Table of Contents

N2OS 22.0.0
Highlights
Base OS
Integrations
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Update Path Recommendation

N2OS 21.9.0
Highlights
Base OS
Protocols
Integrations
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Update Path Recommendation

N2OS 21.8.0
Highlights
Base OS
Protocols
Integrations
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Update Path Recommendation

N2OS 21.7.0
Highlights
Protocols
Integrations
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Update Path Recommendation

N2OS 21.6.0
Highlights
Base OS
Protocols
Resolved issues
Update Path Recommendation

N2OS 21.5.0
Highlights
Protocols
Resolved issues
Update Path Recommendation

N2OS 21.4.0
Highlights
Base OS
Protocols
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Upgrade Path Recommendation

N2OS 21.3.0
Highlights
Base OS
Protocols
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Upgrade remarks

N2OS 21.2.0
Highlights
Base OS
Protocols
CMC and AAA
Contents and detection
Resolved issues
Security fixes
Upgrade remarks

N2OS 21.1.2
Base OS
Resolved issues
Security fixes
Upgrade remarks

N2OS 21.1.1
Resolved issues
Upgrade remarks

N2OS 21.1.0
Highlights
Protocols
CMC and AAA
Contents and detection
Base OS
Resolved issues
Security fixes
Upgrade remarks

N2OS 21.0.1
Contents and detection
Base OS
Resolved issues
Upgrade remarks

N2OS 21.0.0
Highlights
Protocols
CMC and AAA
Contents and detection
Base OS
Resolved issues
Security fixes
Upgrade remarks

N2OS 20.0.7.7
CMC and AAA
Base OS
Resolved issues
Security fixes
Upgrade remarks
N2OS 22.0.0

Highlights
• Improved the alert and trace retention mechanisms by adding advanced retention options.
• Smart Polling now detects Log4J on Windows and Unix machines.
• Port scan incidents can now be configured in terms of the minimum alerts to be triggered and the
maximum time interval for the detection.
• Support for Mitsubishi Q Series, iQ-R Series, GOT1000 Series, GOT2000 Series in Smart Polling.
• Guardian can now import SNMP MIBs through the GUI.
• Added Content Pack functionality. The user can now export a single file containing groups of
Reports and Queries, and then import it on another machine, resulting in the same items appearing
in the target system.
• Added the advertised header length and the actual length to the UDP low layer validation alert.
• Improved Guardian's reliability when generating traces for alerts triggered by packet rules.
• Restructured the UX/UI of the administration pages, as well as updating the tab navigation inside all
the pages of the web application.
• Fixed minor consistency issues in the ordering of the Links and Sessions table columns.
• Improved the S7 Smart Polling strategy.
• The N2OS SDK User Manual now correctly lists the value field of node_points table as
deprecated; instead of this deprecated field, please use the content field.

Base OS
• Improved the audit log by adding Zone Configuration activities.
• The remote collector may now run within a Docker instance on the ARM64 architecture. This
allows for greater flexibility in deployments and unique orchestration for users deploying the remote
collector. To utilize this platform, there is a new entry in the support portal called "Remote Collector
Container for ARM64". For building details, licensing, pairing with Guardian, and insights into the full
utilization of the remote collector on Docker, please see the N2OS User Manual.
• Improved syntax checking for the CLI. The new CLI command `find_cmd` lets users search the list
of available commands.
• Added is_from_public and is_to_public fields to Session.

Integrations
• Improved the in-product documentation for the ServiceNow data integration.
• Added `traces` and `continuous traces` retention sections in GUI.
• Improved the serialization of information concerning sessions being killed by firewall integrations.
• The N2OS User Manual now calls out the features that require Guardian to be in protecting/strict
mode.

CMC and AAA


• Improved nodes merging. For each node, the CMC provides a list of appliances from which it
receives the node data.
• Improved RBAC granularity: added new options to view and make changes in the Threat
Intelligence section; also added an option to view in the Audit section.
• Added a new RBAC permission that restricts API queries to specific tables. RBAC for the "Query
and Export" permission has been extended to consider "View" permissions. Previously, if the
"Query and Export" permission was enabled, users could query any API endpoint. Now, users can
only query API endpoints they have permission to "View". This applies to the following: Assets,
Vulnerabilities, Trace requests, Link events, Captured urls, Alerts, Process, Appliances, Threat
Intelligence, Sessions, Reports, and Health information. This new permission is granted retroactively
to users who previously had access via the broader permission. If the user had "Query and
export" permission before, the new permission and the rest of the "View" permissions are enabled
automatically. This ensures backwards compatibility without providing access to data that
was previously unavailable.
• CMCs and Guardians now properly handle the Retry-After response received from Vantage. As a
result of such responses, the synchronization process is paused until Vantage becomes available
once again.
• The N2OS User Manual now provides configuration instructions for HA.

Contents and detection


• N2OS now supports defragmented payloads for HTTP packet rules.
• N2OS now supports passive detection of Schneider/APC PDUs.
• Smart Polling now supports Schneider PDU active detection.
• Improved the VA vulnerabilities recalculation performance.
• Improved packet rules documentation by expanding upon the syntax and semantics of packet rules.
Please see the N2OS User Manual.

Resolved issues
• N2OS-8026 - Fixed an issue that prevented Guardian from deleting the CPEs of deleted nodes.
• N2OS-11071 - Fixed a regression in the SNMPV3 SP strategy where password fields were grayed
out.
• N2OS-10871 - Smart Polling is no longer installed in connected appliances if their Relative Version
Locked option is enabled.
• N2OS-10977 - Fixed an issue that prevented execution of the n2os-diskfull-emergency script.
• N2OS-10976 - Fixed an issue that caused the health logs to be exported as an empty Excel or CSV
file.
• N2OS-11012 - Fixed an issue that could cause time synchronization issues on appliances running
on Hyper-V.
• N2OS-11014 - Fixed an issue that prevented scheduled local backups from being created.
• N2OS-11142 - Fixed an issue that prevented the download of locally stored backups.
• N2OS-11082 - Fixed an issue that prevented the download of the support archive in the container
edition.
• N2OS-10958 - Fixed an issue in which graph icons could sometimes appear with an anomalous
border.
• N2OS-10082 - Fixed an issue that caused an empty path request to raise a false positive alert for
EthernetIP.
• N2OS-10980 - Fixed an incorrect query example in the N2OS User Manual. The arrays example
now correctly includes expand parents.

Security fixes
• During login, if matching against the gid number does not produce any result, LDAP login is now
performed case-insensitively.
• Fixed a security issue concerning the asset project upload function (CVE-2022-0551).
• Fixed a security issue concerning the upload logo function in reports (CVE-2022-0550).
• Updated the version of FreeBSD to resolve CVE-2021-29632.
Update Path Recommendation


If you are on a release older than 19.0.11 (version support has ended)
• 19.x > 20.0.0 > 20.0.7.7 > 21.9.0 > 22.0.0
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.9.0 > 22.0.0

If you are on a 21.x:


• 21.x > 21.9.0 > 22.0.0

20.0.0 update remarks


• If upgrading from a version < 18.5.9 see update remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
a SSH key using the WebGUI in order to be able to login. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before update execution. As a rule of thumb, check that
the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact check,
use the n2os-db-stats command to gather the database size and check that the free space on
disk is bigger than the sum of all the tables. The update process can take a long time, depending on
the amount of data and the complexity of the system, but it generally takes less than a few minutes.
• To update a Docker container edition a manual database dump is mandatory:

docker exec -d <CID> \
  bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-updatev"

Where <CID> is the container id of your current running container. After the dump completes, stop
the old container and start the new one.
• To restore a backup made from a version < 19.0.5, perform the restore process in a version < 20.0.0,
then execute the update.
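
A pre-update check for the free-space and database-dump steps above, as an added example that is not part of the Nozomi release notes. The function names are hypothetical, 5GB is taken as 5 GiB, and the dump check assumes pg_dump's default plain-text format, which ends with a "PostgreSQL database dump complete" comment. Because `docker exec -d` runs detached and the pipeline's exit status is that of gzip, a failed pg_dump can still leave a valid but partial gzip file, so the dump is checked for both gzip integrity and the completion marker before the old container is stopped.

```shell
#!/bin/sh
# Added example: pre-update checks for the 20.0.0 update remarks.
# Function names are hypothetical; the thresholds come from the release notes.

MIN_FREE_PCT=15                      # "at least 15% of free disk space"
MIN_FREE_KB=$((5 * 1024 * 1024))     # "or at least 5GB free", expressed in KiB

# has_enough_space TOTAL_KB FREE_KB
# Returns 0 when either half of the rule of thumb is satisfied.
has_enough_space() {
    total_kb=$1
    free_kb=$2
    [ "$total_kb" -gt 0 ] 2>/dev/null || return 2
    # Integer maths: free/total >= 15%  <=>  free*100 >= total*15
    if [ $((free_kb * 100)) -ge $((total_kb * MIN_FREE_PCT)) ]; then
        return 0
    fi
    [ "$free_kb" -ge "$MIN_FREE_KB" ]
}

# check_mount PATH
# Applies the rule of thumb to the file system that holds PATH.
check_mount() {
    # df -Pk: POSIX output in 1024-byte blocks; line 2 holds total and available.
    out=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $2, $4}')
    [ -n "$out" ] || return 2
    has_enough_space "${out% *}" "${out#* }"
}

# dump_is_complete FILE
# Returns 0 only if FILE is an intact gzip stream AND the plain-text pg_dump
# inside it reached its completion marker.
dump_is_complete() {
    [ -s "$1" ] || return 1                  # missing or empty file
    gzip -t "$1" 2>/dev/null || return 1     # truncated or corrupt gzip stream
    gzip -dc "$1" | tail -n 10 | grep -q 'PostgreSQL database dump complete'
}

# make_samples DIR
# Writes three constructed sample dumps for trying dump_is_complete.
make_samples() {
    # Complete dump: ends with the pg_dump completion comment.
    printf '%s\n' '-- PostgreSQL database dump' 'CREATE TABLE t (id int);' \
        '--' '-- PostgreSQL database dump complete' '--' \
        | gzip -9 > "$1/good.gz"
    # pg_dump failed part-way, but gzip still closed its stream cleanly.
    printf '%s\n' '-- PostgreSQL database dump' 'CREATE TABLE t (id int);' \
        | gzip -9 > "$1/partial.gz"
    # The container was stopped while gzip was still writing.
    head -c 20 "$1/good.gz" > "$1/truncated.gz"
}

# Usage: sh precheck.sh --check <data mount point> <path to dump file>
if [ "${1:-}" = "--check" ]; then
    check_mount "$2" || { echo "not enough free space on $2" >&2; exit 1; }
    dump_is_complete "$3" || { echo "dump $3 is incomplete" >&2; exit 1; }
    echo "ok: free space and database dump look good"
fi
```
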
N2OS 21.9.0

Highlights
• Guardian now shows detailed information in alerts that result from failed assertions.
• Guardian now provides a health section dedicated to Smart Polling that lets you inspect the state of
the threads used to poll the nodes.
• Smart Polling now offers a "one-shot execution" option, which lets users manually trigger the
execution of a plan.
• Added day_hour and day_hour_utc functions to queries.
• The System > Data menu has been extended and refreshed.
• Smart Polling now displays the execution history for plans. To view the information extracted for
each node in the scope of specific executions, expand the plan's history.
• Fixed icon visibility issues in the graph.
• Smart Polling now lets users download a trace containing the traffic of the connection check.
• Improved the efficiency and reliability of inter-process communication for Remote Collectors.
• Documented the column_colored_by_label option for the select command in queries. Please see
the N2OS User Manual for details.

Base OS
• Improved the resiliency of database migrations in order to automatically recover after errors related
to previous partial migrations.
• Improved asset synchronization performance for large scenarios.
• Guardian now performs bulk actions on nodes and links (such as deletion or learning)
asynchronously, thus allowing the user to perform other actions while the bulk action is in progress.
• The Remote Collector container version can now be installed on Cisco Catalyst 9300 systems. For
details, see the N2OS User Manual.
• The N2OS User Manual now describes HTTPS protocol compatibility.

Protocols
• Guardian now supports the ONVIF (Open Network Video Interface Forum) protocol.
• Guardian now alerts about TCP packets with incorrect option lengths.
• You can now disable file extraction for the SMB protocol. For details, see the N2OS User Manual.
• Improved support for Modbus traffic on ports other than TCP/502. Use the standard
`probe protocol modbus ports tcp/xxxx` command (where xxxx is your port number) to enable the
detection of Modbus on a custom port.
• Guardian no longer uses disabled protocols when tagging sessions.

Integrations
• Added support for Cisco ISE as a Data Integration option, which lets users of the pxGrid WS
STOMP API create assets in ISE that are based on N2OS nodes with confirmed MAC addresses.
• Improved Data Integration to support retrieving data from Microsoft Endpoint Configuration
Manager.
CMC and AAA


• Improved CMC Synchronization settings to allow for selective synchronization.
• Improved the description of ssh_key_update interval configuration in the N2OS User Manual.

Contents and detection


• Guardian now generates CPEs for the VxWorks operating system based on data transmitted
through the FTP protocol.
• Improved support for MITRE ATT&CK techniques references from STIX indicators.
• The N2OS User Manual now documents the CVE resolution options. For details see the
Vulnerabilities section of the manual.

Resolved issues
• N2OS-10792 - Fixed an issue related to the migration of zone names that contain spaces.
• N2OS-10799 - Fixed an issue that prevented asset deletion when using the bulk learning delete
feature in a Guardian.
• N2OS-10859 - Fixed an issue in the zone filters page. N2OS now shows zones correctly even when the
logged-in user belongs to a group having one of the default zones as filter.
• N2OS-10034 - Fixed an issue that could occur with filters on asset bulk actions.
• N2OS-10673 - Fixed an issue with dates in custom queries used in Microsoft Excel and CSV
reports.
• N2OS-10539 - Fixed an issue in queries against the appliances table. Previously, such queries
could return appliances that had been removed from the CMC when the appliances were managed
by other appliances.
• N2OS-10804 - Improved IDS resilience so that it can start despite issues with files in the /data/
cfg/connections folder.
• N2OS-10940 - Fixed an issue that caused false positive Network Malformed Detection alerts when
they were raised by UDP traffic validation.
• N2OS-10771 - Fixed an issue that caused false positive SIGN:OUTBOUND-CONNECTIONS alerts
in Guardian.
• N2OS-10492 - Added from_zone and to_zone, which were previously missing from sessions
after n2osids restart.
• N2OS-10927 - Fixed a rendering issue that could occur in two report widgets when they were
imported from a previous version.
• N2OS-10959 - Fixed an issue that prevented the Alert graph from rendering under some
circumstances.
• N2OS-10765 - Fixed an issue that caused alerts to display a Guardian's previous name after the
Guardian had been renamed.
• N2OS-10743 - Made detection of Parallel Redundancy Protocol (PRP) more robust.

Security fixes
• The Remote Collector data channel now uses only FIPS-compliant algorithms.
• Updated a dependency to address CVE-2021-43809.
• Updated the version of the PostgreSQL database server to resolve CVE-2021-3677, CVE-2021-23214,
and CVE-2021-23222.
• Updated the version of NGINX web server to resolve CVE-2021-23017.
• Updated Ruby to resolve CVE-2021-41817 and CVE-2021-41819.
Update Path Recommendation


If you are on a release older than 18.5.9 (version support has ended)
• 18.x > 18.5.9 > 19.0.10 > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 19.x release:


• 19.x > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.x

If you are on a 21.x:


• 21.x > 21.9.0

20.0.0 update remarks


• If upgrading from a version < 18.5.9 see update remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
a SSH key using the WebGUI in order to be able to login. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before update execution. As a rule of thumb, check that
the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact check,
use the n2os-db-stats command to gather the database size and check that the free space on
disk is bigger than the sum of all the tables. The update process can take a long time, depending on
the amount of data and the complexity of the system, but it generally takes less than a few minutes.
• To update a Docker container edition a manual database dump is mandatory:

docker exec -d <CID> \
  bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-updatev"

Where <CID> is the container id of your current running container. After the dump completes, stop
the old container and start the new one.
• To restore a backup made from a version < 19.0.5, perform the restore process in a version < 20.0.0,
then execute the update.
N2OS 21.8.0

Highlights
• Smart Polling now supports the Siemens S7 protocol.
• Smart Polling can now poll GE Fanuc, Cognex, and Siemens Siprotec devices that offer an HTTP or
HTTPS service.
• Added a queryable field "is_ai_enriched" to the asset table; use it to see which assets have
been enriched by Asset Intelligence.
• Asset types can now be imported into a CMC and propagated to its appliances. You can configure
a policy that determines whether the asset types that are displayed are defined locally on the
appliance or on the CMC.
• You can now customize a report's query sources with more restrictive filters.
• Added a "description" column with more details about each data source in the result of the query
command "help".
• Updated the Asset Intelligence enrichment widget to improve its accuracy. The three states are
now: not active, asset not matched, and enriched asset.
• CMC now reports the correct state of traces, giving more accurate indications about deletion or
potential problems.
• In the Appliances page, improved "last received packet" error handling for Remote Collectors, so that
"Certificate Exchange Status error" is no longer shown for plain communication errors.
• Failing assertions involving the node_points query source now include the related node id.
• Added path information to alert details in cases of multiple unsuccessful login and access denied.
• Smart Polling can now obtain more accurate data about installed hotfixes from Windows XP
machines.
• Added explanations to the User Manual on how to query complex table fields.
• The user manual's "Queries" chapter now describes the -> operator, which changes a column's
name in the query results.

Base OS
• You can now upload Asset Intelligence contents manually. To download the contents, visit the
Support Portal.
• Nozomi Networks Guardian now supports deployment in an AWS environment and can process traffic
coming from Remote Collectors.
• Optimized the Time Machine resource usage over time by introducing a self-kill timeout for
snapshots that are not accessed for longer than two minutes.
• Improved IDS handling of nodes with confirmed MAC address via ARP by merging them into the
same asset.
• You can now paste content into the Web CLI (note: this feature is browser-dependent; at the
moment, only Chrome supports it). The CLI help command was also improved.
• The backup file name now contains the N2OS version that generated it.
• Fixed an issue that prevented OS info from being propagated from nodes to assets when the asset
contained multiple nodes.
• The user manual now describes (where applicable) n2os configurations as CLI configurations
instead of as manual edits of the configuration file.

Protocols
• Improved support for Emerson Ovation protocols.
• Guardian can now extract asset information about Cognex DataMan scanners from the HTTP
protocol.
• You can now configure the extraction of variables for individual zones.
• Improved the detection of the GE EGD protocol.
• Improved the accuracy of statistics about malformed traffic.

Integrations
• Added a new Data Integration that enables exporting traces to an External Storage.
• We have created a new Palo Alto Networks integration specifically for PAN-OS v10.0+.

CMC and AAA


• The system can now correctly handle the authentication of LDAP users by considering the groups
the user belongs to, rather than assuming that the group is part of the Distinguished Name
representing the username. To benefit from this change for a given user you need to re-import
the group associated with that LDAP user (Administration / Users / Groups / Import
from LDAP server) and the LDAP server needs to support the gidnumber information.
• The system can now handle Active Directory users belonging to multiple AD groups. Since the
association between users and their groups is performed during the login, to see the newly
downloaded groups for a given user, you have to logout and login again.
• Refined the pace at which appliances ask for updates from upstream (CMC or Vantage) in order to
reduce unnecessary server side load.

Contents and detection


• Added CPEs support for more Schneider Electric Bacnet devices.
• Added "Product lifecycle status" information to assets.
• Guardian now detects the vendor and produces CPEs for more BACnet devices.
• Improved the precision of matching for Asset Intelligence content on Guardian.
• Added more detailed documentation about Asset Intelligence. Please see Chapter 10 "Asset
Intelligence" in the User Manual.

Resolved issues
• N2OS-10362 - Reduced the memory used for the installation of the Threat Intelligence contents.
• N2OS-10678 - Fixed an issue in the Remote Collector container version that caused n2os-tui to
insert an incorrect sync token.
• N2OS-10753 - Fixed an issue that affected the zone deletion propagation upstream.
• N2OS-10680 - Fixed a validation issue regarding the port range in alert configuration with pre-
populated fields.
• N2OS-10528 - Fixed two issues in the Data Integration section:
  • An issue with the DNS data integration that could generate too many reverse DNS requests.
    To fix this, the retention time associated with already sent items now considers the use of
    pagination, which is implemented in the DNS data integration.
  • An issue that caused already sent items not to be deleted from the database in cases of long-
    running data integration tasks, which in turn caused the data_integration_endpoint_statuses
    table to grow.
• N2OS-10643 - Fixed an issue that caused a CMC that was no longer available to still be displayed
with Green health status on the HA CMC; now, such CMCs are listed as Unreachable.
• N2OS-10785 - Improved the validation of matching segments when creating a zone configuration.
• N2OS-10566 - Fixed an issue that caused some incidents to reappear in Guardian after a data
reset.
• N2OS-10599 - Obsolete variables values are now shown as an empty field instead of nan.
• N2OS-10614 - Fixed an issue that set an ancient hostname after the n2os-fullfactoryreset instead of
using the default "nozomi-n2os.local".
• N2OS-10681 - Fixed an issue that caused false positive SIGN:WEAK-PASSWORD alerts from the
MySQL protocol.
• N2OS-10297 - Fixed an issue that caused Guardian to repeatedly produce "VI:NEW-PROTOCOL"
and "VI:NEW-PROTOCOL-CONFIRMED" alerts.
• N2OS-10520 - Fixed an issue in Smart Polling that caused the SSH strategy to create an incorrect
node label when a command error occurs.
• N2OS-10565 - Fixed an issue that caused Guardian to show incorrect node data about CPU, RAM,
disk, and antivirus state coming from Smart Polling.

Security fixes
• Updated json-schema dependency to resolve CVE-2021-3918.
• Updated FreeBSD base system to version 12.2-p11.

Update Path Recommendation


If you are on a release older than 18.5.9 (version support has ended)
• 18.x > 18.5.9 > 19.0.10 > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 19.x release:


• 19.x > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.x

If you are on a 21.x:


• 21.x > 21.8.0

20.0.0 update remarks


• If upgrading from a version < 18.5.9 see update remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
an SSH key using the WebGUI in order to be able to log in. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before update execution. As a rule of thumb, check that
the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact check,
use the n2os-db-stats command to gather the database size and check that the free space on
disk is bigger than the sum of all the tables. The update process can take a long time, depending on
the amount of data and the complexity of the system, but it generally takes less than a few minutes.
• To update a Docker container edition, a manual database dump is mandatory:

docker exec -d <CID> \
    bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-updatev"

Where <CID> is the container ID of your currently running container. After dump execution, stop the old
container and start the new one.
• To restore a backup made from a version < 19.0.5, perform restore process in a version < 20.0.0,
then execute update.

N2OS 21.7.0

Highlights
• Added the ability to provide a label for each network interface. The label is shown instead of the
interface name in every section of user interface.
• Guardian now supports the ability to configure alerts with IPv6 addresses.
• Alerts can now be muted based on the destination port ranges of the victims.
• The trace engine is now able to produce traces for alerts with an empty BPF filter. The trace
contains at least the packet that triggered the alert.
• The Smart Polling Polled Nodes page now shows new node points only if their value changes, so
that only useful information remains on the page. In addition, the Polled Nodes page now allows
the user to filter by node ID and provides a paginated display, improving the responsiveness of the
page.
• Improved graph drawing with two main features:
  • Reduced oscillations while the graph converges to a stable position.
  • Links are drawn as smooth curves instead of as broken lines.
• Removed Microsoft Internet Explorer 11 from the supported browsers; the complete list of
supported web browsers can be found in the user manual.
• The smb client has been rolled back to the previous version v0.33 for the sake of compatibility.
• Added clarification about SMB backup compatibility limitations.
• The SIGN:NETWORK-SCAN alerts can now be tuned to disable port scan detection for given port
ranges.

Protocols
• Improved file extraction capabilities in the SMB protocol.
• Improved MQTT support:
  • Publisher, Subscriber, and Broker roles are detected (node properties).
  • All message types are mapped to function codes.
  • The published data is available as variable data.
• Improved the asset inventory functionality of the GE SRTP protocol.
• Flooding alerts are now raised for duplicated packets.

Integrations
• By default, only Open API methods that change appliance data are recorded in the audit files. You
can now configure read operations to produce audit logs as well, via the following CLI command:

conf.user configure open_api audit get enabled true
• The Stormshield SNS firewall integration now supports certificate-based authentication.
• The TrendMicro firewall integration name changed from "TXOne EdgeIPS" to "TXOne OT Defense
Console".
• The Syslog (CEF) integration now supports TLS encryption.

CMC and AAA


• Zones can now be configured and controlled by the CMC and can be propagated down to the
Guardian deployment. Zone conflicts can be resolved through an execution policy that is specified
in the CMC.
• Now all roles described in the SAML response are used and mapped to the defined user groups on
Guardian/CMC side.

Contents and detection


• Improved CPEs generation for devices that use the Modbus protocol.
• Improved generation of CPE for Siemens S7 devices.

Resolved issues
• N2OS-5362: Fixed an issue in Smart Polling that caused non-ASCII characters to be rendered
incorrectly for node points generated by WMI.
• N2OS-7714: Fixed an issue that prevented users from saving an assertion in a different group than
the one selected on the page.
• N2OS-9512: Fixed an issue that prevented some alerts from showing the zone of the related nodes.
• N2OS-9542: Fixed an issue that prevented the Time Machine Diff table from filtering "false" values.
• N2OS-10114: Restructured errors/logs of Scheduled Backups feature.
• N2OS-10277: Smart Polling now overwrites the operating system information for Linux systems if its
data is more accurate than passive detection.
• N2OS-10292: Fixed an intermittent issue that caused a process to hang during chart building for
reports.
• N2OS-10295: Fixed an issue that caused a CMC to transform into Guardian after a full factory
reset.
• N2OS-10411: Fixed a UI defect that caused a visibility issue in incident details that occurred after
opening a nested alert detail.
• N2OS-10453: Fixed an issue that prevented users from modifying the Note field of alert rules.
• N2OS-10481: Improved "migration issues" banner resilience to malformed logs.
• N2OS-10600: Fixed an issue that prevented the synchronization of some information between a
CMC and the HA CMC.

Security fixes
• Updated a dependency of the Report engine in order to resolve CVE-2021-3820.

Update Path Recommendation


If you are on a release older than 18.5.9 (version support has ended)
• 18.x > 18.5.9 > 19.0.10 > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 19.x release:


• 19.x > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.x

If you are on a 21.x:


• 21.x > 21.7.0

20.0.0 update remarks


• If upgrading from a version < 18.5.9 see update remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
an SSH key using the WebGUI in order to be able to log in. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before update execution. As a rule of thumb, check that
the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact check,
use the n2os-db-stats command to gather the database size and check that the free space on
disk is bigger than the sum of all the tables. The update process can take a long time, depending on
the amount of data and the complexity of the system, but it generally takes less than a few minutes.
• To update a Docker container edition, a manual database dump is mandatory:

docker exec -d <CID> \
    bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-updatev"

Where <CID> is the container ID of your currently running container. After dump execution, stop the old
container and start the new one.
• To restore a backup made from a version < 19.0.5, perform restore process in a version < 20.0.0,
then execute update.

N2OS 21.6.0

Highlights
• Improved Guardian's detection of Windows Server 2019.
• Throughput information for each connected remote collector is now available from the Guardian's
appliance tab.
• Guardian now detects SIMATIC program uploads and downloads.
• Health status is now set to Poor when an RC has not transmitted packets for 24 hours.
• The Health menu in the CMC now contains the network element limits, as is also shown in
Guardian. The menu is also available when focusing on a single appliance in Multi-context mode.

Base OS
• Improved handling of attempts to update between incompatible N2OS versions:
  • Prevent update if the N2OS version is older than the one that is running. This applies to every
    type of version: major, minor, and patch; e.g. trying to install 20.0.7.7 on a running 21.6.0, or
    21.5.0 on 21.6.0, or 21.6.9 on 21.6.10.
  • Prevent update if the N2OS version is more than one major version different than the one that is
    running; e.g. trying to install 21.0.0 on a running 19.0.12.

Protocols
• Improved support for S7+ variables.
• Improved support for the melsoft protocol.

Resolved issues
• N2OS-8212: Fixed an issue in appliances with Smart Polling that prevented the user from choosing
whether an alert generated by a failing assertion was an operational alert or a security one.
• N2OS-9761: You can now set several formatting options for the labels deduced from live traffic.
Refer to the user manual "Configuring nodes" section for details.
• N2OS-10244: Fixed an issue that caused CVEs to be assigned incorrectly to nodes.
• N2OS-10298: Fixed an issue that prevented CVEs, installed software, and alerts from being
properly listed on all-in-one CMCs.
• N2OS-10302: Improved detection of ROC/ROC+ packets.
• N2OS-10303: Improved the resilience of the internal processes when Guardians have Remote
Collectors connected.
• N2OS-10393: Fixed an issue related to setting decimal values in the traffic shaping directive.

Update Path Recommendation


If you are on a release older than 18.5.9 (version support has ended)
• 18.x > 18.5.9 > 19.0.10 > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 19.x release:


• 19.x > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.x

If you are on a 21.x:


• 21.x > 21.6.0
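
The two update guards introduced in 21.6.0 and the recommended update path above can be checked before an update package is staged. The following is an added example, not Nozomi Networks code; the function names and the waypoint table layout are assumptions, and a target equal to the running version is allowed because these notes only forbid older versions.

```python
"""Pre-flight check for an N2OS update (added example, not vendor code)."""

# Intermediate releases named in the "Update Path Recommendation" lists.
# Each entry: (waypoint, it applies only while the running major is below this).
WAYPOINTS = [
    ("18.5.9", 19),
    ("19.0.10", 19),   # listed only on the path that starts from 18.x
    ("20.0.0", 21),
    ("20.0.7.7", 21),
]


def parse_version(text):
    """Turn '20.0.7.7' into (20, 0, 7, 7), padding to four numeric fields."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an N2OS-style version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def check_update(running, candidate):
    """Apply the two 21.6.0 guards; return (allowed, reason)."""
    run, cand = parse_version(running), parse_version(candidate)
    # Guard 1: never install something older (major, minor, or patch).
    # Comparing integer tuples makes 21.6.9 older than 21.6.10, which a
    # plain string comparison would get wrong.
    if cand < run:
        return False, f"{candidate} is older than running {running}"
    # Guard 2: do not jump more than one major version in a single step.
    if cand[0] - run[0] > 1:
        return False, f"{candidate} is more than one major ahead of {running}"
    return True, "ok"


def plan_update_path(running, target):
    """List the releases to install, in order, to get from running to target."""
    run, tgt = parse_version(running), parse_version(target)
    hops = []
    for waypoint, below_major in WAYPOINTS:
        wp = parse_version(waypoint)
        if run[0] < below_major and run < wp < tgt:
            hops.append(waypoint)
    hops.append(target)

    # Every single step must itself pass the 21.6.0 guards.
    previous = running
    for hop in hops:
        allowed, reason = check_update(previous, hop)
        if not allowed:
            raise ValueError(f"step {previous} > {hop} rejected: {reason}")
        previous = hop
    return hops


if __name__ == "__main__":
    for start in ("18.5.4", "19.0.5", "20.0.3", "21.5.0"):
        print(start, ">", " > ".join(plan_update_path(start, "21.6.0")))
```
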

20.0.0 update remarks


• If upgrading from a version < 18.5.9 see update remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
an SSH key using the WebGUI in order to be able to log in. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before update execution. As a rule of thumb, check that
the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact check,
use the n2os-db-stats command to gather the database size and check that the free space on
disk is bigger than the sum of all the tables. The update process can take a long time, depending on
the amount of data and the complexity of the system, but it generally takes less than a few minutes.
• To update a Docker container edition, a manual database dump is mandatory:

docker exec -d <CID> \
    bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-updatev"

Where <CID> is the container ID of your currently running container. After dump execution, stop the old
container and start the new one.
• To restore a backup made from a version < 19.0.5, perform restore process in a version < 20.0.0,
then execute update.

N2OS 21.5.0

Highlights
• Added support for importing Siemens PLC .AML project files.
• Smart Polling now supports RedHat systems via SSH.
• Smart Polling now retrieves partitions and network interfaces more reliably.
• Smart Polling now supports polling SSH servers with unsecure algorithms upon configuration. By
default, unsecure algorithms are rejected.

Protocols
• Added compute_crc16 and compute_crc32 functions to the protocol SDK, refer to the User Manual
for further details.

Resolved issues
• N2OS-10262: Fixed an issue in Smart Polling that prevented the Modicon poll strategy from
successfully polling a Modicon device.
• N2OS-10275: Fixed an issue in which the window used to save an assertion could show duplicate
alert types.
• N2OS-10334: Fixed an issue that caused missing updates to the n2os.conf.user file.
• N2OS-10395: Fixed an issue that prevented Time Machine snapshots from being created.

Update Path Recommendation


If you are on a release older than 18.5.9 (version support has ended)
• 18.x > 18.5.9 > 19.0.10 > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 19.x release:


• 19.x > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see update remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.x

If you are on a 21.x:


• 21.x > 21.5.0

20.0.0 update remarks


• If upgrading from a version < 18.5.9 see update remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
an SSH key using the WebGUI in order to be able to log in. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before update execution. As a rule of thumb, check that
the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact check,
use the n2os-db-stats command to gather the database size and check that the free space on
disk is bigger than the sum of all the tables. The update process can take a long time, depending on
the amount of data and the complexity of the system, but it generally takes less than a few minutes.
• To update a Docker container edition, a manual database dump is mandatory:

docker exec -d <CID> \
    bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-updatev"

Where <CID> is the container ID of your currently running container. After dump execution, stop the old
container and start the new one.
• To restore a backup made from a version < 19.0.5, perform restore process in a version < 20.0.0,
then execute update.

N2OS 21.4.0

Highlights
• You can now configure the thresholds for SIGN:MULTIPLE-UNSUCCESSFUL-LOGIN, SIGN:DDOS
and SIGN:NETWORK-SCAN alerts.
• The audit log now contains an entry with the software versions before and after each update.
• Guardian now attaches additional information to certain alerts such as Multiple unsuccessful logins
and Multiple Access Denied events. This information can be downloaded as a separate file from the
Alert Details page.
• Guardian now distinguishes cases where a requested trace is missing because no packets matched
its filter within the time limit.
• The graph displayed in the alert modal now highlights the links that are in scope.
• If an alert is closed for a second time, you must specify a different reason than was selected the first
time; an alert can no longer be closed a second time with the same reason.
• Added a new "expand_recursive" query operator.
• Introduced new asset types and roles, while deprecating others. To ensure a smooth transition,
deprecated types that were in use are still kept in and are usable by the user.
• Remote Collectors now support the IP Denylist functionality.
• Smart Polling now accurately recognizes Microsoft Windows 2000 installations.
• You can now customize the log level for the Smart Polling service.
For example, to see only ERROR and FATAL messages, add the rule

sp log_level ERROR

to the /data/cfg/n2os.conf.user file and restart the process via "service n2ossp stop" (it will be
restarted automatically).
The possible values are: DEBUG, INFO, WARN, ERROR, FATAL; the default value is INFO.

Base OS
• Improved tracking of IPv4 DHCP devices that are roaming between subnets.
• Added a new optional garbage collector that removes inactive variables; it is disabled by default.
Refer to the "Configuring the Garbage Collector" section of the user manual for more information.
• Now in the event of a failed migration, the Health log captures the event and a yellow warning
banner is visible in the header.
• Added a setting that disables native asset types. Refer to the "Configuring Assets" section of the
User Manual for details.
• Improved the VA notification filter so that it can now filter on an empty field; for example, you can
use the rule

va_notification matching type="" discard

to ignore the vulnerabilities of nodes with unknown type. Refer to the user manual for further
instructions.
• Added a new garbage collector that removes inactive nodes; it is disabled by default. Refer to the
"Configuring the Garbage Collector" section of the user manual for more information.
• Added a new garbage collector that removes inactive links; it is disabled by default. Refer to the
"Configuring the Garbage Collector" section of the user manual for more information.
• When using a VM version of Guardian, Network Elements limits are now tuned to be more inclusive
towards machines with less RAM than expected (a tolerance of 160 MB has been applied to the
RAM nominal values).

Protocols
• Guardian now supports the NMEA (National Marine Electronics Association) protocol. By default, it
is detected on ports TCP/10110 and UDP/10110.
• Introduced basic support for the Sinec H1 protocol over COTP LLC.
• Guardian can now extract asset information from FANUC Robots configuration pages.
• Guardian can now identify Cognex Dataman barcode readers.
• Guardian can now identify Keyence SR-2000 barcode readers.
• Extended the Protocols SDK to include node.set_label, consume_xor_data, consume_gzip_data,
and consume_zlib_data functions.

CMC and AAA


• The Health of stale appliances is now shown as "Unreachable" on the Appliances page of the connected
CMC; "Average" or "Poor" states remain as they are, being calculated on the CPU/RAM/Disk status.
• Grandchildren appliances are now no longer considered while evaluating the staleness of an
appliance.
• Introduced new alert rules execution policies to handle rule conflicts. A user can now specify the
desired policy: have local rules prevail, have upstream rules prevail, or manage rules only
from upstream.

Contents and detection


• Guardian now shows the created date for disabled Yara rules.
• Guardian now produces CPEs for Mitsubishi PLCs of series Q and R.
• Guardian no longer generates versionless CPEs that cause false positives.
• Guardian now correctly identifies o:siemens:ruggedcom_rox as Siemens RUGGEDCOM ROX.

Resolved issues
• N2OS-9796: Improved the clean up of ghost nodes through garbage collection when in adaptive
learning mode.
• N2OS-9853: Fixed an issue that prevented the Delete option from appearing for admin user groups
when the list of user groups was filtered.
• N2OS-10072: Fixed a visual defect that prevented the username from being displayed correctly in
the Last uploaded PCAPs table.
• N2OS-10206: Fixed an issue preventing traffic_shaping from properly applying the bandwidth rule
on Guardian.
• N2OS-10208: Fixed an issue that prevented deleted users from being cleaned up properly on
CMCs.
• N2OS-10247: Fixed an issue in queries that prevented users from accessing the fields of the
"device_modules" column of the "nodes" source.
• N2OS-10291: Improved function code reporting when handling Modbus exception responses.
• N2OS-10294: Fixed an issue that prevented deleted appliances in connected CMCs (e.g., deletion
of a RC on a Guardian) from being synced on the CMC. Note that data of the deleted appliance will
remain on the CMC, but the deleted appliance will no longer be shown in appliances page.

Security fixes
• Executing the n2os-tui command now requires root permissions.
• Updated formatting for HIDS audit logging to improve readability.
• The console password is now required to be at least 12 chars long in all cases. No action is
required; the new restriction will be applied to the next password change.
• Updated FreeBSD to resolve CVE-2018-6927, CVE-2021-29631, CVE-2021-29630,
CVE-2021-36159, CVE-2021-3711, CVE-2021-3712, CVE-2021-23840, and CVE-2021-23841.

Upgrade Path Recommendation


If you are on a release older than 18.5.9 (version support has ended)
• 18.x > 18.5.9 > 19.0.10 > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see upgrade remarks of 20.0.0 (listed below for convenience).

If you are on a 19.x release:


• 19.x > 20.0.0 > 20.0.7.7 > 21.x
• Note: please see upgrade remarks of 20.0.0 (listed below for convenience).

If you are on a 20.x release older than 20.0.7.7:


• 20.x > 20.0.7.7 > 21.x

If you are on a 21.x:


• 21.x > 21.4.0

20.0.0 upgrade remarks


• If upgrading from a version < 18.5.9 see upgrade remarks of 19.0.0.
• Version 20.0.0 introduces SSH key based authentication and blocks SSH password login for the
root user. SSH password login is allowed only when using the admin user. If you are upgrading
from version 18.5.9 to version 20.0.0, or if you don't use the admin user yet, you'll need to add
an SSH key using the WebGUI in order to be able to log in. Refer to the user manual for more
information about how to configure SSH keys.
• Ensure enough space is available in /data before upgrade execution. As a rule of thumb, check
that the appliance has at least 15% of free disk space or at least 5GB free. To perform an exact
check, use the n2os-db-stats command to gather the database size and check that the free
space on disk is bigger than the sum of all the tables. The upgrade process can take a long time,
depending on the amount of data and the complexity of the system, but it generally takes less than
a few minutes.
• To upgrade a Docker container edition, a manual database dump is mandatory:

docker exec -d <CID> \
    bash -c "pg_dump scadaguardian -U n2os-dbms | gzip -9 > /data/dump-upgradev"

Where <CID> is the container ID of your currently running container. After dump execution, stop the old
container and start the new one.
• To restore a backup made from a version < 19.0.5, perform restore process in a version < 20.0.0,
then execute upgrade.

N2OS 21.3.0

Highlights
• The Updates & Licenses page now displays a new Smart Polling item. If the base license is Full
Advanced, this new item shows an active Smart Polling license.
• Smart Polling can now poll SSH servers with legacy Diffie-Hellman Group1 SHA1 ciphers.
• Smart Polling now retrieves the CPU information of Windows machines through WMI and WinRM.
• Improved the consistency of the exclude? query keyword's behavior over different query sources.
• Smart Polling can now retrieve the user that is currently using a Windows machine through WMI
and WinRM.
• Asset Intelligence: added "Enriched asset" state information to the Asset Detail widget.
• Fixed an issue that prevented alerts from being muted based on the destination ports.
• Guardian can now extract the firmware version from SIPROTEC 4 devices.
• Added the ability to include in the Asset Report the list of installed software retrieved through Smart
Polling.
• Asset Intelligence: added "End of Support" and "End of Sale" fields to asset information.
• Improved behavior for an edge case with Melsoft protocol where SIGN:DEV_STATE-CHANGE alert
was repeatedly triggered.
• Improved resilience of remote collector to staleness.
• The CEF data integration now sends the name attribute of alerts in the flexString3 CEF field.

Base OS
• The adaptive learning mode has been updated:
  • Removed VI:PROC:NEW-VALUE and VI:PROC:NEW-VAR (now present only in Strict Mode).
  • Introduced a new VI:GLOBAL:NEW-VAR-PRODUCER alert, raised whenever a node that has never
    produced variables in the global context starts producing any.
• Improved the handling of links initially detected as `Other`, then elevated to known protocols.
• Added time machine snapshot size estimation before the diff process and related out of memory
warning.
• Network Elements limits have been slightly raised for a smoother transition. The quota of Variables
in the Network Elements pool is now limited to 60% by default and can be customized with the "vi
machine_limits_variables_quota" rule.

Protocols
• Fixed an issue that caused false positive alerts about Modbus malformed packets.
• Guardian now checks domains specified in HTTP, FTP, TFTP, SMB, and SSDP protocols against
malicious domains known to STIX. Previously, Guardian only checked against malicious URLs in
these protocols and against malicious domains in DNS protocols.
• Extended the support to the LS XGT protocol.
• Guardian can now distinguish between EtherNet/IP devices that are behind a gateway device.
• Guardian now raises alerts about cleartext passwords from the HTTP and FTP protocols.
• Ethernet-IP device types are now captured and mapped to N2OS asset types.

CMC and AAA


• Non-admin users can now save queries if enabled in the user group.
• Proxy settings are now available when setting up the connection to CMC / Vantage.

Contents and detection


• Fixed an issue that caused Windows hotfixes to be shown multiple times.
• Improved Smart Polling capabilities for Huawei and Brocade switches.

Resolved issues
• N2OS-5092: Added further error handling and helpful messages in cases where a query could
return incorrect results.
• N2OS-8948: Fixed an issue that prevented the "Map not yet uploaded" message from appearing in
the modal window to position a Remote Collector.
• N2OS-9499: Fixed an issue that prevented users from deleting the PaloAlto v9 firewall configuration
in cases where the integration took a long time to contact the firewall. For example, this case can
occur if the configured endpoint is not reachable.
• N2OS-9875: The WMI and WinRM strategies of Smart Polling now support separating username
and domain using a backslash.
• N2OS-9904: Fixed an issue that prevented the CLI from applying va_notification commands.
• N2OS-9960: Fixed an issue with some CIS Control Reports tables that contained values with more
than three digits.
• N2OS-9982: Fixed an issue where "authentication only" users could access details using URLs.
• N2OS-9986: Reduced VulnassApplication memory consumption.
• N2OS-9990: Packet rules now obey denylist rules.
• N2OS-9991: Added a migration for Custom JSON data integration configurations introduced before
version 20.0.4.
• N2OS-10045: Improved embedded Asset Intelligence contents to avoid some false positive alerts
for Rockwell hardware.
• N2OS-10088: Fixed an issue with the Cisco ASA firewall configuration UI dialog that prevented the
list of alert types for which the session kill functionality can be configured from being displayed.
• N2OS-10105: Improved handling of End Option and Padding in DHCP payloads.
• N2OS-10111: Smart Polling step messages are now safely encoded in UTF-8 to prevent possible
encoding errors in certain scenarios. Improved Smart Polling SNMP network interface retrieval
robustness by performing additional validation.
• N2OS-10158: Fixed an issue related to the Go To Appliance feature of the CMC.
• N2OS-10198: Fixed a problem that caused the change password screen in the UI to become
unresponsive.

Security fixes
• Updated the version of PostgreSQL in order to resolve CVE-2021-32027, CVE-2021-32028, and
CVE-2021-32029.
• Upgraded a Ruby gem to resolve CVE-2021-32740.
• Updated Ruby to resolve CVE-2021-31810, CVE-2021-32066 and CVE-2021-31799.

Upgrade remarks
• Upgrading from a version older than 19.0.0 is not supported. When upgrading from a version older
than 20.0.7.7:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, you must upgrade the system first to 20.0.7.7 before
upgrading to 21.0.0.

N2OS 21.2.0

Highlights
• Smart Polling can now retrieve the list of software in a Windows machine using a safer and faster
approach.
• You can now organize report templates in folders.
• SIGN:OUTBOUND-CONNECTIONS checks are now performed only in protecting mode on learned
source nodes.
• Updated the Health menu's Services section to align with the new sizing method, which is based on
Network Elements.
• Introduced a new feature that allows Remote Collectors to be connected to Guardians in HA.
• Added a new multiplication operator (mult) to the query engine.
• Renamed the column title of the Report Vulnerability widget.
• Smart Polling can now poll Hirschmann switches using the SNMP protocol.
• Fixed an issue that prevented the n2osrs service from automatically restarting after the certificate
exchange process on a container RC.

Base OS
• You can now specify IPs to exclude from the firewall bandwidth limitation.

Protocols
• Guardian now tags the Bently Nevada protocol.
• A new variable named ptp_time now stores the timestamp taken from the PTP payload.
Additionally, two other variables have been added to support the PTP protocol:
  - The ptp_time_skew variable is populated with the difference between the timestamp taken from
    the PTP payload and the arrival time of the corresponding packet sampled by N2OS.
  - The ptp_interval_ratio variable represents the ratio between the difference of two timestamps
    taken from the PTP payloads of two subsequent packets and the corresponding arrival times
    sampled by N2OS.
• Guardian now performs more validation checks on DHCP and DHCPv6 protocols.
• Improved the protocol detection of UPnP as SSDP. Added Smart Polling support for UPnP.
• Removed IT vs OT protocol distinction (sometimes also named "network" / "scada") in various
widgets and charts. Rationale: these protocols can be found in IT, OT, and IoT environments.
• SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS and SIGN:MULTIPLE-ACCESS-DENIED alerts now
show information on involved usernames for these protocols: FTP, HTTP, MySQL, RADIUS, and
SMB.
• Guardian now raises an alert when it detects malformed DNS packets with the wrong number of
questions or answers.
• Fixed an issue that caused false alerts of type `SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS`
related to the SSH protocol.
• Guardian now extracts and analyzes files transferred in HTTP requests.
• ARP broadcast requests are now used by Guardian to confirm the nodes in the network and update
their private status.

CMC and AAA


• Added the ability for non-administrative users to add custom fields, run and configure smart polling,
and import configuration files.
• Introduced a new technique to select the assets to replicate.
• Non-administrative users can now manage learning from Alerts.

Contents and detection


• Improved accuracy of the Windows software CPEs produced via WMI and WinRM Smart Polling
strategies.
• Guardian now generates more accurate CPEs for Rockwell devices.

Resolved issues
• N2OS-3811: Fixed a query engine issue that prevented an error from being raised when querying
fields that don't exist.
• N2OS-7464: Guardian no longer generates false MITM alerts related to virtual routers.
• N2OS-8950: Guardian no longer raises alerts when a debug session is started with the Proconos
protocol.
• N2OS-9322: Guardian now immediately updates the number of vulnerabilities when they are
manually mitigated or accepted.
• N2OS-9375: Added tooltip to clarify the User "Is Expired" option in Users details popup.
• N2OS-9450: Improved the responsiveness of the network interfaces bandwidth graph.
• N2OS-9617: Fixed an issue that prevented exports made by applying a filter from being populated
correctly.
• N2OS-9777: Guardian no longer generates COTP links if the server does not exist or does not
reply.
• N2OS-9820: Added support for new types of groups available via LDAP.
• N2OS-9826: Fixed an issue that prevented performance data from being shown in the asset details
popup.
• N2OS-9841: The list of patches in the Asset view now refreshes automatically when a vulnerability
is manually addressed.
• N2OS-9847: Fixed an issue that caused the Alert Action menu's "Show program diff" button to
become unresponsive.
• N2OS-9854: Fixed an issue that caused Smart Polling to show the wrong nodes under a plan's
summary.
• N2OS-9864: Fixed an issue in which levels could be placed in the wrong order in Purdue graphs.
• N2OS-9877: Fixed an issue that altered the BPF filter of a stopped continuous trace that the user
restarts.
• N2OS-9885: Fixed an issue that prevented the IP and MACs fields from being populated when
using `nodeid_factory include_capture`.
• N2OS-9921: Improved the handling of appliances transferring back to the primary CMC after a
failover event.
• N2OS-9923: Fixed an issue where multi-level Guardian and CMCs had a discrepancy between
asset counts.
• N2OS-9952: Improved the backup feature's resilience to errors.

Security fixes
• Added Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers.

Upgrade remarks
• Upgrading from a version older than 19.0.0 is not supported. When upgrading from a version older
than 20.0.7.7:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, you must upgrade the system first to 20.0.7.7 before
upgrading to 21.0.0.

N2OS 21.1.2

Base OS
• Introduces changes required to support the new NG-500R appliance including support for
removable disk drives and appliances with multiple disk drives.
• Improved code to identify the newest NSG-M appliance version.

Resolved issues
• N2OS-9689: Fixed an issue that caused updating the software to fail.
• N2OS-9930: Fixed an issue that prevented users from saving a firewall integration from the
GUI.

Security fixes
• Fixed an issue impacting Firewall Integrations list.

Upgrade remarks
• Upgrading from a version older than 19.0.0 is not supported. When upgrading from a version older
than 20.0.7.7:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, you must upgrade the system first to 20.0.7.7 before
upgrading to 21.0.0.

N2OS 21.1.1

Resolved issues
• N2OS-9873: CMC and Guardian once again accept license keys containing whitespace.
• N2OS-9882: Fixed an issue that caused destination port and transport protocol information to be
missing from the Alert details popup window.

Upgrade remarks
• Upgrading from a version older than 19.0.0 is not supported. When upgrading from a version older
than 20.0.7.7:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, it is recommended to upgrade the system first to
20.0.7.7 before upgrading to 21.0.0.

N2OS 21.1.0

Highlights
• A new perspective has been added to color links based on the maximum risk of the alerts
associated to the link. You can also filter the graph to show only links and nodes with alerts. For
both perspective and filter, you can use all alert types or select a specific type; only open alerts are
considered.
• The group_by command for queries now supports multiple fields on any table.
• The main GUI settings are now persisted on a user basis after logout.
• Guardian now shows MITRE ATT&CK related data in the alert details.
• Likelihood level information for unconfirmed MAC addresses is now shown in the Asset Overview and
the Asset PDF.
• Smart Polling can now retrieve the subnet mask and gateway for network interfaces through the
WinRM and WMI strategies.
• Added a vulnerability overview reporting widget.
• Guardian now supports the MITRE ATT&CK Enterprise knowledge base.
• The query 'concat' operator now accepts numbers as parameters.
• The performance of remote collectors has been improved.
• Guardian now provides a query source that gives the current state of each Smart Polling node point.
• Guardian now generates CPEs for Fortinet devices. In addition, Smart Polling can now poll Fortinet
devices via SNMP.
• Users can now graph a single node from the query.
• Incidents now include the information about MITRE ATT&CK for ICS techniques used in the related
alerts.
• Smart Polling can now poll Huawei and Brocade switches via SNMP. For Huawei devices, the
system description is used to retrieve the relevant information. For Brocade, a specific polling can
be selected under "Data to be collected".
• When displaying alerts, Guardian now adds the asset and level properties from the MITRE ATT&CK
for ICS knowledge base.
• Smart Polling can now poll SEL devices that were not previously supported.
• The rules used by Guardian to associate MITRE ATT&CK techniques to alerts are now
customizable.

Protocols
• The process view now lets the user decide how to extract variables from the traffic on a per-protocol
basis.
• Added configuration that allows users to set a limit of how many attempts to make at identifying a
session protocol.
• Guardian now supports the Enedis B32 protocol.
• Guardian now detects vendor, product name, and function code in B&R automation protocol traffic.
• Guardian can now tag and extract asset information from the Hikvision SADP protocol, which allows
Guardian to discover this vendor's devices.
• Guardian now supports the Nanolock protocol.

CMC and AAA


• You can now request a trace download for an alert from the CMC; previously, such requests were
only supported by Guardian.
• From the CMC an administrator can now schedule updates for connected appliances.
• Added a permission for user groups. The permission determines whether non-administrative users
are permitted to manage the learning of nodes and links. Enable the permission to grant access.

Contents and detection


• Guardian generates CPEs for web servers used in embedded TCP stacks, which could be
affected by an AMNESIA33 vulnerability.
• Guardian now produces well-recognized CPEs for all Rockwell devices.
• The asset information is now enriched with meta fields that represent the granularity and the
confidence level of product_name, firmware_version, and vendor. This is also shown in the UI,
along with the existing source meta field.

Base OS
• Added an optional 'Nodes Ownership' field in the Zone Configuration menu. If configured, the value
you specify overwrites the visibility property of each node in the matching zone. Defined a new zone
serving as fallback for public nodes, called 'Internet' (complementary to the existing 'Undefined' for
Private nodes).
• We have added support for using 802.1x on the management interface.
• For new installations, IPv6 assets creation is enabled by default. Existing installations are not
affected.

Resolved issues
• N2OS-4028: Fixed an issue on exporting Favourite Variables.
• N2OS-4486: Improved detection of compressed HTTP traffic.
• N2OS-4616: Improved resilience when filling in wrong configurations via shell.
• N2OS-5584: Fixed an issue with the ipgroup command affecting the license nodes count.
• N2OS-6231: Fixed an issue that caused 'Focus On' to be enabled when the selected appliance was
not a direct child.
• N2OS-7960: Fixed an issue in the CLI that hid existing characters when using the left arrow on a
written command.
• N2OS-8508: Fixed a Smart Polling issue related to correctly writing MAC addresses of target
machines.
• N2OS-8861: Fixed an issue that caused the immediate removal of inactive public nodes.
• N2OS-9017: Fixed an issue in which a node deletion from the Security Control Panel causes
undesired additional node deletions.
• N2OS-9120: Fixed an issue that occurred when setting the scheduled time of the report when local
and server times differ.
• N2OS-9144: Variable names extracted from traffic that contain non-ASCII characters are now sanitized.
• N2OS-9149: Fixed an issue in the visual query editor that caused an empty result when using OR
logical operators.
• N2OS-9152: Fixed an issue that prevented user objects from being properly deleted when the group
that contained them was deleted.
• N2OS-9314: Fixed an issue where the CMC all-in-one and Guardian Asset Node details did not
include additional properties.
• N2OS-9397: Alerts reports now display the timezone. This fixes an issue that caused incorrect
dates to appear in such reports.
• N2OS-9504: When a remote collector is viewed from a CMC, clicking the Renew button now
updates the certificate of the parent Guardian, rather than that of the CMC.
• N2OS-9539: Fixed an issue where Smart Polling configuration option disappeared while editing an
existing user group.
• N2OS-9552: Fixed an issue that prevented bulk learning or deletion of links and nodes from working
under high load.
• N2OS-9558: Fixed an issue that caused the play/pause button for Smart Polling plans to reload
unnecessarily.
• N2OS-9573: Guardian no longer suggests Windows-specific hotfixes for nodes whose operating
system is not Microsoft Windows.
• N2OS-9581: Fixed an issue that prevented changes to Smart Polling plans from taking effect
immediately.
• N2OS-9582: Fixed an issue that prevented the creation of a report on the CMC with the same
name as a report on a child Guardian.
• N2OS-9599: Fixed an issue that prevented multiple denylists from being enabled at the same time.
• N2OS-9618: Fixed an issue that caused a failure when downloading PDF reports.
• N2OS-9633: Fixed an issue that could cause the n2os_ids process to crash when reading a
corrupted stix_cache.bin file.
• N2OS-9638: Improved the responsiveness of the Smart Polling page.
• N2OS-9660: Fixed an issue in which the wrong number of alert rules was shown in the interface.
• N2OS-9661: Fixed an issue that caused icons to become very small when users zoomed in-out on
the graph view multiple times.
• N2OS-9676: Fixed an issue that prevented disconnected appliances from being marked as stale
when the CMC was run in High Availability mode.
• N2OS-9687: Fixed an issue concerning migration of built-in reports.
• N2OS-9698: Guardian no longer emits multiple `VI:NEW-PROTOCOL` and
`VI:NEW-PROTOCOL:CONFIRMED` alerts for the same link.
• N2OS-9716: Fixed an issue that caused an automatic logout; the issue often occurred to users
authenticated using AD, and only if a CMC running in High Availability mode was connected.
• N2OS-9742: UTF-8 sanitization is now applied to strings inferred from traffic before storing
information into the database.
• N2OS-9778: Fixed a problem that caused numeric queries on JSON fields to misbehave.

Security fixes
• Fixed an XSS vulnerability in the graph info pane.
• Updated the CodeMirror component to resolve security issues.
• Updated the version of the Highcharts library to 6.2.0.
• Updated the Lodash component to resolve security issues.
• Added SameSite None attribute to Web UI cookies for better browser compatibility.
• Updated Rails component to resolve CVE-2021-22902, CVE-2021-22903, CVE-2021-22885, and
CVE-2021-22904.
• Updated a third-party chart component in order to resolve CVE-2021-23337.
• Updated nokogiri library to resolve CVE-2019-20388, CVE-2020-24977, CVE-2021-3517,
CVE-2021-3518, CVE-2021-3537, CVE-2021-3541.
• FreeBSD kernel has been upgraded to resolve CVE-2021-29628.

Upgrade remarks
• Upgrading from a version older than 19.0.0 is not supported. When upgrading from a version older
than 20.0.7.7:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, it is recommended to upgrade the system first to
20.0.7.7 before upgrading to 21.0.0.

N2OS 21.0.1

Contents and detection


• Improved node_cpes synchronization speed; the data migration can take up to a few minutes.

Base OS
• Improved Assets synchronization speed in scenarios with multi-level CMC.

Resolved issues
• N2OS-9648: Guardian no longer generates Linux kernel CPEs without a version in order to prevent
false positive CVE matching.
• N2OS-9654: Fixed an issue that caused the outbound connections check to fail under certain
conditions.
• N2OS-9654: The outbound connections check now prevents a malicious node from generating
more destination nodes when the control time window has expired.
• N2OS-9663: Fixed a migration issue that prevented the upgrade to the 21.0 version when
SmartPolling values containing quotes were present.

Upgrade remarks
• If upgrading from a version from 19.0.0 to 20.0.7.6:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, it is recommended to upgrade the system first to
20.0.7.7 before upgrading to 21.0.0.

N2OS 21.0.0

Highlights
• Fixed an issue that prevented users from using hidden columns to filter the list of alerts.
• You can now bulk import and export alert rules; rules imported to a CMC are propagated to
connected Guardians.
• The user can now specify more alert closure options, including a comment. An audit log including all
the actions on alerts with requestors has been added.
• The user can now upload multiple PCAPs at the same time.
• Network interfaces can now be enabled and disabled from the UI.
• When you click the link between groups in a grouped graph, the info pane now displays the list of all
links between the two groups.
• The node_points table filled by Smart Polling now has an improved data structure that allows the
user to query it more effectively. The new column 'content' has been introduced for this purpose.
The old column 'value' has been deprecated but left in for backward compatibility.
• Added alert information in info panel when clicking on a cluster in the graph.
• You can now export reports in CSV and XLSX, in addition to the already available PDF format.
• Improved the French translation of the web UI.
• You can now apply a smart polling plan to a node displayed in the Environment menu. The new
Smart Polling button is found to the left of each node.
• You can now configure retention for time machine snapshots through the Feature Control panel.
• You can now add new asset types by importing a CSV file through the UI.
• Greatly extended the amount of information collected by Smart Polling's SSH strategy.
• Reports' widget selection now features a widget preview to guide the user.
• N2OS is now also available in Spanish.
• The user can now also specify a destination folder for local backups scheduled by the GUI.
• To improve the user experience when configuring the synchronization of connected appliances, we
added a button on the 'Synchronization settings' page to easily copy the Sync token and the Sync
ID. We anticipate that this will reduce errors in system configuration.
• The Network Interfaces view now indicates whether a denylist is defined for an interface.
• Improved the position of the logo watermark in a report.
• We have updated the user interface for configuring synchronization between appliances. The CMC
Connection section is now found under the Synchronization Settings section. Sync token and
Application ID are always visible in order to facilitate setup of both Upstream connection and HA
(when allowed).
• Addressed several user interface issues in Smart Polling.

Protocols
• Added failed login detection to RDP protocol analysis.
• Three-way TCP handshakes, which were previously identified as “other”, are now properly identified
as the corresponding native or custom protocol.
• Improved handling of IPv4 packets that have an option header size less than three.
• Improved handling of missing TCP headers.
• Now nodes at L2 and L3 belonging to the same asset are merged in the Asset View.
• Improved the TCP-SYN-FLOOD logic, taking into account both attacker and target behaviours. The
user can now also configure the related trigger and exit logic.
• Nozomi now supports the Health Level 7 (HL7) protocol. This implementation conforms to the HL7
v3 specification.
• Fixed an issue that caused a false positive regarding program downloads.
• Extended support for S7 protocol.


• Guardian now detects inconsistencies in IPv6 headers, including cases where the header or header
extension are inconsistent with the payload. In the case of ICMPv6 with type echo (ping) request
(128), it also detects headers that are less than eight bytes.
• Guardian now supports the TLS protocol.
• Guardian now supports the DTLS protocol.
• Guardian now supports the OPC HDA protocol.
• Guardian now supports the CANopen TCP protocol.
• Guardian now supports the Valmet DNA DCS protocol.
• Improved detection of the Siemens S7 protocol, including adding support for the project name field.
• Protocol Support: LS XGT protocol tagging. Ability to identify LS XGT protocol within the network.
• Guardian now supports TFTP (Trivial File Transfer Protocol).
• Added support for Philips Intellivue protocol for patient monitoring devices.
• Added asset support for Siemens Apogee Ethernet P2 protocol.
• Improved omron-fins protocol detection to match omron-fins running on non-standard ports.
• Process variable support for Schneider OFS (OPC for Factory Server).
• New logic on malformed Ethernet IP packets has been introduced.
• Guardian now supports the MPLS protocol.

CMC and AAA


• Previously, Nozomi supported authentication on integration with Microsoft AD, but did not support
other LDAP (Lightweight Directory Access Protocol) implementations. Now, customers using other
LDAP solutions can integrate them with Nozomi; click Administration > Users > LDAP.
• You can now filter assets, nodes, and the graph by Site name.

Contents and detection


• Improved alert description to include information required to perform a proper investigation.
• Guardian can now identify all Siemens CPE machine codes.
• Improved the n2os_va service's memory usage to make it more efficient.
• Guardian now reports vulnerabilities related to the Linux kernel.
• Guardian now generates CPEs for individual modules of Mitsubishi PLCs.

Base OS
• An anonymized version of the support archive is now available.
• It is now possible to choose whether to include traces or not when downloading or scheduling a
backup archive.
• We have updated N2OS to support USB and SD on Siemens Ruggedcom APE modules.
• Introduced a new alert, SIGN:OUTBOUND-CONNECTIONS, which detects increases in the number of
outbound connections by a single host.
• Fixed an issue that prevented the default zone name setting from being persisted across system. This
setting is now available from the UI.
• Introduced core improvements to synchronization of assets between Guardian and CMC.
• Improved broadcast node detection: subnet information is now also used to detect whether a node
has a broadcast IP address.
• Links creation is now disabled for the WUDO protocol to avoid creating excessive noise in the
Environment View.
• Files older than 12 hours are now always cleaned up properly from the /data/tmp/ directory.
• Added n2os-ntp-forceupdate on FreeBSD-based n2os to force an NTP time sync.
• Adaptive Learning is now the default detection approach.
• When a Guardian is connected to a multi-context CMC, the default sync interval for n2os.conf and
n2os.conf.user files has been increased to 3 hours.

Resolved issues
• N2OS-6548: IP addresses reserved by the IETF for documentation purposes (as in RFC 5737) are
no longer recognized as public.
• N2OS-7515: Fixed an issue that prevented the CMC from verifying the ThreatIntelligence bundle
during manual update.
• N2OS-7802: Fixed display issues in the in-product documentation.
• N2OS-7864: Fixed an issue with Threat Intelligence update indicator based on network connection
enable status.
• N2OS-7952: Fixed an issue that prevented the proper clean-up of deleted alert rules.
• N2OS-8587: Error codes used by Smart Polling target machines are now shown only in the
Guardian logs, and not in the UI.
• N2OS-8847: Improved the system's resilience to non-ASCII characters in node properties.
• N2OS-8903: Fixed an upgrade issue that could reset the created_at values for assets.
• N2OS-8908: Fixed an issue where the Graph view Type filter was not correctly populating filter
options.
• N2OS-8926: Fixed a performance issue that occurred when loading plans on the Smart Polling
Summary page.
• N2OS-8946: Improved some formatting within the Operational report template.
• N2OS-8980: Fixed a bug which prevented bulk learning/deleting from working when filtering the
nodes and links tables.
• N2OS-9021: Fixed an issue that prevented the Alerts Creation Time field from appearing correctly in
reports generated using a report widget.
• N2OS-9064: Fixed an issue where the alerts/incidents closure wasn't propagated correctly to
connected appliances.
• N2OS-9118: Fixed an issue that prevented the Asset view from being displayed when a user clicked
Focus on Appliance. This issue occurred on CMCs running in All-in-One mode.
• N2OS-9138: Improved handling of HTTP exceptions, including logging the error.
• N2OS-9146: Fixed newline issue in Syslog messages.
• N2OS-9202: Fixed an issue that prevented time zone changes from taking immediate effect.
• N2OS-9214: Fixed an issue that caused the unexpected, spurious reopening of incidents. Also fixed
a similar issue with unexpected, spurious acknowledgment/unacknowledgment of alerts.
• N2OS-9235: Now the tooltip of the Type icon of a connected appliance shows the correct text.
• N2OS-9241: Fixed an issue that caused appliances to fail synchronizing date/time to a CMC.
• N2OS-9263: Fixed issue with multiple GSDML file imports over-writing existing entries. Now all
entries are retained.
• N2OS-9280: Improved embedded Asset Intelligence contents to avoid some false positives alerts
for Rockwell hardware.
• N2OS-9288: Fixed an issue about the separation of nodes with the same IPs coming from different
RCs.
• N2OS-9294: Fixed an issue with CMCs in HA, which caused Users and Appliances to be
overwritten by the other CMC.
• N2OS-9304: Fixed a graphing issue when the graph data set is empty.
• N2OS-9320: Fixed an issue where CEF alerts were not being sent if one of the nodes in a CMC HA
cluster is down.
• N2OS-9380: Improved handling of Assets having the same name.

Security fixes
• Fixed an issue that prevented SAML authentication from working when using Google Chrome.
• In order to decrease the time needed to generate a support archive, the archive no longer contains
the HIDS report.
• Improved the web server's security by adding request limits to port 80, which handles HTTP to
HTTPS redirection.
• An unauthorized API request now returns a 404 error.
• Resolved false positive HIDS audit events regarding changes made to /etc/hw_conf_nozomi file.
• Improved system resilience to Denial of Service (DoS) attacks: system will now block the offending
IP address for 5 minutes when the management interface is under flooding.
• Console access now warns that unauthorized system changes will void the Support agreement.
• Upgraded NodeJS to v12.20.1 to address CVE-2020-8265, CVE-2020-8287, and CVE-2020-1971.
• Updated sudo package to resolve CVE-2021-3156.
• Updated the version of Ruby on Rails to address CVE-2021-22880 and CVE-2021-22881.
• Updated the node component in order to resolve CVE-2021-22883, CVE-2021-22884, and
CVE-2021-23840.
• Addressed an issue in OpenSSL in order to resolve CVE-2021-3449 and CVE-2021-3450.
• Updated the activerecord-session_store component in order to resolve CVE-2019-25025.
• Included new language to the User Manual to notify users where to find our SBOM (Software Bill of
Materials).
• Updated postgresql minor version in order to resolve CVE-2020-25694, CVE-2020-25695 and
CVE-2020-25696.
• Upgraded Ruby to 2.6.7 to address CVE-2020-25613 and CVE-2021-28965, even though both
libraries involved are not used in the product.
• Upgraded FreeBSD base OS to 12.2-RELEASE-p6 to address CVE-2020-29568, CVE-2020-25578,
CVE-2020-25579 and CVE-2021-29626.

Upgrade remarks
• If upgrading from a version from 19.0.0 to 20.0.7.6:
1. Note: please see upgrade remarks of 20.0.0.
2. Then, to ensure the highest compatibility, it is recommended to upgrade the system first to
20.0.7.7 before upgrading to 21.0.0.

N2OS 20.0.7.7

CMC and AAA


• Resolved various issues on operations performed through the CMC "go to appliance" feature.
• SAML clock drift is now configurable; this feature is useful in situations where the clocks of
Guardians and CMCs are not perfectly aligned.

Base OS
• Improved Web UI performance when many users are connected, and added the possibility to
manually tune the amount of concurrent requests the Web UI can handle.
• Improved performance of "links" queries and Links visualization in tables.
• Links creation is now disabled for the WUDO protocol to avoid creating excessive noise in the
Environment View.

Resolved issues
• N2OS-9366: Fixed a bug that prevented bulk learning/deleting from working when filtering the
nodes and links tables.
• N2OS-9471: Muted alerts no longer generate traces.

Security fixes
• Upgraded rails to 5.2.5.

Upgrade remarks
• If upgrading from a version < 18.5.9:
1. You must first upgrade to 18.5.9.
2. Then to the latest version of 19.x. Note: please see the upgrade remarks of 19.0.0.
• If upgrading from version 19.0.x, see upgrade remarks of 20.0.0.
