NG Firewall Release History


This page collects release/patch notes for each version of NG Firewall currently available for download from ETM Dashboard. It is organized in descending chronological order, with the newest notes at the top. As older versions of the software are removed from ETM Dashboard, so will release notes pertaining to them.


Version 17.1 includes the following enhancements and bug fixes:

- Updated GeoIP database
- Updated default IPS signatures database
- Updated Application Control library
- Fixed IPS rules for severity levels required signature update
- Fixed IPS signatures were not updated immediately after app installation
- Fixed Web Filter responses for unknown categories being blocked
- Fixed specific Javascript exceptions caused instability of the main process
- Fixed long delay when saving changes in the local web administration
- Added full tunnel IPsec negotiation for Arista Wi-Fi Access Points. 
- Added options for Energy Efficient Ethernet in the advanced network card properties
- Added Web Filter category for Generative AI
- Applied security fixes for CVE-2023-41993 CVE-2023-41074 CVE-2023-39928 CVE-2023-32359
- Applied security fixes to mitigate SQL injection attempts
- Disabled TLS v1.1
- Increased capacity of URL lookups in Web Filter
- Increased capacity of DHCP leases

Notice regarding cloud hosted email relay
The cloud hosted relay option has been permanently taken offline and is no longer supported. This option will be removed in the next release. See Receiving alerts from NG Firewall for alternative options. 


Version 17.1.1 is a minor update which addresses an issues identified in 17.1.

Bug Fixes
Issue with PPPoE WAN connections



Version 17.0 includes the following enhancements and bug fixes:

Multi-factor authentication - You can configure a TOTP code to log into the local web administration as a secondary authentication method.
DHCP Relay - The DHCP server for LAN interfaces can forward DHCP requests to a remote DHCP server to centralize IP address assignment across a distributed network.
WiFi regulatory domains - You can assign the regulatory domain based on your selected region so that NG Firewall updates the list of available frequencies.
Bug Fixes
IPsec - Forcing client disconnect from the status page was not functional for IKEv2 based tunnels.
IPsec - The service continued to run on the system after disabling or uninstalling the app.
IPsec - Shrew Soft VPN client could not connect.
OpenVPN - Full tunnel VPN clients could not access resources on the local network behind the NG Firewall hub.
OpenVPN - A missing directory could prevent the service from starting.
OpenVPN - If TOTP is enabled, site to site tunnels could not be created without manually editing the configuration file.
Reports - Adding a global condition in interface usage report resulted in an error.
Reports - Reports users could not log in due to inaccurate determination of password strength.
VLANs - No error or warning was displayed when the maximum number of interfaces was reached.
VLANs - VLANs with ID value below 100 were not allowed.
Firewall app - Rules using Threat Prevention based conditions were not evaluated.
WireGuard - The service could not start if a conflicting route was detected.
Dynamic routing - BGP with a null router ID / AS value generated errors.
System - Nullsoft scriptable install system was identified as malware in the ISO by virus scanners.
System - The option to run the setup wizard from the Support screen is removed.
System - Network interface configuration to physical adapter association was rearranged after reboot on specific types of hardware
System - Admin login events from the localhost were not captured in the log.
System - An issue causing unexpectedly high CPU load is resolved.

Notice regarding NIC mapping on upgrades
Some installs may continue to experience interfaces remapping following the upgrade to this release. The fix for this issue resolves the behavior for subsequent upgrades and reboots. If your appliance was affected by this issue with previous upgrades make sure to perform the upgrade from a local network in case you need to reconfigure the interfaces.

Notice regarding email alerts

The option to relay email via the "Cloud hosted email relay" will be removed in the next release. Refer to Receiving email alerts from NG Firewall for alternative options.  


Version 16.6 includes an update of the operating system to Debian 11 Bullseye. Other changes include branding updates and official localization of the web administration to German and Japanese.

Bug Fixes
Fixed - IPsec cipher list was incomplete for phase 1. It now includes the same cipher options as phase 2. The default ciphers have also been updated to match modern standards.
Fixed - LDAP queries to Active Directory with Smart card authentication enabled now work.
Important notice:

This is a significant release and may take more than an hour to complete.
This release requires a system restart.
Some CSS files may be cached resulting in inconsistent colors. Clearing the browser cache is recommended.
Python scripts in Captive Portal custom pages is no longer supported. Any custom scripts may not work after upgrading. This includes custom templates which were once available from this Wiki.

Version 16.6.1 is a minor update which addresses some issues identified in 16.6.0.

Bug Fixes
Issue with Tunnel VPN routing all traffic across a tunnel
Issue with OpenVPN authentication
Issue with RADIUS server not starting/running
Issue with WAN Balancer routing traffic incorrectly
Issue with Google Drive syncing backups and/or Reports

Version 16.6.2 is a minor update which addresses some issues identified in 16.6.0 or 16.6.1.

Bug Fixes
Issue with RADIUS server and Local Directory not showing usernames after login
Issue with some upgrades from 16.5.x failing
Issue with Reports data retention setting failing to apply correctly



Version 16.5 includes a new ISO installer that enables admins to install and manage NG Firewall entirely via serial console for hardware appliances that do not have standard video output.

Bug Fixes
Fixed - OpenVPN server enforces 2FA if enabled. Users with sufficient access rights could modify the client configuration file to exclude the 2FA requirement.
Fixed - Specific types of bypass rules prevented IPS from working. A bypass rule using a specific set of conditions caused Intrusion Prevention to fail when writing out the rule.
Fixed - License update check failure notice moved to warning message. If the device could not contact the licensing server the user received a notice at the top of the screen. This notice is now displayed as a general warning message.
Fixed - License changes are no longer logged to the Settings Changes report. License checks resulted in frequent events reported to the Settings Changes report. These checks and any other license changes are no longer included in the Settings Changes report.
Fixed - System could not start if ACPI function is disabled. If a system had this feature disabled in the BIOS, it created a fault in the UVM.
Known issues:

If OpenVPN requires 2FA, the tunnel configuration file includes the parameter to use 2FA. Prior to importing the tunnel configuration file, you must remove the following parameter: static-challenge "TOTP Code " 1
Important notice:

The OVA installation method for VMware is no longer available. For VMware installations, you can deploy via the ISO installer as a new virtual machine.
Minor security updates.
Updated certificate used for remote management from Edge Threat Management Dashboard (formerly Command Center).



NG Firewall 16.4 is a maintenance release with bug fixes and minor enhancements.

Bug Fixes & Updates
Improved reliability of Web Filter with updated Brightcloud daemon.
Added notification mechanism in admin UI to inform user of connectivity and license issues such as the inability to contact the licensing service.
Increased frequency of license update checks to 4 hours when online, and every 10 minutes when offline.
Updated app install behavior when no connection is detected. During initial setup, apps do not install until connectivity is detected.
Fixed - trials were starting when appliance was configured in offline mode. Trials now start when appliance becomes online.
Fixed - passwords for reports users were not successfully updated when edited.
Fixed - OpenVPN 2FA timeout is now configurable. The default behavior now does not have a timeout. The previous timeout was 1 hour.
Fixed - a trial license for the support app was not getting assigned during initial setup.
Fixed - shield feature was not initializing when appliance was configured in offline mode.
Fixed - resolved a clickjacking vulnerability in the admin web UI.
Fixed - IPsec bypass was always applied to tunnels regardless of the IPsec bypass option. Filtering is now applied if the bypass option is disabled.
Known issues:

Backups cannot be restored from prior versions - will be resolved in a patch release.
Resolves issue of restoring backups from prior versions.



16.3 streamlines the setup process by consolidating the setup wizard into the ETM Dashboard add appliance wizard and installing the recommended apps by default. Other enhancements include TOTP based two factor authentication for OpenVPN, and a storage watchdog that disables Reports when free space falls below 5 GB.

Bug Fixes & Updates
Fix: Excessive logging of Serial Getty error messages to syslog on systems without a Serial interface.
Fix: Renamed WireGuard Connection Events to WireGuard VPN Events to better describe the reported data.
Fix: WireGuard connection events report was only reporting the first configured tunnel.
Fix: Copy button in WireGuard profile is now visible in Safari browser and in cases with many allowed IPs.
Fix: WireGuard Events were are now showing accurate "Out" bytes data. Previously this information was inaccurately reported using cumulative values.
Fix: WireGuard tunnels now support using Hostnames in the endpoint address field. Previously this field only allowed IP address input values.
Fix: Improved the accuracy of Threat Prevention for incoming connections.
Fix: Improved automatic detection of available private subnets in WireGuard address pool configuration.
Fix: WireGuard tunnels no longer perform implicit NAT.
Fix: Improved parsing of imported SSL certificates to correct missing line terminators in the PEM file.
Fix: IPS updates are now performed as a differential to preserve bandwidth.
Fix: The AD Workgroup name in RADIUS proxy is now converted to upper case.
Fix: MSS clamping now applies to PPPoE and WireGuard interfaces.
Fix: Added safeguards against certain types of injection attacks.
Fix: Web Filter rules based on URL conditions now evaluate hostnames based on SNI.
Fix: Changes to network configuration prevented traffic across WireGuard tunnels.
Fix: Improved WAN Failover detection in specific network environments.
Fix: Youtube restricted mode and search filtering was not being enforced due to changes in the Google API.
Fix: Increased the max number of permitted concurrent DNS requests in the local resolver (DNSmasq).
Fix: Threat prevention app returned errors if Reports app was not installed.
Fix: DHCP client default route not added with specific types of WAN links such as Starlink.
Fix: Some licensed apps were able to continue working after license expiration.



16.2 brings the ability to use WPA-2 Enterprise for wireless network authentication. With this release, NG Firewall can be set up as a RADIUS Server to authenticate local or Active Directory users when joining the wireless network.

For more information, see the RADIUS Server and RADIUS Proxy documentation.

Bug Fixes & Updates
Fix: WireGuard licensing issues on startup
Fix: QoS & IPsec issues on Lanner NCA-4210B hardware
Fix: Port forwards on 443/80 not working after 16.0.1 upgrade without changing service ports
Fix: TLS v1.3 causing website loading issues
IPS signatures updated
Updates for applications list for Application Control app
Note on upgrades
The RADIUS Server requires UDP ports 1812 and 1813 to be accessible from your access points if you intend to use the WPA2-Enterprise authentication feature added to this release. Access rules are added by default for new installations, but not for upgrades. Refer to the Access Rules section of the RADIUS Server documentation for details.

16.2.1 is a minor release that resolves bugs in the RADIUS Server introduced by version 16.2.0.

Bug Fixes
Fixed RADIUS rules not added during upgrade
Fixed RADIUS name mapping not working due to incorrect script permissions
Fixed login names by RADIUS truncated at 10 characters
Fixed Winbind service not starting after enabling RADIUS Proxy
Fixed Freeradius server failing to start on upgrades
16.2.2 is a minor release that resolves an upgrade issue introduced in the 16.2.1 release.



16.1 is a minor release that includes extending the WireGuard app, released as part of NG Firewall 16.1, to cloud deployments Amazon Web Services, and Microsoft Azure. This release also includes a kernel update, updating to Linux 4.19.0-11. Being on the latest version of the operating system ensures robust security and performance at the kernel level.

Bugfixes & Updates
Fix - Captive Portal authentication page is not displayed for WireGuard clients
Update - NAVL libraries are updated to the recent version (
Technical Notes
There is no 32-bit build for this release. It is no longer possible to upgrade or install from scratch on a 32 bit system. Backups from 15.1, and from 16.0 can be restored to a 16.1 version of NG Firewall.



16.0.1 is a major release containing the new WireGuard VPN application, UEFI support, and many improvements and bug fixes. There was a minor package change in early 16.0.1 testing which created 16.0.1 release. Previous 15.1.x releases will upgrade directly to 16.0.1.

WireGuard is a very simple, yet fast and modern VPN technology that uses state-of-the-art cryptography. It can be used in both site-to-site environments as well as mobile devices. Learn more about the WireGuard App in the WireGuard VPN wiki page

You can now install NG Firewall on UEFI for most modern BIOS platforms.


If you use WAN Failover, you can now specify to use any "Active WAN". When the primary WAN switches, IPsec tunnels reconnect using the new link. On the remote endpoint, there is a new option to allow the incoming tunnel connection from any address.

Better performance
IPsec now uses AES-GCM as the default cipher resulting in a significant performance boost.

Improved reliability
The mechanism to detect the tunnel status has been improved, resulting in better reliability of IPsec tunnels.

Remote GUI over IPsec tunnel
Added the ability to access the remote NGFW over the IPsec tunnel.

General VPN Improvements
Tunnel Persistence
Active OpenVPN and IPsec tunnels are not affected by configuration changes such as adding a new tunnel.

Automatic LAN configuration
If you change the IP address of a LAN interface, this change will propagate to WireGuard, OpenVPN, and IPsec tunnels.

Threat Prevention
Threat lookup
The Threat Lookup tool now shows the results from both "client" and "server" reputation values. Prior to this release, the lookup returned only the server reputation.

Custom block actions
You can now redirect the user to an external block page URL or you can choose to block the connection without redirecting the user to a block page.

Pass Sites
You can now create exceptions for IP addresses and URLs without having to create individual rules for each item.

Numerous performance improvements have been made to reporting and HTTP traffic processing.
Admin UI now operates on applicable interface aliases.
SSL Inspector now supports TLS 1.3.
Under Config, System, the new Logs tab allows you to better control disk space used by logs by specifying retention.
Report retention can now be configured at an hourly resolution.
Event reports can now export what is displayed or the entire table.
Web event reports now have the host field before the URI field.
Remote syslog events are no longer cut off at a certain size limit.
Disk space now uses a more accurate calucation.
Exporting JSON content columns issues has been fixed.
L2TP local directory auth fails after deleting IPsec tunnels has been fixed.
Removing remote server from OpenVPN does not close connection has been fixed.
Better error messaging on OSPF configuration issues.
Policy Manager rules race condition on upgrade fixed.
Parse large log directories correctly.
Upload root certificate.
Enforcement of strong cryptography SHA-512 for credentials
System Requirements and Technical Notes
32 bit upgrades will no longer be provided from 16.1 onwards
The software appliance installer for USB disks now uses the ISO file format, the same as for CD media. Therefore, as of 16.0 the IMG file download is no longer necessary and removed from the download page.
The WireGuard app is not available for cloud deployments (Amazon Web Services or Microsoft Azure). AWS and Azure deployments will update to version 16.0.1 if automatic updates are on, but the WireGuard app will not be included in that update.
Ports 80 and 443 are now reserved on all IP Addresses, including aliases. This means that port forwarding on TCP ports 80 and 443 are not functional unless the services are moved to alternate ports. Additional considerations regarding service ports are described in the Knowledge Base article What happens when I change my service ports?



15.1 replaces the underlying Debian Operating System from Stretch to Buster (Debian 10). This includes a new kernel 4.19 also.

Upgrading to version 15.1 requires a reboot to the appliance. Additionally, the database is reindexed which can take around an hour. Whilst the database is reindexing, NG Firewall is online and working but the main dashboard UI will not update during this time.

15.1 does not come with a 32 bit installer. 32 bit deployments, however, are still supported.

Upgrades are available for 32 bit deployments. 32 bit 15.0 deployments can be upgraded to 15.1
32 bit backups can be used on 64 bit installs
The OpenVPN client for Windows is no longer included. Current installed and configured clients will continue to work. OpenVPN clients are available for Microsoft Windows and Mac OS from OpenVPN which can be used with NG Firewall 15.1. See our OpenVPN documentation for more details.

Note also that most VPN clients no longer support MD5, including the official OpenVPN Windows client as it was found to be a severely compromised security technology a few years ago. Whilst NG Firewall had a temporary workaround to allow administrators the time to update their MD5 certificates, this is no longer supported in 15.1. For deployments that are still using MD5 certificates, administrators will need to uninstall and reinstall the OpenVPN app, and distribute the new OpenVPN configuration to VPN clients.

New 'Close Session' option for Web Filter block pages
Configuration backup to Google Drive does not require Directory Connector anymore
Bug Fixes
Fix: Webfilter categories get reset after a restart
Fix: DHCP relay fixed in dnsmasq 2.80-1
Other Changes
Removed Root Certificate Installer (Windows) from SSL Inspector. To install the root certificate, go to http://your_server/cert to download and install the root certificate. More details in SSL_Inspector
Bug Fixes 15.1.1 is a bug fix release.

Fixes grub rescue issue on z-series.
Includes bugs fixes in date release Date_Changelog#15.1.0_build_2020-08-26
15.1.2 is a minor update to how packages are accepted for upgrade due to changes in Debian Buster.



15.0 is a major new release containing new the new Threat Prevention application and WebFilter enhancements.

Threat Prevention
Threat Prevention is a new application that blocks traffic based on URL or IP address malicious reputation. Blocked web sessions will be redirected to a local block page. All other non-web sessions will be dropped. Reputations are provided by Brightcloud.

Web Filter
Web Filter contains the following enhancements:

Kid Friendly search redirect
A new Advanced option Force searches through kid-friendly search engine will redirect known search engine requests through

Custom block page
A new advanced option Custom block page allows you to redirect block pages to an external site for block page customization.
NOTE: Unblock operations are not available when using a custom block page.

KidszSearch & DuckDuckGo search engine support
Support for search engines Kidzsearch and DuckDuckGo have been added including support for search terms and kid friendly search.

Category Submit Request
The Site Lookup, Suggest a different category operation now properly works and submits the URL to be re-classified.

QUIC messages
If you block QUIC sessions, those blocks will be recorded as WebFilter status metrics instead of logging each instance to the WebFilter log.

Query performance enhancements
Various improvements have been added to the Brightcloud query engine to improve performance.

Custom Email Alerts
Email Alerts can now be customized through the new Email Template tab.

The message now defaults to a key-value formatted message with values converted to "human-readable" formats. For example, a numeric value like 99214905344 will display at 92G.

As you customize the template, a preview is displayed using a live SystemStatEvent event, showing exactly how the template will be applied.

Kernel Upgrade
Kernel upgrade to 4.9.0-11 will be forced with this release.

Important: Please make sure that your hardware is compatible with kernel version 4.9 before upgrading from a previous version.

Network interface mark preservation improves interoperability with other advanced routing technologies.
Google drive backups stopped working due to a Google change. This has been fixed.
Reports now properly escape HTML and JavaScript to prevent injection out of band XSS

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk