DFL-M510 Firmware Release Note

Firmware: 1.31.00
Pattern: 3.24
Hardware: A1/A2/A3G
Date: Jan. 22, 2007

Problems Resolved:
1. If users manually update the pattern, the DFL-M510 cannot correctly perform the Auto Download mechanism. The device will always show the message “Your DFL-M510 is using the latest pattern version”, even when there is a newer version on NetDefend Center.

Enhancements: None

Well-known bugs: None

============================================================

Firmware: 1.30.00
Pattern: 3.23
Hardware: A1/A2/A3G
Date: Oct. 18, 2006

Problems Resolved: None

Enhancements:
1. Support for a multi-language user interface, including English, Traditional Chinese and Simplified Chinese.
2. Support for a dual-mode host learning feature, including MAC-Based Management and IP-Based Management. With IP-Based Management, the DFL-M510 can now recognize hosts behind a router or Layer 3 switch.
3. Enhanced DFL-M510 log format, and support for exporting log information to an external Syslog server.
4. Support for multiple log types and severity levels for log notification.
5. Support for traffic shaping of Internet applications according to signature support, such as BitTorrent, eMule and FlashGet.

Well-known bugs: None

============================================================

Firmware: 1.23.00
Pattern: 3.19
Hardware: A1/A2/A3G
Date: Jun 21, 2006

Problems Resolved:
1. If a user-defined group is created, the UI halts when the user tries to export the host table.
2. The user-defined rule fails to match.
3. Template configurations do not apply to the new signatures of an upgraded policy. This forces the user to reconfigure the templates whenever they update the policy.
4. Daylight saving is still applied to the current device time, even when the current device date and time are not in the daylight saving time range.
5. An existing name can be set for a new group.
6. To change the stealth mode with the console command, the link mode status has to be re-typed even if the user does not want to change it.
7. If the number of managed hosts reaches 150 and a user adds one host from the UI, this new host should be identified with the color green; however, in kernel 1.22.00, it is colored blue.
8. A buffer overflow exists in the field UI/System/Network/Network Setting/Admin Email/Password.
9. A DDoS item exists in the console command, but the DFL-M510 does not support this function.
10. A bug exists when operating the Up/Down buttons on the UI/Hosts/Groups/Setup Groups/Group Setting page; the UI does not set the top boundary for group priority exchange.
11. After running the setup wizard, the modification of policy will influence all groups; it will only influence the groups assigned to the wizard template originally.
12. An IP and port change from a configuration restore will initiate a reboot of the device.
13. Remove the WIN_MX application from the policy. This service was stopped already.
14. The default template and schedule can be deleted.
15. After resetting the device from the LCM panel, the web management of the device cannot be connected to because the access port is set to 0 instead of port 80.
16. When the traffic volume is high, the data on the coordinate axis of the report may be crammed together.
17. Rule actions of specific applications for a host and a subnet in a higher-priority group may confuse users when the default group’s actions for the same applications are set to BLOCK.
18. The group name can be changed to another existing name.
19. The template name can be changed to another existing name.
20. The account name can be changed to another existing name.

Enhancements:
1. Enable Pattern Auto-download from D-Link NetDefend Center.
2. Add a new system log for changes to the HTTP management port.
3. Enhance the protection of device and packet flow from HGod Syn attack.
4. Add new behavior called Skype Login (strict mode).
   When a PC starts up and Skype starts trying to connect to the network (people usually consider this the Skype login) rather than logging in to the Skype server, it will trigger this behavior.
5. New wording in the UI to tell the user the time of policy download.

Well-known bugs:
1. The schedule name can be changed to another existing name.
2. If the management port of the imported configuration is different from the device's original port, the device cannot be accessed through the UI until it is rebooted.
3. The quota limit and session limit for subnets do not work.

============================================================

Firmware: 1.22.00
Pattern: 3.18
Hardware: A1
Date: Sep 23, 2005

Problems Resolved:
1. If a user-defined group is created, the UI halts when the user tries to export the host table.
2. The user-defined rule fails to match.
3. Template configurations do not apply to the new signatures of an upgraded policy. This forces the user to re-configure the templates whenever they update the policy.
4. Daylight saving is still applied to the current device time, even when the current device date and time are not in the daylight saving time range.
5. An existing name can be set for a new group.
6. To change the stealth mode with the console command, the link mode status has to be re-typed even if the user does not want to change it.
7. If the number of managed hosts reaches 150 and a user adds one host from the UI, this new host should be identified with the color green; however, in kernel 1.22.00, it is colored blue.
8. A buffer overflow exists in the field UI/System/Network/Network Setting/Admin Email/Password.
9. A DDoS item exists in the console command, but the DFL-M510 does not support this function.
10. A bug exists when operating the Up/Down buttons on the UI/Hosts/Groups/Setup Groups/Group Setting page; the UI does not set the top boundary for group priority exchange.

Enhancements:
1. Add a new system log for changes to the HTTP management port.
2. Enhance the protection of device and packet flow from HGod Syn attack.
3. Add new behavior called Skype Login (strict mode). When a PC starts up and Skype starts trying to connect to the network (people usually consider this the Skype login) rather than logging in to the Skype server, it will trigger this behavior.

Well-known bugs:
1. The group name can be changed to another existing name.
2. The schedule name can be changed to another existing name.
3. The template name can be changed to another existing name.
4. The account name can be changed to another existing name.
5. If the management port of the imported configuration is different from the device's original port, the device cannot be accessed through the UI until it is rebooted.
6. When the traffic volume is high, the data on the coordinate axis of the report may be crammed together.

============================================================

Firmware: 1.21.00
Pattern: 3.17
Hardware: A1
Date: Aug 31, 2005

Problems Resolved:
1. System time: Set the time zone to Taipei and find that the system time of the LCM and the Web GUI is not the same.
2. Swap host to standby mode: If two hosts (A and B) have the same IP address and host B is moved to standby mode, host A's MAC address is changed to host B's.
3. Group Quota: Can’t modify the quota until the quota option is unchecked and checked again; not user friendly.
4. Group Session: Can’t modify quota and check the session option; not user friendly.
5. The FTP throughput in PASV mode.
6. Can’t block FTP when the user is using a port other than 21.
7. Fixed the incorrect JRE link address.
8. URL filter and web keyword only supported port 80.
9. If daylight saving time is over, the system will not be modified.
10. Report: Out-of-range days should be disabled.
11. When the Get community and Read community are changed to different configurations, the device will send the Authentication File message.
12. Clicking the help button in Policy/Keyword Filter/Edit can’t connect to the Help Page.
13. When IExplorer is used to generate SQL Slammer packets to attack the DFL-M510 from the WAN port, the LAN will lose some packets.
14. When a DDoS attack is run against the DFL-M510, the DFL-M510 will not send the realtime information.
15. The pattern doesn’t go back to the latest updated version when the user resets to default.
16. False positives between Windows Media Player and RealPlayer, i.e., before pattern 3.17, if a user plays multimedia with Media Player, sometimes RealPlayer signatures are triggered, and vice versa.
17. ezPeer 2.0 connections cannot be detected.
18. The group name can be changed to another existing name.
19. The schedule name can be changed to another existing name.
20. The template name can be changed to another existing name.
21. The account name can be changed to another existing name.
22. If the management port of the imported configuration is different from the device's original port, the device cannot be accessed through the UI until it is rebooted.
23. When the traffic volume is high, the data on the coordinate axis of the report may be crammed together.

Enhancements:
1. Enhance the performance when the IP MAC Table has over one hundred entries.
2. Support FlashGet (via HTTP) and GoogleTalk applications.
3. Add “Web MSN” and “SIMP” (encryption transmission) behavior items under the MSN application.
4. Add “Web Yahoo” behavior item under the Yahoo application.
5. Add “Web ICQ” behavior item under ICQ/AIM/iChat.
6. Add signatures detecting ActiveX controls.
7. Support for MSN/Yahoo IM connections via an internal proxy server that connects to the LAN port of the M510.
8. The user can retrieve system debug information from the UI.
9. The user can change the web management port; it was fixed at TCP port 80 before.
10. The UI is accessed through Java Web Start.
11. The policy update also upgrades the default policy in the backup sectors (only used after resetting the device).

Note: Because the kernel architecture has changed, please upgrade to firmware 1.21 from firmware 1.20.
If you upgrade to firmware 1.21 from a firmware version below 1.20, you might see some HARMLESS error messages; please follow these instructions to upgrade.
1. Upgrade to firmware 1.21 from the Web UI.
2. After rebooting, the console will show some error messages; just ignore them.
3. Upgrade to pattern 3.17 from the Web UI.
4. The device reboots and the Web UI hangs; just close the Web UI.
5. After the device reboots, you can log in to the device normally.
6. Because signatures for Gmail detect the URL only, blocking the use of Gmail will also block GoogleTalk login.

Well-known bugs:
1. If a user-defined group is created, the UI halts when the user tries to export the host table.
2. The user-defined rule fails to match.
3. The same group names can be set.
4. Template configurations do not apply to the new signatures of an upgraded policy. This forces the user to re-configure the templates whenever they update the policy.
5. Daylight saving is still applied to the current device time, even when the current device date and time are not in the daylight saving time range.
6. When the number of managed hosts reaches 150 and the user adds one host from the UI, this new host should be identified with the color green; however, in kernel 1.22.00, it is now colored blue.
7. To change the stealth mode with the console command, the link mode status has to be re-typed even if the user does not want to change it.
8. A buffer overflow exists in the field UI/System/Network/Network Setting/Admin Email/Password.
9. A DDoS item exists in the console command, but the DFL-M510 does not support this function.
10. A bug exists when operating the Up/Down buttons on the UI/Hosts/Groups/Setup Groups/Group Setting page; the UI does not set the Top/Bottom boundary for the Up/Down buttons.

============================================================

Firmware: 1.20.00
Pattern: 3.14
Hardware: A1
Date: July 20, 2005

Problems Resolved:
1. The Help button can’t be used.
   When the user clicks the Help button, the On-line Help can’t be displayed.
2. When the user tries to delete a template, the dialog that waits for the device’s response is not closed.
3. When the user tries to delete a template, the dialog that waits for the device’s response is not closed. (CPU loading 98% ~ 100%)
4. Host bypass is not working correctly. Some hosts will not be blocked by the M510.
5. The Trap function for SNMP doesn’t work.
6. The current device date and time are not in the daylight saving time range, but daylight saving is applied.
7. Hosts are not assigned to the wizard template when the user tries to import host data.
8. Traffic could not be passed through the DFL-M510 for about 1~3 minutes.
9. The policy version is shown as 0.0 on the LCM when the user resets the device to factory default.
10. Device up time on the LCM is 20 seconds faster than on the Web GUI.
11. Pattern version display error: The correct version is 3.08, but it is displayed as 3.8 in policy status.

Enhancements:
1. Improve TCP and UDP throughput. Please refer to the testing report.

Well known bugs:
1. Sometimes the daylight saving time is not correct.
2. When the user changes the time zone, the date on the LCM will be wrong.
3. When a user uses FTP to download data on a port other than the normal port (port 21), the DFL-M510 can detect it but can’t block it.

============================================================

Firmware: 1.10.07
Pattern: 3.13
Hardware: A1
Date: July 12, 2005

Problems Resolved:
1. When the user changes the link status configuration, the function doesn’t work. For example, the default setting is “Auto”, and we connect to a 10/100Mbps switch. The link speed is 100Mbps. When we change to 10 Mbps, the connection speed is still 100Mbps. Please see Fig.1.
   Fig.1
2. The system only learns the MAC and IP address packet and does not learn each packet. This improves the device’s stability when the device detects packets with the same MAC address but different IP addresses.
3. Web download can’t block *.rpm files.
4. When the user tries to delete a template, the dialog box can’t be closed.
5. When a client uses HTTPS to connect to a web site, the “Real Time Application” can’t be displayed.
6. The DFL-M510 will block some packets from the PCs in the Host bypass list.
   Fig.2
7. If your environment has VLANs, each host’s VLAN ID is displayed in the Hosts/Group page. Please see Fig.3. This version fixes this issue.
   Fig.3
8. When the DFL-M510 detects an Illegal Agent, the “Real Time Application” can’t be displayed.
   Fig.4
9. Because ASF and WAV files can be opened by RealOne, MS Media Player, etc., blocking RealOne or MS Media Player also blocks ASF and WAV files.
   Fig.5
10. Report Bug: Please see Fig.6. There are five categories, but there are six categories in the chart. The new firmware fixes it; please see Fig.7.
   Fig.6
   Fig.7
11. When the system enters Garbage Collection, the device would sometimes hang for 30 seconds.
12. On-line Help is not ready.

Enhancements:
1. Web UI performance.
2. SNMP function includes Trap, Get, Set.
   Trap: Reboot
   Get:
     1. System Description: D-Link Security Solution:DFL-M510 Information Security Gateway
     2. System Object ID: 1.3.6.1.4.1.171.10.74.1.3
     3. System Up Time
     4. System Contact: DFL-M510_support@dlink.com.tw
     5. System Name: DFL-M510
     6. System Location
     7. System Services:
   Set:
     1. System Contact
     2. System Name
     3. System Location
3. Support for blocking the new versions of TM and Kuro.
   > what is new version?
   TM: TM2005Beta1
   Kuro: 6.0
4. Improve login time: When the user logs in, the device will not check the policy again.
5. The system only learns the MAC and IP address packet and does not learn each packet. This improves the device’s stability when the device detects packets with the same MAC address but different IP addresses.
6. When the device detects a VPN packet, the device will forward it.
7. For the new MSN version, the old pattern can’t block file transfer. When you block the MSN file transfer function, the user can still transfer files.
8. In this version, we use the P2P protocol to manage P2P downloads.
   In this architecture, no matter which client version is used, the DFL-M510 can manage it.

Well known bugs:
1. SNMP Trap function: When the connection link goes up / down, the device can’t send the trap.
2. Pattern version display error: The correct version is 3.08, but it is displayed as 3.8 in policy status. Please see Fig.8.
   Fig.8
3. On-Line Help: Because the file is not finished.