Release Notes for Firmware 2.20.02

New Features and Enhancements

1. PPPoE Interfaces. It is now possible to configure the MTU (Maximum Transmission Unit) for PPPoE interfaces.
2. PPTP/L2TP Client Interfaces. It is now possible to configure the MTU (Maximum Transmission Unit) for PPTP/L2TP client interfaces.

Problems Resolved

1. ICMP Destination Unreachable packets were not sent when UDP packets hit a Reject rule.
2. Web authentication and web server connections were not closed correctly at reconfiguration.
3. The DHCP server sent replies back out the receiving interface without regard to routing decisions. The DHCP server now performs a route lookup if the reply is destined for a host address (i.e. not an IP broadcast).
4. In HA setups with IDP scanning enabled, packets could be lost during a failover.
5. Some services used the private IP address for communication in HA setups. They now use the shared IP address.
6. The DNS lookup of the IP address of a remote gateway failed under certain circumstances for IPSec interfaces.
7. The CLI command for displaying updatecenter AV/IDP update status did not show enough information. It has now been improved.
8. TCP connections could sometimes fail due to an incorrect sequence number check.
9. A missing Content-Transfer-Encoding header field in e-mails could sometimes cause the SMTP-ALG session to malfunction.
10. With TCP sequence validation turned on, closing an existing connection caused all subsequent attempts to reopen the same connection to be dropped with a log message about a bad sequence number. The situation resolved itself after a timeout of about 50 seconds, but still caused severe traffic impairment in certain situations (most noticeably for HTTP traffic). This change loosens, by default, the restrictions applied when an attempt to reopen a closed connection is received (ValidateSilent, ValidateLogBad), while still enforcing RFC correctness.
11. The SMTP-ALG could not tell the difference between the new Microsoft Office 2007 document file types and the ZIP file type, because there is no difference that can easily be discovered: the new Microsoft Office files are in fact ZIP files with a different extension. An ALG configured to perform file integrity checks would therefore flag these files as invalid (wrong MIME type, wrong file suffix, ...). The ALG now identifies Office 2007 files as ZIP files. Anti-virus checks, if enabled, scan the contents of Office 2007 files just as they would a regular ZIP file.
12. IP addresses with the suffix .0 and/or .255 could incorrectly be assigned to IPSec config mode clients.
13. Nested MIME bodies could in some scenarios be blocked by the SMTP-ALG. For example, the SMTP-ALG could block images inserted as 'inline' with an error message indicating a base64 decoding error. The recipient received the e-mail without the attached image but with an error message saying: "The attachment xxxx has been blocked by the Security Gateway". The ALG has been updated with better support for nested MIME blocks.
14. When web-based user authentication was configured to verify user credentials via one or several RADIUS servers, a user logging in could cause an unexpected abort if no RADIUS server was reachable. This issue has been fixed.
15. In the web user interface, the properties under "Dynamic Black Listing" were incorrectly enabled when the action was set to something other than "Protect".
16. The icon for removing an IKE SA was missing, making it impossible to remove an IKE SA using the web user interface.
17. The DNS Blacklist CLI command showed the wrong status of blacklist servers on the inactive HA member. The inactive HA member does not perform any anti-spam inspection, so the inactive node is unaware of the status of the blacklist servers.
18. E-mail attachments with very long file names could cause memory corruption in the SMTP-ALG.
19. Log strings sent to syslog receivers were not always correctly formatted. Some log arguments were not separated by whitespace, resulting in incorrect parsing by syslog receivers.
20. When restarting an interface on the DFL-1600 or DFL-2500, there was a theoretical possibility of memory corruption. This issue has been fixed as of F/W v2.20.02.
21. Connections were, under certain circumstances, incorrectly dropped by the IDP scanning engine when audit mode was used.
22. After IPSec tunnels were modified, the reconfiguration of the gateway was not performed correctly. As a result, the gateway could enter an unexpected abort state.
23. A configured external log receiver that does not accept log messages might send ICMP Destination Unreachable packets to the firewall. These packets would trigger new log messages, resulting in high CPU utilization. Logging is now connection-based, and the firewall decreases the sending rate of log messages when it receives ICMP Destination Unreachable packets regarding log receiver connections.
24. TCP connections using SYN relay were not synchronized correctly. In case of an HA failover, traffic on these connections would freeze.
25. Unnecessary DynDNS and HTTP-Poster re-posts were triggered during reconfiguration. This is now avoided by always checking whether the local interface IP address or the HTTP-Poster/DynDNS configuration has actually changed.
26. Some H.323 messages were incorrectly disallowed by the ALG. The H.323 Status Enquiry message is now allowed to be forwarded through the H.323-ALG.
27. The Fail Mode setting in the HTTP-ALG was not honored by Dynamic Web Content Filtering.
28. The log message for an expired or missing Web Content Filtering license was only shown once. A log message is now generated once a minute, which should be more noticeable to the administrator.
29. The SMTP-ALG could in some scenarios cause system instability by losing track of SMTP state synchronization. The SMTP-ALG has been updated with improved state tracking and e-mail syntax validation.
30. It was not possible to configure the primary NBNS server for L2TP/PPTP server interfaces in the web user interface.
31. The TCP monitoring of Server Load Balancing did not increase the TCP sequence number in the reset packet sent to the server in case of a connection timeout. The sequence number is now increased by one.
32. Server Load Balancing did not use All-To-One for port numbers. When using a port range on the service, the destination port would be the specified port plus the offset from the low port number in the service.
33. One of the log messages had an incorrect format. When that log message was placed first in the log table, the web user interface memlog would display an empty page.
34. The description text for IP Pools incorrectly stated that IP Pools could be used by L2TP and PPTP.
35. A confusing Anti-Virus status message was visible on the status page of non-UTM-capable devices. The message has been removed.

Known Issues:

1. On the DFL-210/260/800/860, neither the LAN port nor the DMZ port supports a manually configured interface speed, since the IXP4NPE driver only allows auto/auto configuration. If the interface speed is configured manually, firmware v2.20.02 reverts the configuration to auto/auto in the Web GUI as a safeguard.
2. On the DFL-1600/2500, the duplex status of all Ethernet interfaces changes to "Half" when the duplex setting is manually configured as "Full" in the Web GUI.
3. The Oray.net Peanut Hull DDNS client does not work since the supplier changed the protocol.
4. HA: Transparent Mode does not work in HA mode. There is no state synchronization for Transparent Mode and there is no loop avoidance.
5. HA: No state synchronization for ALGs. No aspect of ALGs is state synchronized. This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such a failover (and consequent fallback) occurs each time a new configuration is uploaded.
6. HA: Tunnels unreachable from the inactive node. The inactive node in an HA cluster cannot communicate over IPSec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
   - The inactive HA member cannot send log events over tunnels.
   - The inactive HA member cannot be managed/monitored over tunnels.
   - OSPF: If the cluster members do not share a broadcast interface through which the inactive node can learn OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timers.
7. HA: No state synchronization for L2TP, PPTP and IPSec tunnels. On failover, incoming clients re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30-120 second range.
8. HA: No state synchronization for IDP signature scan states. No aspect of the IDP signature state is synchronized. This means there is a small chance that the IDP engine produces false negatives during an HA failover.
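Problems Resolved items 11 and 13 both concern how the SMTP-ALG classifies the decoded contents of nested MIME parts: an Office 2007 attachment is a ZIP container with a different suffix, and an inline image sits inside a multipart/related body nested in the message. The script below is an added example, not code from the firmware or its vendor. It builds a constructed message with exactly that structure, walks and decodes every leaf part, and runs a suffix-based integrity check in both the old mode (Office files expected to be their own type, so the ZIP container is a mismatch and the file is blocked) and the fixed mode (Office files treated as ZIP). It goes one step beyond the notes: identify() looks inside the ZIP for [Content_Types].xml plus a word/, xl/ or ppt/ root, which is the assumption made here for telling OOXML from an ordinary ZIP. The addresses, file names, the PNG stand-in and the minimal OOXML package are all made up.

```python
"""
Added example, not code from the firmware or its vendor: walk a nested MIME
message the way an SMTP content inspector must, decode every leaf part, and
check attachments by content rather than by declared MIME type or suffix.
All inputs (the mail, the inline PNG stand-in, the OOXML archive) are
constructed here so the script runs offline.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ZIP_MAGIC = b"PK\x03\x04"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DOCX_SUBTYPE = "vnd.openxmlformats-officedocument.wordprocessingml.document"
# Assumption used here: an OOXML package is a ZIP holding [Content_Types].xml
# plus one of these root folders. Not something the release notes state.
OOXML_ROOTS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}


def build_zip(entries: dict) -> bytes:
    """Constructed ZIP archive from {entry name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_minimal_docx() -> bytes:
    """Constructed OOXML package: just the two entries needed for recognition."""
    return build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})


def container_type(data: bytes) -> str:
    """Magic-number check only: 'zip', 'png' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def identify(data: bytes) -> str:
    """Content-based type: opens a ZIP to tell an OOXML document from a plain ZIP."""
    kind = container_type(data)
    if kind != "zip":
        return kind
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:  # has the magic but is not a readable archive
        return "unknown"
    if "[Content_Types].xml" in names:
        for prefix, office_kind in OOXML_ROOTS.items():
            if any(n.startswith(prefix) for n in names):
                return office_kind
    return "zip"


def expected_for(filename: str, office_as_zip: bool) -> str:
    """Container type a suffix-based integrity check expects for this file name."""
    ext = os.path.splitext(filename)[1].lower()
    table = {".zip": "zip", ".png": "png", ".docx": "zip" if office_as_zip else "docx"}
    return table.get(ext, "unknown")


def build_sample_mail() -> bytes:
    """Constructed message: mixed -> [alternative -> [plain, related -> [html, inline png]], docx]."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "nested MIME sample"
    msg.set_content("plain text alternative")
    msg.add_alternative('<html><body><img src="cid:logo"></body></html>', subtype="html")
    html_part = msg.get_payload()[1]  # the text/html alternative
    # Attaching a related part turns the html part into multipart/related (the nesting from item 13).
    html_part.add_related(PNG_MAGIC + bytes(16), maintype="image", subtype="png",
                          cid="<logo>", disposition="inline", filename="logo.png")
    msg.add_attachment(build_minimal_docx(), maintype="application",
                       subtype=DOCX_SUBTYPE, filename="report.docx")
    return msg.as_bytes()


def scan(raw: bytes, office_as_zip: bool) -> dict:
    """Return {file name: (verdict, identified kind, decoded length)} for every named leaf part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = {}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers only nest; nothing to decode
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        verdict = "pass" if container_type(data) == expected_for(name, office_as_zip) else "block"
        results[name] = (verdict, identify(data), len(data))
    return results


if __name__ == "__main__":
    raw = build_sample_mail()
    print("Office as own type:", scan(raw, office_as_zip=False))
    print("Office as ZIP:     ", scan(raw, office_as_zip=True))
```

Run it directly to print both verdict tables. The decoded length in each result shows that the inline image nested two levels down was base64-decoded intact; the docx is blocked only in the first mode, where the suffix table expects something other than a ZIP container, and identify() still reports it as "docx" in both modes because it looks at the archive contents rather than the suffix.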