CacheGuard-OS
User's Guide - Version UF-2.2.2
Change logs
Version UF-2.2.2 (31 July 2024)
- OpenSSH has been upgraded to its latest stable version (9.8p1).
- Apache Web Server has been upgraded to its latest stable version (2.4.62).
- Squid has been upgraded to its latest version (6.10).
- StrongSwan has been upgraded to its latest version (5.9.14).
- Duplicated lease end time errors and records in the DHCP report have been fixed.
- The IPsec VPN report has been fixed to properly display certificate based authenticated connections.
- The Kerberos initialisation issue has been fixed.
- Some minor bugs have been fixed.
Version UF-2.2.1 (6 April 2024)
- The Linux kernel has been upgraded to the version 6.6.14 and all drivers have been upgraded to support the latest hardware in the market.
- The installation program has been fixed to allow an installation from a USB memory stick.
- The firewall has been improved to support the SIP protocol.
- The bug which prevented the restore operation since the UF-2.0.1 OS version has been fixed.
- The reverse Web mode has been enhanced to allow configurations in which backend Web servers (real hosts) are accessed via the external network interface or via site to site IPsec VPN tunnels established with the system. In addition, the reverse Web proxy can now communicate with real hosts. As a consequence, the syntax of the rweb command has been changed (see the rweb host usage form). In the case where the appliance is upgraded using a patch, the rweb interface and the http protocol are used for existing configurations.
- The installation program has been enhanced to support an installation on a machine with only 512 MB of RAM.
- The size of the installation CDROM image has been reduced.
- The PXE installation program has been enhanced to support UEFI based machines (64 bits only).
- Some minor bugs have been fixed.
Version UF-2.1.3 (25 January 2024)
- The Web access module has been fixed to allow clients that are connected via the 802.1q pseudo interfaces (in VLAN mode) to use the embedded Web proxy.
- The firewall command has been improved to allow the modification of default limits for DoS (Denial of Service) attacks. See the firewall dos command for further information.
- The default maximum number of TCP new connections (SYN) per source IP address has been raised. New default values can be obtained using the firewall dos command.
- The access command has been improved to allow the specification of 802.1q pseudo interfaces in Web access rules (see the access web command).
- In absence of any other specifications, a blank manager template is now initialised with a default system CA certificate and a default server certificate.
- Some minor bugs have been fixed.
Version UF-2.1.2 (11 December 2023)
- The proxy, the name server and the antivirus have been upgraded to their latest stable versions.
- The IPsec VPN server has been enhanced to allow remote VPN servers having a non fixed IP address to establish a site to site IPsec VPN tunnel.
- Some minor bugs have been fixed.
Version UF-2.1.1 (1 December 2023)
- The OS has been adapted to suit the requirements of the Microsoft Azure (TM) and Amazon AWS (TM) clouds.
- The installation program has been improved to detect NVMe and virtual block based disks.
- Default associations between physical and logical network interfaces have been changed on a gateway system. Now by default, the external interface is associated to eth0 and the internal interface is associated to eth1.
- The system CA certificate generated during the first appliance start-up is now properly installed.
- Admin access management has been fixed to properly allow newly added IPs.
- The password command has been enhanced with the possibility to modify both the console and Web administration passwords in a single operation.
- The CDROM installation program has been enhanced to support UEFI based machines (64 bits only).
- The Linux kernel has been upgraded to the version 4.19.288.
- The ssh password authentication can now be disabled (see the admin ssh password command).
- The bug that blocked explicit log rotations in the case where the web (or tweb) mode is deactivated has been fixed.
- Some minor bugs have been fixed.
Version UF-2.0.2 (11 April 2023)
- The waf command has been fixed so that it does not erase the bypass application set for a website in the case where the bypass rule list is erased for that website.
- The WAF Auditing module has been fixed to properly decode HTML encoded data in POST requests.
- The system report service command has been fixed to display the DNS server state.
- Now the DNS server can be queried even if the web and tweb are both disabled.
- The appliance access manager has been fixed to take into consideration override names setup with the ip name command. In addition, in case of any modification in override names, the Firewall and QoS are restarted.
- The rweb site del... command has been fixed so that it does not remove backend Web servers associated to a website in the case where the deleted website name will remain present for another protocol (http or https). The fix has also been applied to other configurations related to reverse websites (rweb via..., waf rweb...).
- The Web GUI automatic logout has been fixed.
- Now the apply check command displays possible warnings.
- The routing issue via the auxiliary network interface has been fixed.
- The firewall rules management module has been fixed so that it does not apply the default policy to new connections incoming from the internal zone in the case where the VLAN mode is deactivated and rule sets other than the web rule set are not empty.
- The firewall has been fixed to allow fragmented IP packets in IPsec traffic.
- The SSL mediation mode has been fixed to automatically download intermediate certificates even in the case where the Web access has been restricted by the access web command.
- The tls command has been enhanced to allow for setting the size of generated RSA private keys.
- The bug that prevented installing the OS without the Web caching feature has been fixed.
- Some minor bugs have been fixed.
Version UF-2.0.1 (3 February 2023)
- A new command called manager has been added to the system to manage remote gateways. To use this command, the OS should be installed as a manager system (as opposed to a system installed as a gateway system).
- The Linux kernel has been upgraded to the version 4.19.231.
- All open source packages have been upgraded to their latest versions and have been rebuilt from scratch using the latest GNU C library (glibc-2.35) and GNU C compiler (gcc-11.2.0).
- The new usage form system report connection has been added to the system command to display the number of active connections with the appliance.
- The new usage form system report antivirus has been added to the system command to display the status of the last automatic antivirus signatures update.
- The apply reporting has been fixed to report 100% (instead of 99%) when the antivirus update is fully completed.
- Trusted CA certificates have been updated from Mozilla as of: Thu Sep 30 21:39:27 2021 GMT. The OS has been enhanced to automatically update trusted CA certificates once a month.
- The system has been upgraded to support TLS 1.3.
- The maximum period for log retentions has been modified from 365 to 366 days (available during installation only).
- Some basic open source software has been upgraded to its latest stable version.
- The tls command has been enhanced to allow the generation of certificates that do not use OCSP.
- The tls server and tls ca command usage forms of the tls command have been changed to be uniform with the tls client usage form.
- The syntax of the tls command has been changed. Now, to manage a server certificate, the server keyword should be systematically used as the first argument. To manage the system CA components (certificate and key), the system keyword should be specified after the ca keyword. To manage a third party CA certificate, the third keyword should be specified after the ca keyword. To import a third party CA certificate, the load keyword replaces the import keyword.
- The apply command has been modified to automatically generate new TLS objects in the case where explicit TLS generations or loadings are not invoked.
- Restricted administrator users can now be deleted properly without generating an error during the apply operation.
- The syntax of the admin command has been changed for SSH key management. Now an identifier should be associated to an SSH key first. Then, its content can be loaded from a trusted file server.
- Now, the first time a new restricted administrator is logged in, she/he is invited to modify her/his password.
- The cancel command can now be invoked by restricted administrator users without generating any errors.
- OWASP Core Rule Set (CRS) has been upgraded to its latest version (3.3.2). This involves the renaming and renumbering of generic filters.
- CAUTION: the syntax of the waf command has been modified as follows: "waf rweb bypass" becomes "waf rweb bypass rule". Also, generic WAF filters have been renamed and renumbered. If your configuration includes the bypass of some generic rules in order to avoid false positive matches, you are invited to review your configuration. Please refer to the documentation for further details.
- Now the blocking of Web requests/responses by the WAF is based on an anomaly scoring principle. Please refer to the documentation for further details.
- The WAF module has been enhanced to offer the following functionality: blocking of DoS (Denial of Service) attacks, blocking of requests based on IP reputation, blocking of requests coming from a particular country, bypass of generic filters based on the type of the application (WordPress, Drupal...). Please refer to the documentation for further details.
- The logging has been enhanced to allow the activation or deactivation of logging on remote syslog servers as per the type of traffic (see the command log).
- The syntax of the authenticate... command has been slightly changed. Please refer to the documentation for details.
- The ip, access and vpnipsec commands have been improved to accept IP addresses in CIDR notation (in the form <ip/prefix> instead of <ip> <netmask>).
- The limitation associated to the IPsec VPN usage in a multi WAN configuration has been removed. Now it is possible to route IPsec traffic via a master gateway and automatically switch the routing via a backup gateway in case of a failure on the master gateway. See the vpnipsec command manual for further information.
- A new command called file has been added to the system to load or save all files related to the configuration in a single operation.
- The rights of restricted administrator users have been changed. Now restricted administrator users can only read (consult) the system configuration. Restricted administrator users are now called unprivileged administrator users (refer to the admin command for further information).
- The traceroute command has been added to the system.
- The association of multiple client SSL certificates to the SVMP-v3 user name has been removed from the system (now only one client SSL certificate can be associated to the SVMP-v3 user name). See the admin command for further information.
- The management of TLS chain certificates has been modified. Now when defining an HTTPS reverse website, you have the possibility to specify intermediate CA certificates. Please refer to the tls and rweb commands for further information.
- The system integrity checking has been modified to allow the deactivation of web, tweb and rweb modes at the same time.
- The CacheGuard-OS License Agreement has been upgraded to version 2.5 to include OS installation as a manager system.
- Lots of minor bugs have been fixed.
Version EH-1.5.5 (20 April 2021)
- The QoS controller has been fixed to properly shape the traffic on the external and auxiliary interfaces when the VLAN mode is activated.
- The system has been improved to avoid any latency in web browsing during the antivirus update process. This requires about 1280 KB of additional RAM so a RAM upgrade may be needed on the target machine.
- Some minor bugs have been fixed.
Version EH-1.5.4 (16 March 2021)
- The issue that was slowing down the AV signatures downloads has been fixed.
- TCP communications have been tuned to get better performance.
- The proxy, the VPN and the antivirus have been upgraded to their latest stable versions.
- Some minor bugs have been fixed.
Version EH-1.5.3 (11 February 2021)
- The installation program has been fixed to include all required SCSI drivers in the boot loader initial RAM disk.
- The access control module has been fixed to properly allow administration accesses when the VLAN mode is activated.
- The installation module has been fixed to detect VirtIO devices.
- In order to comply with the RFC 5280, the "OCSP Signing" Extended Key Usage has been removed from generated X509v3 certificates (only the "TLS Web Server Authentication" Extended Key Usage is kept).
- Some minor bugs have been fixed.
Version EH-1.5.2 (2 December 2020)
- The network name resolution module has been enhanced to resolve the embedded OCSP responder host name to the system's external IP address (external VRRP IP in HA mode). This helps to avoid asymmetric routing when the ocsp mode is activated.
- Some minor bugs have been fixed.
Version EH-1.5.1 (31 October 2020)
- The IPsec VPN support has been added to the system and a new command called vpnipsec has been added to manage IPsec VPNs. Both site to site (site) and remote access VPN configurations are supported. The embedded forwarding Web proxy and resources behind the embedded firewall can securely communicate via the IPsec VPN.
- The Linux kernel has been upgraded to the version 4.9.230 and all drivers have been upgraded to support the latest hardware in the market.
- The reporting in the Web GUI dashboard has been fixed to properly refresh all reports (including reports on NICs and disks).
- The system report cpu usage form of the system command has been replaced by system report load.
- The tls command has been enhanced to allow the loading of a CSR file in order to generate a certificate signed by the system's CA certificate. With this enhancement the system can now act as a mini PKI.
- When a CA certificate is added to the system it is automatically considered as a trusted CA for Web browsing. It is now possible not to trust a CA certificate for browsing by specifying the optional off argument when adding the CA certificate with the tls command. In this case the CA certificate can only be used for other purposes (such as the VPN server).
- The authenticate ldap certificate usage form of the authenticate command has been removed. If an LDAPS server SSL certificate has to be verified against a CA certificate, the CA certificate should be imported first using the tls command and then the CA certificate verification can be activated using the authenticate ldaps ca ... command. In case where the system is upgraded using a patch, an existing LDAPS CA certificate is purged and then it should be configured again manually.
- The authentication type for SNMP-v3 user has been changed from SHA-1 to SHA-256.
- The md5 and sha (for SHA-1) authentication hash functions are no longer allowed for SNMP-v3 traps. Allowed authentication hash functions are now: sha256, sha384 and sha512.
- Access policies to (from) the appliance from (to) remote networks/hosts have been reinforced by the specification of the involved network interface. Therefore, the syntax of the access command has been changed. In case where the system is upgraded using a patch, an access entry for every interface is added to the system and access policies should probably be reviewed after having patched the system.
- When defining a transparent network with the transparent command, the network interface from which traffic is transparently caught should now be specified. In the case where the system is upgraded using a patch, the same transparent network is added for every interface and transparent networks should probably be reviewed after having patched the system.
- Some minor bugs have been fixed.
Version EH-1.4.2 (29 June 2020)
- The ICAP service not restarted with the previous patch is restarted to properly handle the brotli compression format.
- The tls command has been enhanced to allow you to create client certificates signed by the system's CA certificate. Client certificates can be used to authenticate VPN clients (VPN features are coming soon).
- The tls ca command can now be used to add and import an intermediate CA as well as a root CA.
- Self signed SAN certificates generation has been fixed to properly generate a self signed certificate and not a CA certificate.
- Certificates can now be revoked with the tls command.
- An OCSP (Online Certificate Status Protocol) responder has been added to the system. You can use the tls and port commands to configure it. Use the mode command to activate it.
- Some minor bugs have been fixed.
Version EH-1.4.1 (11 June 2020)
- A new mode called tnat (for transparent NAT) has been added to the system. When the tnat mode is deactivated, Web traffic in transparent mode goes to the internet with its real IP addresses (and is not source NATed with the appliance's external IP address).
- The transparent mode activation has been moved from the "[GENERAL]/[Main Settings]/[Main Features]" page to the "[NETWORK]/[Main Settings]/[Network Services]" page in the Web GUI.
- The transparent command has been enhanced to take into account the QoS for traffic exchanged via the auxiliary interface.
- The DNS has been fixed to properly listen on VRRP IP addresses.
- The proxy configuration has been fixed to add the X-Forwarded-For header to all HTTP(S) requests if at least one next peer is configured.
- The maximum period for log retentions has been modified from 31 to 365 days (available during installation only).
- Internal access policies have been modified to allow the connect method to ports 1024-49151 (in addition to the port 443) from the forwarding proxy.
- The CSR and signed certificate generation programs have been fixed to properly handle Certificate Signing Requests and CA signed certificates for SAN certificates.
- Failed logins via the Web GUI are now logged and reported with SNMP traps and syslog alerts.
- Some additional ciphers have been added to the SSH server.
- A new command called job has been added to the system. This command prints a report on the operation currently running in the background. The Web GUI has also been enhanced with an animated icon to show the operation currently running.
- Now the antivirus uses HTTPS instead of HTTP to download virus signatures.
- Reports displayed in the Web GUI dashboard are now automatically updated.
- The option report has been added to the qos command to print a report on the traffic managed by the QoS controller.
- Some minor bugs have been fixed.
Version EH-1.3.7 (29 May 2018)
- The CacheGuard-OS License Agreement has been upgraded to version 2.4.
- The bug that made the main proxy crash while the web mode is deactivated has been fixed.
- The system end command has been improved to display the scheduled state when the subscription renewal is scheduled for the next day.
- A new command named keyboard has been added to the system. This command allows you to set the console key map.
- The installation module has been improved to allow the creation of partitions larger than 2TB.
- The SNMP agent has been enhanced to give SSDs lifetime.
- The ip command has been fixed so that it does not allow names for pinged servers in static routes.
- Some minor bugs have been fixed.
Version EH-1.3.6 (9 March 2018)
- The Web proxy default access rights have been modified to allow the "PATCH" method in both forwarding and reverse modes.
- The waf command has been enhanced to offer the possibility to globally allow or deny the "PATCH" method as an insecure HTTP method.
- Custom WAF rules have been extended to support the "PATCH" HTTP method.
- The apply command has been fixed to properly check the integrity of destination NAT rules and no longer erroneously produce the error 212.
- The internal firewall rules have been fixed to properly allow DHCP request broadcasts and lease renewals.
- The dhcp report command has been fixed to display DHCP lease end times in local time instead of UTC time.
- Some minor bugs have been fixed.
Version EH-1.3.5 (8 January 2018)
- The antivirus module has been enhanced to bypass a white list of domain names. Therefore the antivirus whitelist usage form of the antivirus command has been modified to allow you to define a white list of domain names as well as a white list of virus signatures.
- The Web proxy default access rights have been modified to allow the "PUT", "DELETE" and "TRACE" methods in both forwarding and reverse modes.
- The setup command has been enhanced to use dialogue boxes.
- The dialogue box version of the setup command has been enhanced to allow you to set the timezone in the virtual edition.
- The virtual edition has been enhanced to set the console keyboard layout during the first startup.
- The bug that made the guarding module crash with some malformed URLs has been fixed.
- The textual configuration view in the Web GUI has been improved to have a more user-friendly representation of the whole configuration.
- Some minor bugs have been fixed.
Version EH-1.3.4 (17 September 2017)
- Communication between the appliance and the patch download service has been switched from HTTP to HTTPS.
- Communication between the appliance and the subscription/registration service has been enhanced to support HTTPS.
- Custom WAF rules have been enhanced to allow the specification of more than one HTTP method separated by the pipe character.
- The waf command has been enhanced to offer the possibility to globally allow or deny insecure HTTP methods such as "PUT", "DELETE", "CONNECT" and "TRACE".
- Some minor bugs have been fixed.
Version EH-1.3.3 (4 September 2017)
- The bug that prevented caching big objects has been fixed.
- ICP (RFC 2187) has been replaced by HTCP (RFC 2756) for communications between cache peers.
- The dns command has been enhanced to allow the explicit resolution of all names to IPs.
- Custom WAF rules have been extended to support the "PUT", "DELETE", "CONNECT", "OPTIONS" and "TRACE" HTTP methods.
- Some minor bugs have been fixed.
Version EH-1.3.2 (20 July 2017)
- The Web cache is no longer cleared after the antivirus activation.
- The RAM vs HDD capacities tuning has been improved to have better performance for the caching.
- The memory consumption for the caching has been improved and the usage of the available persistent cache has been reviewed accordingly.
- Due to the instability of the compress mode while combined with the antivirus mode, the compress mode is automatically disabled for forwarding web traffic when the antivirus mode is activated. This fix should be considered as a workaround before the complete resolution of the issue in future releases.
- The bug that prevented saving logs has been fixed.
- The bug that prevented activating the DHCP server has been fixed.
- Due to a high number of InvalidState and IllegalSyn rejected TCP packets on networks, rejected InvalidState and IllegalSyn TCP packets are no longer logged.
- Some minor bugs have been fixed.
Version EH-1.3.1 (29 June 2017)
- The antivirus module can now be used as a service by external systems such as an MTA (Mail Transfer Agent).
- The antivirus module has been enhanced with the possibility to integrate a white list of virus names to eliminate false positive matches.
- The authentication mode has been upgraded to support the Kerberos protocol.
- The system report usage form of the system command has been enhanced to print the total number of blocked or allowed contents.
- The WAF has been enhanced to offer the possibility to expose original HTTP error messages generated by backend Web servers.
- The time format in all logs has been changed to be compliant with the RFC3339 (with the caveat that the time offset format may not be respected for some logs).
- The compression module has been fixed to properly compress javascript files.
- The embedded firewall has been enhanced to protect against UDP flood attacks.
- The CA certificate bundle has been updated to its latest version.
- The subscription system has been fixed so the renewal of an expired subscription takes into account the date of purchase as the start date. In this case, the renewal is done for the given period rounded to the nearest whole day.
- The subscription system has been fixed so the reactivation of a suspended appliance is completed without errors.
- The dashboard layout has been enhanced.
- A Donate button has been added to the Web GUI of the free edition in order to help us maintain CacheGuard-OS and develop new features.
- The trial period has been extended from 15 to 21 days.
- Some minor bugs have been fixed.
Version NG-1.2.6 (29 December 2016)
- The upgrade from v1.2.4 to v1.2.5 by applying a patch has the side effect that some processes swap on disk. This issue has been fixed by applying a patch to upgrade to the present version. Please note that for the v1.2.5, CacheGuard-OS requires a minimum of 1 GB of RAM to activate the antivirus mode. Therefore if the antivirus mode is activated on an appliance running under the v1.2.5, the applying of the patch may require upgrading the RAM on the target machine. Otherwise the appliance may stop working properly.
Version NG-1.2.5 (21 December 2016)
- A workaround has been added to the system to resolve the inability of some Microsoft (TM) OS's to download updates while the compress mode is activated.
- The upload of a local configuration file from the Web GUI has been fixed to support Web browsers other than Firefox.
- The Web GUI has been upgraded to support Microsoft (TM) IE11.
- The antivirus basic module has been upgraded to its latest version.
- Some minor bugs have been fixed.
Version NG-1.2.4 (20 October 2016)
- The firewall and access control modules have been fixed to support the active FTP protocol with a data port other than 20 (in EPRT and PORT mode).
- The forwarding proxy has been modified to allow the HTTP method OPTIONS. However the method OPTIONS remains denied for reverse websites.
- The CacheGuard logo has been slightly modified.
- The conf command has been fixed to properly save authentication modes.
- Network diagrams in the User's Guide have been enhanced.
- The dashboard in the Web GUI has been enhanced to display the available OS updates and the end of the system subscription.
- Some minor bugs have been fixed.
Version NG-1.2.3 (11 September 2016)
- The free edition has been limited to 5 users in forwarding mode and 3 users in reverse mode.
- The syntax of the register command has been modified according to the new licensing terms.
- The SSL mediation has been modified to allow the usage of 3DES algorithm to encrypt data between the system and target HTTPS servers.
- The authenticate mode usage form of the authenticate command has been changed.
- The automatic loading of a URL list has been improved so in the case where a URL list has never been loaded, it is entirely loaded from scratch.
- The bug in the Web GUI that prevented adding new SNMP traps has been fixed.
- The installation program has been fixed to properly generate the default and CA certificates.
Version NG-1.2.2 (2 June 2016)
- A critical bug fix related to the basic forwarding proxy module has been integrated into the system. The bug made the appliance totally unstable.
- The bug that prevented the integrated DHCP server from starting has been fixed.
- Some minor bugs have been fixed.
Version NG-1.2.1 (2 May 2016)
- The guard command has been enhanced with the possibility to update an existing rule without changing its order in the guard list.
- The CLI has been enhanced with the possibility to move an element in an ordered list. Commands in question are: ip, guard, qos and firewall.
- The Web GUI has been fixed to not change the order of a guard rule in the guard rule list when its associated URL lists are updated.
- The Web GUI has been fixed to not erase the list of URL lists associated to a guard rule when the order of that rule is modified in the guard rule list.
- The redirection to an error page has been fixed in the guarding module to work properly in conjunction with the SSL mediation module.
- Some minor bugs have been fixed.
Version NG-1.2.0 (6 April 2016)
- An SSL mediation (sometimes called inspection) mode has been added to the system. This mode allows you to cache HTTPS traffic and/or block unwanted contents in HTTPS traffic. The mode command has been updated to allow you to activate this new feature (mode sslmediate on) and the new command sslmediate has been added to the system in order to configure the SSL mediation module.
- A new command named urllist has been added to the system. This command replaces the guard category usage form of the guard command. URL lists can be used by the guard command but also the new command sslmediate.
- The IP routing has been enhanced to support the usage of multiple gateways to route the traffic to the same network.
- The Linux kernel has been upgraded to the latest stable version.
- Concurrent accesses to loaded files have been improved to avoid any file overwriting.
- The system patching has been improved to load patches directly from official CacheGuard servers.
- A download progress bar has been added to backup management and patching pages in the Web GUI.
- The installation program has been enhanced to detect USB Ethernet adapters.
- All major basic modules have been upgraded to their latest versions.
- The access command documentation has been fixed (removal of rweb access).
- Some network activity reporting has been added to the system.
- A dashboard has been added to the Web GUI.
- The udpeer and tcpeer ports have been respectively renamed to icppeer and httppeer.
- The SFTP is now supported to load/save files.
- Some default port numbers have been changed.
- Some minor errors have been fixed in the documentation.
- Some minor bugs have been fixed.
Version NG-1.1.5 (3 December 2015)
- The value of the "X-Forwarded-Proto" header which is added to requests sent to backend Web servers (in reverse mode) has been fixed as follows: the value "http" or "https" is set depending on whether the client used HTTP or HTTPS to connect to cloaked Web servers.
- The system command has been enhanced to display the CPU architecture (32 or 64 bits).
- The patching system has been fixed in order to avoid the applying of the same patch more than once.
- The patching system has been fixed in order to create new empty directories.
- The guard management module has been fixed to update guard rules when a guard policy is deleted.
- The bug in the HA module that blocks the AH protocol used to authenticate HA nodes has been fixed.
- The firewall module has been fixed to not block IGMP snooping when the HA mode is activated.
- The bug that makes erroneous ARP announcements in HA mode has been fixed.
- Internal firewall rules have been reinforced.
- The logging of denied IP packets has been enhanced to report information about the rejection reason.
- The antivirus basic module has been upgraded to its latest version.
- The firewall basic module has been upgraded to its latest version.
- Some minor enhancements have been done.
- Some minor bugs have been fixed.
Version NG-1.1.4 (10 October 2015)
- The bug introduced in version 1.1.3 that prevented the automatic update of guard categories has been fixed.
- The security of the VRRP has been enhanced.
Version NG-1.1.3 (5 October 2015)
- The reverse Web mode has been enhanced to allow the specification of a port number and QoS for backend Web servers. After having applied a patch the default port and QoS will respectively be 80 and 100. Therefore the syntax of the rweb command has been modified for the usage form rweb host.
- The usage form access rweb of the access command has been suppressed.
- The reverse Web load balancing has been enhanced to allow the specification of a session cookie generated by Web applications running on backend Web servers. Therefore the syntax of the rweb command has been modified for the usage form rweb balancer.
- The bug making the guarding policy inconsistent when one of its guard filters has been deleted has been fixed.
- The bug making the configuration of a patched system inconsistent after a factory reset has been fixed.
- The HA basic module has been upgraded to its latest version.
- The authentication module has been expanded with a test option.
- Some minor bugs have been fixed.
Version NG-1.1.2 (2 September 2015)
- The CacheGuard OS License Agreement has been upgraded to version 2.1
- IPV6 has been disabled in the Linux kernel.
- The issue accessing the https://outlook.office365.com website (and similar websites that preferably use IPV6 IP addresses) via the HTTPS proxy has been resolved.
- The LDAP authentication module has been optimised so all communications with LDAP servers are forced to use IPV4 only.
- The authentication module has been enhanced to allow LDAP binding during the basic authentication phase instead of comparing the entered password to a predefined password attribute.
- The authentication module has been fixed to allow distinguished names containing white spaces. In the case where the OS is upgraded using a patch the authentication LDAP request should be redefined (see the authenticate ldap request command).
- Some minor bugs have been fixed.
Version NG-1.1.1 (1 August 2015)
- The firewall has been fixed to properly manage protocols other than TCP and UDP.
- IPv6 has been added to the list of protocols supported by the firewall.
- The TLS component management module has been optimised in order to avoid restarting some services when it's useless.
- The bug making a custom WAF rule inconsistent when it contains a star has been fixed.
- Some minor bugs have been fixed in the Web GUI.
Version NG-1.1.0 (13 July 2015)
- Note: To upgrade from version NG-1.0.15 to version NG-1.1.0 you should first apply a patch to upgrade to version NG-1.0.16. You will then be able to upgrade from version NG-1.0.16 to version NG-1.1.0. Patch files are available at www.cacheguard.net/cacheguard-patch.html.
- The installation program has been fixed to report warnings in respect to setup configurations.
- The reverse mode has been enhanced for HTTPS websites to add an "X-Forwarded-Proto http" header to HTTP requests sent to backend Web servers (useful for some known applications)
- The apply command manual has been completed to give additional information in respect to errors reported during the process of checking the RAM capacity.
- A RAM upgrade is now automatically applied after a reboot.
- The system command has been enhanced to check for new updates.
- The bug in the conf command which caused the saving of wrong values for the QoS attached to the "tweb internal" queue has been fixed.
- All commands that use a network name parameter (such as access or rweb) have been enhanced to check if the given name is a FDN (Full Distinguished Name).
- The syntax of WAF rules defined in a flat file has been changed. The keyword regexp has been replaced by uri and body. A new feature has been added to WAF rules to allow filtering based on source IP addresses. The keyword ip holds this position.
- The DHCP server has been modified to configure DHCP clients with a Web proxy based on the proxy PAC file (ha.pac) delivered by the system.
- A new feature has been added to the WAF to allow you to bypass false positive matches.
- OWASP rule set for the WAF has been upgraded to its latest version.
- The CacheGuard logo has been modified.
- Some minor bugs have been fixed.
Version NG-1.0.16 (13 July 2015)
- Note: Please note that no OS has been released for this version but only patch files. Patch files are available at www.cacheguard.net/cacheguard-patch.html.
- The patching program has been fixed in order to properly patch the configuration DB.
Version NG-1.0.15 (9 May 2015)
- The SNI (Server Name Indication) support has been added to generated SSL certificates. Therefore the same IP address can be shared by multiple HTTPS websites.
- The TLS/SSL support has been hardened to ensure a higher security level.
- Some minor bugs have been fixed.
Version NG-1.0.14 (28 January 2015)
- The bug that causes incorrect dimensioning of the antivirus capacity has been fixed. To fix this issue you should reinstall the appliance as there is no available patch to address this issue (unless you have a support contract).
- Some minor bugs have been fixed.
Version NG-1.0.13 (22 January 2015)
- The high availability management module has been enhanced to not change the state (failover or active) of a system in HA mode after an apply operation.
- The installation program has been enhanced to report paying configurations.
- The conf command has been fixed to properly manage the transparent port configuration (port thttp).
- Some minor bugs have been fixed.
Version NG-1.0.12 (29 December 2014)
- The bug causing the guards auto update to crash in case of a communication problem with a file server has been fixed.
- The antivirus basic module has been upgraded to its latest version.
- The automatic logout problem in Web GUI has been fixed.
- Some minor bugs have been fixed.
Version NG-1.0.11 (24 November 2014)
- The bug introduced in version 1.0.10 that prevented having more than one reverse website associated to the same IP address has been fixed.
- The bug introduced in version 1.0.10 that prevented activation of the web server when the reverse website list contains HTTPS websites has been fixed.
- Generic WAF rules associated to a reverse website are reset when a reverse website is deleted.
- The rweb mode has been enhanced to redirect HTTP to HTTPS for HTTPS reverse websites (if the IP address associated to HTTPS website is used for an HTTP website).
- The bug that makes the reverse website list unsorted after deleting and adding a new website has been fixed.
Version NG-1.0.10 (17 November 2014)
- The reverse website module has been enhanced to deny attempts to access website names that are not explicitly defined in the system.
- The configuration saving module has been fixed to properly save all generic WAF rules.
- The bug preventing the main proxy from starting when the transparent mode is deactivated has been fixed.
- SSH keys management has been improved.
- Some minor display issues have been fixed in the Web GUI.
Version NG-1.0.9 (31 October 2014)
- The apply operation has been improved to ensure that in a High Availability configuration, master IP addresses are owned by an appliance once all functional services have been started on that appliance.
- The Web GUI has been fixed to properly insert, add and remove elements in lists in the same submitted operation (for firewall rules for instance).
- The Web GUI has been fixed to allow you to enter a six digit value for the maximum cached object size (cache-maxobject.apl page).
- The bug that prevents activation of the firewall in the following two conditions has been fixed: a non empty auxiliary firewall rule set and the auxiliary network interface not bound to a physical NIC.
- The bug producing an "illegal instruction" error in some virtualization systems has been fixed.
- The console port attached to a serial port is no longer activated if the target machine doesn't have a serial port during the installation.
- The Web proxy accessibility has been modified to allow web traffic incoming from all network interface devices but the external interface.
- The transparent feature has been changed to transparently catch Web traffic incoming from all network interface devices but the external interface. In previous versions, only Web traffic incoming from the internal interface (web interface in vlan mode) was caught.
- The configuration saving process has been fixed to properly save new guard auto update configurations.
- The traffic shaper module has been improved to allow Web traffic shaping exchanged with the auxiliary network interface.
- Web GUI pages to save or load the configuration have been regrouped in the same page and improved to allow saving/uploading the configuration to/from the local machine.
- The bug in the gui/transparent.apl page that blocks post and reload content operations has been fixed.
- The Web GUI for the page gui/qos-shape-gateway.apl has been enhanced with tabs.
- In the Web GUI, font sizes have been reduced and all icons in the top bar have been grouped to the left.
- The caching system has been enhanced to allow the caching of objects greater than the configured max object size for a limited part of the persistent cache.
- The syntax of the cache command has been changed to configure a lower and upper size limit for cached objects.
- A new MIB definition has been released for the SNMP agent to include the size of the reserved area on the persistent cache for very big objects.
- The bug that prevents installation of the OS on a Microsoft (TM) Hyper-V VM has been fixed.
- The bug that drops default traffic in case of an empty shaping rule set for routed traffic has been fixed.
- The QoS rule compilation for reverse websites has been optimised.
- The bash shellshock vulnerability has been fixed.
- Some other minor bugs have been fixed.
Version NG-1.0.8 (24 September 2014)
- The Web Auditing GUI has been fixed to properly display post arguments without evaluating html tags.
- The cache size and memory usage tuning has been reviewed according to recent statistics.
- The installation program has been enhanced to allow the deactivation of some features that require lots of storage space on disk. This allows you to install the system on machines with low storage capacity.
- The bug related to the premature display of the termination message of some system operations has been fixed.
Version NG-1.0.7 (11 September 2014)
- The Web GUI has been improved to allow long lists to be displayed across several pages.
- The bug that prevents applying custom WAF rules has been fixed.
- The configuration saving has been modified to save restricted administrator users. The saving is limited to login names only (passwords and configurations related to each restricted administrator are not saved).
- In order to ensure command syntax coherency the keyword raz has been replaced by clear in the waf rweb custom command usage form.
- Some other minor improvements have been added to the system to manage the configuration.
- Some other minor bugs have been fixed.
Version NG-1.0.6 (1 September 2014)
- The High Availability module has been improved to ensure that master IP addresses are owned by an appliance once all functional services have been started on that appliance.
- The email syntax checking has been fixed to allow the usage of dash in an email address.
- The reporting of the antivirus last update date has been fixed to display the actual date.
- The configuration settings present in the form of a list have been modified in two ways. Lists are kept sorted if the order of elements in the list is not significant; TLS objects and guard categories are some examples of those lists. For ordered lists like firewall rules and shaping rules for routed traffic, the keyword insert: has been added to the related management commands to allow the insertion of an element before another one. This avoids having to save, edit and load the configuration settings.
- The Web GUI has been improved to allow the insertion of elements in lists subject to insertion. The look and feel of pages managing those lists has also been improved.
- The firewall command has been changed to allow the definition of rules with any as the output network interface.
- In order to avoid a false positive rule matching by the configured WAF for the Web GUI, tftp has been renamed to ftp_trivial in the firewall command.
Version NG-1.0.5 (7 August 2014)
- A major bug preventing the main proxy from starting in some circumstances has been fixed. These circumstances were as follows: transparent mode is off, the transparent list contains at least one network and at least one share or HA peer is configured.
- Backup and restore operations have been fixed to restore properly restricted administrators.
- The patching operation has been optimised but remains manual until a possible next version.
- A new command named ha (High Availability) has been added to the system. Combined with the argument master, this command allows you to make an attempt to reactivate a master appliance which has been marked faulty without needing to reboot the appliance.
- The Web GUI has been improved to log administrators logins.
- The panel board menu has been improved to allow access to menu items without sub menus.
Version NG-1.0.4 (29 July 2014)
- A critical bug regarding the activation of VLANs and bonding interfaces making the appliance inconsistent and out of service has been fixed (bug introduced in error in the previous version).
- The timezone setting during the installation is taken into account again (bug introduced in error in the previous version).
- The firewall configuration has been modified to give higher priority to NAT rules than the SNAT (Source NAT) mode.
- The IP routing configuration has been fixed so that a route to a single host can operate properly.
- The installation program has been enhanced to set a default value for the WAF limit files which is less than or equal to the maximum size for uploaded files given during the installation.
- The Web GUI bug that prevents activation of administration services has been fixed.
- IP routing has been fixed to allow routing via a gateway connected to the auxiliary interface.
- The bug that prevents having an IP route without having a default route has been fixed.
- The textual configuration displaying has been enhanced.
- The auto logout for the Web GUI has been fixed.
Version NG-1.0.3 (21 July 2014)
- The Web GUI bug that prevents changing the Web GUI password with a password containing the characters '$' or '!' has been fixed.
- The verification of input values for online commands and the Web GUI has been enhanced.
- The firewall module has been fixed to allow traffic with any as the protocol.
- The Web authentication module has been fixed to allow authentication for reverse websites.
- The Web GUI has been improved to avoid false positive matches by generic WAF rules.
- The FTP proxy over HTTP has been fixed to display properly directory contents.
- The bug that prevents having more than one HTTP reverse website configured with the same IP address has been fixed.
- Some other minor bugs have been fixed.
Version NG-1.0.2 (14 July 2014)
- The bug that prevents the deletion of HTTPS reverse websites has been fixed.
- The apply operation integrity check has been fixed to prevent error messages when the VLAN mode is activated.
- When a reverse website present in several forms (HTTP, HTTPS, with multiple IP addresses) is deleted, all its configurations (backend Web servers, load balancing, standby mode...) are preserved until the deletion of its last occurrence.
- The total arguments length limit for the Web GUI has been fixed so the firewall can be configured properly using the Web GUI.
Version NG-1.0.1 (12 July 2014)
- A minor bug related to the synflood tuning has been fixed.
- A minor bug related to the URL blacklist message page has been fixed.
Version NG-1.0.0 (CacheGuard OS Version 6) (30 June 2014)
- The QoS management has been enhanced and the syntax of the qos command has also been changed. Now the keyword bandwidth should be specified to define bandwidth limits and the borrowing of the excess bandwidth can be activated or deactivated using the keyword borrow. Also the traffic shaping could be specified as a percentage or as a fixed value in Kbps. Other traffic than the traffic destined to the appliance itself (the gateway) could also be shaped in this version.
- Keywords "intern" and "extern" have been respectively renamed to internal and external.
- The CacheGuard License Agreement has been upgraded to version 2.0. In this version all CacheGuard Software components are subject to the GNU General Public License v3 while the aggregation of those components and other Open Source Software (as OSI definition) forming the "CacheGuard OS" is licensed under the "CacheGuard OS License Agreement version 2.0".
- An SNMP agent and trap sender has been added to the system to monitor the appliance. Please use the admin snmp command to configure the SNMP monitoring.
- Keywords related to SSL/TLS have been changed in the admin and authenticate commands for coherency purposes.
- A new feature has been added to the system so the system can be backed up and restored (see the system backup command)
- A contact email address may be specified with the register command.
- The Linux kernel has been upgraded to a latest stable version.
- The access list management for file and monitoring servers has been improved to allow the adding of host names in addition to host IPs.
- The ntp server management has been improved to allow the adding of ntp server names in addition to ntp server IPs.
- The keyword https in the admin command has been renamed to tls as the generated certificate is used by both the Web GUI and the SNMP agent.
- A new logical network interface named auxiliary has been added to the system. You can use it for your specific needs (for instance to implement a DMZ or a Back Office zone).
- The syntax of the firewall command has been changed.
- Software RAID support has been added to the system.
- The OS is now available in two versions: 32 bits and 64 bits.
- New filter types based on time, authentication and IP ranges have been added to URL guarding module. Therefore the syntax of the command has been completely reviewed. Please refer to the guard command documentation for further information.
- In the authenticate command, the argument "attribute" has been renamed to request.
- Transparent traffic is clearly distinguished from forwarding traffic. A dedicated port is used for the transparent mode and a new command named transparent can manage the transparency for selected networks. Also the QoS module manages forwarding and transparent traffic separately.
- The syntax of the rweb command has been changed so the management of SAN and wildcard certificates became easier.
- The load balancing policy may be configured for reverse websites. This new feature includes the possibility to have sticky connections.
- The installation program has been improved.
- In order to ensure command syntax coherency the "access" and "virus" logs have been renamed to web and antivirus respectively.
- The logging module has been enhanced to allow the logging of denied packets by the IP firewall.
- In logging mode (mode log is activated) each log type (firewall, web, rweb, guard, virus, waf) can selectively be activated or deactivated.
- Many minor bugs have been fixed.
Version 5.7.7 (4 July 2013)
- The system command has been improved to display the subscription end date.
- A new feature has been added to the health panel to report the status of the antivirus and URL guard updates.
- The Web GUI look and feel has been enhanced.
- Some minor bugs have been fixed.
Version 5.7.6 (28 February 2012)
- A new subscription verification module has been added to the system.
Version 5.7.5 (20 October 2011)
- Some minor bugs have been fixed in the Web GUI.
- The log rotation system has been fixed to properly rotate the WAF log.
Version 5.7.4 (12 October 2011)
- The OS has been improved to support a better crash recovery.
Version 5.7.3 (15 August 2011)
- Installation in test mode has been improved to allow choosing the OS to load at bootup.
- The mgt (for management) vlan has been renamed to mon (for monitoring).
- The keyword mgt (for management) in the access command has been renamed to mon (for monitoring).
Version 5.7.2 (11 July 2011)
- The command "factoryreset" has been removed and replaced by the argument factoryreset added to the conf command.
- Reporting capabilities have been added to the proxy cache module (see the cache report command).
- Reporting and health checking capabilities have been added to the system (see the system report command).
Version 5.7.1 (20 June 2011)
- The proxy cache module has been upgraded to its latest version.
- The bug that prevents downloading small video files while the cache and antivirus mode are both enabled has been fixed.
- The command "filter" was renamed to waf (for Web Application Firewall).
- In the mode command, the keyword "filter" was renamed to waf.
- In the command "log", the keyword "filter" was renamed to waf.
- In the antivirus command, the keyword "clear" was renamed to create.
Version 5.6.10 (27 May 2011)
- The antivirus no longer checks images and textual contents.
Version 5.6.9 (20 May 2011)
- The minor bug related to the PUA mode activation has been fixed in the Web GUI.
- All diagrams in the documentation have been enhanced with new icons.
Version 5.6.8 (16 May 2011)
- The persistent caching module has been enhanced for better disk caching performance.
- The antivirus module has been upgraded to its latest version to fix several internal bugs.
- The antivirus no longer checks video contents.
- The syntax of the antivirus maxobject command has been changed.
- Now files larger than the limit configured with the antivirus maxobject command won't be scanned by the antivirus.
- A new command named setup has been added to the system. This command is automatically executed when you first connect to the system.
Version 5.6.7 (25 April 2011)
- The Web GUI look and feel has been enhanced.
- The Web auditing GUI has been fixed to display properly all virus and guard logs.
- Now the antivirus update report command also displays the last automatic AV update.
Version 5.6.6 (20 April 2011)
- The minor bug related to the trial version initial date has been fixed.
Version 5.6.5 (14 April 2011)
- Now the proxy is allowed to connect to ports between 1024 and 49151.
- The bug that prevents clients connecting to the internal DNS when the appliance doesn't use itself as a DNS has been fixed.
Version 5.6.4 (4 April 2011)
- The CacheGuard Logo has been changed.
- The licensing key system has been revised.
- The Web GUI look has been revised.
Version 5.6.3 (2 February 2011)
- The integrated AntiMalware software has been upgraded to its highest version.
- The Web Audit module has been improved to show denied URLs and attempts to access Malware.
- Accessing Web sites that use NTLM / SSPI authentication now works with latest IIS Web servers when the compress or filter modes are activated.
Version 5.6.2 (28 January 2011)
- Setting auto update for blacklists has been fixed in the Web GUI.
- The whole documentation has been reviewed.
- Some other minor bugs have been fixed.
Version 5.6.1 (17 June 2010)
- The installation program has been enhanced to allow the booting and installing of the OS from a USB memory stick.
- The Linux kernel has been upgraded to the version 2.6.34 and all required drivers have been integrated to support the latest hardware.
- Some minor bugs have been fixed in the Web GUI.
- The default serial speed has been changed to 115200.
- Some optimisation has been made to reduce the CDROM image size.
Version 5.6.0 (18 March 2010)
- An AntiMalware (Virus, Trojan, Worm) has been added to the appliance.
Version 5.5.5 (28 February 2010)
- The Web GUI has been enhanced to allow direct accesses to menu boards from the main bar menu.
Version 5.5.4 (16 February 2010)
- The tuner module has been enhanced to manage parallel Web requests more adequately.
- The guarding module has been enhanced to allow or deny the usage of direct IP addresses instead of domain names.
- The Web Audit module has been fixed to print messages properly.
- An anti-malware has been added to the appliance in beta test mode.
- The backup retention policy for logs has been changed so the system backs up logs for a period of 30 days.
- A new feature has been added to the system so unwanted Web access and rejected requests to protected Web servers are all logged in separated files.
Version 5.5.3 (15 December 2009)
- The Web GUI has been fixed to properly refresh logs when an explicit refresh is invoked.
- A new option has been added to the Web GUI to clear the persistent Web cache.
Version 5.5.2 (30 November 2009)
- The Web GUI has been fixed to properly display the top main menu in ie8.
Version 5.5.1 (16 November 2009)
- The guarding feature has been reinforced so that Web users are no longer allowed to directly use IP addresses instead of domain names to bypass URL filters.
- In the Web GUI, clear passwords have been removed from displayed reports.
- The Web GUI has been enhanced to support IE8.
Version 5.5.0 (13 October 2009)
- The user command has been removed and replaced by the argument user added to the admin command.
- A new command named cache has been added to the system. This command allows management of some cache parameters.
- The forceloadurl command has been removed and replaced by the argument loadurl added to the new cache command.
- The argument "denyurl" has been added to the filter command. This argument allows you to set a specific URL to redirect to when an HTTP request is blocked.
- The filter and compress modules have been improved to support accessing Web sites that use NTLM / SSPI authentication (even if NTLM/SSPI is not compliant with HTTP).
- The URL blacklist auto updating module has been enhanced to properly download all remaining files since the last update process.
- The file transfer module has been improved to manage errors during file transfer.
- The Web GUI has been modernized and improved.
- The User's Guide has been enhanced.
- USB keyboards are now supported.
- Some internal minor bugs have been fixed.
Version 5.4.2 (15 March 2009)
- An option to manage SSL CA chain has been added to the rweb command.
Version 5.4.1 (22 February 2009)
- The syntax of the guard command has been changed and new guard management features have been added to the appliance. An option allows you to update an existing blacklist category from a diff file. A second option allows you to automatically update a blacklist category since the last update/create date until today. It is also possible to program automatic blacklist category updates. Also the blacklist category save option has been removed.
Version 5.4.0 (2 January 2009)
- An LDAP authentication mode has been added to the appliance.
- The bug that prevented connection to internal NTP servers has been fixed.
Version 5.3.7 (25 Nov 2008)
- Now the multi CPU mode is activated during the installation if there is more than one installed CPU.
- A Huge Memory management mode (RAM > 4GB) is now available on the standard CDROM and can be chosen during the installation.
Version 5.3.6 (20 Nov 2008)
- The crash management module has been enhanced.
- The bug in the Health Checking module that inadvertently restarted services has been fixed.
- Now the rweb mode is turned off by default.
- An option to cancel the running apply operation has been added.
- The patching module has been completely reviewed.
- The Web auditing GUI has been enhanced.
- Generic content filtering rules have been updated.
- The reverse web auditing GUI properly displays all warning messages.
- The reverse web mode works properly even if there is only one declared HTTP Web site name.
- The reverse web mode works properly even if there is no DNS declared.
Version 5.3.5 (16 Sept 2008)
- Some internal minor bugs have been fixed.
- The CacheGuard License has been upgraded to the version 1.2. Now you can edit and modify the proprietary part of CacheGuard for your exclusive personal use. You still may not, except as permitted by applicable law, loan or create derivative works from the proprietary part of CacheGuard (see the new license).
Version 5.3.4 (28 Aug 2008)
- A CSS (Cascading Style Sheets) was added to the Web GUI.
- SSL v2 is no longer supported when the appliance acts as a reverse Web proxy (only SSL v3 and TLS v1.0 are supported now).
Version 5.3.3 (29 May 2008)
- In the Web GUI, the logout screen properly displays all images.
Version 5.3.2 (8 May 2008)
- The connection to the Web auditing GUI works properly when the Guarding mode is deactivated (concerns only appliances installed for less than 20 users).
Version 5.3.1 (20 March 2008)
- The HTTP Transparent and HTTP Compress combination mode problem that produces some inconsistent HTTP requests has been fixed.
- Synflood rules are less aggressive so overloaded Web browsing works properly without faulty rejects.
- Textual output has been formatted to comply with vt100 terminals.
- The power-off button on SPC appliances works now and shuts down the system properly.
- The LCD display on SPC appliances works properly.
- The conf diff command has been optimised.
- A "Show Configuration" option has been added to the Web GUI.
Version 5.3.0 (14 March 2008)
- The furtive error while adding a list item in the Web GUI has been corrected.
- Connections to next peers work properly.
- Object sharing between cache peers has been optimised.
- All source codes are rebuilt using gcc v4.1.2.
- All basic packages have been upgraded.
- The halt command can power off the system even if the administrator is remotely logged in.
- The support of old Pentium Pro CPU has been added to the Linux kernel.
Version 5.2.8 (23 December 2007)
- The memory usage has been optimised.
Version 5.2.7 (1 December 2007)
- The number of parallel connections from peers is not restricted. Peers are considered as trusted parties that do not generate flooding traffic.
- The free trial version for more than 10 users has been limited to 15 days. When the trial period is about to end, the apply command no longer applies a new configuration unless a valid license key is installed.
Version 5.2.6 (24 November 2007)
- In Anonymous mode, the "WWW-Authenticate" header is no longer hidden.
Version 5.2.5 (5 November 2007)
- A Synflood guarding has been added for traffic labeled other.
- The number of parallel connections per client IP address has been restricted, which allows this release to stop flooding.
- Bug fix: The log rotation process has been fixed to save logs with the correct date and time.
- Bug fix: The IP address configuration has been fixed when the HA mode is deactivated.
- This is the first stable version.
Version 5.2.4b (1 November 2007)
- The Synflood guarding module has been enhanced for Web traffic.
- The Linux kernel has been upgraded to 2.6.23.1.
Version 5.2.3b (26 October 2007)
- Multiple reversed HTTP Web sites may be associated to the same public IP address.
- The brute force attack guarding module has been enhanced for Web traffic.
Version 5.2.2b (21 October 2007)
- The Web GUI audit module is activated even if the filter and rweb modes are not activated.
- In the rweb command, when adding a reversed Web site name, a mandatory IP address must be given for a HTTP Web site as well as for a HTTPS Web site.
- The QoS policy for a reversed Web site has been changed to be based on its public IP address.
- Some minor bugs have been fixed in the QoS module.
Version 5.2.1b (12 October 2007)
- The Web GUI has been optimised.
- Bug fix: The configuration loading works properly even if the file to load does not exist.
- The reverse Web auditing documentation has been enhanced.
- Passwords having a length of 9 or greater are supported.
- FTP and TFTP protocols are supported by the Firewall.
- In High Availability mode all services are activated properly after configuration changes.
Version 5.2.0b (5 October 2007)
- X-Forwarded-Host and X-Forwarded-Server are removed from HTTP request headers. X-Forwarded-For is also removed if no Next Peer is declared when the anonymous mode is activated.
- Port numbers for Next Peers can range from 0 to 65535 (see the peer command).
- An audit mode is integrated with the content filtering module. Auditing allows the inspection of HTTP request content and facilitates the filtering rule design process (see admin, filter and port commands).
- A "Logout" link has been added to the Web GUI.
- Deleting an administrator user works properly.
Version 5.1.2b (1 October 2007)
- The Via header is removed from all requests even if the anonymous mode is not activated.
- In the port command, the keyword "webadmin" was renamed to wadmin.
- In the password command, the keyword "webadmin" was renamed to wadmin.
- In the rweb and transaction commands, the keyword "print" has been renamed to show.
- Bug fix: The ftp passive mode can now be activated properly.
- The administration access topology can now be configured with the admin command.
Version 5.1.1b (22 September 2007)
- Bug fix: Deleting a Web site with the rweb command works properly and all related custom filters are removed.
- Bug fix: custom filter rules are properly applied to the running configuration and appropriate services restart.
Version 5.1.0b (20 September 2007)
- TRACK and TRACE methods are denied for the embedded Web server and all hosted Web servers even if the filtering mode is not activated.
- Content filtering is only applicable in reverse Web sites and does not affect the forwarding proxy.
- Custom content filtering based on regular expressions is operational.
- The syntax of the guard command has been changed.
- The conf command is optimised to run faster.
Version 5.0.0b (9 September 2007)
- The content filtering mode (filter mode) for reversed Web sites is operational. When the filter and rweb modes are activated, requests on protected Web sites are filtered for generic attacks (XSS, SQL injection...), protocol violations and other anomalies.
- The content filtering is hardened for the Web GUI.
- The configuration is properly saved for backend servers associated to a Web site.
- Guard categories are created even if the guard mode is deactivated.
- Guard black and white lists are loaded properly (the given file name must not include the ".domains", ".expressions", ".urls" or ".gz" extensions).
- Setting VRRP in the Web GUI works correctly (a wrong content filtering rule was previously set in error).
Version 4.1.6b (2 September 2007)
- By default Route Tracing (traceroute) is allowed from the internal zone to the external zone.
- Bug fix: The Web GUI for the firewall configuration (Menu items "Security/External Firewall" and "Security/Internal Firewall") was fixed to work properly for long content.
- The content filtering for the Web GUI is more permissive for punctuation characters.
- Some other minor bugs were corrected.
Version 4.1.5b (28 August 2007)
- The licensing is also based on the number of Web Sites to reverse.
- The "Hard Factory Reset" procedure properly resets the "admin", "superadmin" and root passwords.
- Images in the User's Guide available from the Web GUI are shown properly.
Version 4.1.4b (22 August 2007)
- The network installation and its documentation are improved (Mainly: the TFTP IP Address is guessed and if the installation fails, the installation environment is properly reset to give the ability to relaunch the installation).
Version 4.1.3b (17 August 2007)
- Bug fix: The port forwarding integrity is properly checked during the apply operation (Cannot NAT the destination IP to the appliance itself).
- Bug fix: When adding firewall rules using Web GUI, an empty entry does not add an "any to any" rule. To specify an "any to any" rule the keyword any must be specified for the Source IP, the Destination IP or the Ports field.
- Bug fix: The QoS/Incoming Flows menu item works properly in the Web GUI (bug due to content filtering in the Web GUI).
- Bug fix: Web Site adding works properly in the Web GUI (bug due to content filtering in the Web GUI).
Version 4.1.2b (13 August 2007)
- Bug fix: Network traffic other than Proxy traffic (HTTP, HTTPS and FTP) is shaped properly without abnormal slowdown.
Version 4.1.1b (10 July 2007)
- The Appliance can be installed properly using a PXE network device. The TFTP server IP address is configurable during installation.
Version 4.1.0b (9 July 2007)
- The Web GUI security has been improved.
- Bug fix: Native IP addresses can be set up properly in the Web GUI.
- The rweb VLAN is configurable using the Web GUI.
- The reverse mode is configurable using the Web GUI.
- The keyword "confcert" was renamed to genssl (related commands: rweb and admin).
- When an HTTPS reverse Web site is deleted, the associated host list is erased only if no other external IP address is associated with this HTTPS Web site.
Version 4.0.0b (24 June 2007)
- A reverse mode is at last available in this version. This mode allows you to implement the appliance as a reverse proxy in front of Web servers to secure, accelerate and shape Web traffic. (see the mode and rweb commands).
- SSH key loading works properly.
- SATA storage controllers are supported again in this version (support was accidentally removed from the previous version).
- The keyword "gencert" is renamed confcert in the admin command.
Version 3.5.0b (4 June 2007)
- The QoS bandwidth shaping works properly for all types of traffic.
- The syntax of the qos command has changed.
- The QoS management can be deactivated using the mode command.
- The "fw" command has been renamed to firewall.
- This is an intermediate version before a main one supporting the reverse mode.
- The reverse mode is named rweb and some related commands are already integrated in the present version (but the rweb mode is not yet operational):
  - The reverse mode can be activated using the command: mode rweb on.
  - The forward mode can be deactivated using the command: mode web off.
  - A new VLAN named rweb is available for Web servers.
  - A Filtering mode is integrated to inspect Web requests (see the mode filter command).
  - Allowed Web servers can be restricted to those declared with the access rweb... command.
Version 3.4.0b (2 May 2007)
- The certificate generation procedure for the Web GUI supports white spaces in entries.
- The alter image mode is no longer supported - The core proxy module has changed.
- Time & Date can be set up properly by using the Web GUI.
- The log rotation procedure properly deletes logs older than 10 days (or with a serial number greater than 10).
Version 3.3.2b (12 April 2007)
- The documentation of the mode command has been fixed (gateway has been renamed to router).
- The Web GUI is enhanced for the General Feature and Network related modes.
- The Web GUI can show the last apply report even if the configuration is locked.
Version 3.3.1b (10 April 2007)
- In the mode command, gateway has been renamed to router.
- The integrated DHCP server may be activated via the CLI or Web GUI.
- The integrated DHCP server supports a failover mode.
- Network PCMCIA cards are detected.
Version 3.3.0b (28 Mar 2007)
- System and access logs are rotated together even if the access log is empty.
- A VRRP IP address can be associated with the external network interface (useful for incoming connections via the external network interface, crossing the embedded firewall and destined to internal networks).
- The access to the embedded DNS is allowed.
- In HA mode, VRRP multicast is allowed for all IP addresses in the local network (and not only for declared HA peers).
- In HA mode, if the health checker cannot properly restart all vital services, a failover is forced. The forced failover is logged in the daemon.log log file.
- When defining administrator access with the access command, an optional netmask can be specified.
- Bug fix: The configuration difference is correctly displayed in the Web GUI.
- The Web GUI is available via the embedded Proxy only when the VLAN mode is deactivated.
Version 3.2.7b (21 Mar 2007)
- Now, the Health Checker is correctly launched and checks all activated services.
- The Web GUI is available via the embedded Proxy.
- Minor enhancements and optimisation.
Version 3.2.6b (14 Mar 2007)
- Bug fix: Now, the tftp command is found during the installation phase.
Version 3.2.5b (10 Mar 2007)
- When loading/saving guard categories, the category type may be optionally specified.
- Security was fixed so that, in VLAN mode, the embedded Firewall allows or denies only traffic to or from the web VLAN.
- The syntax of the access and fw commands has been changed. The access type other in the access command has been replaced by the fw command followed by the keyword intern. In the fw command, the source IP address and optionally the network mask are specified.
- Other minor bug corrections.
Version 3.2.4b (21 February 2007)
- An optional port number may be defined when adding a Next Peer.
- Support has been added for the SCSI Message Fusion Driver (required for VMware certified version: LSI Logic).
Version 3.2.3b (13 February 2007)
- TFTP is now supported for exchanging files with the appliance. As a result, the syntax of the following commands has changed: access, vlan, conf, system, log, guard.
- The completion for the dns command supports the keyword localhost.
- To keep the command syntax consistent, the keyword "snmp" has been renamed to mgt for the following commands: access, vlan. The mgt keyword covers "snmp" and other management protocols that may be added later (the SNMP agent is still not integrated in this version).
- The configuration cannot be applied if the internal and external IP addresses belong to overlapping networks (the text of error number 203 has also been modified).
- The ip command checks if the given IP address is a valid host IP address (the network and broadcast IP addresses can no longer be given).
- Bug fix: Switching between the VLAN mode and Native Mode (mode vlan on/off) restarts the relevant services so that they bind to the appropriate network interfaces.
- Bug fix: The system patching (Menu item "File/System Patches") now works correctly in the Web GUI ("Do Operation" produces the expected result).
- Other minor bug corrections.
Version 3.2.2b (2 February 2007)
- A shortcut "Apply" button was added to the Web GUI's main menu.
- The keyboard selection during installation was enhanced.
- The access command documentation was enhanced.
- The README.txt file in the VMware virtual machine version package was enhanced.
Version 3.2.1b (23 Jan 2007)
- The apply command can be applied after a "factoryreset" without adding a DNS server.
- The Web GUI is now compliant with IE7 and Firefox 2.0.
Version 3.2.0b (17 Jan 2007)
- Initial public announcement
Copyright (C) 2009-2024 CacheGuard - All rights reserved