3 Changes compared to the previous version
3.1 Overview of the changes in Version 8.9
For a more detailed overview of the changes, see mGuard-Firmware Version 8.9.x – Release Notes.
The following functions have been added to or removed from firmware Version 8.9:
–Time synchronization with some NTP clients, especially PLC systems, can be optimized (see variable "Discard minimum" on page 49).
–The establishment of a data connection via the cellular modem can be optimized (see variable "Data roaming" on page 165).
3.2 Overview of the changes in Version 8.8
For a more detailed overview of the changes, see mGuard-Firmware Version 8.8.x – Release Notes.
The following functions have been added to or removed from firmware Version 8.8:
–Filtering TCP packets with the URGENT flag set
–Encrypted state synchronization in activated firewall and VPN redundancy is no longer supported
Filtering TCP packets with the URGENT flag set
IT security experts have discovered eleven vulnerabilities in the real-time operating system VxWorks (URGENT/11). Six of the vulnerabilities allow an attacker to install and execute code on affected devices (Remote Code Execution):
–CVE-2019-12256
–CVE-2019-12257
–CVE-2019-12255
–CVE-2019-12260
–CVE-2019-12261
–CVE-2019-12263
mGuard devices installed upstream of affected devices can use their firewall functionality to protect those devices from the related attacks (see the detailed description at phoenixcontact.com).
mGuard firmware version 8.8.0 provides a new function for this purpose: TCP packets that have the URGENT (URG) flag set in the TCP header can be blocked (see Section 8.1.7: Block URGENT-flagged TCP traffic).
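The check behind such a rule is a plain header inspection. The following is an added example, not mGuard firmware code and not the vendor's implementation: it parses raw IPv4/TCP bytes, reads the flags field and returns the verdict a "block URGENT-flagged TCP traffic" rule would give. The packets it operates on are constructed in the block (checksums are left at zero, which is irrelevant to the flag check); addresses, ports and function names are assumptions made for the example.

```python
"""Reference check for a "block URGENT-flagged TCP traffic" rule.

Added example, not mGuard firmware code. It shows the header inspection
such a rule performs on raw IPv4 + TCP bytes. Sample packets are
constructed below; they are not captured traffic.
"""
import struct

# TCP flag bits in the low 9 bits of the data-offset/flags word
# (NS CWR ECE URG ACK PSH RST SYN FIN); URG is bit 5.
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x08, 0x10, 0x20


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags, urg_ptr) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                    # protocol 6 is TCP
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    return src, dst, sport, dport, off_flags & 0x01FF, urg_ptr


def filter_urg(pkt: bytes) -> str:
    """Verdict of the rule: DROP any TCP segment with URG set, else ACCEPT."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return "ACCEPT"                # not IPv4/TCP: this rule does not apply
    flags = hdr[4]
    return "DROP" if flags & TCP_URG else "ACCEPT"


def build_ipv4_tcp(src, dst, sport, dport, flags, urg_ptr=0, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums zero) for the example."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (5 << 12) | flags, 65535, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: an ordinary SYN and a data segment carrying URG.
    samples = {
        "SYN to 502": build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 502, TCP_SYN),
        "URG data to 502": build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 502,
                                         TCP_PSH | TCP_ACK | TCP_URG, urg_ptr=1,
                                         payload=b"X"),
    }
    for name, pkt in samples.items():
        print(f"{name}: {filter_urg(pkt)}")
```

On a Linux netfilter host the same policy is a single rule, `iptables -A FORWARD -p tcp --tcp-flags URG URG -j DROP`; legitimate use of the URG flag is rare on industrial networks, so blocking it wholesale is normally safe, but a connection that does rely on out-of-band data (some Telnet and FTP implementations) would be broken by it.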
Encrypted state synchronization in activated firewall and VPN redundancy is no longer supported
With mGuard firmware 8.8.0, the "Encrypted State Synchronization" in activated firewall and VPN redundancy is no longer available.
An update to firmware version 8.8.0 is only possible if the function "Encrypted State Synchronization" has been deactivated before.
3.3 Overview of the changes in Version 8.7
For a more detailed overview of the changes, see mGuard-Firmware Version 8.7.x – Release Notes.
The following functions have been added to or removed from firmware Version 8.7:
–QoS features in VPN connections are no longer supported
–New versions of the MEM PLUG configuration memory are supported
QoS features in VPN connections are no longer supported
The following Quality of Service features have been removed and are no longer supported in VPN connections:
–Egress Queues (VPN)
–Egress Rules (VPN)
New versions of the MEM PLUG configuration memory are supported
New versions of the MEM PLUG external configuration memory with higher capacity for the FL MGUARD GT/GT device are supported.
3.4 Overview of the changes in Version 8.6
For a more detailed overview of the changes, see mGuard-Firmware Version 8.6.x – Release Notes.
The following functions have been added to firmware Version 8.6:
–The BusyBox program was updated
–SNMPv3 user name and password can be changed
–Simplified search for firewall rules on the basis of log entries
–NTP time synchronization via VPN
–In "Autodetect" stealth mode, the mGuard can use the DNS server of its (protected) client
–DHCP server on the DMZ interface
–SSH remote access for the user root can be deactivated
The BusyBox program was updated
The BusyBox program was updated to Version 1.26.1.
Users who run UNIX service programs or shell scripts (e.g., rollout scripts) on the mGuard should check them for changed behavior.
SNMPv3 user name and password can be changed
The SNMPv3 user name "admin" specified in earlier mGuard versions can be changed via the web interface, an ECS configuration, or a rollout script. The same applies for the corresponding SNMPv3 password (see "Management >> SNMP" on page 95).
Simplified search for firewall rules on the basis of log entries
Clicking a log entry of the network security log opens the configuration page containing the firewall rule that caused the log entry (see "Logging >> Browse Local Logs" on page 411).
NTP time synchronization via VPN
The request from the NTP server for time synchronization can be performed via a VPN tunnel if a suitable one is configured (see "NTP server" on page 49).
In "Autodetect" stealth mode, the mGuard can use the DNS server of its (protected) client
In "Autodetect" stealth mode, the mGuard can automatically determine which DNS server its (protected) client uses and can use that server itself. For this, "Provider defined (i.e. via PPPoE or DHCP)" must be selected as the name server in the DNS settings (see "Servers to query" on page 205).
DHCP server on the DMZ interface
The mGuard can act as a DHCP server on the DMZ interface and automatically assign a network configuration to requesting clients via DHCP (see "DMZ DHCP" on page 215).
SSH remote access for the user root can be deactivated
SSH access via the external interface (WAN) can be deactivated for the user "root" (see "Enable SSH access as user root" on page 53).
3.5 Overview of the changes in Version 8.5
For a more detailed overview of the changes, see mGuard-Firmware Version 8.5.x – Release Notes.
The following functions have been added to firmware Version 8.5:
–Proxy authentication by means of VPN Path Finder
–SNMP trap “Service input/CMD”
–TLS authentication in OpenVPN connections
–Firewall functionality in mGuard devices of the RS2000 series
–The CIFS Anti-Virus Scan Connector function is no longer required
–1:1 NAT in OpenVPN connections
–COM server functionality extended
Proxy authentication by means of VPN Path Finder
The Path Finder function of the gateway that initiates the connection supports the proxy authentication mechanisms "NTLM" and "Basic".
SNMP trap "Service input/CMD"
The new hardware-based "Service input/CMD" trap is sent if a service input (CMD) is switched by a connected switch or button.
TLS authentication in OpenVPN connections
OpenVPN connections can additionally be protected by a static pre-shared key that both peers must hold (TLS authentication); control-channel packets that do not carry a valid signature under this key are rejected before any TLS handshake takes place.
1:1 NAT in OpenVPN connections
A local 1:1 NAT can be used in OpenVPN connections.
Firewall functionality in mGuard devices of the RS2000 series
The previous functionality of the “2-click firewall” for mGuard devices from the RS2000 series has been extended. The creation of firewall rules and use of IP and port groups is now possible. Firewall access is recorded and represented in log files.
The CIFS Anti-Virus Scan Connector function is no longer required
The CIFS AV Scan Connector function is no longer required.
COM server functionality extended
The COM server functionality for the serial interface now also supports a character length of 7 data bits.
3.6 Overview of the changes in Version 8.4
The following functions have been added to firmware Version 8.4:
–Support for the LTE mobile network modem (4G)
–Automatic login with CDMA mobile network provider
–Restart of the mGuard via text message
–Modbus TCP (Deep Packet Inspection)
–Use of host names in IP groups (firewall rules)
–Restricted access (internal/external) for the mGuard NTP server
Support for the LTE mobile network modem (4G)
mGuard devices with built-in LTE mobile network modem (4G) are supported.
Automatic login with CDMA mobile network provider
Login and activation of a device previously registered with the CDMA mobile network provider (Verizon – USA) is carried out automatically when the mobile network connection to the provider is established for the first time ("Mobile network cdma2000 OTASP Registration" on page 161).
Restart of the mGuard via text message
mGuard devices with integrated mobile network function can be restarted (rebooted) with a text message and the token contained in it (see "Restart" on page 119).
Modbus TCP (Deep Packet Inspection)
The mGuard can inspect incoming and outgoing Modbus TCP connections (Deep Packet Inspection), i.e., usually connections to TCP port 502, and filter them if required.
The rules for filtering Modbus TCP packets are configured in Modbus TCP rule sets. These rule sets can be selected in the following firewall tables as actions: general packet filter / DMZ / GRE / IPsec VPN / OpenVPN client / PPP (see "Modbus TCP" on page 282).
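To make concrete what a Modbus TCP rule set decides on, here is an added example that is not mGuard firmware code and does not reproduce the vendor's rule syntax: it parses the MBAP header and function code of a Modbus TCP request, extracts the addressed register range where the function carries one, and evaluates a small first-match rule list (permit reads of a register window and single-register writes to a setpoint window on one unit, drop everything else, including malformed frames). The rule list, unit IDs and address ranges are assumptions chosen for the example; the frames are constructed inline.

```python
"""Minimal Modbus TCP deep-packet-inspection rule set.

Added example, not mGuard firmware code. It parses the MBAP header and
function code of a Modbus TCP request (normally carried on TCP/502) and
applies a first-match rule list, which is what a DPI rule set does
conceptually. All frames used here are constructed, not captured.
"""
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Function codes whose PDU starts with (start address, quantity/value).
_ADDRESSED = {1, 2, 3, 4, 5, 6, 15, 16}
_WRITE_SINGLE = {5, 6}   # address + value, one element written


def parse_modbus_tcp(frame: bytes) -> dict:
    """Return the request's unit id, function code and register window.

    Raises ValueError on frames that are not well-formed Modbus TCP.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame length")
    func = frame[7]
    pdu = frame[8:]
    start = count = None
    if func in _ADDRESSED and len(pdu) >= 4:
        start, count = struct.unpack("!HH", pdu[:4])
        if func in _WRITE_SINGLE:
            count = 1            # second word is the value, not a quantity
    return {"tid": tid, "unit": unit, "func": func, "start": start, "count": count}


# Rule: (action, unit ids or None, function codes or None, (lo, hi) window or None)
# Assumed policy for the example: PLC unit 1 may be read in registers 0..99
# and written single-register in setpoints 10..19; anything else is dropped.
RULES = [
    ("ACCEPT", {1}, {3, 4}, (0, 99)),
    ("ACCEPT", {1}, {6}, (10, 19)),
    ("DROP", None, None, None),
]


def inspect(frame: bytes, rules=RULES) -> str:
    """Verdict for one request frame under the first matching rule."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError:
        return "DROP"            # malformed frames never match an ACCEPT rule
    for action, units, funcs, window in rules:
        if units is not None and req["unit"] not in units:
            continue
        if funcs is not None and req["func"] not in funcs:
            continue
        if window is not None:
            if req["start"] is None:
                continue
            lo, hi = window
            if req["start"] < lo or req["start"] + req["count"] - 1 > hi:
                continue         # any part of the request outside the window
        return action
    return "DROP"


def build_request(tid: int, unit: int, func: int, start: int, count_or_value: int) -> bytes:
    """Construct a request frame with a 4-byte PDU body for the example."""
    pdu = struct.pack("!BHH", func, start, count_or_value)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    for label, frame in [
        ("read HR 0..9 on unit 1", build_request(1, 1, 3, 0, 10)),
        ("read HR 95..104 on unit 1", build_request(2, 1, 3, 95, 10)),
        ("write single HR 15 on unit 1", build_request(3, 1, 6, 15, 0x1234)),
        ("write multiple HR 10.. on unit 1", build_request(4, 1, 16, 10, 2)),
        ("read HR 0..9 on unit 2", build_request(5, 2, 3, 0, 10)),
    ]:
        print(f"{label}: {inspect(frame)}")
```

Two details matter in practice: a rule on a register window must consider the whole range a request touches, not just its start address (the 95..104 read above is dropped although it starts inside the window), and a permitted function code list should be the smallest set the application actually needs, since codes such as 16 (Write Multiple Registers) or 43 (Encapsulated Interface Transport) are the ones an attacker would reach for.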
Use of host names in IP groups (firewall rules)
Host names can be specified in IP groups in addition to IP addresses (DNS-based firewall rules). Such a rule matches whatever addresses the configured name server currently returns for the host name, so the name server itself must be trustworthy and reachable.
Host names can therefore be used in all firewall tables in which IP groups can be selected (see "IP/Port Groups" on page 273): general packet filter / DMZ / GRE / IPsec VPN / OpenVPN client / NAT / user firewall.
Restricted access (internal/external) for the mGuard NTP server
Incoming requests to the NTP server of the mGuard via any interface can be restricted by means of firewall rules (see "Enable NTP time synchronization" on page 49).
Before performing the recovery procedure, the current device configuration is stored in a new configuration profile (“Recovery DATE”). Following the recovery procedure, the device starts with the default settings. The previously active configuration can be restored with or without changes via the recovery configuration profile.
Switching a CMD contact (CMD 1–3) using the connected switch or button generates a log entry.
3.7 Overview of the changes in Version 8.3
The following functions have been added to firmware Version 8.3:
–Establishing OpenVPN connections
–Dynamic routing (OSPF)
–Support for GRE tunnels
–Support for the Path Finder function of the mGuard Secure VPN Client
–Use of IP and port groups
–New access check and modified test report creation (logging) for CIFS
–Improved display of the VPN status (IPsec)
–Improved timeout behavior for VPN connections
–New VPN license model
–Improved use of configuration profiles
–Optional use of the proxy server by the secondary external interface
–Support for XAuth and Mode Config (iOS support)
Establishing OpenVPN connections
As an OpenVPN client, the mGuard can establish VPN connections to peers which support OpenVPN as the server (see "OpenVPN Client menu" on page 363).
Dynamic routing (OSPF)
Support for the OSPF (Open Shortest Path First) dynamic routing protocol. As an OSPF router, the mGuard can dynamically learn the routes of neighboring OSPF routers and distribute its own as well as learned routes. This simplifies the configuration of complex network structures, since fewer routes have to be entered statically (see "Network >> Dynamic Routing" on page 220).
The OSPF routes can be learned and distributed via every selected interface (internal, external, DMZ) as well as via IPsec connections (with the aid of a GRE tunnel in the case of IPsec).
Support for GRE tunnels
The mGuard supports the use of GRE tunnels. It is therefore possible to encapsulate other network protocols and transport them in the form of a tunnel via the Internet Protocol (IP). This also enables the dynamic distribution of OSPF routes via IPsec connections (see "Network >> GRE Tunnel" on page 224).
Support for the Path Finder function (mGuard Secure VPN Client)
The “Path Finder” function enables the connection to be established by the mGuard Secure VPN Client when it is located behind a proxy server or a firewall (see "TCP encapsulation with enabled “Path Finder” function" on page 316).
Use of IP and port groups
IP and port groups enable the easy creation and management of firewall and NAT rules in complex network structures.
IP addresses, IP areas, and networks can be grouped in IP groups and identified by a name. Likewise, ports or port ranges can be grouped in port groups.
If a firewall or NAT rule is created, instead of IP addresses/IP areas or ports/port ranges, the IP or port groups can be selected directly in the corresponding fields and assigned the rule (see "IP/Port Groups" on page 273).
New access check and modified test report creation (logging) for CIFS
Access check
In order to prevent a comprehensive integrity check being aborted due to the absence of access permissions to the destination drive, access permission can be checked before the actual scan. This access check is much faster and generates a test report which can be downloaded and analyzed. If all access permissions are present, the integrity check can then be performed (see "CIFS Integrity Monitoring >> CIFS Integrity Checking" on page 298).
Test report (log file)
The old results of the integrity check are not deleted from the test report when a new test is performed. The new results are simply added to the report. When the report reaches a specified file size, it is stored as a backup file and a new test report is created. When this test report also reaches a specified file size, the backup file is overwritten with the new report and another report is created (see "Report" on page 305).
Improved display of the VPN status (IPsec)
The status page for displaying information about VPN connections has been revised. The status of all VPN connections is clearly displayed ("IPsec VPN >> IPsec Status" on page 361).
New VPN license model
The new VPN license model allows tunnel groups to be created with all VPN licenses.
The license no longer limits the number of tunnels established, but instead the number of connected peers (VPN peers). If several tunnels are established to a peer, only one peer is counted, which is an improvement over the old model.
The license status, i.e., the total number of licensed peers and the number of licensed peers currently used, is clearly shown in the “IPsec VPN” and “OpenVPN Client” menus.
Improved use of configuration profiles
Before the settings of saved configuration profiles are applied, the changes to the current configuration can be shown and therefore checked. The changes can be applied unmodified. However, individual settings can also be freely modified before being applied (see "Configuration Profiles" on page 90).
Improved timeout behavior for VPN connections
A timeout can stop a VPN connection that was started via a button on the web interface, text message, a switch, a pushbutton or the script nph-vpn.cgi. This VPN connection is terminated after the timeout has elapsed and is set to the “Stopped” state.
A VPN connection that is initiated (established) by data traffic is also terminated by a timeout. However, this VPN connection is not set to the “Stopped” state after the timeout has elapsed, instead it remains in the “Started” state. When data traffic resumes, the VPN connection is established again. This function is particularly useful when using the mobile interface (3G).
Support for XAuth and Mode Config (iOS support)
The mGuard now supports the “Extended Authentication” (XAuth) authentication mode and the frequently required “Mode Config” protocol extension, including split tunneling as server and as client (e.g., support of Apple iOS). Network settings and DNS and WINS configurations are communicated to the IPsec client by the IPsec server (see "Mode Configuration" on page 329).
Optional use of the proxy server by the secondary external interface
If a proxy server is used, the secondary external interface may be exempted from its use. This can be useful if the secondary external interface is a mobile network modem (3G) (see "Network >> Proxy Settings" on page 218).
3.8 Overview of the changes in Version 8.1
The following functions have been added to firmware Version 8.1:
–User firewall in VPN connections
–Dynamic activation of the firewall rules
–Function extension of the service contacts
–OPC Inspector for Deep Packet Inspection for OPC Classic
–Extended DynDNS providers
–New mode for pre-shared key (PSK) authentication method
–On the web interface, dynamic modifications are displayed in gray.
–Verbose logging of modems
User firewall in VPN connections
The user firewall can be used within VPN connections.
A VPN connection in which the user firewall rules apply can now be selected for the user firewall (under Network Security >> User Firewall >> User Firewall Templates).
Dynamic activation of the firewall rules (conditional firewall)
The firewall rules can now be activated via an external event:
–A button on the web interface (under Network Security >> Packet Filter >> Rule Records)
–An API command line, addressing the rule set by its row ID or by its name:
/Packages/mguard-api_0/mbin/action fwrules/[in]active <ROWID>
/Packages/mguard-api_0/mbin/action_name fwrules/[in]active <NAME>
–An externally connected pushbutton/switch (for mGuards that allow connection, see "Dynamic activation of the firewall rules (conditional firewall)" on page 38)
–The starting or stopping of a VPN connection. It can be set whether a started or stopped VPN connection activates or deactivates the firewall rule set. Successful establishment of the VPN connection is not important. (The VPN connection can be started via a button on the web interface, text message, a switch, a pushbutton, data traffic or the script nph-vpn.cgi.)
–Incoming text message (for TC MGUARD RS4000/RS2000 3G only). See "Token for text message trigger" under Network Security >> Packet Filter >> Rule Records.
–CGI interface. The CGI script "nph-action.cgi" can be used to control firewall rule sets.
If the status of the firewall rule sets changes, an e-mail can be sent automatically. In the case of the TC MGUARD RS4000/RS2000 3G, a text message can also be sent in such an event.
Function extension of the service contacts
Service contacts (service I/Os) can be connected to some mGuards.
–TC MGUARD RS4000/RS2000 3G
–FL MGUARD RS4000/RS2000
–FL MGUARD RS
–FL MGUARD GT/GT
A pushbutton or an on/off switch can be connected to inputs CMD 1-3. The pushbutton or on/off switch is used to establish and release predefined VPN connections or the defined firewall rule sets.
For the VPN connections it can be set whether the VPN connection is to be switched via one of the service contacts (IPsec VPN >> Connections >> Edit >> General). If a switch is connected, the switch behavior can also be inverted.
For the firewall rule sets it can be set whether a rule is to be switched via one of the service contacts or if a VPN connection is to be switched (Network Security >> Packet Filter >> Rule Records).
In this way, one or more freely selectable VPN connections or firewall rule sets can be switched. A mixture of VPN connections and firewall rule sets is also possible.
The web interface displays which VPN connections and which firewall rule sets are connected to an input (Management >> Service I/O >> Alarm output).
In addition, the behavior of outputs ACK 1-3 can be set on the web interface (Management >> Service I/O >> Alarm output).
Outputs ACK 1-2 can be used to monitor specific VPN connections or firewall rule sets and to indicate their state using LEDs.
Alarm output ACK 3 monitors the function of the mGuard and therefore enables remote diagnostics.
The alarm output reports the following, if it has been activated.
–Failure of the redundant supply voltage
–Monitoring of the link status of the Ethernet connections
–Monitoring of the temperature state
–Monitoring of the connection status of the internal modem
OPC Inspector for Deep Packet Inspection for OPC Classic
With the OPC Classic network protocol, firewalls placed in the communication path are practically ineffective, because the TCP ports used for the actual data exchange are negotiated dynamically in each session and would have to be opened wholesale. In addition, conventional NAT routing cannot be used.
When the OPC Classic function is activated, the OPC packets are monitored (see "OPC Inspector" on page 286).
The TCP ports that are negotiated during the initial connection are detected and opened for OPC packets only. If no OPC packets are transmitted via these ports within a configurable timeout, they are closed again. If the OPC validity check is activated, only valid OPC packets are permitted on OPC Classic port 135.
Additional functions
Extended DynDNS providers
When establishing VPN connections, it is useful if the devices obtain their IP address via a DynDNS service.
More DynDNS providers are supported in Version 8.1.
New mode for pre-shared key authentication method
When selecting the pre-shared key (PSK) authentication method, “Aggressive Mode” can be selected (under IPsec VPN >> Connections >> Edit >> Authentication).
On the web interface, dynamic modifications are highlighted gray.
Status messages are displayed on the web interface and updated continuously. To identify these dynamic entries more easily, they are displayed in gray.
Verbose logging of modems
Only for mGuards that have an internal or external modem or that are capable of mobile communication (under Logging >> Settings).
3.9 Overview of the changes in Version 8.0
The following functions have been added to firmware Version 8.0.
Configuration extensions
–Improved CIFS Integrity Monitoring (see "New in CIFS Integrity Monitoring" on page 42)
–Integrated COM server for mGuard platforms with serial interface
–Configurable multicast support for devices with internal switch in order to send data to a group of receivers without the transmitter having to send it multiple times (see "Multicast" on page 195)
–VPN extensions (see "VPN extensions" on page 42).
–Dynamic web interface for configuration. Incorrect entries are highlighted in color and help is also offered in the form of system messages.
–Support for 100 Mbps SFPs for FL MGUARD GT/GT. SFPs are hot-swap-capable interfaces for Ethernet or fiber optics in different forms.
Support for mGuard platforms TC MGUARD RS4000 3G and TC MGUARD RS2000 3G
–Support for mobile network and positioning functions (see "Network >> Mobile Network" on page 156)
–Support for integrated Managed and Unmanaged Switches (see "Network >> Ethernet" on page 193)
–Support for a dedicated DMZ port (only TC MGUARD RS4000 3G)
The DMZ port can be set so that it forwards packets to the internal, external or secondary external interface.
The DMZ port is only supported in router mode and requires at least one IP address and a corresponding subnet mask. The DMZ does not support any VLANs.
Removed functions
–HiDiscovery support
–The “Save” button which only applied changes for the current page has been removed. Changes are made across all pages.
New in CIFS Integrity Monitoring
Time schedule
The time schedule has been improved in Version 8.0. Now more than one scan per day is possible. Continuous scanning can also be set.
If the scan takes longer than planned, it is aborted. However you can adjust the settings so that a scan is started regularly.
Extended display of the current status
Each row of the CIFS Integrity Monitoring also displays the following information.
–The status of the scanned network drives
–The result of the last scan or the progress of the current scan
The menu in the web interface has been extended so that you can now see the status of each scan. The progress indicator shows the number of checked files.
Status of the VPN connections
The setting for the VPN connection is now divided into “Disabled”, “Started”, and “Stopped”. The “Disabled” setting ignores the VPN connection, as if it were not configured. This also means it cannot be dynamically enabled/disabled. The other two settings determine the status of the VPN connection when restarting the connection or booting.
In Version 8.0, the VPN connections can be started or stopped via a button on the web interface, via text message, an external switch or the script nph-vpn.cgi. This takes into account all VPN connections. Packets that correspond to a VPN connection that is not disabled are forwarded when the connection is established or discarded if the connection is not established. VPN connections which were set to “Active: No” in the previous versions are now interpreted as “Disabled”.
Unique names
In Version 8.0, the names of VPN connections are made unique. During the update, a hash or unique number is added to names that are duplicated.
Timeout for the VPN connection
You can set a timeout which aborts the VPN connection if it has been started via a text message, nph-vpn.cgi script or the web interface. VPN connections which have been started by an explicit request via an application are not affected.
Source-based routing
VPN tunnels which only differ in their source network can now be configured.
From Version 8.0, the VPN configuration permits a remote network with different local networks in one configuration. The VPN tunnel groups are extended so that they permit an established VPN connection to select only one subnetwork from the local network. In previous versions, this was only possible for remote networks.