Secure edge computing through container functionality

Starting with LCOS FX 11.2, Docker containers* can be run directly on your LANCOM R&S®Unified Firewall or vFirewall. Containers enable the fast and secure integration of industry- and project-specific applications exactly where they are needed – completely isolated from the operating system and without impacting firewall functionality. This creates the ideal foundation for secure edge computing: data is processed directly at the point of origin, reducing latency, easing the load on the network, and enabling real-time applications with enhanced security mechanisms. At the same time, containers benefit from the comprehensive protection of the firewall. Another new feature is the ability to edit selected firewall objects created in the LANCOM Management Cloud directly on the local firewall. This allows for quick and easy adjustments with full traceability in the audit log.

Test the new release candidate

Error-free software needs users who put it to the test. We cordially invite you to actively participate in our software development: Feel free to download the LCOS FX Release Candidate from the myLANCOM Firewall License Portal and tell us about your experiences with it!

You can best share your feedback on the LCOS FX Release Candidate with us via the support portal. This portal is available to you as a LANCOM partner or as an end customer with a LANcare contract. We look forward to receiving your feedback.

Please note: A Release Candidate has been extensively tested by LANCOM and includes new LCOS FX features. It is suitable for testing and is not recommended for use in productive environments.

* To use the Docker container functionality, you need to activate a SAG Basic or SAG Full license (Secure Application Gateway) on your firewall. 

The SAG Full license can be tested free of charge for 30 days when purchasing a new firewall or upgrading firewalls in isolated test environments to LCOS FX 11.2 RC.

Feature highlights

Secure Container Management

With customer-owned Docker containers, you can deploy professional applications and specialized software quickly, in isolation, and independently of the system environment directly on your firewall. This creates a flexible platform for extending functionality – for example, with vulnerability scanners, the isolation of legacy systems, secure remote access, or distributed computing.

Starting with LCOS FX 11.2, you can conveniently manage these self-created containers via the REST API of your LANCOM R&S®Unified Firewall or vFirewall with an active SAG Basic or SAG Full license. During a software update of the firewall operating system, the contents of the Docker containers remain unchanged. Containers and container networks can be created, monitored, and started in real time, firewall rules can be defined precisely, and configurations can be automatically restored from backups during updates. Optimized workflows through LMC add-ins as well as an interactive REST API documentation in the web GUI make it easier for you to get started.

This gives you the ideal foundation for secure edge computing: your applications run safely and efficiently directly on-site – for example, at the network edge – enabling fast data processing with enhanced security mechanisms.

Local editing of LMC objects

Starting with LCOS FX 11.2, you can edit certain firewall objects that were centrally defined in the LANCOM Management Cloud (LMC) directly on the local firewall. This eliminates the need to create duplicate objects, for example when configuring additional features such as NAT. Attributes originating from the LMC via Smartconfig or add-ins remain write-protected and continue to be centrally managed. All other attributes can be flexibly adjusted locally. If an object (e.g., an LMC network) is deleted or removed from a site in the LMC, it is automatically removed locally as well – with full traceability in the audit log. This gives administrators greater efficiency, transparency, and flexibility while maintaining centralized control through the LMC.


Further features & improvements

  • Integration of a SICCT proxy for the secure operation of card readers in the healthcare sector (Telematics Infrastructure)
  • Update and expansion of Bitdefender content filter categories in line with the LCOS operating system
  • Centralized syslog collection in the LANCOM Management Cloud (LMC)
  • Enhanced BGP functionality for flexible and reliable routing
  • SAML: It is possible to select a primary group. This means that only groups and users within this group are synchronized, in order to speed up synchronization in large organizations.
  • SAML: It is possible to use the TrustStore to verify the IDP certificate.
  • SAML: The IDP certificate/CA is selected from a drop-down menu.
  • Let's Encrypt: The type and length of the key can be set: RSA 2048 (legacy), RSA 4096, ECDSA (recommended)
  • The menu item “Proxy CAs” has been renamed “TrustStore”.

Notes on container use

  • In general, containers are not limited in terms of resources and can exhaust the appliance’s resources. However, if the RAM is exhausted, the system automatically stops the process that causes the highest memory consumption.
  • Tags of Docker images that are updated upstream, e.g. ‘latest’, are not automatically pulled.
  • To use the Docker container functionality, you need to activate a SAG Basic or SAG Full license (Secure Application Gateway) on your firewall. The SAG Full license can be tested free of charge for 30 days when purchasing a new firewall or upgrading firewalls in isolated test environments to LCOS FX 11.2 RC.

Firmware Lifecycle Management

Our free operating systems LCOS, LCOS SX, LCOS LX, and LCOS FX are constantly undergoing further development. The following information explains our notation of the development status and version names.

Glossary

Release Candidate (RC)

A release candidate has been extensively tested by LANCOM and includes new LCOS features. It is suitable for testing and is not recommended for use in productive environments.

Release version (REL)

The release has been extensively and successfully tested in practice. It contains new features and improvements to previous LANCOM operating system versions and is therefore recommended for use in productive environments.

Release Update (RU)

A release update is a further development of an initial release version in productive environments and contains minor improvements, security fixes, bug fixes, and smaller features.

Security Update (SU)

Important security fixes of the respective LANCOM operating system version are included in a security update, which ensures that your security level remains very high on an ongoing basis in your productive environment.

Further information

Lifecycle management

With LANCOM Systems you have a manufacturer at your side who offers unparalleled investment protection. The lifecycle policies from LANCOM also provide full transparency and reliable planning with regard to the firmware updates and product support for your LANCOM infrastructure.

Overview of firmware versions

Keep track of our current operating system versions of LCOS, LCOS LX, LCOS FX, and LCOS SX with our firmware version overview. It provides a comparison of the different versions and recommended usage, so that you are always well informed.

LANCOM release process

Our aim is the optimal preparation of our operating systems and other software, not only for its use in practice, but also to adapt it to the wishes of our customers. This is why we enter into active dialog with our customers even during the development phase as part of our release procedure.

Note for LCOS FX download

The LCOS FX Release Candidate is the upcoming version of LCOS FX that will be made available to LCOS FX users for field testing after extensive testing by LANCOM and will contain many new features and enhancements. It is being developed in a practical manner and with direct user feedback in mind.

Before any LCOS update, be sure to back up your current device configuration. Devices featuring the "Firmsafe" function have the option of an initial "test mode" firmware upload. The new firmware is activated permanently only if the device has been accessed with a log-in or for configuration purposes before the pre-set time period has expired. Otherwise, the device switches back to its former version.

The latest version of LCOS FX 11.2 RC1 is ready for download directly in your LANCOM R&S®Unified Firewalls' web interface or via the myLANCOM Firewall License Portal. You can find further information here:

Feedback

Tell us about your experience with the release candidate!

You can best share your feedback on the LCOS FX Release Candidate with us via the support portal. This portal is available to you as a LANCOM partner or as an end customer with a LANcare contract. We look forward to receiving your feedback.

FAQ

How can LCOS FX 11.2 be activated on a (new) firewall?

When purchasing and commissioning your firewall for the first time, you should always perform a software update to LCOS FX 11.2. Please note that you will need the corresponding SAG license (SAG Basic or SAG Full) to use the full range of features, including support for Docker containers. A 30-day trial version of the SAG licenses is included free of charge when you purchase a new firewall, or upgrade your firewall in isolated test environments to LCOS FX 11.2 RC.

On which firewall models can SAG licenses be used?

The SAG Basic and SAG Full licenses can be activated on all current desktop and rack models as well as on the vFirewall (sizes S to XL). To find out when a firewall is no longer supported, please refer to the product tables on the Lifecycle Management website.
Which customers are SAG licenses best suited for?

The SAG licenses (Basic or Full) are primarily intended for customers who want to flexibly enhance their firewalls with professional features and security mechanisms – without the need for additional hardware or separate servers. Typical use cases include:

  1. Integrating specialized applications (professional customization)
    For customers who want to run industry-specific or business-critical applications directly on the firewall via Docker containers, rather than on separate devices or additional servers. This reduces hardware requirements, simplifies the IT infrastructure, and lowers administrative overhead.
  2. Advanced security and analysis functions (extended security)
    For customers who require additional security or monitoring tools beyond the standard firewall features we offer. With SAG licenses, containers with such solutions – e.g., vulnerability scanners or log analysis tools – can be deployed. This enables LANCOM R&S®Unified Firewalls or vFirewalls to be individually extended.
  3. Decentralized tasks and remote maintenance (local administration)
    For customers managing multiple distributed sites who need to perform cross-location tasks reliably without installing extra hardware at each site. SAG licenses allow containers to run directly on the local firewall, supporting decentralized process automation or local services independently of the central data center.

How can service providers access the platform?

LCOS FX 11.2 including WebTunnel can be managed via the LANCOM Management Cloud (LMC) and continues to support all common VPN mechanisms. For example, containers can send status data through a firewall VPN tunnel.

How secure is it to run third-party software on a firewall or similar security device?

Running software in Docker containers directly on security devices offers significant advantages: containers operate in isolated environments with tightly scoped privileges and can be updated or extended flexibly, without affecting the core functionality of the system. All traffic – both between containers and to the outside – is consistently filtered through existing firewall rules. Optionally, a reverse proxy with SAML authentication can be placed in front: it manages access control, enforces centralized authentication (e.g., via single sign-on), and helps reduce the system’s attack surface. While running third-party software on a firewall may introduce potential security risks, these can be significantly mitigated through environment hardening, strict access controls, and regular updates – maintaining a high overall level of system security.

How can Secure Edge Computing be managed?

The configuration and installation of containers are handled via the REST API. LCOS FX 11.2 is maintained by LANCOM and supports over-the-air updates. Since the container configuration is included in LCOS FX backups, it is automatically migrated during an update. Docker images are also automatically pulled from the configured registry.

In which scenarios is Secure Edge Computing useful?

Secure Edge Computing is beneficial wherever security-critical data needs to be processed directly on-site — close to the data source and in real time. Workloads no longer have to be offloaded to distant data centers or central infrastructures but can instead be efficiently handled in edge environments. Customer-owned Docker containers can run directly on the firewall, regardless of the surrounding system architecture.

Typical use cases include running vulnerability scanners, isolating legacy systems, or enabling secure remote access. It also supports direct connectivity and monitoring of modern production machines at the edge — helping to detect failures more quickly and optimize production processes.

In short: Secure Edge Computing is ideal wherever data sovereignty, real-time capability, and the security of distributed systems are critical — from healthcare and critical infrastructure to Industry 4.0.
