
Network Security Firewall

Release Notes
D-Link Security NetDefendOS Version 2.12.00
D-Link Corporation Published 2007-05-03 Copyright 2007

Copyright Notice
This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author.

Disclaimer
The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes.

Limitations of Liability
UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.


D-Link NetDefendOS Release Notes


Version: 2.12.00
Platform Compatibility: DFL-210/260/800/860/1600/2500
Hardware Version: A1 (for all series), A2/A3 (for DFL-210/800/1600/2500)
Date: May 3, 2007

New Features and Enhancements
1. Stream-based Anti-Virus scanning for the HTTP, FTP and SMTP protocols
The Anti-Virus scanning feature has been integrated into the HTTP ALG, FTP ALG and SMTP ALG. Affects DFL-260 and DFL-860 only.

2. Asynchronous mode for Anti-Virus scanning
The Anti-Virus subsystem has been upgraded to support asynchronous scanning, which gives higher scanning performance when the firewall is scanning multiple connections at the same time. Affects DFL-260 and DFL-860 only.

3. Hardware acceleration for IDP/IPS scanning
Hardware acceleration now supports IDP/IPS scanning. Affects DFL-260 and DFL-860 only.

4. Hardware acceleration for Anti-Virus scanning
Hardware acceleration now supports Anti-Virus scanning. Affects DFL-260 and DFL-860 only.

5. Support for disabling objects in the WebUI and CLI
It is now possible to enable and disable objects in the configuration. A disabled object is still saved but is not used in the running configuration. This can be useful for debugging, for example.

6. Connection control per host or network
Threshold rules have been extended to support limiting both the number of allowed connections and the allowed setup rate of new connections from a host or a network.

7. Support for "Dead Peer Detection" (DPD) for IPSec VPN
8. Enhanced WebUI for IP rule handling
An IP rule can now be moved to a specified position in the rule list.


9. DHCP Server status page information improvement
The DHCP Server status page now shows more information about IP lease times, IP/MAC mappings and IP activity status.

10. Support for static DHCP IP address leases in the DHCP Server
11. Enhanced PPPoE interface logging
PPPoE interface activity (connection/disconnection) is now recorded on the system logging page.

12. Support for the D-Link NTP server for time synchronization
D-Link's NTP server can now easily be selected as the time sync server on the time and date page. By selecting the D-Link NTP server, the firewall automatically gets all the correct settings for time synchronization.

13. The number of signatures in the IDP database is now shown in the WebUI
14. Advanced Port Manager added to handle port allocations efficiently
The new port manager uses a new port allocation mechanism to provide an infinite number of possible connections from the same IP address.

15. Support for BPDU (Bridge Protocol Data Unit) relaying
16. Service activation status message improvement
The license page now shows if the downloaded license file is newer than the local one, or if the file is resent.

17. Support for D-Link Dynamic DNS
18. MaxConnections parameter on the Advanced Settings page
MaxConnections has been added under State Settings in Advanced Settings. The number of connections can be lowered from the default value for the model. This option can be used to free system memory.

19. Enhanced traffic management configuration possibilities
More pipe precedence levels and more options are now available for advanced users and for granular control.

20. CRLs optional
It is now optional to require CRLs (Certificate Revocation Lists) when certificates are used (IPsec).

21. Support for RADIUS Accounting
RADIUS accounting is now supported on User Authentication Rules.

22. Updated reconfigure message when a new IDP/Anti-Virus signature database has been downloaded
23. New Advanced setting
It is now possible to allow UDP source port 0 through the firewall. The new setting is located under Misc. Settings of Advanced Settings.

Problems Resolved
1. It was not possible to create all custom code options in the DHCP Server.
2. The SNMPv1 ifSpeed counter was of the wrong data type (Counter32 changed to Gauge32).
3. It was not possible to set the min/max key size for IKE/IPSec algorithms, only the preferred key size.
4. Default value for TimeSyncMaxAdjust changed from 36000 seconds to 600 seconds.
5. DNS update of IPSec tunnels could cause a deadlock.
6. Routes added by IPSec were not synced between cluster members.
RESULT: Connections that were synchronized to the cluster member and that had the tunnel as an endpoint would be removed on the inactive node. When a failover occurred, the active node did not have any state for connections going through the IPSec tunnel.
7. The interface status in the CLI and WebUI was incorrect for DFL-1600 and DFL-2500 after configuration save and activate.
8. User web authentication redirection did not work if a file path was requested. It is possible to set up SAT/NAT rules in combination with user authentication and redirect all HTTP requests to the login page. This did not work if the request included a file path, e.g. "www.domain.com/somepath".
9. It was not possible to use IP address ranges for SLB hosts.
10. DHCP lease information was not saved to disk on shutdown.
11. Only the first item in ProxyARP lists was used.
12. It was not possible to set the OSPF route type to none/empty in the "Dynamic routing policy rule".
13. The start and stop dates in schedules were not handled correctly.
14. It was only possible to select SYN Relay for TCP services, not TCP/UDP services.
15. An error message was shown after completing the setup wizard if the WAN interface type was PPPoE.
16. The RNG (random number generator) for DSA signatures used the original SHA-1 transform as opposed to the permuted SHA-1 transform described in FIPS 186-2.
RESULT: The DSA signature generation was not compliant with FIPS 186-2.
17. Circular references in IP4Groups could cause configuration problems.
18. The Access action type "Expect" was incorrectly called "Except".
19. Groups (e.g. service groups) containing other groups caused configuration parsing errors.
20. It was not possible to add an IP4 object with comma-separated IP addresses (e.g. IP_A,IP_B,IP_C). Limitation: the addresses cannot be separated by spaces (e.g. IP_A, IP_B, IP_C).
21. The "notice" icon in the WebUI had an incorrect size.
22. Obsolete Usage log messages caused unwanted logging.
23. Restoring a configuration backup sometimes caused problems.
24. Empty IDP signature groups were erroneously shown.
25. The size of the drop-down menus was calculated incorrectly.
26. IP packets with high protocol numbers would not be forwarded through the system when using Allow or NAT rules. Allowing the traffic using FwdFast rules would however work.
27. The SMTP ALG WebUI page had spelling errors.
28. The rule folders in the navigation tree were not updated when rules were moved.
RESULT: Clicking on a rule folder in the navigation tree sometimes showed a different folder than the one that was clicked.
29. Drop-down boxes lost their value if an error was found in the configuration when a new object was submitted.
30. The PPP/CCP implementation used by PPTP/L2TP could not handle the case when a peer rejects the MPPE/MPPC option.
31. Threshold rule connection rate limiting included connections that would not be allowed by the threshold rule in the rate computations.
32. White-listed hosts were allowed to exceed the threshold of protect actions that trigger blacklisting.
33. IDP and Anti-Virus signature downloads were not terminated correctly when the download was aborted by a reconfiguration.
34. The IPSec and IKE algorithm drop-down menu was too small when Internet Explorer 7 was used.
35. HTML-encoded e-mails could in some circumstances be corrupted when passing through the SMTP ALG.
36. Auditor users were logged out from SSH sessions after a save and activate.
37. If one or more interfaces were configured with 0.0.0.0 as IP address, the SGW would use it as the local IP address in IKE negotiations.
RESULT: IKE negotiations failed in phase 2.
38. Some property values (e.g. Address in IP4HAAddress) were handled incorrectly. It was not possible to revert to the original values when activating a firewall configuration with errors.
39. The web page displaying a "virus found" message did not contain valid HTML.
40. Small files were sometimes passed through the HTTP ALG without being scanned by the Anti-Virus engine.
41. Several corrections have been made to the User Guide.
42. The CLI command "arp" did not show the expected results unless the parameter "-show" was used.
43. The WebUI IPSec status page showed wrong information about "remote net" for L2TP/IPsec when behind NAT.
44. It was impossible to get more than one tunnel working between two gateways if ID-lists were used.
45. Multiple SSH servers could not use the same port number, even if they were configured on different interfaces.
46. The SMTP ALG blocked server-to-server SMTP transactions. The sending server received no indication that the transaction had failed.
47. The IDP engine was previously limited to 8,000 signatures.
48. The IDP engine did not trigger on attacks if the payload was divided into several TCP segments.
49. Some WebUI pages contained invalid HTML.
50. Because of a defect in the sorting function, some ports could not be returned to the Port Manager when a connection was closed, thus making them unusable.
51. Web Content Filtering stopped working if the connection to the current CSPN server was lost.
52. The description in the comments field on auto-created routes was incorrect.
53. The port used for a listening connection was not properly released when the connection was closed, thus making the port unavailable for re-use.
54. The drop-down menu assumed that each row was one line; this was not true for long descriptions that wrapped, so the height calculation was not correct.
55. The counter on the status pages that showed the number of IDP signatures was using the wrong counter; it counted the number of signatures used by IDP rules. It should show the number of signatures in the database.
56. The scrollbar in drop-down menus was hidden in Internet Explorer 6 (the scrollbar was located outside the visible area).
57. The setting "Block Multicast SRC" under "IP Settings" did not show up in the WebUI (even though it was possible to set it using the CLI).
RESULT: The value defaulted to "Drop and Log".
58. The description for the advanced setting "LogConnection" in "State Settings" was incorrect.
59. Restoring a configuration backup sometimes caused problems with references to IPSec tunnels.
60. It was not possible to specify the order of RADIUS servers for User Authentication in the WebUI. The list was automatically sorted by the WebUI if servers were added or removed.
61. The firewall did not log when it failed to contact the update server.
62. User Authentication failed when HTTPS was used in conjunction with a RADIUS server configured to use challenge-response authentication.
63. Ordered objects, like rules, did not revert to their previous order when the bidirectional confirmation failed (during save and activate).

Known Issues:
1. HA: Transparent Mode won't work in HA mode
There is no state synchronization for Transparent Mode and there is no loop avoidance.

2. HA: No state synchronization for ALGs
No aspect of ALGs is state synchronized. This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such a failover (and consequent fallback) occurs each time a new configuration is uploaded.

3. HA: Tunnels unreachable from inactive node
The inactive node in an HA cluster cannot communicate over IPSec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node. The inactive HA member cannot send log events over tunnels, and cannot be managed or monitored over tunnels. OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

4. HA: No state synchronization for L2TP, PPTP and IPSec tunnels
There is no state synchronization for L2TP, PPTP and IPSec tunnels. On failover, incoming clients will re-establish their tunnels after the tunnels are deemed nonfunctional. This timeout is typically in the 30 - 120 second range.

5. HA: No state synchronization for IDP signature scan states
No aspect of the IDP signature states is synchronized. This means that there is a small chance that the IDP engine produces false negatives during an HA failover.

6. The D-Link timesync server option sometimes malfunctions. Workaround: manually enter the FQDNs of the D-Link NTP servers, dns:ntp.dlink.com.tw and dns:ntp1.dlink.com, in the custom timesync server option.

Version: 2.11.04
Platform Compatibility: DFL-210/800/1600/2500
Hardware Version: A1, A2
Date: March 30, 2007

New Features and Enhancements


1. The user is automatically redirected to the originally requested URL after successfully logging in.
It is possible to set up SAT/NAT rules in combination with user authentication and redirect all HTTP requests to the login page. When the user has successfully logged in, he or she is redirected to the originally requested URL.

Problems Resolved
1. DNS update of IPsec tunnels could cause a deadlock.
2. Help text for the CLI command "ping" has been updated.
3. There were routing problems when trying to establish L2TP tunnels from Microsoft Windows Vista due to a changed behavior in the NAT traversal functionality.
4. Files larger than 4GB could not be handled by the HTTP ALG.
5. User web authentication redirection did not work if a file path had been specified. It is possible to set up SAT/NAT rules in combination with user authentication and redirect all HTTP requests to the login page. This did not work if the request included a file path, e.g. "www.domain.com/somepath".
6. Malfunction when restarting a PPPoE interface.
7. Incorrect value of internal severity in the log message for some IPsec SA events.
RESULT: in_severity in the ipsec_sa_event log message was incorrect.
8. A problem with the MIME type recognition caused the integrity check to incorrectly block some files.
9. The RNG for DSA signatures used the original permuted SHA-1 transform.
RESULT: The DSA signature generation was not compliant with FIPS 186-2.
10. Groups (e.g. service groups) containing other groups caused configuration parsing errors.
11. Empty IDP signature groups were erroneously shown in the WebUI.
12. The size of the drop-down menus was calculated incorrectly.
13. IP packets with high protocol numbers would not be forwarded through the system when using Allow or NAT rules. Allowing the traffic using FwdFast rules would however work.
14. The rule folders in the navigation tree were not updated when rules were moved.
RESULT: Clicking on a rule folder in the navigation tree sometimes showed a different folder than the one that was clicked.
15. Drop-down boxes lost their value if an error was found in the configuration when a new object was submitted.
16. The PPP/CCP implementation used by PPTP/L2TP could not handle the case when a peer rejects the MPPE/MPPC option.
RESULT: PPP/CCP went into a negotiation loop where both sides kept insisting on "their way" and neither side ever gave up.
17. Threshold rule connection rate limiting included connections that would not be allowed by the threshold rule in the rate computations.
18. Whitelisted hosts were allowed to exceed the threshold of protect actions that trigger blacklisting.
19. The values in the Syslog priority field have been clarified in the user guide.
20. IDP and Anti-Virus signature downloads were not terminated correctly in case of a reconfigure. If the gateway was reconfigured while an IDP or Anti-Virus update was in progress, the gateway sometimes crashed.
21. The IPsec and IKE algorithm drop-down menu was too small when Internet Explorer 7 was used.
22. Log files of HTTP remote management sessions always showed HTTP, even when HTTPS was used.

Known Issues
1. HA: Transparent Mode won't work in HA mode
There is no state synchronization for Transparent Mode and there is no loop avoidance.

2. HA: No state synchronization for ALGs
No aspect of ALGs is state synchronized. This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again. Note that such a failover (and consequent fallback) occurs each time a new configuration is uploaded.

3. HA: Tunnels unreachable from inactive node
The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node. The inactive HA member cannot send log events over tunnels, and cannot be managed or monitored over tunnels. OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

4. HA: No state synchronization for L2TP, PPTP and IPsec tunnels
There is no state synchronization for L2TP, PPTP and IPsec tunnels. On failover, incoming clients will re-establish their tunnels after the tunnels are deemed nonfunctional. This timeout is typically in the 30 - 120 second range.

5. HA: No state synchronization for IDP signature scan states
No aspect of the IDP signature states is synchronized. This means that there is a small chance that the IDP engine produces false negatives during an HA failover.


Version: 2.11.03
Platform Compatibility: DFL-210/800/1600/2500
Hardware Version: A1, A2
Date: January 30, 2007

Important Note:
1. Firmware 2.11.02 and later uses a new configuration format. The new format is not compatible with the format used in 2.05 and earlier. These configuration files will be automatically converted to the new format during the first start-up. Older firmware (2.00 - 2.05) cannot understand the new format.
2. Customers that had firmware 2.00 - 2.05 factory installed can use reset-to-factory to restore their firmware from 2.11 to 2.0x.
3. Customers with firmware 2.11 and later factory installed cannot downgrade to 2.00 - 2.05.
4. All users are encouraged to make a backup of the configuration before upgrading from 2.0x firmware to firmware 2.11.02 and later.

Changes
1. Default value for TimeSyncMaxAdjust has been changed from 36000 seconds to 600 seconds.
2. Extended logging of rejected IKE and ESP packets according to ICSA requirements.
3. The IP rules folders in the navigation tree are now ordered by priority instead of alphabetically.
4. A log message has been added when the PPPoE interface connects and disconnects.

Problems Resolved:
1. The IPsec engine could sometimes malfunction during Save&Activate.
2. The advanced setting "TCPAllowReopen" was not always obeyed.
3. The "buffers <num>" CLI command was broken.
It affects DFL-210 and DFL-800.

4. HTTP ALG: In some cases, the content check (MIME) could fail.
5. FTP ALG: The "200 File Transfer OK" message was not forwarded to the client at end of file.
6. IDP could malfunction when processing (analyzing) matched results.
7. HA: Pinging of the IDP update servers did not use the shared IP address in HA scenarios. (The change here is in the internal ping monitor in the autoupdate subsystem.)
It affects DFL-1600 and DFL-2500.

8. It was not possible to add an IP4 HA address to an IP4 Group.
It affects DFL-1600 and DFL-2500.

9. The number of items that could be added to an IP4Group was limited.
10. HA: License download did not use the shared IP for outgoing traffic.
It affects DFL-1600 and DFL-2500.

11. The SSH ClientKey WebUI page always displayed the key type as RSA.
12. HA: The cluster heartbeat send rate was directly related to the number of interfaces.
It affects DFL-1600 and DFL-2500.

13. An error message was displayed after completing the setup wizard when PPPoE was selected as the WAN interface type.
14. The firewall did not parse ProxyARP settings correctly for a routing table.
15. The new IPSec engine does not support the "DontVerifyPadding" setting. The configuration setting has been removed.
16. The SSH server did not respond to EOF when a client was connected without having allocated a pseudo terminal.
17. ARP: The IP conflict protection (gratuitous ARP) didn't work unless the traffic was accepted by an access rule.


18. The firewall could malfunction when MIME type checks were enabled in the ALGs.
19. Missing text resources in the WebUI.

Known Issue:
1. When the interface type is configured as DHCP client during the setup wizard, the user has to manually perform save and activate and then fully restart the device to enable this configuration.
It affects DFL-210, DFL-800, DFL-1600 and DFL-2500.

2. The SSH server does not respond to EOF when a client is connected without having allocated a pseudo terminal. It is a minor problem in some setups and few users will be affected.
It affects DFL-1600 and DFL-2500.

Version: 2.11.02
Platform Compatibility: DFL-210/800/1600/2500
Hardware Version: A1, A2
Date: November 7, 2006

Important Note:
1. Firmware v2.11.02 uses a new configuration format. The new format is not compatible with the format used in v2.05 and earlier. These configuration files will be automatically converted to the new format during first start-up. Older firmware (v2.00 - v2.05) cannot understand the new format.
2. Customers that had firmware 2.00 - 2.05 installed from the factory can use reset-to-factory to restore their firmware from v2.11.02 to v2.0x.
3. Customers with firmware v2.11.02 and later installed from the factory cannot downgrade to v2.00 - v2.05.
4. All users are encouraged to take a backup of the configuration before upgrading to firmware v2.11.02.

Enhancements:
1. The IPS/IDP engine has been upgraded and the Advanced IPS/IDP Subscription Service is available from D-Link. The new service has fast and frequent updates (up to several updates per day). More information can be found on D-Link's NetDefend Center website (http://security.dlink.com.tw).
2. The IPSec Engine has been upgraded.
3. The CLI (Command Line Interface) has been upgraded and now supports changing the firewall configuration.
4. An SSH server has been added. Remote management is now possible via SSH and the CLI. An SSH key generator has been added. It can be found under Tools->SSH-Keygen.
5. TCP pseudo reassembly has been added. IDP scanning is now stream based instead of packet based.
6. The log system has been enhanced. All log messages have been assigned unique IDs. The ID number can be used to find more information about the log message in the Log Reference Guide (available for download from D-Link).
7. The firewall can block traffic locally by network threshold or by IPS/IDP signature database. This new feature is called IP Blacklisting in the WebUI. It has been integrated into Threshold Rules and the IDP Rule Action to block traffic from abnormal hosts. (Only DFL-800/1600/2500 support the blacklisting feature.)
8. Ethernet interfaces are not reset during activation of new configuration settings.
9. DES-3526 (R4.01-B19 or later) and DES-3550 (R4.01-B19 or later) are now also supported by ZoneDefense. The R4.xx firmware is recommended for these two switches, since firewall-switch communication is faster than with R3.xx switch firmware.
10. IDP/IPS log messages in local memory logging and SMTP logging now include a link to the advisory information on the D-Link NetDefend Center website.
11. Support for severity filtering in the syslog receiver. It can be selected which severity levels will be exported to an external syslog server.

Changes
1. The configuration format and engine have changed. The new format is not compatible with the old one. Configuration files from 2.05 and earlier will be automatically converted to the new format during first start-up.
2. IDS (Intrusion Detection System) has been renamed to IDP/IPS (Intrusion Detection and Prevention).
3. A new folder has been added under Objects, called Authentication Objects. Pre-shared keys (previously found under Objects -> VPN Objects -> Pre-Shared Keys), Certificates (previously found under "Objects -> X.509 Certificates") and SSH Client keys (new) can be configured here.
4. The "Traffic Shaping" folder has been moved to a new folder called "Traffic Management".
5. The "Threshold rules" have been moved to the new "Traffic Management" folder.
6. A new drop-down menu, called "Maintenance", has been added to the toolbar. Backup, reset and upgrade have been moved to this menu. New items are "Update Center", "Licence" and "Tech support". The last one can be used when in contact with D-Link support to provide information about the firewall while troubleshooting.
7. DHCP packets (UDP port 67/68) sent through the firewall will be dropped if there is no DHCP relayer configured. DHCP packets cannot be forwarded using the IP ruleset.

Problems Resolved:
1. The L2TP Server could not handle incoming L2TP client requests sent over IPSec if the clients were located behind the same NAT gateway.
It affects all models with firmware v2.00 and above.

2. The L2TP implementation was incompatible with some other L2TP implementations. For one, the L2TP server failed to establish a tunnel with the L2TP client in the D-Link DI-604.
It affects DFL-210/800.

3. The PPTP server sometimes failed to send any traffic at all through a newly connected tunnel. Packets could only be sent from the client to the server, not from the server to the client. The PPTP client had to be reconnected one or more times before traffic could be sent in both directions through the tunnel.
It affects all models with firmware v2.00 and above.

4. During high load using SLB and Stickiness the firewall may have malfunctioned.
It affects all models with firmware v2.00 and above.

Version: 2.05.00
Platform Compatibility: DFL-210/800/1600/2500
Hardware Version: A1
Date: June 20, 2006

Problems Resolved:
1. When the first IPSec tunnel was configured and saved, no traffic could be sent through the tunnel until the firewall was restarted. When the firewall started up without any configured tunnels, the crypto accelerator was not initialized correctly.
It affects DFL-1600/2500.

2. The firewall was not rebooted (restarted from power on state) after a firmware upgrade. If the upgrade package included a new loader the new version was not used until next reboot.
It affects all models with firmware v2.00 and above.

3. IPSec Keepalive did not work. The IPSec tunnel would be taken down as no response was received to the keepalive packets.
It affects all models with firmware v2.03 and above.

4. Promiscuous mode was enabled by default on all interfaces. The firewall would pick up packets that do not have the DFL as destination, leaving the DFL to process packets that will be dropped anyway.
It affects all models with firmware v2.00 and above.

5. TCP connections to the DFL itself (WebUI, ALGs, PPTP) did not obey received TCP MSS.
It affects all models with firmware v2.00 and above.

6. Appliances that were rebooted due to a software-issued reboot or a core crash may have failed to reboot correctly, leaving the unit unreachable. The only way to reboot it correctly from this unreachable state is to do a hard reboot by cutting the power and then putting the power back on.
It affects DFL-800 with firmware v2.00 and above.

7. It was not possible to change date or time if the new month was December.
It affects all models with firmware v2.00 and above.

8. The firewall could crash if an IP address was used as ID in an ID-list.
It affects all models with firmware v2.00 and above.

9. Blacklist items on position x and later did not get blocked. The number of working blacklist items depended on the URLs configured, but usually somewhere between 25 and 30.
It affects all models with firmware v2.00 and above.

10. The firewall could crash if IDS rules were deleted and the configuration was saved and activated.
It affects all models with firmware v2.00 and above.

11. The IDS engine could hang the firewall, given an improper signature database.
It affects all models with firmware v2.00 and above.

12. After a reset-to-factory from the WebUI, the browser in some cases tried to reconnect to the wrong IP address.
It affects all models with firmware v2.00 and above.

13. The IDS engine could give false positives for some types of signatures.
It affects all models with firmware v2.00 and above.

14. High Availability (HA) didn't always work as expected.
It affects DFL-1600/2500 with firmware v2.03 and v2.04.

15. ZoneDefense: The firewall failed to reset the lowest used MAC and IP profile after a "save and activate".
It affects all models with firmware v2.00 and above.

16. The DHCP Server would not assign IP information to a client when the DHCP Server configuration did not have a gateway parameter.
It affects all models with firmware v2.00 and above.

17. Editing ARP table entries without changing the MAC address gave an error when the configuration was saved.
It affects all models with firmware v2.00 and above.

18. When downloading a configuration backup from the firewall, some extra garbage was appended to the end of the file. Restoring the configuration using the backup file worked as it should, but the size of the file was larger than required.
It affects firmware v2.00 and above.

19. ZoneDefense: The minimum required firmware version for DGS-3324SR/SRi, DXS-3326GSR and DXS-3350SR is changed from 4.10B15 to 4.20B14.
It affects DFL-800/1600/2500.

20. A reset or firmware upgrade did not log the username or IP address of the user that requested the action.
It affects all models with firmware v2.00 and above.

21. When setting Daylight Saving Time (DST), the firewall required the start month to be before the end month. That is only valid for the northern hemisphere; in the southern hemisphere the start month comes after the end month. In Australia (southern hemisphere) the DST period starts in October and ends in March, while the opposite holds for Europe (northern hemisphere).
It affects all models with firmware v2.00 and above.
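The interval logic behind fix 21, as an added example (not NetDefendOS code): a date is in the DST period either when it falls inside one contiguous interval (start before end, northern hemisphere) or, when the start date comes later in the year than the end date, when it falls outside the gap between end and start (southern hemisphere). The (month, day) boundaries and the sample Europe/Australia values are assumptions for illustration; the firewall's own DST settings may use a different granularity.

```python
from datetime import date


def dst_active(when: date, start: tuple, end: tuple) -> bool:
    """Return True if `when` lies inside the DST period.

    `start` and `end` are (month, day) boundaries, start inclusive, end exclusive;
    the (month, day) granularity is an assumption for illustration.  When the
    start comes later in the year than the end, the period wraps over New Year,
    which is the southern-hemisphere case the old check rejected.
    """
    s = date(when.year, *start)
    e = date(when.year, *end)
    if s == e:
        raise ValueError("DST start and end must differ")
    if s < e:
        # Northern hemisphere: one contiguous interval inside the year.
        return s <= when < e
    # Southern hemisphere: DST is on except in the gap from end to start.
    return not (e <= when < s)


def dst_on(year: int, month: int, day: int, start: tuple, end: tuple) -> bool:
    """Convenience wrapper taking plain integers."""
    return dst_active(date(year, month, day), start, end)


def old_validation(start: tuple, end: tuple) -> bool:
    """The pre-fix configuration check: start month strictly before end month."""
    return start[0] < end[0]


# Constructed sample boundaries (real DST rules are weekday based).
EUROPE = ((3, 25), (10, 28))
AUSTRALIA = ((10, 1), (4, 1))
```

The old validation accepts the European pair and rejects the Australian one; `dst_active` accepts both and gives the right answer for a January date in either hemisphere.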

22. The wizard did not trigger a refresh of the main window after it finished. Information in the main page like configuration version and last restart was not updated.
It affects all models with firmware v2.00 and above.

23. The Update Now button on the IDS Updates page did not work in all browsers.
It affects all models with firmware v2.00 and above.

24. The close button in the setup wizard did not work in all browsers.
It affects all models with firmware v2.00 and above.

25. The L2TP server/client could use Session ID = 0, which is not allowed according to RFC 2661.
It affects all models with firmware v2.00 and above.

26. In some upgraded firewalls, the link to D-Link's security portal became wrong. The window opened when the "register" button on the IDS Updates page was clicked showed a "404: Page not found" error.
It affects all models with firmware v2.04 and above.

Enhancements:
1. A warning has been added when multiple L2TP/PPTP servers listening on the same IP address have been configured.
2. It was only possible to enable IDS Auto update if at least one IDS rule had been added. IDS Auto update can now always be enabled.
3. The front panel texts for link speed and uptime have been changed.
4. A popup alert has been added to inform the user that the firewall needs to be registered on D-Link's security portal.
5. It is now possible to set the MAC address and MTU manually for Ethernet interfaces. Note that the MAC address should not be changed unless the ISP requires it.
6. Support for fast re-authentication in EAP negotiation has been added.
7. ZoneDefense: Support for DGS-3400 has been added.
It affects DFL-800/1600/2500.

8. ZoneDefense: Support for DXS-3300 series added. Minimum firmware requirement for DES-3350SR changed to R3.02B12, DES-3526 changed to R3.06B20, DES-3550 changed to R3.05B36, DES-3800 Series changed to R1.00B31.
It affects DFL-800/1600/2500.

9. The validation check made by the HTTP ALG that all characters are correctly UTF-8 encoded is now optional.
10. From firmware version 2.05 it is no longer possible to upload IDS database files manually in the WebUI. The updates are downloaded automatically by the firewall when automatic updates have been enabled.
11. The default value for ALG max sessions is changed to 200.

Note:
The DES-3500 series is going to release firmware R4, which will enhance its ZoneDefense function. Support for R4 is not yet available in v2.05.00; it will be added in the next NetDefendOS release.

Version: 2.04.00
Platform Compatibility: DFL-800/1600/2500
Hardware Version: A1
Date: November 23, 2005

Problems Resolved:
1. Vulnerabilities in the IKEv1 implementation (CERT-FI 7710; 273756/NISCC/ISAKMP). CERT-FI and NISCC published a joint vulnerability advisory on 14 Nov 2005 about several vulnerabilities in various IKEv1 protocol implementations. The vulnerabilities were found with the PROTOS ISAKMP Test Suite for IKEv1 Phase 1, developed by the Oulu University Secure Programming Group (OUSPG).
2. On the WebUI, the delete option in the right-click menu has been disabled for entries that can't be deleted.
3. The email recipients of the SMTP log receiver were not configured correctly in the web user interface, which caused invalid email headers to be sent to SMTP log receivers.
4. Server Load Balancing did not log all changes to the health status of monitored servers.
5. The HTTP ALG now allows compressed data. The HTTP ALG always asked the web server not to send compressed data, because compression does not work with content stripping. As of 2.04, the HTTP ALG allows the server to send compressed data as long as the ALG is not configured to do content stripping, i.e. stripping of ActiveX objects, Java applets and JavaScript/VBScript.
6. The Nessus test utility triggered a timing bug in the TCP stack which could cause the firewall to malfunction.
7. Redirecting traffic between two interfaces that are part of a Security/Transport equivalent interface group did not work when the interfaces were running in Transparent Mode.
8. Under some circumstances, when thresholds limiting the number of new connections per second were exceeded, many log events could be sent. The improved implementation limits the number of duplicate log events.
9. The Transparent Mode feature could leak memory. If enough memory was consumed that the system ran out, the firewall would eventually cease to work correctly and finally reboot.
10. ARP handling in Transparent Mode was incompatible with Microsoft Network Load Balancing. Microsoft NLB sends ARP queries with a source MAC address in the ARP data that differs from the source address in the Ethernet header. The firewall only allowed ARP responses sent to the MAC address found in the Ethernet header of the ARP query. When hosts on the other side of the firewall sent ARP responses to the MAC address found in the ARP data, the responses were dropped instead of being forwarded back to the original querier.
11. Threshold rules could cause the firewall to malfunction when many new connections from different source IPs were spawned in a short period of time.
12. Time sync servers were only parsed correctly if a network object from the address book was used, not if the IP address or DNS name was specified directly in the text box.
13. Only hostnames in the DynDNS.org domain were supported (e.g. test.dyndns.org). DynDNS.org also offers many other domain names, and all of them can now be used.
14. On the WebUI, network object groups were not available in dropdown menus on some interface pages (Remote Network: Ethernet, VLAN, PPPoE client, L2TP/PPTP client; Allowed Networks: L2TP/PPTP server).
15. It was possible to configure mail subjects of up to 256 characters in the WebUI, but only the first 32 characters were used by the firewall. The firewall also sent empty X-Mailer and Identity values to the mail server.
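
Added illustration for item 1, not NetDefendOS code and not the advisory's test cases: the PROTOS ISAKMP suite feeds an IKE responder structurally malformed Phase 1 messages, and the class of bug it finds is a parser that trusts the length fields in the ISAKMP header (RFC 2408 section 3.1) and the generic payload headers (section 3.2). The checker below walks the payload chain the defensive way, rejecting any length that disagrees with the bytes actually received. The messages it is fed are constructed here; the page does not say which specific malformations affected NetDefendOS, and the payload type constants are from RFC 2408.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1, 28 bytes
PAYLOAD_HDR = struct.Struct("!BBH")          # RFC 2408 section 3.2, 4 bytes
EXCH_IDENTITY_PROTECTION = 2                 # Phase 1 main mode exchange type
MAX_PAYLOADS = 64                            # assumed sanity bound, not from the page

# Payload type codes from RFC 2408 (subset)
PT_NONE, PT_SA, PT_NONCE, PT_VID = 0, 1, 10, 13


class IsakmpError(ValueError):
    pass


def build_isakmp(payloads, exch=EXCH_IDENTITY_PROTECTION):
    """Construct a well-formed ISAKMP message from (payload_type, body) pairs."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PT_NONE
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_isakmp(packet: bytes):
    """Walk the header and payload chain, checking every length against the datagram."""
    if len(packet) < ISAKMP_HDR.size:
        raise IsakmpError("truncated ISAKMP header")
    (_ic, _rc, ptype, _ver, _exch, _flags, _msgid, length) = ISAKMP_HDR.unpack_from(packet, 0)
    if length != len(packet):
        raise IsakmpError(f"header length {length} != datagram length {len(packet)}")
    payloads, offset = [], ISAKMP_HDR.size
    while ptype != PT_NONE:
        if len(payloads) >= MAX_PAYLOADS:
            raise IsakmpError("too many payloads")
        if offset + PAYLOAD_HDR.size > len(packet):
            raise IsakmpError("truncated payload header")
        nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(packet, offset)
        if plen < PAYLOAD_HDR.size:
            raise IsakmpError(f"payload length {plen} smaller than its own header")
        if offset + plen > len(packet):
            raise IsakmpError(f"payload length {plen} overruns datagram")
        payloads.append((ptype, packet[offset + PAYLOAD_HDR.size:offset + plen]))
        offset += plen
        ptype = nxt
    if offset != len(packet):
        raise IsakmpError("trailing bytes after final payload")
    return payloads


def check(packet: bytes) -> str:
    """Return 'ok' or the reason the packet would be rejected."""
    try:
        parse_isakmp(packet)
        return "ok"
    except IsakmpError as e:
        return str(e)


# Constructed samples: one valid main-mode first message and three PROTOS-style mutations.
GOOD = build_isakmp([(PT_SA, b"\x00" * 12), (PT_VID, b"vendor")])
ZERO_LEN = GOOD[:28] + PAYLOAD_HDR.pack(PT_VID, 0, 0) + GOOD[32:]        # payload length 0
OVERRUN = GOOD[:28] + PAYLOAD_HDR.pack(PT_VID, 0, 0xFFFF) + GOOD[32:]    # length past the end
TRUNCATED = GOOD[:40]                                                   # datagram cut short
```

A payload length below 4 would otherwise make the walker loop in place or go backwards, and a length past the end of the datagram is the classic out-of-bounds read; both are caught before any payload body is touched.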
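
The NLB case from item 10, as an added model that is not NetDefendOS code: a Transparent Mode firewall has to remember, for each ARP query it relays, which MAC address(es) a reply may be addressed to. Keying on the Ethernet source alone drops the NLB reply; keying on both the Ethernet source and the ARP sender hardware address forwards it. The frame layout follows Ethernet II and RFC 826; the MAC and IP values and the `TransparentArpRelay` class are constructed for this illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")      # RFC 826 for Ethernet/IPv4
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet II frame carrying an ARP request or reply."""
    eth = ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper, sha, IPv4Address(spa).packed,
                       tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Return the Ethernet addresses and the ARP fields separately; they may differ."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("truncated frame")
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"eth_src": eth_src, "eth_dst": eth_dst, "oper": oper, "sha": sha,
            "spa": str(IPv4Address(spa)), "tha": tha, "tpa": str(IPv4Address(tpa))}


class TransparentArpRelay:
    """Relays ARP between the two sides of a Transparent Mode firewall.

    accept_arp_sender=False models the pre-2.04 behaviour: a reply is only
    forwarded if it is addressed to the Ethernet source of the query.
    """

    def __init__(self, accept_arp_sender: bool = True):
        self.accept_arp_sender = accept_arp_sender
        self.pending = {}   # queried IP -> MACs a reply may be addressed to

    def on_query(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a["oper"] != ARP_REQUEST:
            return
        allowed = {a["eth_src"]}
        if self.accept_arp_sender:
            allowed.add(a["sha"])       # NLB puts the cluster MAC here
        self.pending[a["tpa"]] = allowed

    def on_reply(self, frame: bytes) -> bool:
        """True if the reply is forwarded back towards the querier, False if dropped."""
        a = parse_arp(frame)
        if a["oper"] != ARP_REPLY:
            return False
        allowed = self.pending.get(a["spa"])
        return allowed is not None and a["eth_dst"] in allowed


# Constructed addresses: an NLB node behind the firewall queries the gateway on the other side.
NODE_MAC = mac("00:1c:42:aa:bb:01")       # Ethernet source used by the NLB node
CLUSTER_MAC = mac("02:bf:0a:00:00:0a")    # sender MAC the node places in the ARP data
GATEWAY_MAC = mac("00:1c:42:ff:ee:01")
BROADCAST = mac("ff:ff:ff:ff:ff:ff")
ZERO_MAC = bytes(6)


def nlb_scenario(accept_arp_sender: bool) -> bool:
    """Run the NLB query/reply exchange through the relay; return whether the reply got through."""
    relay = TransparentArpRelay(accept_arp_sender)
    query = build_arp(NODE_MAC, BROADCAST, ARP_REQUEST, CLUSTER_MAC, "10.0.0.10", ZERO_MAC, "10.0.0.1")
    relay.on_query(query)
    # The gateway answers the MAC it learned from the ARP data, i.e. the cluster MAC.
    reply = build_arp(GATEWAY_MAC, CLUSTER_MAC, ARP_REPLY, GATEWAY_MAC, "10.0.0.1", CLUSTER_MAC, "10.0.0.10")
    return relay.on_reply(reply)
```

The relaxed check does not open the relay to arbitrary replies: it still only forwards a reply to a MAC that the querier itself announced, either in its Ethernet header or in its ARP sender field.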

Enhancements:
1. The URLs to the online manual and help have been changed.
2. During configuration, it is now possible to reset only the firewall configuration to factory default. Previously both firmware and configuration had to be reset. The new option is available in both the boot menu (serial console) and the WebUI.
3. The time the firewall waits before reverting the last configuration change after a "save and activate" is now user configurable. The default revert timeout is 30 seconds.
4. For IPsec, the default IKE and IPsec lifetimes have been defined as 28000 seconds and 3600 seconds.
5. The default action for an IDS rule is changed to Audit.
6. The possibility to trigger ZoneDefense from the Intrusion Detection System has been added. The intruder's source IP address is blocked via ZoneDefense.
7. IM/P2P blocking triggered by ZoneDefense is now able to block the most popular IM/P2P software, including MSN Messenger 7.5, Windows Messenger 4.73, eMule v0.46c, RevConnect 0.674g (DirectConnect), WinMX client v3.54 beta 4 and BearShare 5.1.0 (Gnutella).
8. IDS events can now be logged to a special memory log receiver which can be browsed on the IDS Status page in the web user interface. Only IDS-related events (including thresholds) are logged to this memory log receiver.
9. For ZoneDefense, support for DES-3828, DHS-3618 and DHS-3626 has been added. For DES-3828, note that switches running firmware earlier than 1.00B23 need a switch firmware upgrade for full ZoneDefense support. For DHS-3618 and DHS-3626, switches running firmware earlier than 1.00B03 need a switch firmware upgrade for full ZoneDefense support.
10. The last 10 IDS auto update attempts are now logged in a separate history log on the Status->IDS page. In previous firmware versions only the last attempt was shown on the status pages.
11. "SNMP Before Rules" is now enabled in the default configuration.
12. Front panel: The time format (for current time) shown on the front panel has been changed to "Time: hh:mm". Affects DFL-1600 and DFL-2500.
13. In SMTP Log, a simple verification of the entered email address has been added. It checks that the user input at least follows the basic structure of an email address.
14. A unique ID has been added to all IDS signatures. This ID is displayed in the log when a signature triggers. To find the corresponding advisory, search D-Link's security portal using the logged ID or signature name.
15. To continue receiving automatic IDS signature database updates, the firewall needs to be registered in D-Link's security portal. A button has been added on the IDS Updates page that directs the user to the correct web page. Note that the D-Link Security Portal will be ready by February 2006; before that, IDS signature databases can be updated without registration.
16. A new button has been added on the IDS update settings page. It can be used to manually trigger an IDS signature database update request.
17. The IDS auto update server is no longer user configurable.
18. For the DHCP service on DFL firewalls, it is now possible to configure the default gateway and/or DNS server when running the setup wizard.

Note: Well-known ZoneDefense switch issues:

1. DES-3350SR (R3.02-B03): When the ACL profile is initially set up via SNMP and rules are added, ZoneDefense will not work correctly. If the ACL profile is initially set up via the Web UI, the issue does not appear.
2. DES-3526 (R3.05-B09) / DES-3550 (R3.05-B24) / DES-3828 (R1.00-B23): These models cannot create ACL profiles to block a specific UDP source port.

=============================================================
Version: 2.03.00
Hardware Version: A1
Date: July 5, 2005

Problems Resolved:
1. PPTP/L2TP could only use physical interfaces as interface filter.
2. Corrected DGS-3324SR switch support for ZoneDefense.
3. ZoneDefense would not be triggered if no related ACL rules were configured.
4. ARP: Fixed a case where verbose mode wouldn't be toggled.
5. Added a summary message about suppressed output when the maximum show limit is reached in the "conn" command.
6. OSPF: Updated HA failover behavior.
7. OSPF: Miscellaneous small updates.
8. Route Failover (ARP monitoring) feature correction.

=============================================================
Version: 2.03.00-PRE001
Hardware Version: A1
Date: June 29, 2005

Problems Resolved:
1. It is no longer necessary to create firewall rules before ZoneDefense (ZD) rules can be triggered.

=============================================================
Version: 2.02.00
Hardware Version: A1
Date: June 22, 2005

Problems Resolved:
1. ZoneDefense and logging could not be used at the same time for a threshold.
2. The core interface could not be chosen when adding a static route.
3. Memlog: Connection info was not parsed into the right columns.
4. New URL for online manual and help.
5. Static web content after firmware upgrade.
6. Timezone settings were not used if DST was disabled.
7. The firewall would hang when scanned with the Nessus software.
8. The firewall would sometimes crash when an IP4 group was used in the IPsec feature.
9. The "Any" interface could be illegally selected in various places.
10. Minor GUI changes.

Enhancements:
1. Added IDS, User Auth and Server Load Balancing statistics on the status page.
2. Changed the memory logging format to column based.

Notes: Well-known issues:

1. The reset to factory default function will roll back the firmware version to v2.00.
2. When the firewall gets an IP address from a DHCP server, a default route is not added to the routing table automatically. The user needs to add it manually.

=============================================================
Version: 2.00
Hardware Version: A1
Date: May 11, 2005
The first release version.
