Software
1 Feature Description
1.1 NGFW_NTOS1.0R13
|
Feature |
Description |
|
Wireless |
Built-in 4G module (RG-CF10S-LTE) Pluggable 4G module (RG-CF30XS) |
|
Web-based management |
IPv4 and IPv6 login management HTTP/1.1 HTTPS Hierarchical and decentralized account management |
|
Service interfaces |
Bridge interface Physical interface Switching interface Sub-interface Aggregate interface Tunnel interfaces: VTI, GRE interface, and ERSPAN interface Cellular interface |
|
DNS snooping |
Static domain name allowlist Encrypted DNS traffic blocking DNS Safe Search, supporting services such as Google, Bing, and YouTube. |
|
Report |
Security report and traffic report (RG-CF30XS) Traffic reports can be generated and pushed by email. The reports show statistics collection on applications, links, users, traffic from source IP addresses, online users, and number of user sessions. |
|
Email notification service |
Email notification service (RG-CF30XS) |
|
SSH |
SSH over IPv6 SSHv2.0 |
|
AI-based threat detection |
IPv4 traffic detection IPv6 traffic detection SSH brute-force detection RDP brute-force detection Port scan detection Recording security logs AI-based threat detection engine library upgrade Pre-defined AI threat detection template Custom AI threat detection template Association with a blocklist for blocking AI-based threat detection allowlist |
|
FPGA card |
Service offloading |
|
Intelligent monitoring |
Temperature monitoring Port status monitoring Fan and expansion card monitoring (RG-CF30XS) |
|
System management |
CPU usage monitoring Memory usage monitoring Reset button |
|
Optical transceiver management |
Optical transceiver management Optical transceiver monitoring 10GE optical transceiver auto-negotiation (RG-CF30XS) |
|
Storage management |
eMMC management and USB management Hard disk management (RG-CF30XS) Built-in eMMC log storage (RG-CF10S, RG-CF10S-LTE, and RG-CF30XS) |
|
Version upgrade |
Online upgrade Version rollback Local upgrade Upgrade with high reliability |
|
Firmware upgrade |
FPGA firmware upgrade |
|
Patch upgrade |
Component patch installation Function patch installation Function patch rollback Configuring the patch loading time Online upgrade |
|
Cloud service |
Sending logs to the cloud Online feature library upgrade Cloud (interworking with the security cloud) Cloud (interworking with Ruijie Cloud) |
|
License management |
Local license activation Online license activation License expiration alert |
|
Diagnosis center |
Device self-check Hardware self-check Packet tracing SSL VPN troubleshooting IPsec troubleshooting Diagnosing port mapping issues |
|
One-click collection |
Collection rule library upgrade Collection and download on eWeb Collection and download on eWeb Remote collection and download |
|
Reliability |
HA |
|
PPPoE |
PPPoE client Multi-PPPoE PPPoE server |
|
LLDP |
N/A |
|
IPv6 |
N/A |
|
NAT |
NAT NAT46 NAT64 NAT66 |
|
Port mapping |
One-to-one mapping between LAN and WAN addresses Configuring mapping based on interfaces |
|
ALG |
FTP, TFTP, DNS over UDP, SIP over TCP, SIP over UDP PPTP |
|
ARP |
Static ARP Trusted ARP Dynamic ARP |
|
VPDN |
PPTP L2TP |
|
VPN |
IPsec VPN: ○ IKEv1, IKEv2, and IPsec ○ L2TP Over IPsec ○ GRE Over IPsec ○ Active/standby failover and automatic failback for multiple branch links ○ Branch connections to multiple headquarters for headquarters backup and failover. GRE: ○ GRE (IPv4 over IPv4) ○ GRE (IPv6 over IPv4) SSL VPN |
|
Object |
IPv4 address object IPv4 address group object IPv6 address object IPv6 address group object MAC address object MAC address group object Domain name object Region object Service object Security zone object Time object File type group |
|
Security policy |
Associated address objects and address object groups Associated service objects and service object groups Associated application objects Associated region objects Associated security zone objects Associated interface types Associated interfaces Associated users Associated user labels Configuring policies based on time Policy simulation space Policy optimization Policy lifecycle Renaming a policy or policy group |
|
Local attack defense |
Access control Local attack defense policy |
|
DDoS |
IP address scanning attack defense Port scanning attack defense SYN flood attack defense UDP flood attack defense ICMP flood attack defense ICMPv6 flood attack defense TearDrop attack defense Controlling IP packets with the source route option Controlling IP packets with the record route option Smurf attack defense ICMP redirection attack defense ICMP unreachable attack defense LAND attack defense WinNuke attack defense Fraggle attack defense Defense against large-sized ICMP data attacks Filtering IPv6 packets with extension headers |
|
Limiting the number of sessions |
Uplink packet rate limiting New session rate limiting Configuring policies for limiting the number of sessions |
|
Blocklist and allowlist |
IPv4 blocklist IPv4 allowlist IPv6 blocklist IPv6 allowlist MAC address blocklist User blocklist Blocking notification based on the MAC address or user blocklist |
|
IP-MAC binding filtering |
IP-MAC binding filtering |
|
ARP guard |
Proxy ARP ARP spoofing defense ARP rate limiting |
|
Session log |
Session log (RG-CF30XS ) |
|
File extraction |
File extraction File type identification File hash (MD5/SHA1) |
|
Traffic control |
Customizing traffic control policies |
|
Traffic analysis |
Displaying real-time traffic rate Traffic snapshot Displaying device traffic information Real-time session |
|
Proxy SSL |
Configuring allowlists for applications or domain names Configuring proxy flows based on URL categories Hardware acceleration SSL proxy policy |
|
Application recognition |
DPI DFI IPv6 DPI IPv6 DFI License control |
|
URL filtering |
IPv6 HTTP URL blocking IPv6 URL category library IPv4 URL category library IPv4 HTTP URL blocking HTTPS URL blocking IPv4 blocking message record IPv6 blocking message record Sending the URLs accessed by users not in the local library to the cloud for analysis Global URL blocklist Safe Search for search engines such as Google, Bing, Yandex, Yahoo, and YouTube. |
|
Content filtering |
HTTP web page content filtering IPv4 keyword filtering IPv6 keyword filtering IPv4 keyword alarm IPv6 keyword alarm IPv4 blocking message record IPv6 blocking message record |
|
File filtering |
HTTP, HTTPS, and FTP file filtering |
|
Automatic session suppression |
Session limit policy Session alarm |
|
IPS |
IPv4 traffic detection IPv6 traffic detection TLS-encrypted traffic detection Recording security logs Signature library upgrade Pre-defined IPS template Custom IPS template Configuring IPS exception rules Enabling or disabling pre-defined rules Configuring brute force cracking rule parameters Association with a blocklist for blocking License control Displaying pre-defined rule information IPS allowlist Custom rule |
|
Web security |
Rule engine detection Semantic engine detection Exception rules Enabling or disabling rules of the rule engine Detection of blocking rules and association with the blocklist Signature library upgrade of the rule engine Signature library upgrade of the semantic engine Recording security logs Custom template Pre-defined template License control |
|
Threat Intelligence (TI) |
Detection of IPv4 addresses and domain names Custom inbound intelligence IPv6 domain name detection Custom intelligence configuration and detection Exception intelligence configuration Kaspersky intelligence source authorization and signature library upgrade Displaying security logs after threats are detected Displaying threat intelligence statistics (summary) Google intelligence source authorization and signature library upgrade Enabling multi-source intelligence detection Security zone-based configuration Configuring handling actions for traffic that matches intelligence records Multi-source detection Configuring the multi-source detection sequence Displaying the intelligence summary based on intelligence sources |
|
Antivirus |
Custom hash exception Blocklist hash Quick scan mode Selecting the scanning type Customizing the types of files to be scanned IPv4 traffic detection IPv6 traffic detection Recording security logs Quick scan signature library upgrade (RG-CF10S and RG-CF10S-LTE) Pre-defined antivirus template Custom antivirus template Security detection for traffic of multiple protocols Application exception License control Deep scan and deep scan signature library upgrade (RG-CF30XS) |
|
RM (information pushing) |
IPv4 traffic detection Antivirus URL filtering Refreshing the cache Maximum volume of outgoing packets Custom images Custom traffic pushing, including the title and content |
|
User organization |
Configuring authentication domains Configuring user groups Configuring users Configuring user passwords Configuring the password strength Mobile number binding Account expiration settings Importing users in batches Importing users in batches Unidirectional IP-MAC binding Bidirectional IP-MAC binding Bidirectionally bound user identification Automatic MAC binding Association with user labels Associating users with user packages Displaying online users Configuring the idle timeout for an idle terminal |
|
Web-based authentication |
WiFiDog v1.0 authentication solution WiFiDog v2.0 authentication solution MAB (Layer 2 network) Dual-stack authentication: IPv4 authentication and IPv6 bypass HTTP and HTTPS traffic redirection Portal bypass detection Configuring an authentication policy Authentication-free source IP address Authentication-free source MAC address Authentication-free destination IP address Authentication-free domain name RNSP SMS authentication |
|
Routing |
l Intelligent routing: ○ Policy-based routing (PBR) ○ App-based routing ○ User-based routing ○ URL routing ○ ISP route l Dynamic routing ○ OSPFv2 ○ OSPFv3 l Static routing l Routing policy |
|
Load balancing |
Egress load balancing Egress line attribute identification Egress line application scheduling |
|
Link detection |
Track RNS |
|
CLI |
Status display on the CLI |
|
USB |
Configuration export using a USB flash drive |
|
Interconnection with the log server |
Syslog (RFC3164) Syslog (RFC5424) Syslog in both Chinese and English |
|
Log collection |
Log collection |
|
DNS |
DNS client |
|
DDNS |
DDNSv6 |
|
DHCP server |
DHCP address pool alarming (syslog) ICMP-based address conflict detection Option 138 Option 43 Option 44 Option 15 Static binding of assigned IP addresses IP address exclusion from terminal address assignment Service alarm notification DHCP assignment logs Local storage of DHCP assignment logs Displaying IP allocation logs on eWeb DHCPv6 DHCPv4 |
|
DHCP client |
DHCP client DHCPv6 client |
|
DHCP Snooping |
MAC identification through DHCP packets |
|
DHCP Relay |
DHCP Relay |
|
NTP |
NTP client NTPv6 client |
|
SNMP |
SNMPv1, SNMPv2c, SNMPv3 SNMP over IPv6 |
|
SNMP client |
Terminal MAC identification through SNMP Terminal location identification through SNMP |
|
RADIUS |
Configuring the RADIUS server (IPv4) Active and standby servers |
|
LDAP |
AD domain and LDAP server with IPv4 deployment |
|
Traffic learning |
Traffic learning Export of traffic learning logs |
|
SD-WAN |
SD-WAN networking on Ruijie Cloud |
|
Hardware adaptation |
Hardware adaptation for the following two hard disk models: l RG-NSEC-SSD-480G-B-M l RG-NSEC-HDD-1T-B |
|
Behavior analysis |
Display only for authorized customers. |
|
Network diagnosis |
IPv4 and IPv6 differentiation on the packet obtaining page Packet obtaining on physical interfaces and sub-interfaces Packet obtaining on LAN and WAN ports simultaneously |
2 Resolved Issues
2.1 NGFW_NTOS1.0R13
|
Bug ID |
Description |
|
1589768 |
In LAN scenarios, bandwidth configuration has no practical effect, while the web interface still provides bandwidth configuration options for LAN ports. |
|
1587905 |
In the factory default state, port 0 (preconfigured with a DHCP server) cannot be switched to transparent mode during quick onboarding configuration. |
|
1585607 |
An IP address must be configured for a bridge interface to which an interface in transparent mode is automatically added in the quick onboarding wizard. The logic for verifying IP address conflicts is incorrect. |
|
1589031 |
When the allowlist or blocklist entries contain spaces in their descriptions, the exported CSV file cannot be imported into the device. |
|
1588145 |
In an SSL VPN scenario, when the client submits an empty hardware signature, the device incorrectly creates an empty entry that cannot be deleted. |
|
1586026 |
When a physical interface is not in routing mode, the system incorrectly reports an alarm message indicating that the interface outside the trust zone can access the device through the web. |
|
1582267 |
Due to inconsistent time between the PC and the device, no session data is displayed when a user clicks to view sessions in a security policy. |
|
1576703 |
In a multi-peer IPsec VPN scenario, after peer switching, the previous negotiation state is not cleared in time, resulting in the coexistence of two negotiation states. |
|
1590666 |
Hourly attack trend statistics updates are abnormal when the statistics collection period is set to one day. |
|
1593065 |
Due to optimization of the flow platform process in other modules without considering the impact on GRE tunnels, packet flow direction verification errors occurred in GRE over IPsec scenarios. After Keepalive was enabled on the GRE interface, the interface status changed to Down. |
