB suffixes instead of a single number without a unit.
      • A version number has been added to the "Update Center History" IP Reputation logs, and a time stamp to the IDP and Antivirus downloads.

    • Clearer Application Control Log Messages
      Application Control logs have been enhanced with the addition of "allow" as "Action" when an application has been identified so the flow can be traced more easily.

    • Improvements in the CLI
      The output of the CLI command "ipsec -globalstats" has been changed from "Quickmode" to "Phase 2" in order to be consistent with IPsec wording in general.

    • Support for Fallback Server for Server Load Balancing
      It is now possible to specify a fallback server in SLB that will be used when no other server is reachable.

    • Improved Interface Statistics for InControl
      Improved the accuracy of InControl statistics over highly stressed interfaces.

    • Improved System Backup
      Full Backup files now include the DHCP Server lease databases if present.

    • SECaaS Grace Period Extension
      The SECaaS grace period has been extended from 6 hours to 2 weeks or the end date of the license, whichever comes first.

    • Security Equivalent Added to Zones
      The "Transport / Security Equivalent" option has been added to "Zone" interface objects.

    • Proxy Settings for OneConnect Clients
      Added the possibility to push a proxy auto-config URL to OneConnect clients.

    • New SNMP Values
      New OIDs have been added for SNMP retrieval, namely "Hardware Model", "License Model" and "Serial Number".

    • New Server Load Balancing Distribution Method
      This release introduces a new SLB distribution method "Strict" that will always send to the first active server in the list.

    • Better Support for SECaaS Licenses in High Availability
      The inactive node of an HA cluster can now verify the license status using its active peer, when access to the CSPN servers is not possible (for example when the HA cluster shares one public IP address).

    • Updated GeoIP and Ethernet Vendor Databases
      The GeoIP and Ethernet vendor databases have been updated to the latest releases.

    2.15. New Features and Enhancements in cOS Core 14.00.00

    • Support for KVM Hypervisor on ARMv8
      The cOS Core firewall can now run under the KVM hypervisor under 64-bit ARMv8.

    • Support for Clavister NetWall 6000 Series
      cOS Core now supports the new NetWall 6000 Series. See our web page for more information about this model.

    • New Antivirus Signature Provider
      The antivirus subsystem now uses the Bitdefender antivirus engine which provides optimum security as well as improved memory usage and efficiency.

    • Support for Clavister NetWall 100 Series
      cOS Core now supports the new NetWall 100 Series. See our web page for more information about this model.

    • HTTPS Support For HTTP Poster
      The HTTP Poster has been enhanced with support for HTTPS. This includes all the Dynamic DNS services. As a security measure, it is possible to specify a Root, Intermediate or Host certificate against which the server certificate is validated during connection.

    • Support for Duck DNS
      Support for the Duck DNS client has been added to the list of available DynDNS alternatives.

    • New Parameter to Activate a Virtual License in the CLI
      The possibility to activate a virtual SECaaS license using the console command "license" has been added.

    • New Parameter to Remove the License in the CLI
      The console command "license" has been enhanced with an option to remove a SECaaS license, if present.

    • MAC Vendor Lookup Support
      A new console command "enet_vendor" has been added to look up the vendor of a MAC address.

    • HTTP 1.1 in Cloud-Init
      The Cloud-Init functionality has been enhanced with support for HTTP 1.1 for communication.

    • Updated Application Control Engine
      The Application Control Engine has been updated to version 5.7.

    • MyApps Support for OneConnect Clients
      When used together with Clavister EasyAccess, cOS Core can now provide the MyApps web portal to OneConnect clients (if the client supports it).

    • New Application Control Library
      The Application Library has been updated to version 1.560. Major additions/updates:

      • Audio/Video

        • Anghami (anghami)
        • BeIN SPORTS (bein_sports)
        • Triton Digital (tritondigital)
        • Libsyn (libsyn)

      • Education

        • ClickView (clickview)
        • Zuoyebang (zuoyebang)
        • Udemy (udemy)
        • OpenSesame (opensesame)

      • SCADA

        • Socomec (socomec)
        • DLMS/COSEM over IP (dlms)
        • iWarehouse (iwarehouse)
        • Automation (br_automation)

      • Enterprise

        • Tress Poll (tress_poll)
        • .NET Message Framing Protocol (ms_nmf)
        • Active Directory Web Services (ms_adws)

      • Instant Messaging

        • Botim (botim)
        • WhatsApp Business API (whatsapp_api)

      • SaaS

        • MeisterLabs (meisterlabs)
        • Fleetsmith (fleetsmith)

      • Social Networking / Instant Messaging

        • Omegle (omegle)
        • Douyin (douyin)

    • Information About "Legacy" Functionality
      IP Rules and SSL VPN are now marked as legacy in the Web User Interface. Clavister recommends using IP Policies instead of IP Rules. Clavister also recommends using OneConnect instead of SSL VPN. OneConnect supports a wider range of Clavister-branded clients (Windows, macOS, iPadOS, iOS and, during 2022, also Android), has higher throughput and is not limited in the number of clients and routes in the way SSL VPN is.

    • Updated GeoIP and Ethernet Vendor Databases
      The GeoIP and Ethernet vendor databases have been updated to the latest releases.

    • Improved Readability of the Memory Log
      Log entries generated in the local firewall memory log that are empty (without values/data), are now listed after parameters with values. Empty values also have a lighter color for enhanced readability.

    Chapter 3: Addressed Issues

    The following sections detail the addressed issues in Clavister cOS Core 14.00.14 release.

    3.1. Addressed Issues in cOS Core 14.00.14

    • COP-24150: In older versions of Chrome, logging in to the HTTPS Web User Interface for management could fail due to the way certificates were treated by the browser.

    • COP-24707: The system could in certain scenarios restart unexpectedly during reconfiguration, after changes to multiple interfaces.

    • COP-24733: Traffic inside an IPsec tunnel using the encryption algorithm AES-GCM was dropped if Integrity Algorithm proposal "None" was received during a tunnel negotiation.

    • COP-23704: In the event of an error, the High Availability (HA) wizard would not finish but also would not show any error message to the user.

    • COP-22715: The list of additional seen DHCPv6 offers in the "dhcpv6" CLI command was unaligned. The table width has been increased and a maximum size has been set for each column. If an address is longer than allowed, it will be truncated.

    • COP-24701: The HTTP ALG could sometimes fail to parse the SNI name from an HTTPS ClientHello. The parser has been updated to handle SNI names correctly.

    • COP-24711: The icon indicating Geolocation filter in the WebUI datagrid could sometimes overlap with the text. The rendering has been updated to correctly truncate the text if overlap was going to happen.

    • COP-24712: On the Interface Status page in the Web User Interface, the private IP address was written twice for HA setups. The shared IP is now correctly written within parentheses.

    • COP-24734: Responses to ACME challenges would in some cases be done twice for a request.

    3.2. Addressed Issues in cOS Core 14.00.13

    • COP-24494: The system could on some rare occasions restart unexpectedly due to an error in the Web Content Filtering subsystem.

    • COP-24500: The system sometimes restarted unexpectedly when using OneConnect. Affected models: 300, 500 and 6000 Series.

    • COP-24551: The system could on rare occasions restart unexpectedly when polling statistical values. Affected models: 100, 300, 500 and 6000 Series.

    • COP-24552: The firewall could on rare occasions restart unexpectedly due to an error in OneConnect.

    • COP-24658: IPsec tunnel negotiation failed when the integrity algorithm "none" was used together with AES-GCM cipher.

    • COP-24343: VLANs would not work in some virtual environments when using 64-bit cOS Core.

    • COP-24626: Cloud-init could fail when network MTU was set to null or an invalid value.

    • COP-24627: Cloud-init failed if the system name contained a space character.

    • COP-22227: The log messages "fragments_available_freeing" (02000100) and "fragact_contains_frags" (02000002) had severity level "critical". Both have now been lowered to severity level "warning". The revisions of the two messages have been increased by one as a result of the correction.

    • COP-23634: It was not possible to remove a license permanently when using subscription-based licenses on virtual installations of cOS Core.

    • COP-24372: When deploying a configuration using InControl to an active node in an HA cluster the local configuration version should remain the same but could in some cases incorrectly be increased, causing an alarm in InControl to be set.

    • COP-24402: A closing or failed OneConnect session was sometimes left open for an unnecessarily long time.

    • COP-24589: The log messages "failed_to_link_ike_and_userauth" (01803300) and "failed_to_find_userauthobject_for_ipsec_sa" (01803302) contained a misspelled word. The revisions of the two messages have been increased by one as a result of the correction.

    • COP-24591: The setting Security/Transport Equivalent on a Zone did not work as expected.

    • COP-24596: The web user interface pages for Threshold Rules and Pipe Rules were not aligned with other Rule and Policy pages in the Filter section.

    • COP-24604: With the addition of the CLI command for ACME, it was no longer possible to use the short form "ac" of the activate command for the activate and commit procedure. The abbreviation "ac" has now been added as an alias for activate.

    • COP-24608: ACME could sometimes start its process on the activate command, i.e. before commit was issued. This has now been changed to always start only after the commit command.

    • COP-24633: Download of system error reports to InControl could in some rare scenarios fail.

    • COP-24634: The CA Path Length Constraint could be set to an incorrect value when generating a certificate.

    • COP-24644: An IPsec tunnel using AES-GCM was sometimes closed after an HA failover.

    3.3. Addressed Issues in cOS Core 14.00.12

    • COP-24350: Using a Multicast Policy, it was not possible to forward the same multicast group in a bi-directional fashion. cOS Core only had the notion of a multicast group either being "joined" (requested from the source) at a given interface, or "queried" (verified that there are any listeners). This was partially by design, as this is the only scenario supported by the original IGMP specification. As an extension, cOS Core will now handle the same group being both "joined" and "queried" at the same interface. Note that IGMP "querier election" has to be disabled for this to be useful.

    • COP-24489: Reverse Proxy could in some High Availability setups cause an unexpected restart.

    • COP-24364: Certain traffic patterns with a high number of connections with the same IP and port inside an IPsec tunnel generated higher CPU load than expected.

    • COP-24506: Authentication in SNMPv3 was inefficient and caused a high CPU load.

    • COP-23626: It was not visible enough when firewalls entered "recovery mode". Affects: NetWall 100, 300, 500 and 6000 Series, as well as 64-bit versions for VMware and KVM.

    • COP-24223: An SLB Policy would incorrectly try to configure VoIP when selecting Service with a SIP or H323 Protocol. The SLB Policy now correctly ignores the Service Protocol information. Service Protocols/ALGs are not supported in Server Load Balancing.

    • COP-24423: IPsec rekey using AES-GCM as cipher could fail on a High Availability cluster member after fail over from the node that was active when the IPsec SA was created.

    • COP-24461: Setting DTLS port to 0 for OneConnect interfaces caused errors when connecting OneConnect clients. It is no longer possible to set port to 0.

    • COP-24464: It was possible to choose 192 bits as the key size when generating a certificate in the web user interface, but certificate generation then always failed. The 192-bit option has been removed, since NIST, among others, recommends larger key sizes.

    • COP-24492: The "slb" command did not handle policies in other rulesets than the default correctly. The command has been updated to correctly handle multiple rulesets and also use currently running information instead of configured values.

    3.4. Addressed Issues in cOS Core 14.00.11

    • BAI-317: KVM installation images before 14.00.11 had a disk image that in some cases could be too small. Clavister recommends taking a configuration backup, downloading a new KVM installation from my.clavister.com with version 14.00.11 or higher, reinstall the virtual machine and then restore the backup. The new installation file has a disk that is 512MB.

    • COP-24366: IPsec IKEv1 negotiation failed with "No_Proposal_chosen" when the IKE algorithm for the IPsec tunnel contained AES-GCM together with at least one other cipher.

    • COP-24367: In some rare scenarios, hardware acceleration could fail with interrupted IPsec traffic as result. Affects 500 and 6000 Series.

    • COP-24373: Some web user interface status pages did not correctly check for CSRF, allowing actions to be triggered through external links while an administrator was logged in.

    • COP-24425: Reverse Proxy could on occasion enter a loop, causing the system to perform an unexpected restart.

    • COP-23859: The system real-time clock (RTC) was not updated together with the system clock, which could cause the clock to be incorrect after a reboot. Affects 100, 300, 500 and 6000 Series, as well as 64-bit versions for VMware and KVM.

    • COP-23916: Configurations with a total of more than 32 interfaces could fail to correctly populate the connected Zone object. Zone handling has been updated to correctly add all interfaces.

    • COP-24375: Some input fields in the web user interface did not correctly escape text, allowing possible Cross-Site Scripting (XSS) code injection while an administrator was logged in.

    • COP-22916: The output from the CLI command "dns" has been updated to make it more aligned with how DNS servers are configured in the CLI.

    • COP-24326: A OneConnect client could look like it was re-connected after switching between networks, e.g. from Wi-Fi to 5G, but the VPN tunnel was in fact disconnected.

    • COP-24353: A Reverse Proxy Policy could only be added to the Main IP Rules. Now it can also be added to an Additional IP Rule Set.

    • COP-24368: Refreshing the SLB (Server Load Balancing) status page would always reset to showing the first SLB rule. The SLB page has been updated to refresh to currently selected page.

    • COP-24389: When using Server Load Balancing (SLB) the system could in some rare cases go into an unstable state.

    • COP-24412: ALG module names were not consistently cased in logs. All ALG module names are now in lowercase.

    3.5. Addressed Issues in cOS Core 14.00.10

    • COP-23466: When the active node switched to the other node in High Availability systems, loop detection sometimes triggered on certain vendors' switches.

    • COP-24227: The LW HTTP ALG could in some very rare cases cause an unexpected restart of the firewall.

    • COP-24236: The system could in some rare occasions restart unexpectedly when receiving traffic on a OneConnect Interface.

    • COP-24208: Systems running under the x86_64 architecture could in some rare occasions restart unexpectedly if Poll Offloading was disabled.

    • COP-24212: A configuration with an IPsec tunnel using a group of addresses as remote endpoint could create incorrect traffic matching rules that could fail configuration verification and cause an endless loop of reboots.

    • COP-24256: The IPsec CLI command for an existing IPsec SA showed an incorrect value for Lifetime in bytes if the lifetime was large.

    • COP-20108: The system could in some rare occasions restart unexpectedly if IPsec Interfaces with ongoing CRL lookups were changed during reconfiguration.

    • COP-22708: On certain hardware models like the 6000 Series or the 100 Series, the system sometimes reported incorrect Link Status in the "Ifstat" CLI command.

    • COP-24261: Real time monitor for stat values of type 'counter' used the wrong threshold set in the configuration.

    • COP-24263: The error message shown when using only the AES-GCM cipher while also selecting an Integrity Algorithm in the IKE and IPsec algorithms was unclear and has been updated with a more detailed description.

    3.6. Addressed Issues in cOS Core 14.00.09

    • COP-23886: When no DNS server IP was configured, there could be an unexpected restart.

    • COP-23948: The firewall could go into an endless reconfigure loop for certain configurations using DHCPv6 server.

    • COP-24240: The HTTP ALG could incorrectly strip one of the newline characters for Accept-Encoding in the HTTP header if the value was empty. The HTTP ALG now correctly handles empty Accept-Encoding values.

    • COP-24155: Real Time Monitoring could in some cases calculate the average incorrectly for statistical values of type 'counter'. It has now been changed to always compute the average 'count per second' over the sample time. Furthermore, the monitoring has been extended to also include 64-bit counters.

    • COP-22490: The error message shown in the Web User Interface when trying to add an SSH key of size 4096 was not very descriptive and has been updated.

    • COP-24135: Anti-virus engine error reporting under the diagnostics console could in some scenarios lead to too many reports on the same error. The reporting frequency is now reduced for similar errors.

    • COP-24151: The log message when no LDAP server was found could trigger a faulty behavior and lead to an unexpected restart.
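
The COP-24155 item above describes an average "count per second" computed over the whole sample window and support for 64-bit counters. The following is an added example, not cOS Core code, showing in Python how such a rate is derived from raw counter samples and why the counter width matters: it assumes (this is not stated in the release notes) that the counters are monotonic and may wrap at 2^32 or 2^64, so a decrease between samples is treated as a single wrap. The naive per-interval mean is included only for contrast, and the sample data is constructed.

```python
def counter_delta(prev: int, cur: int, bits: int = 64) -> int:
    """Increase between two samples of a monotonically increasing counter of the
    given width, treating a decrease as a single wrap-around of that width.
    (Assumption for this example: counters are 32- or 64-bit and wrap at most once.)"""
    if bits not in (32, 64):
        raise ValueError("unsupported counter width")
    modulus = 1 << bits
    if not (0 <= prev < modulus and 0 <= cur < modulus):
        raise ValueError("counter value outside %d-bit range" % bits)
    return (cur - prev) % modulus


def average_rate(samples, bits: int = 64) -> float:
    """Average count per second over the whole window, i.e. total increase divided
    by total elapsed time. samples: (timestamp_seconds, counter_value), oldest first."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    total = 0
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("timestamps must strictly increase")
        total += counter_delta(c0, c1, bits)
    return total / (samples[-1][0] - samples[0][0])


def naive_average_rate(samples) -> float:
    """The shortcut this example warns against: a mean of per-interval rates with
    no wrap handling. Wrong when intervals differ in length or the counter wraps."""
    rates = [(c1 - c0) / (t1 - t0) for (t0, c0), (t1, c1) in zip(samples, samples[1:])]
    return sum(rates) / len(rates)


def threshold_exceeded(samples, limit: float, bits: int = 64) -> bool:
    """Alert decision: does the window-average rate exceed the configured limit?"""
    return average_rate(samples, bits) > limit


# Constructed sample: a 32-bit packet counter read every 10 s that wraps past 2^32
# between the second and third reading. Every interval really carries 200 packets.
SAMPLES_32 = [(0, 4294967000), (10, 4294967200), (20, 104), (30, 304)]

# Constructed sample with unequal intervals: 100 packets in the first second, then
# nothing for ten seconds. The true window average is 100 / 11 per second.
SAMPLES_UNEVEN = [(0, 0), (1, 100), (11, 100)]

if __name__ == "__main__":
    print("window average (32-bit):", average_rate(SAMPLES_32, bits=32))
    print("naive mean (no wrap handling):", naive_average_rate(SAMPLES_32))
    print("window average, uneven:", average_rate(SAMPLES_UNEVEN))
    print("naive mean, uneven:", naive_average_rate(SAMPLES_UNEVEN))
```

Reading the same 32-bit samples as a 64-bit counter turns the wrap into an enormous false increase, which is why the counter width has to be part of the monitor definition rather than guessed from the values.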

    3.7. Addressed Issues in cOS Core 14.00.08

    • COP-23919: Configurations featuring OSPF may occasionally indicate insufficient memory. This is applicable to 100 Series, 300 Series, 500 Series and 6000 Series.

    • COP-23990: There was a problem with an interface buffer that could result in problems sending/receiving traffic on multiple interfaces. This is applicable to 100 Series, 300 Series, 500 Series and 6000 Series.

    • COP-24112: There was a data buffer issue in the poll-offloading subsystem that could lead to unexpected behavior.

    3.8. Addressed Issues in cOS Core 14.00.07

    • COP-22639: The system sometimes restarted unexpectedly when handling fragmented traffic.

    • COP-23774: The license expiration warning was giving notifications too early when using subscription based licenses. The system now notifies when there is less than 5 days left of the license.

    • COP-24036: The serial console access process did not correctly handle reloading the user database, which in some cases could result in an unexpected restart. Affects: 100-Series, 300-Series, 500-Series and 6000-Series.

    • COP-24037: Long passwords could not reliably be used in the serial console due to a limited buffer length. Affects: 100-Series, 300-Series, 500-Series and 6000-Series.

    • COP-22827: Connection logs could show incorrect MAC addresses when issuing pings from the firewall itself.

    • COP-23797: The text box for specifying password-less user message on the OneConnect configuration page was too small.

    • COP-23932: Two KEX INIT messages were sometimes sent during the SSH connection attempt to an InCenter server.

    • COP-23945: MAC addresses in logs were sometimes not displayed correctly.

    • COP-23950: It was not possible to view the host monitor status page in the web user interface when logged in as an auditor user.

    • COP-23962: The HTTPSBlockPage was not sent when a blacklisted URL in the URL list of a WebPolicy was blocked if Web Content Filtering was not enabled on the WebPolicy.

    • COP-23969: Processing certain Link Aggregation packets could in some rare situations cause memory corruption.

    • COP-23970: The packet buffer management was not optimal and has now been enhanced.

    • COP-23972: A buffer leakage could in some rare occasions occur in DHCP Relay during an error condition.

    • COP-24038: The system could fail to start if the Remote Management HTTPS certificate could not be read.

    3.9. Addressed Issues in cOS Core 14.00.06

    • COP-23851: The system could make an unexpected restart when performing a reconfigure with certain OneConnect configurations present.

    • COP-23915: The system could in rare occasions restart unexpectedly if active SIP sessions existed during reconfigure.

    • COP-23852: The system could under rare occasions restart unexpectedly if a OneConnect connection lasted over several reconfigurations.

    • COP-23906: SIP and H323 traffic connected to an IP Policy was using old values after a configuration update. SIP and H323 now correctly update the values on configuration update.

    • COP-23922: The system could under rare occasions restart unexpectedly during IDS, Anti Virus or IP reputation updates if a memory allocation failure occurred.

    • COP-23372: The Email control whitelist function did not work for addresses with an initial capital letter.

    • COP-23513: Some runtime values in the WebUI license page showed incorrect values. The WebUI license page has been updated to show correct runtime values.

    • COP-23631: The log message "conn_open_nat" was only generated for connections that used NAT, while connections that used SAT produced the ordinary "conn_open" message, which lacks the translated address information. "conn_open_nat" is now generated for connections that use either NAT or SAT.

    • COP-23654: There was no log event printed when a OneConnect user was logged out.

    • COP-23714: The system could on some rare occasions during reconfiguration read from freed memory in the PPTP ALG and the IMAP ALG.

    • COP-23819: HTTPS requests through an IP Policy with a Web Profile that were made without an SNI value would incorrectly bypass the URL Filter and Web Content Filter on the IP Policy. Such requests now fall back to using the destination IP address as the SNI value for the URL filter, and to the Non-Managed Action for WCF.

    • COP-23828: Renaming an interface with active DHCP client lease could in some situations generate an unexpected restart.

    • COP-23844: The OneConnect VPN tunnel was disconnected when congestion occurred. Now packets will be dropped instead of disconnecting the tunnel.

    • COP-23855: Faulty error handling in WebUI rendering could cause problems when rendering non-existent pages. The error handling has been updated to return the correct status code when a problem is detected.

    • COP-23896: The Log Message ID for Real-time Monitor alert log messages could be set to a higher value than the available number of figures in the log message. The setting now has a max value.

    • COP-23918: The WebUI would incorrectly try to refer to icons that did not exist in the data grid. The WebUI will fallback to rendering an empty image when the icon for an object in the data grid doesn't exist.

    • COP-23941: The SIP module's error handling was not optimal and has been improved.
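
The SNI parsing fix in COP-24701 (section 3.1) and the no-SNI fallback in COP-23819 above both depend on extracting the server_name from a TLS ClientHello correctly: walking the record, handshake and extension layers with bounds checks, not assuming the SNI extension comes first, and returning nothing rather than garbage when it is absent so the caller can fall back to the destination IP. The following is an added example in Python, not cOS Core code, that implements that parser. The ClientHello bytes are constructed inline by a helper; the zeroed random, cipher suites and extension payloads in it are placeholders.

```python
import struct


def _u16(buf: bytes, pos: int) -> int:
    """Big-endian 16-bit read with a bounds check (raises on truncation)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello_sni(record: bytes):
    """Return the host_name from the server_name extension of a TLS ClientHello
    record, or None when the ClientHello carries no SNI. Raises ValueError for
    anything that is not a well-formed ClientHello."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake.
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello.
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    # Fixed part: client_version(2) + random(32), then three variable-length fields.
    pos = 2 + 32
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                  # session_id, 1-byte length
    pos += 2 + _u16(hello, pos)            # cipher_suites, 2-byte length
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                  # compression_methods, 1-byte length
    if pos == len(hello):
        return None                        # no extension block at all
    ext_end = pos + 2 + _u16(hello, pos)
    pos += 2
    if ext_end != len(hello):
        raise ValueError("extensions length does not match ClientHello length")
    # Walk the extension list; server_name is type 0 and may appear at any position.
    while pos < ext_end:
        ext_type = _u16(hello, pos)
        ext_len = _u16(hello, pos + 2)
        ext = hello[pos + 4:pos + 4 + ext_len]
        if len(ext) != ext_len or pos + 4 + ext_len > ext_end:
            raise ValueError("truncated extension")
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        # server_name: list_length(2), then entries of name_type(1) name_length(2) name.
        list_end = 2 + _u16(ext, 0)
        q = 2
        while q < list_end:
            name_len = _u16(ext, q + 1)    # raises if the entry header is cut off
            name_type = ext[q]
            name = ext[q + 3:q + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated server_name entry")
            q += 3 + name_len
            if name_type == 0:             # 0 = host_name; other types are reserved
                return name.decode("ascii")
    return None


def filter_key(record: bytes, dst_ip: str) -> str:
    """Key used for URL filtering: the SNI when present, otherwise the destination
    IP address (the fallback behaviour COP-23819 describes)."""
    return parse_client_hello_sni(record) or dst_ip


def build_client_hello(server_name=None, session_id=b"", leading_exts=()):
    """Constructed test data: a minimal TLS 1.2-style ClientHello. leading_exts are
    (type, payload) tuples placed before the SNI extension to exercise ordering."""
    exts = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in leading_exts)
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)                        # version + placeholder random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # two placeholder cipher suites
             + b"\x01\x00")                                 # one compression method: null
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(parse_client_hello_sni(build_client_hello("example.com")))
    print(filter_key(build_client_hello(None), "192.0.2.10"))
```

Two details matter for a filter that makes policy decisions on this value: a ClientHello without the extension must yield None rather than an exception, so the policy falls through to the IP-based key instead of being skipped, and truncated or malformed input must be rejected rather than silently producing a partial name.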

    3.10. Addressed Issues in cOS Core 14.00.05

    • COP-23853: Interfaces on the NetWall 100, 300, 500 and 6000 Series could end up not receiving packets and constantly increase the input "nobuf" interface counter making the interfaces unable to forward any traffic.

    • COP-23505: Memory allocation for Application Control could on rare occasions malfunction and print an error message in the diagnostic console that said VChunk_Alloc failed.

    • COP-23821: The maximum allowed IPsec tunnels limit was in some situations incorrectly reached causing IPsec negotiations to be aborted.

    • COP-23805: An uploaded configuration containing an invalid "ConfigDate" in the Device node could not be activated. The invalid value is now removed and automatically recreated on activation.

    • COP-23829: Performing a factory reset from the boot menu could result in platform specific files being deleted. Affected models: 100, 300, 500 and 6000 Series.

    3.11. Addressed Issues in cOS Core 14.00.04

    • COP-23717: The system could on rare occasions restart unexpectedly during IDP or LWHTTP ALG processing together with Antivirus.

    • COP-23748: The X-interfaces and 10 GbE interfaces on modules on the 6000-series were unable to receive full size frames with VLAN.

    • COP-23511: When using the OneConnect interface in TCP-only mode, the VPN tunnel would not forward traffic after a short while.

    • COP-17752: The output for the CLI command "dhcprelay -show" regarding relays actually being tracked was wrong and has been corrected.

    • COP-20017: The tool tip for custom timeout settings on services was not clear and has been extended and clarified.

    • COP-21743: IKE and IPsec SAs were sometimes not synced correctly between the High Availability peers.

    • COP-23627: During local lockdown, configurations using InCenter management could trigger unexpected behavior.

    • COP-23657: High Availability sync of IKE SAs could in some cases fail if the IPsec interface was configured to use ConfigMode.

    • COP-23664: Failed IPsec EAP negotiations could under some rare occasions cause memory corruption.

    • COP-23671: SMTP ALG sessions active during a reconfiguration were sometimes not removed resulting in a small memory leak.

    • COP-23677: POP3 ALG sessions active during a reconfiguration were sometimes not removed resulting in a small memory leak.

    • COP-23698: If more than 3 DNS servers were received during cloud-init, the process would fail to complete configuration.

    • COP-23701: The system could on some rare occasions during reconfiguration read from freed memory in the SMTP ALG and the POP3 ALG.

    • COP-23707: The system could on rare occasions restart unexpectedly shortly after reconfigure. This happened if a DNS query for an antispam DNSBL lookup, active during the reconfigure, failed.

    • COP-23713: The system could in some cases read from uninitialized memory if IMAP ALG sessions were active during system shutdown.

    • COP-23716: Uploading a configuration backup using "scp" could print a strange filename in the CLI on the 6000 series.

    3.12. Addressed Issues in cOS Core 14.00.03

    • COP-23731: The embedded TLS/SSL library contained a vulnerability when using TLS v1.3. The library has been updated to the latest version, which removes the vulnerability.

    • COP-23644: The system could restart unexpectedly due to an error in the POP3 ALG antispam subsystem.

    • COP-23694: The system could restart unexpectedly during InControl Remote Management connection attempts if both InCenter and InControl Remote Management was configured.

    • COP-23651: The system could restart unexpectedly due to an error in the SMTP ALG antispam subsystem.

    3.13. Addressed Issues in cOS Core 14.00.02

    • COP-23490: The system could on rare occasions become unresponsive or restart unexpectedly after system upgrade.

    • COP-23638: Packets could be incorrectly dropped as "incorrect IP version" in scenarios with certain interface types in combination with VLANs. Only affected the 100 and 6000 Series.

    • COP-23590: UDP packets of size 1265 or larger were dropped when sent through a OneConnect tunnel.

    • COP-23592: The system could in some rare occasions make an unexpected restart due to an error in the LW-HTTP ALG subsystem.

    • COP-23655: Loading a configuration from an external source could clear the value used to calculate the shared MAC address, causing the fallback value to be used. This value was only calculated on boot and set in the running configuration, to be saved on a local configuration change. The value is now also calculated, if needed, when loading external configurations.

    • COP-23709: SECaaS license checks were performed on HA nodes without SECaaS enabled, resulting in erroneous lockdown events. SECaaS license checks are now only performed on SECaaS-enabled nodes.

    • COP-23560: The log categories 88 (SSL), 89 (DEVICE) and 90 (ONECONNECT) were missing in the WebUI log filter.

    • COP-23414: The system could sometimes restart unexpectedly when low on system memory during UpdateCenter updates.

    • COP-23587: The system could on rare occasions, when low on free memory, restart unexpectedly.

    • COP-23597: The output of the CLI command "time" did not clearly show whether or not DST was in use. The command has been updated with more informative output.

    • COP-23615: The system could on rare occasions, when low on system memory, restart unexpectedly during reconfiguration due to an error in the Blacklist subsystem.

    3.14. Addressed Issues in cOS Core 14.00.01

    • COP-23212: The "arpsnoop" CLI command was missing information when there was a switch route present.

    • COP-23435: Cloud-init did not work on virtual NetWall images running 14.00.00 (or 13.10 beta). Cloud-init now also accepts HTTP 1.0 responses from the web servers serving Cloud-init files.

    • COP-23545: The CLI command for showing Vendor based on MAC address has been renamed from "enet_vendor" to "enetvendor" to better align with other commands.

    • COP-23552: It was possible to select IPv6 HA addresses in the WebUI dropdown for configuration sections where they were not supported.

    • COP-23553: It was not possible to establish a OneConnect tunnel using a secondary routing table.

    • COP-23575: The system could on rare occasions, when low on memory, restart unexpectedly if whitelist or blacklist URLs were configured.

    • COP-23579: The system sometimes restarted unexpectedly when an InCenter Remote Management connection attempt was made to a non-InCenter device.

    • COP-23584: The tooltip description for the option "Broadcast Forwarding" in "Transparent Mode" was not clear and has been extended and clarified.

    • COP-23590: Large UDP packets were dropped when sent through a OneConnect tunnel.

    3.15. Addressed Issues in cOS Core 14.00.00

    • COP-18567: VLAN interfaces with both IPv6 and the Transparency parameter "Broadcast Forwarding" enabled were not able to process traffic.

    • COP-21147: In certain scenarios, high availability clusters could end up in a loop where the HA nodes reconfigured with a message saying that antivirus or IDP license had expired.

    • COP-20930: The "connection denied" and "policy lookups" counters used by the WebUI dashboard did not include IPv6 connections. The counters have been updated to correctly include IPv6 traffic.

    • COP-21592: Application Control logs contained redundant phrasing that has been removed. Console command options descriptions with the mentioned logs have also been aligned with these changes.

    • COP-22809: The POP3 ALG responded to the CAPA "UTF8 USER" despite not supporting this.

    • COP-23145: There was no info about the number of users authenticated via OneConnect in the web user interface dashboard tooltip.

    • COP-23218: Using proxy-ARP on OneConnect interfaces did not function as intended.

    • COP-23243: Application Control did not identify COAP traffic over TCP correctly.

    • COP-23328: HTTPS Remote Management could on rare occasions stop working when switching the Remote Management certificate from PKAType RSA to EC.

    • COP-23364: On rare occasions, the firewall restarted unexpectedly during reconfiguration due to antivirus or IDP updates.

    • COP-23379: The Neighbor Devices status page did not correctly handle all states, resulting in invalid JSON being generated and breaking the status page. The serialization has been updated to handle all cases.

    • COP-23386: Pipes statistics for dropped packets were sometimes incorrectly registered on the high precedence pipe instead of the lowest.

    • COP-23405: Due to changes needed for OneConnect, running OneConnect/SSL VPN on the same port as HTTPS User Auth failed. It is now possible to use the same port for OneConnect/SSL VPN and HTTPS User Auth when the interface and network do not overlap.

    • COP-23428: The column "created" on the Blacklist status page was always empty.

    • COP-23448: No log was generated when an inbound connection was closed in an SLB scenario because no SLB servers were reachable.

    • COP-23454: In the CLI command "updatecenter -servers", server response times could be shown incorrectly just after a new ping sweep started and before the first result was available.

    • COP-23487: The reported number of (the legacy) SSL VPN users authenticated against the firewall was not shown correctly.

    Chapter 4: Installation Instructions

    4.1. Upgrade Considerations

    This section covers considerations to take into account when upgrading to the latest cOS Core version, such as configuration aspects related to changes in features or behavior of the system after upgrade.

    • Centralized Management via InControl
      When using InControl for centralized management, make sure the latest version of InControl is used to ensure the best experience and compatibility.

    4.2. Upgrading From a cOS Core 10.nn, 11.nn, 12.nn or 13.nn System

    This section describes how to upgrade the system using the Web User Interface. For a detailed description of how to upgrade the system using SCP, please refer to the Clavister cOS Core admin guide.

    To upgrade Clavister cOS Core using the Web user interface, follow these simple steps:

    • Browse to the Web User Interface and log in as a user with full administrative rights.

    • From the "Maintenance" menu select "Backup & Restore".

    • Click the "Backup Configuration" button and save the file.

    • From the "Maintenance" menu select "Upgrade".

    • Click the "Browse..." button and select the .upg file which contains the upgrade.

    • Click the "Upload firmware image" button to upload the image and start the upgrade procedure.

    • When the file has been uploaded to the gateway, the message "Firmware upload complete." will be presented and the system will restart.

    • When the system has been restarted the login screen will appear and the system upgrade is complete.

    Chapter 5: Known Limitations

    • Generation of certificates using 4096 bit size stalls firewall. If bit size 4096 is chosen when generating certificates in the Web User Interface, the firewall will be unavailable for a short period of time with no progress indicator during this time. Affected versions: 12.00.17 and newer.

    • High Availability: Transparent Mode does not work in HA mode. There is no state synchronization for Transparent Mode and there is no loop avoidance.

    • High Availability: PPPoE (Point-to-Point Protocol over Ethernet) is not supported in HA mode.

    • High Availability: No state synchronization for Application Layer Gateways. No aspect of Application Layer Gateways is state synchronized.
      This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    • High Availability: Tunnels unreachable from inactive node. The inactive node in an HA cluster cannot communicate over IPsec, SSL VPN, OneConnect, Open Connect, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.

      • Inactive HA member cannot send log events over tunnels.
      • Inactive HA member cannot be managed / monitored over tunnels.
      • OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    • High Availability: No state synchronization for L2TP, PPTP, and SSL VPN tunnels. There is no state synchronization for L2TP, PPTP and SSL VPN tunnels. On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30-120 seconds range.

    • High Availability: No state synchronization for IDP signature scan states. No aspects of the IDP signature states are synchronized. This means that there is a small chance that the IDP engine causes false negatives during an HA failover.

    Chapter 6: Compatibility

    The following section outlines the direct compatibility considerations as of cOS Core 14.00.14.

    The following hardware appliances are supported as of the Clavister cOS Core 14.00.14 release. Clavister does not guarantee compatibility with other hardware appliances.

    • Clavister NetWall E10
    • Clavister NetWall E20
    • Clavister NetWall E80
    • Clavister NetWall W20
    • Clavister NetWall W30
    • Clavister NetWall W40
    • Clavister NetWall W50
    • Clavister NetWall 100 Series
    • Clavister NetWall 300 Series
    • Clavister NetWall 500 Series
    • Clavister NetWall 6000 Series

    Chapter 7: Licensing

    Clavister cOS Core 14.00.14 requires a Clavister subscription covering April 1, 2024. Make sure that this is covered before trying to upgrade the system, otherwise the system will enter a "License Lockdown" mode.

    Chapter 8: Getting Help

    Technical Assistance via Web or Telephone
    We offer timely and rapid response to customer inquiries and service requests via our web based support tool or telephone. Do not hesitate to contact us if you have any questions regarding the upgrade or installation procedure.

    Clavister Technical Support
    https://www.clavister.com/my-clavister/help-desk/