Version v25.10
Version v25.10 adds: autodetection for general protection, OpenAPI specification and a new MAIL countermeasure.
Functionality has been enhanced for the VAL, DNS and ATLS countermeasures, the HCA and PCAP functions, and also Logan, WebC, Collector and TACACS.
UX improvements have been made.
Changes in v25.10
Detect. Autodetection has been added to general protection IPv4 and IPv6.
Now, general protection countermeasures can also be managed by the autodetection mechanism. Autodetection in general protection works similarly to autodetection in policies. The following predicates are available:
- By system traffic, for ext (external network) and int (internal network), the following are monitored:
  - incoming traffic;
  - outgoing traffic;
  - dropped traffic.
- By general protection traffic, the following are monitored:
  - incoming traffic;
  - outgoing traffic;
  - dropped traffic.
- By ports of the first instance (ID 1). Incoming traffic is monitored.
- By drops from other countermeasures.
For more details, refer to the built‑in automatic detection documentation.
Policy. The handling of comments for policies has been changed.
Now, on the policy list page, the comment for a protection policy is displayed below the row, similar to routing rules. Clicking the icon in the page header reveals comments in all policies where they are defined.
A comment filter has also been added. As you type, all comments matching the filter are automatically revealed.
Policy. Incidents joining interval has been removed.
The «Incidents joining interval» parameter has been removed from protection policy settings. Now, incident closure is influenced only by the number of analyzed intervals in the autodetection settings.
If you need to set a separate value for the number of analyzed intervals for incident registration, use the following thresholds:
- Incidents.Timing.HistorySize;
- Incidents.Timing.SeverityLimit.
PCAP. Packet capture in general protection has been reworked.
Packet capture for general IPv4 and IPv6 protection has been reworked. Now, capture can be performed on two tabs.
On the «General Protection» tab, traffic processed by the system is captured, that is, IPv4/IPv6 protocol traffic entering general protection.
On the «All Traffic» tab, all traffic entering the system is captured, including unprocessed L3 protocol traffic.
HPD. The ability to mark traffic from IP addresses without considering its rate has been added.
Now, HPD rules do not require thresholds to be specified. In this case, traffic matching the rule will be marked by the detector regardless of its rate.
HPD. The ability to control logging of HPD triggers in the event log has been added.
A new setting, «Record triggering to the event log», has been added. If the flag is enabled, HPD triggers are logged in the event log; otherwise, no entries are added to the event log.
MAIL. MAIL countermeasure has been added to IPv4 protection policies.
This countermeasure checks the content of TCP segments arriving at specified ports for compliance with RFC requirements for the SMTP protocol.
VAL. An option to drop invalid NTP packets has been added.
The countermeasure verifies the validity of NTP packets where the source or destination ports match the specified ones.
ATLS. A graph of segmented «ClientHello» messages has been added.
Now, the countermeasure counts packets containing incomplete «ClientHello» messages and displays them as the «Segmented ClientHello» curve on the «TLS» tab.
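An added example (not MITIGATOR code) of how a packet can be classified as carrying an incomplete «ClientHello»: it compares the bytes present in one TCP payload with the lengths declared in the TLS record and handshake headers. The function names and sample bytes are constructed for illustration, and the countermeasure's actual criteria are not described on this page.

```python
import struct

TLS_HANDSHAKE_RECORD = 0x16  # TLS record content type "handshake"
CLIENT_HELLO = 0x01          # handshake message type "client_hello"

def tls_record(fragment: bytes) -> bytes:
    """Wrap handshake bytes in a TLS record header (type, version, length)."""
    return struct.pack("!BBBH", TLS_HANDSHAKE_RECORD, 3, 1, len(fragment)) + fragment

def classify_client_hello(payload: bytes) -> str:
    """Classify the first TCP payload of a connection as
    'complete', 'segmented' or 'not_client_hello'."""
    if not payload or payload[0] != TLS_HANDSHAKE_RECORD:
        return "not_client_hello"
    handshake = bytearray()
    off = 0
    # Walk the TLS records: a ClientHello may also be split across records.
    while len(payload) - off >= 5:
        ctype, major, _minor, rec_len = struct.unpack_from("!BBBH", payload, off)
        if ctype != TLS_HANDSHAKE_RECORD or major != 3:
            return "not_client_hello"
        handshake += payload[off + 5:off + 5 + rec_len]
        if handshake and handshake[0] != CLIENT_HELLO:
            return "not_client_hello"
        if len(handshake) >= 4:
            declared = int.from_bytes(handshake[1:4], "big")
            if len(handshake) >= 4 + declared:
                return "complete"
        off += 5 + rec_len
    return "segmented"  # a header or the body ends before the declared length

def count_segmented(payloads) -> int:
    """Number of payloads that would land on a 'segmented' counter."""
    return sum(classify_client_hello(p) == "segmented" for p in payloads)

# Constructed sample: minimal ClientHello body (version, zero random, empty
# session id, one cipher suite, null compression, no extensions).
BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
HANDSHAKE = bytes([CLIENT_HELLO]) + len(BODY).to_bytes(3, "big") + BODY
FULL = tls_record(HANDSHAKE)
SAMPLES = [
    FULL,                                                     # whole message
    FULL[:20],                                                # cut mid-body
    FULL[:3],                                                 # cut mid-header
    tls_record(HANDSHAKE[:10]) + tls_record(HANDSHAKE[10:]),  # two records, one packet
    b"GET / HTTP/1.1\r\n",                                    # not TLS
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(len(p), classify_client_hello(p))
    print("segmented:", count_segmented(SAMPLES))
```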
DNS. The accounting of requests for which the countermeasure responds with NXDOMAIN has been changed.
Previously, packets that the countermeasure answered with NXDOMAIN and dropped were counted on the general drop graph. Now, dropped packets are counted on the «DNS Allowlist Drop» graph, and responses are counted on «DNS Back».
HCA. Filtering by JA3/JA4 fingerprints has been added.
Optional checking against trusted and suspected JA3/JA4 fingerprint lists has been added to the countermeasure. If a fingerprint is in the trusted list, the client with that fingerprint is authenticated; others must pass the challenge. If a fingerprint is in the suspected list, the client with that fingerprint must pass the challenge; others are authenticated.
Which list to work with is selected via radio buttons.
HCA. Filtering by SNI has been added.
Optional checking by Server Name Indication (SNI) has been added to the countermeasure. When a filter is set, only traffic from sessions with a «ClientHello» containing a matching SNI is translated to WebC. Clients sending a «ClientHello» without an SNI, or with an SNI that is not in the list, are authenticated.
LOGAN. Support for status value ranges in capture and streaming filters has been added.
Now, status code ranges can be specified in Logan’s capture and streaming filters.
WebC. The ability to specify multiple management addresses for a single challenge server has been added.
A scenario where multiple challenge servers are behind a load balancer is now supported. You can now specify multiple management addresses in the challenge server settings to configure each of them.
Collector. Traffic graphs for the exporter interface based on SNMP data have been added.
Now, when you hover over an interface row in the «Flow Exporter» panel, a graph icon appears. Clicking the icon opens the interface graph.
API. REST API description in the form of an OpenAPI specification has been added.
The OpenAPI specification is available via a link in the built‑in documentation. The REST API description in the form of an HTML page has been retained.
TACACS+. The operation logic in the «Authentication and Authorization» mode has been changed.
If user authentication and authorization are performed via TACACS+, an account will be created in MITIGATOR upon the first successful authorization. During subsequent authentications, the credentials are checked both in MITIGATOR and on the TACACS+ server. Authentication completes only if both checks pass.
BGP. The name of the environment variable for ignoring the packet processor state during BGP advertisement has been changed.
The environment variable has been renamed:
- previously: BACKEND_BGP_CLICK_STATE;
- now: BACKEND_BGP_DATAPLANE_STATE.
Overview. Widgets for traffic on exporter interfaces based on SNMP data have been added.
A widget titled «Interface Traffic» has been added. The selected interface is remembered by the widget.
Flow Analysis. Saving filters in Flow Analysis presets has been added.
Now, when saving a preset for a section in Flow Analysis, the values in the section’s filter are also saved.
UX. Indication of HPD and CMON status in supported countermeasures has been added.
Now, in countermeasures supporting the «Connection Monitoring» and «Host Protection Detector» features, the status of these features is displayed. If a feature is enabled in the policy, a blue stripe is shown on its badge in the countermeasure cards and headers, similar to the indication of countermeasure operation on the protection policy list page.
UX. Tooltips for icons on the policy list page have been added.
Now, when hovering over icons in the header of the policy list page, a tooltip appears indicating which data is used to calculate the statistics.
 
 
 
 
 
 
 
 
 
 
