What's new in GFI KerioControl
Version 9.4.5
Released: October 17, 2024
Improved:
- Added support for more Wi-Fi adapters (rtl88x2bu).
- Improved network performance when the GRO option is enabled in certain scenarios.
- Enhanced GFI AppManager integration. The Control GUI now displays more information about AppManager connections and allows user control over the Agent service.
- Application awareness updates now correctly categorize AI & ML traffic.
- Added support for creating IP address groups based on GeoIPs, enabling customized traffic management based on country.
- Added support for custom DNS servers for IKEv2 VPNs.
- Added support (via GFI AppManager) to import CSV files with IP addresses
Fixed:
- Restoring configuration from a backup would break AppManager connectivity forcing re-registration.
- Disconnected devices on IKEv2 VPNs were counted as being active incorrectly.
- Remote hosts over VPN were incorrectly counted against the local license limit incorrectly.
- The Linux VPN client failed to start connections correctly due to a MAC address conflict.
- Traffic rules on interfaces with complex names (e.g., including quotation marks) failed to apply.
- Clients on a guest network were not authenticated properly.
- The reverse proxy incorrectly attempted TLSv1 connections even when configured not to.
- Traffic routes were not correctly switched when using multiple internet links, causing extended packet loss after switching to a backup.
- Forbidden words failed to trigger a block correctly when using the "Safe Web" feature in some rare cases.
- Generated daily reports had an incorrect date when the configured time zone had a negative offset.
- Switching from a backup link to primary in failover mode could cause the appliance to hang indefinitely.
Downloads and Upgrades:
For product downloads and information about upgrading GFI KerioControl, visit the GFI Upgrade Center.
Access the Kerio Legacy Product and Documentation Archive
If you have additional queries about these changes, please do not hesitate to contact us or an authorized GFI Partner directly.
Version 9.4.4p1
Released: April 18, 2024
Fixed:
- Resolves an issue with HTTPS connections on port 443 in certain setups, particularly over VPNs or between different subnets.
Version 9.4.4
Released: February 22, 2024
New:
- IKEv2 support
Improved:
- Significant overall performance improvements
- More accurate AppManager connectivity display
- Appliances removed from AppManager stop processing AppManager-related data
Fixed:
- NG511 appliance performance degradation in HA mode
- Discrepancy between Interface Window and VPN Clients Window for users connected via VPN
- IPSec Tunnels are no longer disconnected when the configuration is updated
- SNMP is functional
- 2FA verification message incorrectly showing default "30 days" expiration value
- Custom logo not displayed on the login page
- Corrected Mexico local time
- Multiple memory leaks fixed
- No checksum errors recorded on winroute.cfg after performing IPS or KerioControl updates
- Errors encountered on some websites during categorization
- CIDR address formats within the shared definitions are properly handled when synchronized via AppManager
Version 9.4.3 Patch 4
Released: January 30, 2024
Fixed:
- GFI KerioControl detecting the same build as new one when checking for new updates
Version 9.4.3 Patch 3
Released: January 25, 2024
Improved:
- Updated GFI Agent for better AppManager performance and stability
Fixed:
- Shared definitions - IP Address groups are not synchronized to GFI KerioControl appliances
Version 9.4.3 Patch 2
Released: December 13, 2023
New:
- Added new GRO configuration options to the advanced configuration page of network interfaces
Improvement:
- UEFI Bios support can be activated through the UI
- New installations can choose to install the product with UEFI BIOS mode support on the install screen
Fix:
- The advanced configuration page of network interfaces is displayed properly
- The appliance not rebooting properly on the second reboot after UEFI BIOS support was activated
Version 9.4.3 Patch 1
Released: October 26, 2023
Fix:
- Upgrade failing to 9.4.3 version
- Appliance not booting after shutdown
- Fixed SNORT problem with periodically consuming a high amount of CPU
- Product UI shows an incorrect AppManager status
- MyKerio is no longer enabled automatically
Version 9.4.3
Released: October 9, 2023
New:
- GFI AppManager support
- UEFI Support
- VPN Client for MacOS supports modern MacOS versions using system extensions
- VPN Client for MacOS is now supported on Intel, M1 and M2 silicon
Fix:
- Checksum error messages
- Default IKE protocol versions for IPSec VPN tunnel changed from IKEv1 to IKE
- OS information found under Web Admin > Status > VPN Clients is not accurate
- Slow loading of some websites on 9.4.2 patch 1 with QUIC
- WiFi not working on NG100W and NG300W boxes in some cases after the upgrade to 9.4.2p1
- 9.4.2p1 RADIUS authentication doesn't allow selecting a certificate and provides an 'ubuntu' cert instead
- NG510/NG511 device display is blank after upgrade to 9.4.2p1
- After 9.4.2 upgrade, Hyper-V Appliance showing interface details as "Legacy Network Adapter"
- Time mismatch for UTC+13 TimeZone
- Wrong Czech translations of some pages
- Fix for Brasilian Time Zone (UTC -03:00 Brasilia) due to incorrect DST recognition
- DoS Attack Vulnerability generated by Protocol renegotiation on ports 4081 and 4090 (VPN)
- Fixes for potential memory leaks
Version 9.4.2 Patch 1
Released: October 17, 2022
Fixes:
- The virtual network adapters become unavailable (on VMware deployments only)
- Missing VMware images
Version 9.4.2
Released: October 11, 2022
New:
- Kernel upgrade
- 2FA token expiration configuration for VPN
- HTTP/S redirection in reverse proxy
Fixes:
- Issues with Mac upload speed degradation
- Updated IPSec VPN
- Updated IPsec SNAT
- WiFi authentication errors with Radius
Version 9.3.6.1
Released: May 31, 2021
Product Changes:
-
M1 MAC VPN client support
-
Interface mapping of NG511 Fixed
-
macOS VPN client updated to fix a script that was preventing installation on Big Sur
-
Update Windows VPN Client to make it compatible with Windows 20H2
-
New configuration ""L2TPUpScriptWaitSeconds"" and "L2TPUpScriptConnectTryCount"" introduced to recover stuck LT2P connections
-
New configuration ""DisableUniqueIDs"" introduced to prevent IPSec VPN disconnects
-
New traffic patterns added to properly block Teamviewer connections
-
Introduce new configuration ""InternetLinkAutoGatewayInterfaceList"" to stop probing interfaces which doesn't have a gateway
-
Fix HA interface name validation failure happens when one of HA machine has legacy interface names
-
OpenSSL library is upgraded from 1.0.2j to 1.1.1d
-
HSTS (Strict-Transport-Security) Header added
-
Upgrade and Factory-reset scripts are failing because of signature image issue
-
Links on the IP Blacklist screen were either wrong or timing out. Now all links corrected
-
Info message displayed after distrusting a certificate updated for VPN connections
-
Fix crash in HA Slave machine happens when slave account host activity
-
TLS triple handshake vulnerability fixed by updating /etc/sshd_config configuration file
Patch resolution details:
-
Using Active Directory authentication (only). It causes authentication with Active Directory to fail making AD user connections not possible.
-
HSTS causes 2FA fail on Kerio VPN
Version 9.3.5
Released: August 27, 2020
Fixes:
-
The custom logo does not appear on login or deny pages
-
Wrong Country code for Serbia
-
Active Connections - Destination Country missing table information
-
Active Connections - Source Country missing table information
-
Content filter rules not blocking Teamviewer
-
Page refresh/close display an error dialog on Google Chrome
-
Unable to complete PPPoE discovery (NBN connection)
-
VPN Driver does not install on Windows 10 Update 2004
-
KerioControl Slave unit fails to dial PPPoE
-
Localization string "Alert-HA" not found in any language
-
Statistics report errors in HA-Slave control
-
Unable to differentiate email report if from Master or Slave
-
Fixes for NG110, NG310, NG510/511 compatibility issues
Version 9.3.4
Released: February 13, 2020
New:
Support for a wide range of USB WIFI Adapters - Drivers:
-
rtl818x_pci.ko
-
rtl8187.ko
-
btcoexist.ko
-
rtl8188ee.ko
-
rtl8192c-common.ko
-
rtl8192ce.ko
-
rtl8192cu.ko
-
rtl8192de.ko
-
rtl8192se.ko
-
rtl8723be.ko
-
rtl8723-common.ko
-
rtl8821ae.ko
-
rtl_pci.ko
-
rtl_usb.ko
-
rtlwifi.ko
-
rt2400pci.ko
-
rt2500pci.ko
-
rt2500usb.ko
-
rt2800lib.ko
-
rt2800mmio.ko
-
rt2800pci.ko
-
rt2800usb.ko
-
rt2x00lib.ko
-
rt2x00mmio.ko
-
rt2x00pci.ko
-
rt2x00usb.ko
-
rt61pci.ko
-
rt73usb.ko
Fixes:
-
Last few entries of Active Connections list not displayed correctly in Firefox
-
Active connections table do not show the column entries when the order is changed
Version 9.3.3
Released: December, 27 2019
New:
-
HyperScan engine in SNORT for increased performance
-
VPN Tunnel supports SHA2 in Phase2
Fixes:
-
Cannot add multiple VPNs into traffic rules
Version 9.3.2
Released: November, 21 2019
New:
-
VPN Client Support for macOS Catalina
-
VPN Client compatibility with Microsoft Windows 10 (1903)
Fixes:
-
PPPoE Interface not saved on Edit
-
SACK Vulnerability patches to Kernel
-
Problem with port forwarding by source IP with DHCP
-
ScreenConnect application keeps disconnecting
-
DHCP allocated incorrect number shown on UI
-
"Single Internet Link" forwards all traffic to a dead-end if 1 WAN link present
-
Web filter not blocking streaming websites
-
Microsoft Discovery Service not finding devices over VPN
-
Source NAT preselects first entry in list repeatedly
-
User not able to configure tcp_min_snd_mss
-
HA - Active Slave does not apply MAC filter rules properly
-
HA - Sync not working correctly due to incorrect archive filesize
-
VPN Client not opening browser when 2FA configured (Linux)
Version 9.3.1
Released: September, 17 2019
Fixes:
-
HA Disconnect Kerio VPN on passive slave
-
HA VLANs removed on sync from Master to Slave
-
HA Bandwidth management link speed is not persistent on slave
-
HA Fails to Start
-
HA Several improvement and network compatibility fixes
-
Some Web pages are not blocked and can be accessed via Bing search
-
3rd party IPsec VPN tunnel not being established due to unknown crypto suites
-
Update to driver for PCI Network Card Intel X710-T4
-
IPSec VPN tunnel failed to reconnect after an interruption on the remote side since 9.3.0
-
Kerio Interfaces staying "no connectivity" even when there is a connection
-
An unauthorized user can access the internet with the help of authorized users
-
Malicious URL to KerioControl login page can be used to inject code in session
Version 9.3
Released: April, 9 2019
New:
-
High Availability - Active/Passive - Enable a secondary (Slave) identical KerioControl to take over when the primary (Master) device is offline
-
IKEv2 Support (enable via console)
Fixes:
-
Primary IP for WAN interface changes after reboot
-
Last few entries of DHCP reservation list not displayed correctly in Firefox
-
Address group still visible after being deleted
-
IPSEC Tunnel drops in certain circumstances
-
Configuration restore wizard IP addresses not populating
-
Teamviewer application not blocked by Content Filter
-
SafeSearch blocks Yandex
Version 9.2.9
Released: January, 31 2019
New:
-
Memory Swap support
Fixes:
-
Kerio VPN - Disabled insecure and vulnerable protocol Blowfish
-
Change snort nice value to -4 to improve traffic
-
IRQ improvements for snort process to improve traffic
-
HW NG500 crash
Note: Older Kerio VPN Clients are not able to connect using this build. To allow please follow the following steps.
Open ssh connection or from console
Go to /opt/kerio/winroute folder
Run ./tinydbclient "Update VPN set AllowBlowfishCipher=1"
Version 9.2.8
Released: November 27, 2018
New:
-
Limit Bandwidth Per Host
-
Optimize Application Awareness memory footprint
-
Reconfigure Kerio AV to optimize memory usage
-
Kerio VPN new encryption protocol AES
-
Kerio VPN Client supports the new protocol
-
Force hostname for VPN clients
Fixes:
-
Accessing User and Groups crashes WebAdmin on IE11
-
User Statistics not getting updated
-
Installation of VPN Client fails on Ubuntu 18.04 LTS 64-bit Desktop version
-
No traffic over VPN after enabling 2FA on iPhone running iOS 11.4.1
-
Kerio VPN 2-Step Verification Unable to resolve hostname
-
Filtering Web Content by word occurrence returns broken HTML
-
User details not getting updated in Active hosts
Note: KerioControl VPN Client does not work with previous versions of KerioControl (version 9.2.7 and earlier)
Version 9.2.7
Released: September 4, 2018
New:
-
2-Step verification UI improvements
-
DHCP leases column added in DHCP
-
DST notification added to time zone settings page
-
IPv6 anti-spoofing functionality added
-
Linux VPN client now supports systemd
-
Unify approach to entering URL in rules
-
Upgraded Firefox install CA walkthrough screenshots
Fixes:
-
Categories are not getting merged one when testing the miscategorized URLs in Content filter
-
Changing description for multiple users changes only those who have separate configuration
-
Crash with error handling during domain joining/leaving
-
Disable view user statistic when multiple users are selected
-
Entries with multiple members in Service list not getting searched
-
HTTP Cache dump should works without selected cache any message type
-
Interface group ordering disabled
-
IPSec connection is dropped every 3 hours
-
IPsec: Some fields are cleared when Cipher configuration dialog is closed
-
P2P suspicious connection detection
-
Preventing license usage when there is spoofing IPv6 connection
-
Show details while joining AD fails because of time skew
-
Technical support button on dashboard redirects to GFI support now
-
Tunnel reset when cipher config dialog is closed
-
User right column sort by rendered value
-
SafeSearch blocking Google Cloud Messaging
-
View Guest users in KerioControl Statistics opens stats of "Not logged in" user
Version 9.2.6
Released: May 16, 2018
KerioControl 9.2.6 includes security enhancements to allow encryption of personal and sensitive data collected and stored by the product.
New:
-
Added support for Encrypting personal/sensitive data stored on the disk
Fix:
-
Crash in some occasions due to empty HTTP header name
Version 9.2.5
Released: March 22, 2018
KerioControl 9.2.5 provides security improvements with an upgrade to the IPSEC VPN encryption key and complete removal of PHP code in the server code base. This release also includes over 20 customer reported fixes.
New:
-
Removal of PHP server-side scripting from Web Interface
-
Upgrade of strongSwan 5.5.1
-
Improved starting/stopping of VPN Client on Debian 8
-
VPN Client now supports macOS High Sierra
Fixes:
-
Translation issues
-
User preferences automatic language set to detected language
-
Installation of VPN Client fails on Windows 7, 8
-
The WiFi driver has been updated for better compatibility and stability
-
Dashboard Traffic Chart Tile does not show relevant units
-
Changing description for multiple users changes only those who have separate configuration
-
Empty exclusions for connection limit corrupts config
-
View Guest users in KerioControl Statistics opens stats of "Not logged in" user
-
WebAdmin error during configuration import
-
Install CA screenshots are from old FireFox
-
Menu bar icon not optimized for Mac with retina
-
Remote Services: Data are not reloaded when changes are discarded on screen reload
-
Bandwidth management traffic dialog: wrong info text
-
Crash in ThreadCpuTime, when gdata.start_error = 1
-
Assert in DhcpLeaseTab::save()
-
W10 Edge cannot login and access web interface if IPv6 is enabled
-
Missing limiter of AV check failed alert
-
Russian Business Network blacklist is missing in IPS update
-
Remove unsecure DES-CBC3-SHA from cipherlist
-
Wi-Fi should be WiFi (legal requirement)
-
Kerio VPN tunnels are using local networks defined in IPsec section (as Remote networks)
-
Exported cfg. backup is corrupted
-
Sending notifications from KerioControl - InCorrect Format of notification
-
On Groups page, "Rights" column is not sorted in correct order
9.2.5 Patch 1
-
Crash every hour when sending email for invalid user after antivirus scanning
9.2.5 Patch 2
-
NTLM Authentication issue
-
2 Step Authentication issue
-
Recompilation of WIFI driver with different flags for more compatibility
9.2.5 Patch 3
-
Crash when SNAT missing target interface
9.2.5 Patch 4
-
Crash when multiple pages denied occur while first deny is delayed
-
Crash when internal page requests using same "lang" parameter
-
UPnP not listening on all interfaces
9.2.5 Patch 5
-
2 Step Verification for user does not show QR Code
Version 9.2.4
Released: October 26, 2017
KerioControl 9.2.4 provides a WiFi security update to the WPA2 protocol for the NG100W and NG300W hardware appliances.
New:
-
Updated hostapd for enhanced WiFi security
Version 9.2.3
Released: August 21, 2017
KerioControl 9.2.3 brings fixes for customer reported issues including a Security Settings error and fixes a possible loop that resulted in the CPU locking.
New:
-
OpenSSL upgraded from 1.0.1u to 1.0.2j
-
Updated country list used in SSL Certificate definition
Fix:
-
CPU lock due to winroute loop
Version 9.2.2
KerioControl 9.2.2 brings you significant performance improvements in all KerioControl's security and inspection methods and filters. For example:
-
KerioControl now supports 64-bit hardware, which can improve performance by 15-20%
-
Large segment offload (LSO)
Kerio Antivirus
KerioControl 9.2.2 introduces Kerio Antivirus. Kerio Antivirus is powered by the Bitdefender antivirus engine and replaces the current Sophos Anti-Virus.
When upgrading to KerioControl 9.2.2 from earlier versions, Kerio Antivirus automatically replaces the Sophos Anti-Virus.
Read more in our Knowledge Base: Configuring antivirus protection.
KerioControl hardware devices support Wi-Fi
Kerio Technologies launches KerioControl NG100W and KerioControl NG300W hardware devices with embedded WiFi access point which provide connectivity for wireless devices such as cell phones, tablets, and laptops. The KerioControl WiFi module supports:
-
Dual-band antenna, which provides 2.4 or 5 GHz
-
Wireless standards 802.11a, b, g, n, and ac
-
Authentication: none, WPA, WPA2 (PSK or Enterprise)
-
Up to eight wireless networks (SSIDs)
Read more in our Knowledge Base:
Optimizing performance with LSO
KerioControl includes large segment offload, also referred to as generic segmentation offload. LSO allows the network interface controller to process the segmentation of a data transfer and significantly improves performance. However, these improvements are noticeable only during large data transfers, such as file downloads, or video streams.
The throughput gain depends on the particular deployment. For example, you can expect up to 400 Mbps on the KerioControl NG100 hardware appliance.
Read more in our Knowledge Base: Optimizing performance with large segment offload.
Blocking incoming connections from specified countries
KerioControl allows you to filter incoming traffic by country (GeoIP). KerioControl then blocks all IP addresses that belong to the countries specified in the filter.
Read more in our Knowledge Base: Blocking all incoming connections from specified countries.
IPsec VPN tunnel configuration update
KerioControl 9.2 adds a detailed configuration for IKE and ESP ciphers used in IPsec VPN tunnels. With this detailed configuration you can easily create IPsec VPN tunnels with third-party firewalls.
Read more in our Knowledge Base: Configuring IPsec VPN tunnel.
Changes in system requirements
Added support
-
KerioControl supports 64-bit hardware.
-
Hyper-V on Windows Server 2016.
Discontinued support
-
Backup to Samepage has been discontinued. Back up your KerioControl configuration to MyKerio instead. See Saving configuration to MyKerio.
-
Support for hardware with 32-bit CPUs will be removed in KerioControl 9.3. For details, see End of life of KerioControl Box 1110.
For more details, see KerioControl technical specifications.
Upgrading
-
KerioControl 9.2 and newer supports 64-bit hardware.
-
Upgrade from KerioControl 8.0 and newer.
KerioControl does not permit upgrades from versions older than 8.0.