It is now possible to use IPv6 addresses in stateful firewall rules.
Start and end times are displayed in the table of active DHCP leases.
Editing a rule of stateful firewall is now compact when in SM display mode.
Setting IP to a bridge interface fixed.
Displaying proxy profile name in stateful firewall rule fixed.
Reconfiguring a bridge interface to another physical interface fixed.
Displaying IPv6 addresses in cluster fixed.
Removing virtual interfaces fixed.
Displaying inactive DHCP leases as active ones fixed.
New things in Kernun Adaptive Firewall 1.6.5-h2
Fixed upload of configuration backup, cluster configuration, keytab.
New things in Kernun Adaptive Firewall 1.6.5-h1
Fixed addresses from DHCP in stateful firewall.
New things in Kernun Adaptive Firewall 1.6.5
It is now possible to set an IP address on a bridge interface.
It is now possible to set servers in stateful firewall rules by hostnames.
Warning display during upgrade improved.
Upgrades are now shown in a list of configuration revisions.
A state of admin interface database replication is now shown when in cluster.
Web certificate usage in proxy fixed.
Fixed user log out after hiding an interface.
Matching transparent proxy profiles rules when a server is set by an IP address fixed.
Moving stateful firewall rules fixed.
Creating proxy profile rules fixed.
After changing OpenVPN server certificates, the OpenVPN server is now restarted.
New things in Kernun Adaptive Firewall 1.6.4
It is now possible to force a master takeover from the backup node of the cluster.
A status icon is now displayed for each state of a cluster.
IDS engine system upgraded to a new version.
Pasting values into network interface address editors improved.
Search in tables improved.
Added generation of custom key-certificate pair for proxy.
Improved replication of the administration interface database in the cluster.
The shared address of the cluster's external interface must now not be in the scope of the DHCP server.
Fixed detection of addresses belonging to the Kernun device in the Adaptive Firewall database.
Fixed IDS start after changing interfaces on which the IDS listens.
Fixed restart of system components in cluster.
Fixed IPSec tunnel information display.
New things in Kernun Adaptive Firewall 1.6.3
Authentication can now be initialized even in cluster mode.
New system of setting SSH server sockets added.
It is now possible to create an IPSec tunnel between networks, none of which belong to the Kernun device.
Display of example editor values in help improved.
Antivirus severity settings improved.
Predefined values for port editor added.
Help for using * in proxy profile rules added.
Automatic update of IPS fixed.
The admin interface is not disconnected when connecting via a non-standard port.
Stateful firewall rule _ACCEPT_ADMIN_SSH deleted.
Proxy sockets now have to have at least one address and one port. Socket that do not meet this condition will be deleted during the update.
New things in Kernun Adaptive Firewall 1.6.2
Providing WPAD file can now be disabled.
It is now possible to configure a DHCP server in cluster.
Selection of displayed columns in every table is now a part of user settings. The selection will be therefore persisted for the user even after logging out.
The configuration error messages now also show the cluster node affected by the error.
There is a regular update of the certification authorities bundle, which is needed for proper web browsing through the proxy.
Update preparation has been heavily optimized. Preparing the update is now much faster after downloading the upgrade file.
Proxy log level settings was improved.
Displaying addresses in a tooltip of a variable was improved in cluster.
Pagination in the list of configuration revisions fixed.
Forgetting changes after adding a proxy profile rule fixed.
Fixed white chart color in protection chart reports.
Fixed showing element paths in configuration errors.
Settings of the lease time in DHCP server fixed.
Usage of user defined variables in user lists of adaptive firewall fixed.
Deleting configuration network interface fixed.
Callhome component, which is used for remote help by a Kernun technician, fixed.
Deleting selected time range from database fixed.
Settings of the IPS variables fixed.
Displaying the hardware serial number fixed.
Numbers with decimal point can now only be used in QoS. If they are used anywhere else, preparing upgrade will fail.
In cluster it is now forbidden to have a shared address on cluster communication interface. If such address exists, it will be deleted during upgrade.
New things in Kernun Adaptive Firewall 1.6.1
When in cluster, it is now possible to run various system services on a node-specific addres. Until now it was only possible on the shared address.
_KERNUN_SERVICES rule was upgraded, so that TNS servers can not be blocked by any security component.
Display of proxy profile rules improved. The table can now be set to compact mode in which more rules can be shown at once.
Settings of the proxy profile rule parameter improved.
Help for recovery mode added.
When editting a list item, the position of the item is now persistent.
It is now possible to set proxy logging level in the admin interafce.
Time for key renegotiation can now be set in openVPN server's two-factor authentication.
A serial number of the hardware is now displayed in the admin interface.
Running Adaptive firewall on bridge interface fixed.
Action with system components fixed.
Logging can be changed in Kernun stateful firewall rules.
Display of ICMP service in service list fixed.
If there is a list of networks set as subnet of IPSec, only the first one will be persisted during the upgrade. If the first element of list is a link to named list, the upgrade will fail.
New things in Kernun Adaptive Firewall 1.6
OpenVPN servers support two-factor user authentication using Google Authenticator.
Creating a cluster is easier. At the same time, it is possible to add a device that contains uploaded files to the cluster.
In the admin interface, you can find out the categories in which the website is included in the Clear Web database.
You can upload your own certificate to the admin interface.
The expiration of all certificates is monitored. If a certificate is about to expire, a warning is displayed in the admin interface.
In the OpenVPN routing table of users and clients, the keyword vpn_gateway is used if the gateway is not filled.
File verification results are cached during verification. Verification is thus significantly faster.
Multiple networks are now supported in Site-to-site OpenVPN users.
The status of individual instances of IPSec tunnels is displayed.
There has been a fundamental improvement in the display of tooltips in the admin interface.
The number of DH groups in IPSec has been increased.
The IPS/IDS module has been updated to a newer version.
There are now examples of valid values for individual items in the admin interface help.
The default setting of the SNMP service has been improved.
Stateful firewall supports display in compact mode. In this mode, more rules are displayed at once.
The possibility to set an alternative FQDN for authentication to the domain controller in case of deployment of the Kernun device in the cluster has been added.
The list of options in selects for choosing values can be closed with the ESC key.
Added display of Cluter communication problems.
Fixed deletion of the variable when entering the address in the input.
When a master in a cluster is handed over, the shared addresses on all interfaces are handed over.
Disabling IPv6 support also disables IPv6 resolving.
Fixed displaying security database updates.
Inserting an invalid value into a port entry in a Honeypot no longer deletes the original content.
Fixed display of link to deleted OpenVPN in status firewall.
Name conflict validation for named values and named lists added. Before upgrading, you need to check if there is such a conflict. If there is, the upgrade will fail.
During upgrade to this version, administration interface HTTPS certificate will be regenerated. That will cause administration interface to not come up automatically after upgrade. Also after page refresh, browser will warn about untrusted certificate.
Having proxy profile rule with action "Bypass needed" is now invalid if profile does not have TLS inspection enabled, or if the rule is not located in rules performing TLS inspection. Such rules will have action set to "Accept" during upgrade to this version.
Process of cluster creation was changed. Nodes in cluster which was created before this version will not be able to communicate with each other after upgrade to this version. Due to that, after upgrade to this version one of the nodes will need to be re-added to the cluster.
In cluster, if network interface has shared address, it now also has to have own address within same network for every cluster node. If you have cluster, make sure before upgrade that every network interface fulfills this, because if such interface exists, upgrade will fail.
New things in Kernun Adaptive Firewall 1.5-h2
Fixed error when using Stateful firewall rule which used at least two protocols without port and at least one of them was TCP or UDP.
New things in Kernun Adaptive Firewall 1.5-h1
It is possible to use star notation in domain names when used in named lists.
Fixed incorrect upgrade of OpenVPN interface links in stateful firewall.
New things in Kernun Adaptive Firewall 1.5
OpenVPN supports site-to-site connections.
OpenVPN supports automatic upgrade of CRL from URL.
Types of used ciphers can be set in OpenVPN now.
A list of trusted addresses can be set in adaptive firewall. These addresses will be excluded from the active thread database.
The user will be strongly warned if their configuration activation would overwrite changes made by another user.
OpenVPN can listen on any port now.
Displaying the row name column is prioritized in tables.
Individual instances of OpenVPN are distinguished in system services.
The list of configuration changes ans errors now includes the option to click through individual proxy profiles.
The detection of Clear Web categories in the proxy has been optimized.
DHCP server modified so that it is not possible to dynamically assign a statically reserved address.
It is now possible to change the physical device in the network interface table.
A search bar added in the DHCP reservations table.
Showing the list of configuration changes from previous configuration activations improved.
Pasting an address into editor now adds the address at the end of the list instead of replacing the original content.
Configuration of TLS inpsection of the traffic fixed.
Key hashing in phase 2 in IPSec settings fixed.
Displaying configuration changes of Clear Web categories fixed.
Incorrect change of SNMP addresses during configuration activation fixed.
Domain controllers specified by IP address will be removed. If no domain controllers remain, proxy authentication will be disabled.
Names in tables are now limited to 32 characters. Longer names will be shortened.
If there is invalid CRL URL in OpenVPN, CRL will be disabled for given OpenVPN.
New things in Kernun Adaptive Firewall 1.4-h1
All default Kernun rules of stateful firewall will be checked. If some rule is not found, it will be created during the upgrade. Settings of existing rules that are OK will remain unchanged.
New things in Kernun Adaptive Firewall 1.4
It is possible to download (password protected) configuration backup.
It is possible to restore a previously downloaded configuration backup.
The logged in user is now notified if another simultaneously logged in user activates the configuration. In such case, the user has an option to drop all current changes and use the latest configuration version, or to activate the configuration and thus override changes made by the second user.
Larger configurations are now supported.
Reverting a configuration change in the configuration changes list now requires confirmation.
A path to a changed configuration item is displayed in the configuration changes list.
It is possible to run a Honeypot on an interface with a DHCP client.
A conflict between SSH server ports and ports for a cluster SSH communication is now prevented.
Kernun can now be used as an OpenVPN client even when in cluster.
Named lists can now be copied and pasted across the admin interface.
Help for the Monitoring section added.
It is now possible to turn on a functionality where proxy traffic that is known to be blocked, is not inspected. This results in reduced hardware requirements at the cost of presenting the user with a browser error page instead of a proxy server error page.
A button for adding a header in Stateful firewall fixed.
Proxy authentication initialization in cluster fixed.
It is now possible to create multiple OpenVPN servers during one configuration activation.
An error message when deleting a used named list fixed.
Reset to factory defaults button in Stateful firewall fixed.
OpenVPN certificates validation fixed.
Displaying clients currently connected to OpenVPN servers fixed.
In proxy reports, complete URIs are no longer displayed.
Displaying changes in previous configuration activations fixed.
Searching rules in Stateful firewall fixed.
Displaying which node of a cluster is currently a master fixed.
New things in Kernun Adaptive Firewall 1.3-h2
Fixed unable to start redirect of DNS queries.
New things in Kernun Adaptive Firewall 1.3-h1
Fixed tooltips not displaying.
New things in Kernun Adaptive Firewall 1.3
IPsec component added.
If any address of the Kernun device appears in the adaptive firewall database, it is not blocked.
A routing table can be created for DHCP subnets. These routes are pushed to DHCP clients.
It is possible to ask the adaptive firewall databse, whether a specific address is blocked or not.
Adaptive fireall rules and IPS rules are not downloaded, if there was not an update at the server.
Honeypot data are parsed into the log database.
QoS data are parsed into the log database.
Time filter in the Monitoring section fixed.
Session key in SNMP is not required now.
If the adaptive firewall is off, rules are not updated.
If IPS is off, rules are not updated.
Drag & drop in proxy profile rules fixed.
New things in Kernun Adaptive Firewall 1.2-h1
Fixed that outdated changelog was displayed.
New things in Kernun Adaptive Firewall 1.2
A list of current configuration changes added. Each change can be reversed.
Adaptive firewall reports added to monitoring section.
Negations can be used with lists of addresses in stateful firewall.
Display of configuration errors improved.
When upgrading, a signature of the downloaded file with new version is checked.
Rules of stateful firewall no longer have direction.
Graphical improvements to the detailed editing of the stateful firewall rule.
Sending feedback works.
The correct rule of stateful firewall is applied when retransmitting the first packet of a connection.
Proxy profile rules without conditions are now invalid because they apply to all traffic. These rules are disabled during the system upgrade.
If a proxy profile had the rule requiring user authentication at proxy at the last place, the rule is moved to the first place during the system upgrade and authentication is disabled in that profile.
New things in Kernun Adaptive Firewall 1.1.3
The maximum age of data in the database can be configured.
When reinitializing the database, it is possible not to parse old data into the database.
Network interfaces are configured even when not connected.
The format of the Kernun configuration file improved.
Help display improved.
Kernun device now supports uploading a licence file from a computer with Windows operating system.
ICAP is not used for communication with the antivirus engine.
Kernun graphical interface optimized.
Added display of more information when an infected file is found.
Action Reject removed from stateful firewall.
Incorrect display of default gateway fixed.
Functionality of adaptive firewall on bridge interface improved.
Action Reject removed from stateful firewall. Every rule with this action will be replaced by a rule with action Drop.
New things in Kernun Adaptive Firewall 1.1.2-h2
Fixed a bug when displaying the default gateway.
New things in Kernun Adaptive Firewall 1.1.2-h1
Fixed bug when named list was used.
New things in Kernun Adaptive Firewall 1.1.2
QoS can be configured on Kernun Adaptive Firewall.
Proxy traffic can be checked by an antivirus.
A honeypot component added.
Bridge interfaces can be configured.
Active DHCP leases are shown in the DHCP server scene.
Stateful firewall rule's direction can be modified.
Administration interface is more responsive now.
Current state of VPN is shown in the OpenVPN server.
Database of operational records can be disabled.
DNSSEC validation can be enabled with DNS server.
Outgoing address can be set for proxy profiles.
Hardware requirements of the log database are lower.
IPS/IDS variables can be set.
New things in Kernun Adaptive Firewall 1.1.1
Kernun Adaptive Firewall now supports IPv6.
Adaptive firewall and IPS/IDS are split into two components.
Kernun Adaptive Firewall now supports multihoming.
Data aggregation in database is faster now.
Database replication performed during a system upgrade works better now.
Nobind option is used in OpenVPN.
Clients of the DHCP server can be seen in the user interface.
A part of an IP address can also be pasted into editors now.
Kernun Adaptive Firewall contains the whois utility now.
It is possible to define addresses on which the SNMP service listens on.
Reports work better now.
Interface configuration is now resistant against disconnecting and connecting a cable.
All instances of OpenVPN have to be turned off before upgrading to this version.
New things in Kernun Adaptive Firewall 1.1
Kernun Adaptive Firewall can be configured as a cluster.
Added OpenVPN service in RAS and Client configurations.
Added TLS inspection functionality.
Added an option of proxy authentication.
Services now have their own configuration of addresses to listen on. Thanks to that, fewer stateful firewall rules are needed.
Responses of OCSP server are now cached.
Admin interfaces include predefined variables containing often used combinations of interfaces addresses. These variables are offered when filling in configuration items where network addresses or interface addresses are used.
SNMP now works on TCP and UDP protocol.
Custom rule of stateful firewall can have action Web.
Antispoofing expandable menu is now always shown correctly.
Menu items are always correctly shown.
Enabling local DNS server now causes no verification error.
Functionality of the Forget changes button fixed.
Configuration activation now shows correct error if it fails.
Caching groups of authenticated user fixed.
The option of changing categories in profile with action According to category fixed.
Stateful firewall rules with web action now have to have source address specified. If there is a rule without source address specified, upgrade will automatically assign all internal networks.
If "All internal/external networks/addresses" or networks/addresses of specific network interface is selected in proxy server settings and any of respective network interfaces has DHCP client enabled, the upgrade will fail.
New things in Kernun Adaptive Firewall 1.0.5
Local resolver has been separated from DNS server service, DNS server can now be turned off.
Added stateful firewall rule '_REDIRECT_DNS' for ensuring SafeSearch when KAF is not used as a DNS server.
Improved stability of system services related to operational records.
Changed color of some captions to improve their readability.
Default rule of proxy profile can now not be disabled, because it led to an undefined behavior when no rule was applied.
Configuration verification now catches when VLAN interface is used elsewhere in configuration, and the VLAN interface is disabled.
In specific cases, during configuration of DHCP server, incorrect default value of DNS servers could have been displayed. The displayed default value of DNS servers is now always correct.
Fixed error "Error while connecting to server" which occurred when the configuration was too large.
Fixed that the configuration activation performed some more operations than the preceding configuration activation, which led to from visible slowdown to freezing of the machine after hundreds of configuration activations.
Fixed that you could not add VLAN interface to the end of the table.
If SafeSearch is not enabled and WAN network interface does not have a DHCP client, DNS server will be disabled during upgrade.
Resolving will be set to local DNS server, if DNS server will not be disabled during upgrade.
New things in Kernun Adaptive Firewall 1.0.4-h1
Fixed possiblity of stateful firewall rule reactivation during upgrade from version lower than 1.0.3.
New things in Kernun Adaptive Firewall 1.0.4
Added charts displaying information about traffic on each network interface.
Completely reworked DHCP server configuration. Now it is possible to configure multiple DHCP servers on different network interfaces. It is also possible to define multiple address pools within DHCP server.
Added DHCP relay configuration.
Added possibility to add notes that will be shown right before and after upgrade.
Added option to toggle chart display between linear and logarithmic, if it is possible to display chart as logarithmic.
Disk charts were reworked to show information for each disk individually.
All interfaces are now added to configuration during installation.
Configuration activation can no longer interrupt established connections.
If system upgrade fails, the system now returns faster to the state it was in before upgrade.
Many minor visual and texts changes.
Top bar of web interface now displays hostname of device.
Removed a kernel module that was causing source address translation of SNMP traffic to not work.
Fixed factory reset of stateful firewall.
Fixed harddisk chart when device has more than one disk.
Fixed an error when user that has no permission to edit configuration logs in for the first time within one session.
Fixed minor visual glitches on login page and on page after upgrade commit.
Fixed rare uncancellable error when working with configuration.
Fixed rare "socket hang up" error during restart of adaptive firewall.
Fixed display of error pages.
Fixed processing of HTTP response body, which in specific cases broke established connection.
Routing table entries whose gateway does not belong to an interface with a static address will be deactivated.
New things in Kernun Adaptive Firewall 1.0.3-h1
Fixed upgrade from deployment mode "proxy".
New things in Kernun Adaptive Firewall 1.0.3
Named network objects.
Added allowed and blocked connections by Adaptive firewall to "Network events" report.
In stateful firewall you can now select addresses of interface or addresses of all interfaces of specific type.
Configuration of network and proxy profiles has been redesigned.
Configuration activation speed optimizations.
Deactivated stateful firewall rules are now more distinguished.
Improved display of items in allow list and block list when there is bigger quantity.
Added processing of nonstandard HTTP requests by Avast.
Merging stateful firewall rules _REDIRECT_HTTP_INTERNAL with _REDIRECT_HTTP_EXTERNAL and _REDIRECT_HTTPS_INTERNAL with _REDIRECT_HTTPS_EXTERNAL.
Fixed frequently stuck lock.
Fixed rules update getting stuck.
Configuration activation and rules update no longer break connections.
Fixed rare case of missing information about disk.
Routes now have to have destination and gateway set. Routes not satisfying this condition are deactivated.
New things in Kernun Adaptive Firewall 1.0.2
Option to not require system upgrade confirmation.
Static DHCP leases.
Upgrade is automatically confirmed after logging into the administration interface.
Better time and date select.
When there is an error in configuration, more verbose description is displayed.
Added warning when another user activates configuration.
Searching is now case and diacritic insensitive.
Minor speed up of configuration activation.
Upper limit for upgrade confirmation increased from 15 to 20 minutes.
Time limit for upgrade confirmation now starts by administration interface initialization, not system boot.
When writing name where space is not allowed, space is automatically changed to underscore.