Release Notes CSG 7.2.28

Collax Security Gateway
23.04.2024

Installation Notes

Update Instructions

To install this update please follow the following steps:

Procedure

  1. It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to Menu → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.

New in this version

System Management: Linux Kernel 6.6.28

With this update the Linux Kernel 6.6.28 is installed.

Intrusion Detection: Extended IP blocking

The intrusion detection and prevention system has been expanded to include detection. It can now be configured so that repeated attempts to reach an unused port are blocked by the firewall.

GUI: Firewall Viewer

The firewall viewer presents the firewall rules defined in the matrix in a list view. In this version, an additional checkbox has been added to the search field. If this checkbox is activated, not only the “parent” elements but also all associated “child” elements of the matching entries in the tree are displayed.

Two-factor authentication: acceptance of the next token

For a more user-friendly experience, many 2FA login pages allow both the previous and the next token. In the latest version, we have also integrated this functionality and accept both the previous and the next token for authentication.

Net: Routing of networks with 31-bit netmask

Ethernet PtP links can now route networks with a 31-bit netmask.

Backup: Sender domain for status messages

Previously, backup status messages were sent to the e-mail address entered here, whereby the sender was also identical. In future, a suitable sender domain will be searched for, similar to “cron” scripts, and “backup” from this domain will be used as the sender.

Various software packages have been updated in this release. In addition to security-related updates, general maintenance and care updates were also carried out.

The updates and bug fixes affect the following packages<p

  • microcode: 20240312
  • bind: 9.16.48
  • curl: 8.6.0
  • ImageMagick: 7.1.1-29
  • gnutls: Patches
  • openssh: Patches
  • tar: Patches
  • ncurses: Patches
  • mariadb: 10.5.24
  • openssl: Patches
  • squid: 6.8
  • heimdal: 7.8.0
  • bitdefender: 3.5.5.303

Issues fixed in this version

Mail: Hostname mismatch with encrypted collection

When fetching emails via encrypted connections, the error “Server certificate verification error: Hostname mismatch” occurred in the system log of the fetchmail service. This was caused by an incorrect interpretation of a dot at the end of the server name when checking the server certificate. This problem has been fixed in the current release version.

Web proxy: Avoid unnecessary status e-mails after log rotation

Emails with superfluous information that indicate a restart of the web proxy service after a log rotation should be avoided. In this version, we have implemented appropriate adjustments to suppress such notifications.

Notes

Additional software: Bitdefender - Proxy for updates

The virus pattern updates are carried out according to a set cycle. It is currently not possible to use an http proxy for the pattern update of the Bitdefender virus and spam filter.

Additional software: Bitdefender - pattern update after commissioning

After starting up the Collax Antivirus powered by Bitdefender module, it may take a few minutes for the current virus patterns to be downloaded. If you click on Update Bitdefender in the virus scanner form during this time, you will receive an error message “Error connecting to server at /opt/lib/bitdefender//bdamsocket: -3”, because the background process has not yet been fully executed.

GUI: Sporadic hangs during running jobs

The progress of configuration jobs is displayed in the top right-hand corner of the web administration. In the case of extensive changes in the network area, especially with country locks (geo-ip), it can happen in rare cases that the job display hangs during activation. As of release 7.2.28, you will now receive the message “Network connection has been interrupted: Messages may be lost until the connection can be re-established.” informs you about such situations.

VPN: Fix for IKEv2 with Microsoft Windows crashes after 7.6 hours

VPN connections with IKEv2 and the on-board tools of Microsoft Windows are interrupted after interrupted after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during the IKE re-encryption than during the first connection. The problem can be solved with a registry fix by the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1 is set.

Under the following link you will find a REG file (registry entry) that adds the registry key. Collax accepts no liability for system errors resulting from this.

Table of Contents

Newsletter Subscription