We've been working hard on making 9.2 the best version of Untangle yet.
I wanted to create this thread to tell you about some of the high-level changes being made in 9.2, as well as some of the gotchas to look out for, and some of the stuff going on behind the scenes.
Here are some of the high-level changes to be aware of when moving to 9.2:
- Application Control
Application Control is a new app that is an awesome tool to help identify and control traffic, protocols, and applications running on your network.
Application Control will be a part of the premium package, so we're thrilled to announce that after 9.2 all of our current
Premium Package subscribers will get Application Control at no additional cost. Thank you for supporting Untangle!
Be aware that Application Control does scan and classify all traffic, so it uses a lot of CPU. If your server is already overworked as it is, I would no add this into the mix until you have everything stable on 9.2
- IPsec VPN
We're happy to announce that we're adding this app to the Standard Package. All standard package subscribers will have access to IPsec in 9.2 at no additional cost.
Again, thanks to our standard package subscribers for support Untangle.
- Protocol Control
It has now been renamed to Application Control Lite. There are no other changes.
In 9.2 we did a real world performance analysis that focused on large sites, mostly schools, with large servers (4 or more cores, 4 or more gigs RAM).
There are many improvements in 9.2 and testing has shown that it performs far better in real-world data sets than 9.1 and prior.
Huge thanks to all those sites that participated in the performance analysis study!
We made a large set of changes which have help immensely.
We changed the memory and garbage collector parameteres.
We avoided and removed the use of certain expensive system calls.
We changed/optimized the DB event table processing.
We changed/optimized several of the expensive apps like Virus Blocker(s) and Web Cache
- Source Interface matchers
Source Interface matchers in port forwards, bypass rules, and packet filter rules (anything in config->networking basically) in 9.1 and prior do not function properly.
A matcher with External checked matches External, DMZ, Interface 5, Interface 7, etc.
A matcher with Internal checked matches Internal, Interface 4, Interface 6, etc.
A matcher with DMZ checked, matches Interface 6, Interface 14, etc. (but not DMZ)
A matcher with External and Internal checked matches DMZ (but not External or Internal)
This has been fixed in 9.2. Be aware that theoretically you could construct rules which should not function in 9.1 and prior but do, and they will function correctly (but not as you want) in 9.2 and after.
If you have custom port forwards, bypass rules, or packet filter rules that rely on source interface matchers I would examine them closely to make sure they are logically correct.
Also in 9.2 the checkboxes are now radio buttons so only one may be selected because matching multiple interfaces never worked and should not be allowed in these rules.
Despite working correctly in 9.2 it is still my advice to not use Source Interface matchers. Unless used correctly, they add little value but very real complications and confusion.
- WAN Failover
WAN Failover has a new implementation and new status screens, and many bugfixes.
- Event Logs
Event logs have a major cleanup. There is now a "Full Refresh" to force events to the DB, and all events should appear immediately after a full refresh. There is now an "export" ability to export to CSV files.
Event logs that did not function properly were fixed (Spam Blocker, WAN Failover, etc)
- Architectural changes
In line with our recent work, we continue to simply and consolidate the underlying implementation of Untangle and the apps.
We continue to move settings out of the postgres DB to files. This is both simpler and more efficient, but it also allows us to
work towards "Command Center" functionality where you can standard on app settings and push them around to different servers from a central location.
In 9.3 we will continue this work and explore similar efforts for the networking implementation for that eventual migration (and move to full support of IPv6).
Also, we'll be moving to extjs 4.0, which should pave the way for some nice new features in the UI as well.
- Rollout changes
We are going to be doing a different roll-out schedule this time. Usually we switch the default download approximately half way through the upgrades being available to everyone (which we do gradually). This time we will make the default download 9.2 much earlier and do a slower roll-out. This will give us more time to incorporate changes from the performance study being conducted described above into newer builds.
- Untangle NG Firewall
- Untangle IC Control
- Help Me Decide