New Features and Enhancements

FQDN address extraction from DNS packets

Adds support to directly extract FQDN addresses from DNS packets that pass through, making policy match more accurate.

Wildcard usage supported in FQDN objects

Supports usage of the wildcard character (*) to fuzzily match a range of FQDN objects.

Easy installation of SSL decryption certificate

Allows you to configure an end-user certificate notification that instructs end users to download and install the SSL decryption certificate provided by Cloud Edge to get rid of the certificate warning displayed every time they visit HTTPS websites.

See Certificate Management.

IoT devices excluded for SSL traffic decryption

Enables Cloud Edge to bypass the SSL traffic from IoT devices based on their categories since IoT devices always have difficulties to install the SSL decryption certificate of Cloud Edge.

Support for gateway memos

Allows partners to add and edit memo information to better manage Cloud Edge gateways.

Support for Cloud Edge G3 devices

New support added for third-generation devices

Support for Bulk Settings

Supports the following features to change settings through TMRM for specific partners:

• Enable or disable IPS Advanced Settings or specified IPS rules in a security profile
• Enable or disable HTTPS in a security profile
• Customize exception list of HTTPS in a security profile
• Change the assigned exception list for HTTPS in a security profile

Support for TDTS Application Group for SD-WAN

Supports defining customized application groups and using them in SD-WAN rules.

Application Identification Improvement

Updates application identification engine to support more applications.

During troubleshooting, security scan can be disabled due to the fact that it may interfere with troubleshooting. Disabling security scan makes traffic traverse the device without inspection.

Factory Reset Package Version Update

Enables/disables the schedule automatic factory reset package version update feature. The CE box will download a new version of factory reset package when it is enabled and has the related update rule configured in Cloud Edge Support Portal.

Under Administration > Scheduled Updates, users can perform updates not only for firmware, but also for factory reset version. See Scheduling Updates.

Support for Suspicious Objects

This feature is now supported on all Cloud Edge gateways.

The UI path is Policies > Suspicious Objects.

See Suspicious Objects.

Support for SD-WAN

Under Gateways > (Selected Gateway) > SD-WAN, you can do the following:

• Enable SD-WAN and bandwidth settings
• Set up and manage SD-WAN rules by adding/editing, duplicating, moving, enabling/disabling, and deleting them.
• Manage SLAs by adding/editing and deleting them.

Support for Multiple Registration of Cloud Edge Gateways

On the Gateways > Gateway Management page, an Import Gateways button is added, which allows you to import multiple gateways. For details, refer to Importing Multiple Gateways.

Support for RADIUS Authentication

Under Administration > USER AUTHENTICATION > RADIUS Settings, users can perform authentication through Captive Portal or VPN Portal using RADIUS. You can also add users and groups in the settings and then create user-specific or group-specific policies with Cloud Edge. For details, refer to the following:

• RADIUS Settings
• RADIUS Authentication
• Configuring RADIUS Settings
• Managing RADIUS Users/Groups
• RADIUS Users and Groups

Support for CLP Mode

UI naming change

The Administration > USER AUTHENTICATION > User Type Settings > has now changed to Administration > USER AUTHENTICATION > Authentication Settings > .

Accessing Cloud Edge On-Premises Console via domain name

Users can access Cloud Edge On-Premises Console by using the website https://setup.cloudedge for Cloud Edge 6.0SP3 or later.

For routing mode, any LAN, WLAN, VLAN and MGMT port can use the domain name to access Cloud Edge On-Premises Console.

For bridge mode, only the MGMT port can access Cloud Edge On-Premises Console.

If the user inputs http://setup.cloudedge, it will be redirected to https://setup.cloudedge.

Support for Distributed Enterprise, new search boxes and scroll bars.

On the Policies > Approved/Blocked Lists > Add > Add URLs > Selected Gateway Groups page.

New search boxes and scroll bars are added under the following widgets and screens:

• On the Gateways page.

• On the Policies > Deploy All page.

• On the Policies > INTERFACE OBJECTS > Interface Groups page.

• On the Policies > Policy Rules > Add > Gateway Groups > Selected Gateway Groups page.

• On the Policies > Approved/Blocked Lists > Add > Add URLs > Selected Gateway Groups page.

• On the Policies > Approved/Blocked Lists > Add > Add FQDNs/IP Addresses > Selected Gateway Groups page.

• On the Analysis & Reports > Reports > Add > Gateway Groups > Specify gateway groups page.

• On the Analysis & Reports > Reports > Summary Report > Add > Gateway Groups > Specify gateway groups page.

Device Categories Requiring Attention widget enhancements

User the newly added search box to search for a Cloud Edge device.

Click the More button to load and view more devices

Specific gateway selection for raw log query

On the following pages, if there are more than 20 gateways, you need to select a specific gateway name to query a raw log.

• On the Analysis & Reports > Log Analysis > Policy Enforcement page.

• On the Analysis & Reports > Log Analysis > Internet Security page.

UserID Sync changes

The following changes occur for the General Settings and LDAP settings under Gateway:

• The Gateways > (Selected Gateway) > END USER MANAGEMENT > General Settings page is removed. It is renamed as User Type Settings and is now placed under Administration > USER AUTHENTICATION.

• The Gateways > (Selected Gateway) > END USER MANAGEMENT > LDAP Settings page is removed. It is now placed under Administration > USER AUTHENTICATION.

• On the Administration > USER AUTHENTICATION > LDAP Settings page, after clicking Test LDAP Server Connection, you need to choose a gateway to sync or text.

Enhanced backups and restores

User Type Setting and LDAP setting is at the company level. These settings can now be backed up and restored.

Support for endpoint device and network topology awareness

In addition to scanning endpoint devices for vulnerabilities, you can discover, view, and manage endpoint devices using the Cloud Edge Cloud Console.

• A new Dashboard widget, Device Categories Requiring Attention under the Device Map & Security tab, shows the network topology as well as the amount of endpoint devices with vulnerabilities, Internet security, and policy enforcement

• A new screen, Gateways > (gateway) > Device Recognition > Endpoint Devices, shows a filterable list of endpoint devices, the severity of each endpoint device, and the amount of vulnerabilities on each endpoint device

• Device information and the following vulnerability information about each device are shown by drilling down from the Device Categories Requiring Attention widget or the Endpoint Devices screen:

  • CVE IDs

  • Weak passwords

  • Open ports

• A new screen, Gateways > (gateway) > Device Recognition > General Settings, provides the option for manually initiated or scheduled vulnerability scans, as well as an option to set the recognition mode

• The Polices > Policy Rules screen provides the option to deploy a policy to an endpoint device based on the device category

Support for HTTP/2 and QUIC protocol scanning

• The Policies > Policy Rules screen provides new options for HTTP/2 and QUIC under Content Types

• The Policies > Content Type Objects > Application Groups > Add/Edit Application Group screen provides new options for HTTP/2 and QUIC

• The Gateways > (gateway) > Bandwidth Control > Manage Bandwidth Control Rules screen provides new options for HTTP/2 and QUIC under Traffic Type

• When configured, the following widgets show HTTP/2 and QUIC traffic:

  • Top Blocked Applications

  • Top Allowed Applications

  • Top Applications by Bandwidth

• When configured, the following reports show HTTP/2 and QUIC traffic:

• • Top N Applications Blocked

  • Top N Applications by Bandwidth

• When configured, the Analysis & Reports > Log Analysis > Application Bandwidth and Analysis & Reports > Log Analysis > Policy Enforcement screens show HTTP/2 and QUIC traffic

Features previously only supported on Cloud Edge 50G2 gateways are now supported on all Cloud Edge gateways

• Support for Smart Bypass and Trust Certificate options in HTTPS security policy

• Support for Predictive Machine Learning in Anti-Malware security policy

• Support for Gateway HA groups

Support for Suspicious Objects

• A new screen, Policies > Suspicious Objects, provides an option to retrieve the Suspicious Objects list through Trend Micro Remote Manager from Worry-Free Business Security - Services

• When the option on the Policies > Suspicious Objects screen is enabled:

  • The Policies > Suspicious Objects screen shows the Suspicious Object List

  • The Top Threat Detections widget shows the Suspicious Objects category

• In the Suspicious Object List, you can modify the Block Action that was retrieved from Worry-Free Business Security - Services

• The Polices > User Notifications screen provides a new option for Suspicious Objects Violation under Notification Events

• The Analysis & Reports > Log Analysis > Internet Security screen has an option for Suspicious Objects under Message Type

• Raw log queries on the Analysis & Reports > Log Analysis > Internet Security screen shows the following details:

  • Columns containing the URL, server IP, and domain of the blocked suspicious object

  • A Detail column containing the URL, IP address, or domain that matched the suspicious object

• Under Internet Security reports on the Analysis & Reports > Reports > Report Information screen, the following new reports are available:

  • Top N Users Detected by Suspicious Objects

  • Top N Groups Detected by Suspicious Objects

Support for automatic rollback of an update when issues are encountered during a product update

Cloud Edge automatically rolls back product updates when encountering issues during the update process

Support for Smart Bypass and Trust Certificate Options in HTTPS Security Policy

When configuring HTTPS security policies, you can enable or disable Smart Bypass and Trust Certificate options.

• Smart Bypass: If enabled and the gateway is unable to decrypt SSL traffic on the first visit, on subsequent visits, the gateway will bypass decryption.

• Trust Certificate: If enabled, the Cloud Edge gateway automatically trusts server certificates that are not from a trusted certificate authority when connecting to secured websites.

Support for Predictive Machine Learning in Anti-Malware Security Policy

Starting with Cloud Edge 6.0 SP1, when configuring Anti-Malware security profiles, you can enable Predictive Machine Learning, which provides advanced scanning for web traffic.

• A new message type, Web Predictive Machine Learning, is provided to track detections by the Predictive Machine Learning scan.

  This message type is displayed in the Top Threat Detections widget in the Dashboard.

• A new user notification, Web Predictive Machine Learning, is provided to send to users when malware is detected by the Predictive Machine Learning scan.

• Two new reports are provided:

  • Top N User Detected by Web Predictive Machine Learning

  • Top N Group Detected by Web Predictive Machine Learning

• The new message type in the security log will be included as a statistic in the following reports:

  • Malware Spyware Detection Trend

  • Top N Users Detected by Malware

  • Top N Groups Detected by Malware

  • Top N Infected Malware File Detections

  • Infected Malware File Detections by Date

• The Predictive Machine Learning detection message type security log will be a statistic in the Malware Detection Web item for the summary report.

Enhancements to Account Security

The following enhancements have been made to account security:

• Account lock feature enhancement

  Currently, if a user tries to log in with the incorrect password three successive times within an hour, the user must enter Captcha code to ensure that a real person is attempting to log in.

  With the account lock feature enhancement, if a user tries to log in with the incorrect password ten successive times within four hours, the account will be locked for four hours. If the count of failed log-in attempts does not reach ten after four hours from the first failed attempt, the count will be reset to zero. Also, the count will be reset to zero with a successful log in.

• Enhanced password change security

  Under the Accounts Management screen, you cannot edit the account of the logged in user. You must go to the Change User Profile screen to edit the logged in user's profile. In this screen, you must supply the current password before you can change the password.

• Enhanced password policy

  The password must be at least 8 characters and must contain at least one uppercase letter, one lowercase letter, and one number, and can optionally contain special characters.

Support for Gateway HA Groups

You can configure two registered gateways as an HA Group to provide high availability access. If one gateway is down, then the other gateway will take over and ensure that the network traffic is not down. An HA Group can increase network traffic efficiency in addition to providing redundancy when a fatal error is encountered.

High Availability Status Widget

Adds the new widget High Availability Status to monitor status of HA Groups.