What's new in GFI KerioControl

Version 9.4.4p1

Released: April 18, 2024

  • Resolves an issue with HTTPS connections on port 443 in certain setups, particularly over VPNs or between different subnets.

Version 9.4.4

Released: February 22, 2024

  • IKEv2 support
  • Significant overall performance improvements
  • More accurate AppManager connectivity display
  • Appliances removed from AppManager stop processing AppManager-related data
  • NG511 appliance performance degradation in HA mode
  • Discrepancy between Interface Window and VPN Clients Window for users connected via VPN
  • IPSec Tunnels are no longer disconnected when the configuration is updated
  • SNMP is functional
  • 2FA verification message incorrectly showing default "30 days" expiration value
  • Custom logo not displayed on the login page
  • Corrected Mexico local time
  • Multiple memory leaks fixed
  • No checksum errors recorded on winroute.cfg after performing IPS or KerioControl updates
  • Errors encountered on some websites during categorization
  • CIDR address formats within the shared definitions are properly handled when synchronized via AppManager

Downloads and Upgrades:

For product downloads and information about upgrading GFI KerioControl, visit the GFI Upgrade Center.

Access the Kerio Legacy Product and Documentation Archive

If you have additional queries about these changes, please do not hesitate to contact us or an authorized GFI Partner directly.

Version 9.4.3

Version 9.4.3 Patch 4

Released: January 30, 2024

  • GFI KerioControl detecting the same build as new one when checking for new updates

Version 9.4.3 Patch 3

Released: January 25, 2024

  • Updated GFI Agent for better AppManager performance and stability
  • Shared definitions - IP Address groups are not synchronized to GFI KerioControl appliances

Version 9.4.3 Patch 2

Released: December 13, 2023

  • UEFI Bios support can be activated through the UI
  • New installations can choose to install the product with UEFI BIOS mode support on the install screen
  • The advanced configuration page of network interfaces is displayed properly
  • The appliance not rebooting properly on the second reboot after UEFI BIOS support was activated

Version 9.4.3 Patch 1

Released: October 26, 2023

  • Upgrade failing to 9.4.3 version
  • Appliance not booting after shutdown
  • Fixed SNORT problem with periodically consuming a high amount of CPU 
  • Product UI shows an incorrect AppManager status
  • MyKerio is no longer enabled automatically

Version 9.4.3

Released: October 9, 2023

  • GFI AppManager support
  • UEFI Support
  • VPN Client for MacOS supports modern MacOS versions using system extensions
  • VPN Client for MacOS is now supported on Intel, M1 and M2 silicon
  • Checksum error messages
  • Default IKE protocol versions for IPSec VPN tunnel changed from IKEv1 to IKE
  • OS information found under Web Admin > Status > VPN Clients is not accurate
  • Slow loading of some websites on 9.4.2 patch 1 with QUIC
  • WiFi not working on NG100W and NG300W boxes in some cases after the upgrade to 9.4.2p1
  • 9.4.2p1 RADIUS authentication doesn't allow selecting a certificate and provides an 'ubuntu' cert instead
  • NG510/NG511 device display is blank after upgrade to 9.4.2p1
  • After 9.4.2 upgrade, Hyper-V Appliance showing interface details as "Legacy Network Adapter"
  • Time mismatch for UTC+13 TimeZone
  • Wrong Czech translations of some pages
  • Fix for Brasilian Time Zone (UTC -03:00 Brasilia) due to incorrect DST recognition
  • DoS Attack Vulnerability generated by Protocol renegotiation on ports 4081 and 4090 (VPN)
  • Fixes for potential memory leaks
Version 9.4.2 Patch 1

Version 9.4.2 Patch 1

Released: October 17, 2022

  • The virtual network adapters become unavailable (on VMware deployments only)
  • Missing VMware images
Version 9.4.2

Version 9.4.2

Released: October 11, 2022

  • Kernel upgrade
  • 2FA token expiration configuration for VPN
  • HTTP/S redirection in reverse proxy
  • Issues with Mac upload speed degradation
  • Updated IPSec VPN
  • Updated IPsec SNAT
  • WiFi authentication errors with Radius


Released: May 31, 2021

Product Changes:
  • M1 MAC VPN client support

  • Interface mapping of NG511 Fixed

  • macOS VPN client updated to fix a script that was preventing installation on Big Sur

  • Update Windows VPN Client to make it compatible with Windows 20H2

  • New configuration ""L2TPUpScriptWaitSeconds"" and "L2TPUpScriptConnectTryCount"" introduced to recover stuck LT2P connections

  • New configuration ""DisableUniqueIDs"" introduced to prevent IPSec VPN disconnects

  • New traffic patterns added to properly block Teamviewer connections

  • Introduce new configuration ""InternetLinkAutoGatewayInterfaceList"" to stop probing interfaces which doesn't have a gateway

  • Fix HA interface name validation failure happens when one of HA machine has legacy interface names

  • OpenSSL library is upgraded from 1.0.2j to 1.1.1d

  • HSTS (Strict-Transport-Security) Header added

  • Upgrade and Factory-reset scripts are failing because of signature image issue

  • Links on the IP Blacklist screen were either wrong or timing out. Now all links corrected

  • Info message displayed after distrusting a certificate updated for VPN connections

  • Fix crash in HA Slave machine happens when slave account host activity

  • TLS triple handshake vulnerability fixed by updating /etc/sshd_config configuration file

Patch resolution details:
  • Using Active Directory authentication (only). It causes authentication with Active Directory to fail making AD user connections not possible.

  • HSTS causes 2FA fail on Kerio VPN

Version 9.3.5

Version 9.3.5

Released: August 27, 2020

  • The custom logo does not appear on login or deny pages

  • Wrong Country code for Serbia

  • Active Connections - Destination Country missing table information

  • Active Connections - Source Country missing table information

  • Content filter rules not blocking Teamviewer

  • Page refresh/close display an error dialog on Google Chrome

  • Unable to complete PPPoE discovery (NBN connection)

  • VPN Driver does not install on Windows 10 Update 2004

  • KerioControl Slave unit fails to dial PPPoE

  • Localization string "Alert-HA" not found in any language

  • Statistics report errors in HA-Slave control

  • Unable to differentiate email report if from Master or Slave

  • Fixes for NG110, NG310, NG510/511 compatibility issues

Version 9.3.4

Version 9.3.4

Released: February 13, 2020


Support for a wide range of USB WIFI Adapters - Drivers:

  • rtl818x_pci.ko

  • rtl8187.ko

  • btcoexist.ko

  • rtl8188ee.ko

  • rtl8192c-common.ko

  • rtl8192ce.ko

  • rtl8192cu.ko

  • rtl8192de.ko

  • rtl8192se.ko

  • rtl8723be.ko

  • rtl8723-common.ko

  • rtl8821ae.ko

  • rtl_pci.ko

  • rtl_usb.ko

  • rtlwifi.ko

  • rt2400pci.ko

  • rt2500pci.ko

  • rt2500usb.ko

  • rt2800lib.ko

  • rt2800mmio.ko

  • rt2800pci.ko

  • rt2800usb.ko

  • rt2x00lib.ko

  • rt2x00mmio.ko

  • rt2x00pci.ko

  • rt2x00usb.ko

  • rt61pci.ko

  • rt73usb.ko

  • Last few entries of Active Connections list not displayed correctly in Firefox

  • Active connections table do not show the column entries when the order is changed

Version 9.3.3

Version 9.3.3

Released: December, 27 2019

  • HyperScan engine in SNORT for increased performance

  • VPN Tunnel supports SHA2 in Phase2

  • Cannot add multiple VPNs into traffic rules

Version 9.3.2

Version 9.3.2

Released: November, 21 2019

  • VPN Client Support for macOS Catalina

  • VPN Client compatibility with Microsoft Windows 10 (1903)

  • PPPoE Interface not saved on Edit

  • SACK Vulnerability patches to Kernel

  • Problem with port forwarding by source IP with DHCP

  • ScreenConnect application keeps disconnecting

  • DHCP allocated incorrect number shown on UI

  • "Single Internet Link" forwards all traffic to a dead-end if 1 WAN link present

  • Web filter not blocking streaming websites

  • Microsoft Discovery Service not finding devices over VPN

  • Source NAT preselects first entry in list repeatedly

  • User not able to configure tcp_min_snd_mss

  • HA - Active Slave does not apply MAC filter rules properly

  • HA - Sync not working correctly due to incorrect archive filesize

  • VPN Client not opening browser when 2FA configured (Linux)

Version 9.3.1

Version 9.3.1

Released: September, 17 2019

  • HA Disconnect Kerio VPN on passive slave

  • HA VLANs removed on sync from Master to Slave

  • HA Bandwidth management link speed is not persistent on slave

  • HA Fails to Start

  • HA Several improvement and network compatibility fixes

  • Some Web pages are not blocked and can be accessed via Bing search

  • 3rd party IPsec VPN tunnel not being established due to unknown crypto suites

  • Update to driver for PCI Network Card Intel X710-T4

  • IPSec VPN tunnel failed to reconnect after an interruption on the remote side since 9.3.0

  • Kerio Interfaces staying "no connectivity" even when there is a connection

  • An unauthorized user can access the internet with the help of authorized users

  • Malicious URL to KerioControl login page can be used to inject code in session

Version 9.3

Version 9.3

Released: April, 9 2019

  • High Availability - Active/Passive - Enable a secondary (Slave) identical KerioControl to take over when the primary (Master) device is offline

  • IKEv2 Support (enable via console)

  • Primary IP for WAN interface changes after reboot

  • Last few entries of DHCP reservation list not displayed correctly in Firefox

  • Address group still visible after being deleted

  • IPSEC Tunnel drops in certain circumstances

  • Configuration restore wizard IP addresses not populating

  • Teamviewer application not blocked by Content Filter

  • SafeSearch blocks Yandex

Version 9.2.9

Version 9.2.9

Released: January, 31 2019

  • Memory Swap support

  • Kerio VPN - Disabled insecure and vulnerable protocol Blowfish

  • Change snort nice value to -4 to improve traffic

  • IRQ improvements for snort process to improve traffic

  • HW NG500 crash

Note: Older Kerio VPN Clients are not able to connect using this build. To allow please follow the following steps.

Open ssh connection or from console
Go to /opt/kerio/winroute folder
Run ./tinydbclient "Update VPN set AllowBlowfishCipher=1"

Version 9.2.8

Version 9.2.8

Released: November 27, 2018

  • Limit Bandwidth Per Host

  • Optimize Application Awareness memory footprint

  • Reconfigure Kerio AV to optimize memory usage

  • Kerio VPN new encryption protocol AES

  • Kerio VPN Client supports the new protocol

  • Force hostname for VPN clients

  • Accessing User and Groups crashes WebAdmin on IE11

  • User Statistics not getting updated

  • Installation of VPN Client fails on Ubuntu 18.04 LTS 64-bit Desktop version

  • No traffic over VPN after enabling 2FA on iPhone running iOS 11.4.1

  • Kerio VPN 2-Step Verification Unable to resolve hostname

  • Filtering Web Content by word occurrence returns broken HTML

  • User details not getting updated in Active hosts

Note: KerioControl VPN Client does not work with previous versions of KerioControl (version 9.2.7 and earlier)

Version 9.2.7

Version 9.2.7

Released: September 4, 2018

  • 2-Step verification UI improvements

  • DHCP leases column added in DHCP

  • DST notification added to time zone settings page

  • IPv6 anti-spoofing functionality added

  • Linux VPN client now supports systemd

  • Unify approach to entering URL in rules

  • Upgraded Firefox install CA walkthrough screenshots

  • Categories are not getting merged one when testing the miscategorized URLs in Content filter

  • Changing description for multiple users changes only those who have separate configuration

  • Crash with error handling during domain joining/leaving

  • Disable view user statistic when multiple users are selected

  • Entries with multiple members in Service list not getting searched

  • HTTP Cache dump should works without selected cache any message type

  • Interface group ordering disabled

  • IPSec connection is dropped every 3 hours

  • IPsec: Some fields are cleared when Cipher configuration dialog is closed

  • P2P suspicious connection detection

  • Preventing license usage when there is spoofing IPv6 connection

  • Show details while joining AD fails because of time skew

  • Technical support button on dashboard redirects to GFI support now

  • Tunnel reset when cipher config dialog is closed

  • User right column sort by rendered value

  • SafeSearch blocking Google Cloud Messaging

  • View Guest users in KerioControl Statistics opens stats of "Not logged in" user

Version 9.2.6

Version 9.2.6

Released: May 16, 2018

KerioControl 9.2.6 includes security enhancements to allow encryption of personal and sensitive data collected and stored by the product.

  • Added support for Encrypting personal/sensitive data stored on the disk

  • Crash in some occasions due to empty HTTP header name

Version 9.2.5

Version 9.2.5

Released: March 22, 2018

KerioControl 9.2.5 provides security improvements with an upgrade to the IPSEC VPN encryption key and complete removal of PHP code in the server code base. This release also includes over 20 customer reported fixes.

  • Removal of PHP server-side scripting from Web Interface

  • Upgrade of strongSwan 5.5.1

  • Improved starting/stopping of VPN Client on Debian 8

  • VPN Client now supports macOS High Sierra

  • Translation issues

  • User preferences automatic language set to detected language

  • Installation of VPN Client fails on Windows 7, 8

  • The WiFi driver has been updated for better compatibility and stability

  • Dashboard Traffic Chart Tile does not show relevant units

  • Changing description for multiple users changes only those who have separate configuration

  • Empty exclusions for connection limit corrupts config

  • View Guest users in KerioControl Statistics opens stats of "Not logged in" user

  • WebAdmin error during configuration import

  • Install CA screenshots are from old FireFox

  • Menu bar icon not optimized for Mac with retina

  • Remote Services: Data are not reloaded when changes are discarded on screen reload

  • Bandwidth management traffic dialog: wrong info text

  • Crash in ThreadCpuTime, when gdata.start_error = 1

  • Assert in DhcpLeaseTab::save()

  • W10 Edge cannot login and access web interface if IPv6 is enabled

  • Missing limiter of AV check failed alert

  • Russian Business Network blacklist is missing in IPS update

  • Remove unsecure DES-CBC3-SHA from cipherlist

  • Wi-Fi should be WiFi (legal requirement)

  • Kerio VPN tunnels are using local networks defined in IPsec section (as Remote networks)

  • Exported cfg. backup is corrupted

  • Sending notifications from KerioControl - InCorrect Format of notification

  • On Groups page, "Rights" column is not sorted in correct order

9.2.5 Patch 1
  • Crash every hour when sending email for invalid user after antivirus scanning

9.2.5 Patch 2
  • NTLM Authentication issue

  • 2 Step Authentication issue

  • Recompilation of WIFI driver with different flags for more compatibility

9.2.5 Patch 3
  • Crash when SNAT missing target interface

9.2.5 Patch 4
  • Crash when multiple pages denied occur while first deny is delayed

  • Crash when internal page requests using same "lang" parameter

  • UPnP not listening on all interfaces

9.2.5 Patch 5
  • 2 Step Verification for user does not show QR Code

Version 9.2.4

Version 9.2.4

Released: October 26, 2017

KerioControl 9.2.4 provides a WiFi security update to the WPA2 protocol for the NG100W and NG300W hardware appliances.

  • Updated hostapd for enhanced WiFi security

Version 9.2.3

Version 9.2.3

Released: August 21, 2017

KerioControl 9.2.3 brings fixes for customer reported issues including a Security Settings error and fixes a possible loop that resulted in the CPU locking.


  • OpenSSL upgraded from 1.0.1u to 1.0.2j

  • Updated country list used in SSL Certificate definition

  • CPU lock due to winroute loop

Version 9.2.2

Version 9.2.2

KerioControl 9.2.2 brings you significant performance improvements in all KerioControl's security and inspection methods and filters. For example:

  • KerioControl now supports 64-bit hardware, which can improve performance by 15-20%

  • Large segment offload (LSO)

Kerio Antivirus

KerioControl 9.2.2 introduces Kerio Antivirus. Kerio Antivirus is powered by the Bitdefender antivirus engine and replaces the current Sophos Anti-Virus.

When upgrading to KerioControl 9.2.2 from earlier versions, Kerio Antivirus automatically replaces the Sophos Anti-Virus.

Read more in our Knowledge Base: Configuring antivirus protection.

KerioControl hardware devices support Wi-Fi

Kerio Technologies launches KerioControl NG100W and KerioControl NG300W hardware devices with embedded WiFi access point which provide connectivity for wireless devices such as cell phones, tablets, and laptops. The KerioControl WiFi module supports:

  • Dual-band antenna, which provides 2.4 or 5 GHz

  • Wireless standards 802.11a, b, g, n, and ac

  • Authentication: none, WPA, WPA2 (PSK or Enterprise)

  • Up to eight wireless networks (SSIDs)

Read more in our Knowledge Base:

Optimizing performance with LSO

KerioControl includes large segment offload, also referred to as generic segmentation offload. LSO allows the network interface controller to process the segmentation of a data transfer and significantly improves performance. However, these improvements are noticeable only during large data transfers, such as file downloads, or video streams.

The throughput gain depends on the particular deployment. For example, you can expect up to 400 Mbps on the KerioControl NG100 hardware appliance.

Read more in our Knowledge Base: Optimizing performance with large segment offload.

Blocking incoming connections from specified countries

KerioControl allows you to filter incoming traffic by country (GeoIP). KerioControl then blocks all IP addresses that belong to the countries specified in the filter.

Read more in our Knowledge Base: Blocking all incoming connections from specified countries.

IPsec VPN tunnel configuration update

KerioControl 9.2 adds a detailed configuration for IKE and ESP ciphers used in IPsec VPN tunnels. With this detailed configuration you can easily create IPsec VPN tunnels with third-party firewalls.

Read more in our Knowledge Base: Configuring IPsec VPN tunnel.

Changes in system requirements

Added support

  • KerioControl supports 64-bit hardware.

  • Hyper-V on Windows Server 2016.

Discontinued support

For more details, see KerioControl technical specifications.


  • KerioControl 9.2 and newer supports 64-bit hardware.

  • Upgrade from KerioControl 8.0 and newer.

KerioControl does not permit upgrades from versions older than 8.0.