NG Firewall Release History

Overview

This page collects release/patch notes for each version of NG Firewall currently available for download from ETM Dashboard. It is organized in descending chronological order, with the newest notes at the top. As older versions of the software are removed from ETM Dashboard, the release notes pertaining to them will be removed as well.

17.2

NG Firewall version 17.2 includes a variety of small enhancements, user interface sanity checks, bug fixes, security updates, and general housekeeping.

Notes:

The Google Connector feature that provides remote backup to Google Drive is no longer available and is removed from the management interface. 

This release includes an automated reboot.

Feature enhancements, additions, and user interface updates
Added MAC vendor field to the Interfaces screen
Added daily maintenance of the email queue to prevent excessive buildup of messages
Added support for wildcards in the email quarantine address field
Added checks to prevent upgrades if disk space is insufficient
Added ability to configure multiple remote syslog servers
Added human readable formatting of data transfer rates in related grids and reports
Added searching by tags in Hosts, Devices, and Sessions screens
Added ability to query more than 1000 users in Microsoft Active Directory and Entra ID
Added WireGuard VPN interfaces to OSPF interface override feature
Added mapping of WireGuard VPN tunnel description to username field in users screen to associate WireGuard VPN tunnels to named users
Added warning message to WireGuard VPN screen after making general settings changes and there are existing tunnels which require updates
Added sanity checks to prevent conflicting ID or IP configuration of VLAN interfaces
Added sanity checks to prevent conflicting IP peers and subnets of WireGuard VPN tunnels
Added sanity checks to prevent invalid characters in interface names
Improved DNS query handling so that requests are always forwarded using the corresponding WAN interface
Improved handling of licensed features during temporary outages to the license service
Improved UI field input validations across all related screens
Improved validation of imported data across all related grids
Improved wording in OpenVPN client download screen
Improved copy function in WireGuard tunnels to omit unique data
Improved user navigation in offline setup wizard
Improved Web Filter rules to no longer require flagging

General updates and other maintenance
Updated Geo-IP database
Updated IPS signature database
Updated multiple libraries used by the logging facilities and web services
Updated EULA in all affected screens
Updated the feedback link in the navigation menu
Replaced Quagga with FRR for Dynamic Routing features
Replaced keep-alive modules with FRR for VRRP when using dynamic routing
Removed custom page support from Captive Portal
Removed option to import current users
Removed option to import current devices
Removed Facebook from Captive Portal authentication options
Removed invalid URL reference in IPS screen
Removed community languages
Removed the option to configure Cloud Hosted Relay in the Email screen
Removed ping probes from IPsec and WireGuard VPN tunnels with roaming remote endpoints
Removed Auth Type column in specific Captive Portal reports in cases where this datapoint is not valid
Removed skins. On upgrade, custom skins will be reverted to the default skin
Increased the high memory threshold in IPS from 2 GB to 4 GB

Bug fixes
Fixed booting and installation issue with EEE and Realtek adapters
Fixed “synchronize time” button that caused an indefinite loading screen
Fixed UI issue with DHCP server settings not rendering when DHCP is disabled on the corresponding interface
Fixed UI error when setting conflicting remote address in OpenVPN clients tab
Fixed UI layout issues in Syslog screen
Fixed UI error when performing a lookup of the vendor by MAC address on the Networks screen
Fixed TunnelVPN screen where the Done button was not enabled in some situations
Fixed issue with recent Web Filter categories not populating in reports
Fixed filtering by “Last Seen Time” field in grids
Fixed upgrade failures on systems with a floppy drive
Fixed kernel panic under specific bypass configuration for IPS
Fixed issue with Q4 appliance not showing the serial number in About screen
Fixed UI scrolling issues on screens with large data sets
Fixed issue with backup recovery not restoring the custom icon from Branding Manager app
Fixed upgrade failure caused by L2TP address field malformatting
Fixed issue where network settings could not be updated after duplicate values were entered in the DHCP Server screen
Fixed loading of offline setup wizard when a default admin password exists
Fixed UI issue where duplicate routes in the Routes screen were not removed, which prevented saving
Fixed Bandwidth Control app not starting QoS if QoS was previously disabled
Fixed “is not” operator was not working for protocol based conditions and IP ranges
Fixed “glob” matcher was not working for MAC addresses
Fixed rules not working with conditions using a range in descending order (e.g. 192.168.1.200 - 192.168.1.100)
Fixed error loading Apps screen after installation
Fixed invalid formatting of date fields after setting the Web UI to Japanese language
Fixed safe search enforcement on Yahoo search engine
Fixed safe search when using YouTube retry option
Fixed error when assigning online access to Reports users
Fixed system logs which did not include some logs due to prior directory structure changes
Fixed issue with uploaded SSL certificates not working due to trailing spaces or extra line feeds in the certificate file
Fixed issue with WireGuard VPN tunnel copy button not functional when many networks exist in the configuration
Fixed issue with OpenVPN client profiles not including secondary WANs when added after the app was installed
Fixed Web Filter was not blocking web searches which included the “$” character
Fixed group membership was not working when failing over to a secondary Microsoft Active Directory server
Fixed Virus Blocker reports not pulling the correct data for FTP based sessions
Fixed IPS not starting with specific network settings having null values
Fixed Threat Prevention causing network performance issues with network devices using AnyDesk software
Fixed error when trying to delete a Policy which has installed apps
Fixed error trying to download reports which use charts or graphs
Fixed issue with WireGuard VPN that allowed new tunnels after the peer IP address pool was exhausted
Fixed issue deleting custom reports which contained invalid settings
Fixed typo in Firewall app events Summary field
Fixed error when local interface configuration conflicted with the WireGuard VPN address pool
Fixed static routes not populating on PPPoE interfaces after re-authentication
Fixed OpenVPN tunnels were not disconnecting after disabling the tunnel

Security updates
Improved security handling for various types of SQL injection attacks
Improved security handling for tokens used by remote access feature
Improved security handling for local account passwords
Improved security handling of uploaded backup files to prevent man-in-the-middle attacks
Improved sanity checking and handling of various UI inputs to prevent execution of arbitrary code
Patched vulnerability in Glibc library when using Chinese character encoding (CVE-2024-2961)
Patched vulnerability in Linux kernel module Netfilter (CVE-2023-32233)

17.1

Summary
Version 17.1 includes the following enhancements and bug fixes:

- Updated GeoIP database
- Updated default IPS signatures database
- Updated Application Control library
- Fixed IPS rules for severity levels required signature update
- Fixed IPS signatures were not updated immediately after app installation
- Fixed Web Filter responses for unknown categories being blocked
- Fixed specific Javascript exceptions caused instability of the main process
- Fixed long delay when saving changes in the local web administration
- Added full tunnel IPsec negotiation for Arista Wi-Fi Access Points
- Added options for Energy Efficient Ethernet in the advanced network card properties
- Added Web Filter category for Generative AI
- Applied security fixes for CVE-2023-41993, CVE-2023-41074, CVE-2023-39928, CVE-2023-32359
- Applied security fixes to mitigate SQL injection attempts
- Disabled TLS v1.1
- Increased capacity of URL lookups in Web Filter
- Increased capacity of DHCP leases

Notice regarding cloud hosted email relay
The cloud hosted relay option has been permanently taken offline and is no longer supported. This option will be removed in the next release. See Receiving alerts from NG Firewall for alternative options.

17.1.1
Version 17.1.1 is a minor update which addresses an issue identified in 17.1.

Bug Fixes
Issue with PPPoE WAN connections

17.0

Summary
Version 17.0 includes the following enhancements and bug fixes:

Enhancements
Multi-factor authentication - You can configure a TOTP code to log into the local web administration as a secondary authentication method.
DHCP Relay - The DHCP server for LAN interfaces can forward DHCP requests to a remote DHCP server to centralize IP address assignment across a distributed network.
WiFi regulatory domains - You can assign the regulatory domain based on your selected region so that NG Firewall updates the list of available frequencies.
Bug Fixes
IPsec - Forcing client disconnect from the status page was not functional for IKEv2 based tunnels.
IPsec - The service continued to run on the system after disabling or uninstalling the app.
IPsec - Shrew Soft VPN client could not connect.
OpenVPN - Full tunnel VPN clients could not access resources on the local network behind the NG Firewall hub.
OpenVPN - A missing directory could prevent the service from starting.
OpenVPN - If TOTP is enabled, site to site tunnels could not be created without manually editing the configuration file.
Reports - Adding a global condition in interface usage report resulted in an error.
Reports - Reports users could not log in due to inaccurate determination of password strength.
VLANs - No error or warning was displayed when the maximum number of interfaces was reached.
VLANs - VLANs with ID value below 100 were not allowed.
Firewall app - Rules using Threat Prevention based conditions were not evaluated.
WireGuard - The service could not start if a conflicting route was detected.
Dynamic routing - BGP with a null router ID / AS value generated errors.
System - Nullsoft scriptable install system was identified as malware in the ISO by virus scanners.
System - The option to run the setup wizard from the Support screen is removed.
System - Network interface configuration to physical adapter association was rearranged after reboot on specific types of hardware.
System - Admin login events from the localhost were not captured in the log.
System - An issue causing unexpectedly high CPU load is resolved.

Notice regarding NIC mapping on upgrades
Some installs may continue to experience interfaces remapping following the upgrade to this release. The fix for this issue resolves the behavior for subsequent upgrades and reboots. If your appliance was affected by this issue with previous upgrades make sure to perform the upgrade from a local network in case you need to reconfigure the interfaces.

Notice regarding email alerts

The option to relay email via the "Cloud hosted email relay" will be removed in the next release. Refer to Receiving email alerts from NG Firewall for alternative options.

16.6

16.6
Version 16.6 includes an update of the operating system to Debian 11 Bullseye. Other changes include branding updates and official localization of the web administration to German and Japanese.

Bug Fixes
Fixed - IPsec cipher list was incomplete for phase 1. It now includes the same cipher options as phase 2. The default ciphers have also been updated to match modern standards.
Fixed - LDAP queries to Active Directory with Smart card authentication enabled now work.
Important notice:

This is a significant release and may take more than an hour to complete.
This release requires a system restart.
Some CSS files may be cached resulting in inconsistent colors. Clearing the browser cache is recommended.
Python scripts in Captive Portal custom pages are no longer supported. Any custom scripts may not work after upgrading. This includes custom templates which were once available from this Wiki.

16.6.1
Version 16.6.1 is a minor update which addresses some issues identified in 16.6.0.

Bug Fixes
Issue with Tunnel VPN routing all traffic across a tunnel
Issue with OpenVPN authentication
Issue with RADIUS server not starting/running
Issue with WAN Balancer routing traffic incorrectly
Issue with Google Drive syncing backups and/or Reports

16.6.2
Version 16.6.2 is a minor update which addresses some issues identified in 16.6.0 or 16.6.1.

Bug Fixes
Issue with RADIUS server and Local Directory not showing usernames after login
Issue with some upgrades from 16.5.x failing
Issue with Reports data retention setting failing to apply correctly

16.5

16.5
Version 16.5 includes a new ISO installer that enables admins to install and manage NG Firewall entirely via serial console for hardware appliances that do not have standard video output.

Bug Fixes
Fixed - OpenVPN server enforces 2FA if enabled. Users with sufficient access rights could modify the client configuration file to exclude the 2FA requirement.
Fixed - Specific types of bypass rules prevented IPS from working. A bypass rule using a specific set of conditions caused Intrusion Prevention to fail when writing out the rule.
Fixed - License update check failure notice moved to warning message. If the device could not contact the licensing server the user received a notice at the top of the screen. This notice is now displayed as a general warning message.
Fixed - License changes are no longer logged to the Settings Changes report. License checks resulted in frequent events reported to the Settings Changes report. These checks and any other license changes are no longer included in the Settings Changes report.
Fixed - System could not start if ACPI function is disabled. If a system had this feature disabled in the BIOS, it created a fault in the UVM.
Known issues:

If OpenVPN requires 2FA, the tunnel configuration file includes the parameter to use 2FA. Prior to importing the tunnel configuration file, you must remove the following parameter: static-challenge "TOTP Code " 1
Important notice:

The OVA installation method for VMware is no longer available. For VMware installations, you can deploy via the ISO installer as a new virtual machine.
16.5.1
Minor security updates.
16.5.2
Updated certificate used for remote management from Edge Threat Management Dashboard (formerly Command Center).

16.4

16.4
NG Firewall 16.4 is a maintenance release with bug fixes and minor enhancements.

Bug Fixes & Updates
Improved reliability of Web Filter with updated Brightcloud daemon.
Added notification mechanism in admin UI to inform user of connectivity and license issues such as the inability to contact the licensing service.
Increased frequency of license update checks to 4 hours when online, and every 10 minutes when offline.
Updated app install behavior when no connection is detected. During initial setup, apps do not install until connectivity is detected.
Fixed - trials were starting when appliance was configured in offline mode. Trials now start when appliance becomes online.
Fixed - passwords for reports users were not successfully updated when edited.
Fixed - OpenVPN 2FA timeout is now configurable. The default behavior now does not have a timeout. The previous timeout was 1 hour.
Fixed - a trial license for the support app was not getting assigned during initial setup.
Fixed - shield feature was not initializing when appliance was configured in offline mode.
Fixed - resolved a clickjacking vulnerability in the admin web UI.
Fixed - IPsec bypass was always applied to tunnels regardless of the IPsec bypass option. Filtering is now applied if the bypass option is disabled.
Known issues:

Backups cannot be restored from prior versions - will be resolved in a patch release.
16.4.1
Resolves issue of restoring backups from prior versions.

16.3

16.3.2
16.3 streamlines the setup process by consolidating the setup wizard into the ETM Dashboard add appliance wizard and installing the recommended apps by default. Other enhancements include TOTP based two factor authentication for OpenVPN, and a storage watchdog that disables Reports when free space falls below 5 GB.

Bug Fixes & Updates
Fix: Excessive logging of Serial Getty error messages to syslog on systems without a Serial interface.
Fix: Renamed WireGuard Connection Events to WireGuard VPN Events to better describe the reported data.
Fix: WireGuard connection events report was only reporting the first configured tunnel.
Fix: Copy button in WireGuard profile is now visible in Safari browser and in cases with many allowed IPs.
Fix: WireGuard Events now show accurate "Out" bytes data. Previously this information was inaccurately reported using cumulative values.
Fix: WireGuard tunnels now support using Hostnames in the endpoint address field. Previously this field only allowed IP address input values.
Fix: Improved the accuracy of Threat Prevention for incoming connections.
Fix: Improved automatic detection of available private subnets in WireGuard address pool configuration.
Fix: WireGuard tunnels no longer perform implicit NAT.
Fix: Improved parsing of imported SSL certificates to correct missing line terminators in the PEM file.
Fix: IPS updates are now performed as a differential to preserve bandwidth.
Fix: The AD Workgroup name in RADIUS proxy is now converted to upper case.
Fix: MSS clamping now applies to PPPoE and WireGuard interfaces.
Fix: Added safeguards against certain types of injection attacks.
Fix: Web Filter rules based on URL conditions now evaluate hostnames based on SNI.
Fix: Changes to network configuration prevented traffic across WireGuard tunnels.
Fix: Improved WAN Failover detection in specific network environments.
Fix: YouTube restricted mode and search filtering were not being enforced due to changes in the Google API.
Fix: Increased the max number of permitted concurrent DNS requests in the local resolver (DNSmasq).
Fix: Threat prevention app returned errors if Reports app was not installed.
Fix: DHCP client default route not added with specific types of WAN links such as Starlink.
Fix: Some licensed apps were able to continue working after license expiration.

16.2

Summary
16.2 brings the ability to use WPA-2 Enterprise for wireless network authentication. With this release, NG Firewall can be set up as a RADIUS Server to authenticate local or Active Directory users when joining the wireless network.

For more information, see the RADIUS Server and RADIUS Proxy documentation.

Bug Fixes & Updates
Fix: WireGuard licensing issues on startup
Fix: QoS & IPsec issues on Lanner NCA-4210B hardware
Fix: Port forwards on 443/80 not working after 16.0.1 upgrade without changing service ports
Fix: TLS v1.3 causing website loading issues
IPS signatures updated
Updates for applications list for Application Control app
Note on upgrades
The RADIUS Server requires UDP ports 1812 and 1813 to be accessible from your access points if you intend to use the WPA2-Enterprise authentication feature added to this release. Access rules are added by default for new installations, but not for upgrades. Refer to the Access Rules section of the RADIUS Server documentation for details.

16.2.1
16.2.1 is a minor release that resolves bugs in the RADIUS Server introduced by version 16.2.0.

Bug Fixes
Fixed RADIUS rules not added during upgrade
Fixed RADIUS name mapping not working due to incorrect script permissions
Fixed login names by RADIUS truncated at 10 characters
Fixed Winbind service not starting after enabling RADIUS Proxy
Fixed Freeradius server failing to start on upgrades
16.2.2
16.2.2 is a minor release that resolves an upgrade issue introduced in the 16.2.1 release.

16.1

Summary
16.1 is a minor release that extends the WireGuard app, released as part of NG Firewall 16.1, to cloud deployments on Amazon Web Services and Microsoft Azure. This release also includes a kernel update to Linux 4.19.0-11. Being on the latest version of the operating system ensures robust security and performance at the kernel level.

Bugfixes & Updates
Fix - Captive Portal authentication page is not displayed for WireGuard clients
Update - NAVL libraries are updated to the recent version (4.7.0.36)
Technical Notes
There is no 32-bit build for this release. It is no longer possible to upgrade or install from scratch on a 32-bit system. Backups from 15.1 and from 16.0 can be restored to a 16.1 version of NG Firewall.

16.0

Overview
16.0.1 is a major release containing the new WireGuard VPN application, UEFI support, and many improvements and bug fixes. There was a minor package change in early 16.0.1 testing which created the 16.0.1 release. Previous 15.1.x releases will upgrade directly to 16.0.1.

WireGuard
WireGuard is a very simple, yet fast and modern VPN technology that uses state-of-the-art cryptography. It can be used in both site-to-site environments as well as on mobile devices. Learn more about the WireGuard App in the WireGuard VPN wiki page.

UEFI
You can now install NG Firewall on UEFI for most modern BIOS platforms.

IPsec

Failover
If you use WAN Failover, you can now specify to use any "Active WAN". When the primary WAN switches, IPsec tunnels reconnect using the new link. On the remote endpoint, there is a new option to allow the incoming tunnel connection from any address.

Better performance
IPsec now uses AES-GCM as the default cipher resulting in a significant performance boost.

Improved reliability
The mechanism to detect the tunnel status has been improved, resulting in better reliability of IPsec tunnels.

Remote GUI over IPsec tunnel
Added the ability to access the remote NGFW over the IPsec tunnel.

General VPN Improvements
Tunnel Persistence
Active OpenVPN and IPsec tunnels are not affected by configuration changes such as adding a new tunnel.

Automatic LAN configuration
If you change the IP address of a LAN interface, this change will propagate to WireGuard, OpenVPN, and IPsec tunnels.

Threat Prevention
Threat lookup
The Threat Lookup tool now shows the results from both "client" and "server" reputation values. Prior to this release, the lookup returned only the server reputation.

Custom block actions
You can now redirect the user to an external block page URL or you can choose to block the connection without redirecting the user to a block page.

Pass Sites
You can now create exceptions for IP addresses and URLs without having to create individual rules for each item.

Other
Numerous performance improvements have been made to reporting and HTTP traffic processing.
Admin UI now operates on applicable interface aliases.
SSL Inspector now supports TLS 1.3.
Under Config, System, the new Logs tab allows you to better control disk space used by logs by specifying retention.
Report retention can now be configured at an hourly resolution.
Event reports can now export what is displayed or the entire table.
Web event reports now have the host field before the URI field.
Remote syslog events are no longer cut off at a certain size limit.
Disk space now uses a more accurate calculation.
Fixed issues when exporting JSON content columns.
Fixed L2TP local directory authentication failing after deleting IPsec tunnels.
Fixed removing a remote server from OpenVPN not closing the connection.
Better error messaging on OSPF configuration issues.
Fixed a Policy Manager rules race condition on upgrade.
Large log directories are now parsed correctly.
Added the ability to upload a root certificate.
Enforcement of strong cryptography (SHA-512) for credentials.
System Requirements and Technical Notes
32-bit upgrades will no longer be provided from 16.1 onwards.
The software appliance installer for USB disks now uses the ISO file format, the same as for CD media. Therefore, as of 16.0 the IMG file download is no longer necessary and removed from the download page.
The WireGuard app is not available for cloud deployments (Amazon Web Services or Microsoft Azure). AWS and Azure deployments will update to version 16.0.1 if automatic updates are on, but the WireGuard app will not be included in that update.
Ports 80 and 443 are now reserved on all IP addresses, including aliases. This means that port forwarding on TCP ports 80 and 443 is not functional unless the services are moved to alternate ports. Additional considerations regarding service ports are described in the Knowledge Base article What happens when I change my service ports?
