SSL VPN Multi-Factor Authentication
For improved security, SSL VPN now supports client authentication using a One-Time Password (OTP) in addition to regular authentication with certificate and password.
Packet Forwarding Optimization
To achieve higher packet rates in setups running a multi-core dataplane, packet processing has been optimized. Depending on the hardware setup, forwarding performance has been increased by up to 30% compared to previous releases.
The "ping" CLI command has been extended with a "srciface" parameter, which can be used to test configured rules and routes. When this parameter is specified, the system will generate traffic as if it had been received on that interface. The generated traffic will be matched against the configured rules. If the system configuration allows it, flows will be opened to forward the traffic. Otherwise, the traffic will be dropped, and logs will be generated if logging is enabled.
Password-only SSL VPN authentication
It is now possible to allow SSL VPN connections from clients without certificates by setting the SSLVPNServer option "ClientCACert" to .
Extended FQDN Address Support
It is now possible to use FQDN address objects when configuring Access Rules, Threshold Rules and Traffic Shaping Rules.
Extended Centralized Management Audit Trail
For security reasons, issuing the command "localconfiguration -enable" will now cause a warning log event to be generated. Reverting the command by rejecting configuration changes will also produce a log event.
The "pcapdump" CLI command now supports SCTP
SCTP packets are no longer displayed as an "unknown protocol". Packet layout is displayed with chunks and chunk parameters.
Possibility to reboot the HA peer from the CLI
The "ha" CLI command has been extended with a "-reboot -peer" option for rebooting the HA peer.
Improved "ruledb" CLI usability
The "ruledb" CLI command has been changed to be more user-friendly. Read the corresponding "ruledb" section in the CLI reference guide for details.
Geolocation Database Updated
The geolocation database has been updated to a newer version.
Improved SSL VPN handshake error logs
Log and snoop messages for TLS handshake errors have been extended with more details.
Extended SCTP state cookie validation
The system now implements the cryptographic state cookie validation described in RFC 4960, section 5.1.3. The cookie data is also obfuscated before being forwarded to the responder; the initiator and responder do not see the same cookie.
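The state cookie check that RFC 4960 describes, as an added example that is not the product's own code: the cookie carries a MAC, a creation time and a lifespan alongside the association data, and the validator rejects a forged or expired cookie before any state is created. The cookie layout, the choice of HMAC-SHA256 and all names are assumptions made for this example; the obfuscation step mentioned above is not shown.

```python
import hashlib
import hmac
import os
import struct

# Assumed layout for this example: MAC | creation time (ms) | lifespan (ms) | TCB bytes
SECRET = os.urandom(32)           # secret key known only to the cookie issuer
MAC_LEN = hashlib.sha256().digest_size
HDR = struct.Struct("!QI")        # 64-bit creation time, 32-bit lifespan
DEFAULT_LIFE_MS = 60_000          # RFC 4960 Valid.Cookie.Life default (60 seconds)


def make_cookie(tcb: bytes, now_ms: int, lifespan_ms: int = DEFAULT_LIFE_MS,
                key: bytes = SECRET) -> bytes:
    """Build a state cookie: the MAC covers timestamp, lifespan and TCB data."""
    body = HDR.pack(now_ms, lifespan_ms) + tcb
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return mac + body


def validate_cookie(cookie: bytes, now_ms: int, key: bytes = SECRET):
    """Return (status, tcb); status is 'ok', 'malformed', 'bad_mac' or 'stale'."""
    if len(cookie) < MAC_LEN + HDR.size:
        return "malformed", None
    mac, body = cookie[:MAC_LEN], cookie[MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; the MAC is checked before any field is trusted.
    if not hmac.compare_digest(mac, expected):
        return "bad_mac", None    # RFC 4960: discard the packet silently
    created, lifespan = HDR.unpack_from(body)
    # An authentic cookie can still be replayed later, so its age is bounded.
    if now_ms < created or now_ms - created > lifespan:
        return "stale", None      # RFC 4960: answer with a Stale Cookie error
    return "ok", body[HDR.size:]


if __name__ == "__main__":
    tcb = b"constructed-tcb: tags, ports, addresses"   # constructed sample data
    cookie = make_cookie(tcb, now_ms=1_000)
    print(validate_cookie(cookie, now_ms=2_000))        # accepted
    print(validate_cookie(cookie, now_ms=70_000)[0])    # past its lifespan
    forged = cookie[:-1] + bytes([cookie[-1] ^ 1])
    print(validate_cookie(forged, now_ms=2_000)[0])     # tampered TCB byte
```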