Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Sophos UTM v9.1 and v9.2 are affected by the OpenSSL vulnerability ('Heartbleed' bug). Therefore we strongly recommend that customers patch their Sophos UTM's. This article explains how to download the patch, apply it to your UTM and regenerate the SSL certificates.
Applies to the following Sophos product(s) and version(s) Sophos UTM v9.1 and v9.2
The following modules are affected:
Each of the steps above are explained in detail below. It is important to follow the steps in the order listed. If you have problems contact Technical Support (link at the bottom of this article).
Note: If you are already running firmware release 9.111-7 or 9.201-23 you do not need to follow this step.
How to manually apply an Up2Date package
Although the update process through WebAdmin is not affected by the Heartbleed bug, we recommend installing the patch manually through shell access (SSH) to the UTM once the UTM has been connected to the internet and your local network. Instructions for configuring shell access on the UTM is provided in KBA 133645.
Options for SSH Access to the UTM
This is the easiest way to login to the UTM through the shell and requires no additional software like Putty. Attach a monitor and USB keyboard to the UTM and you can login directly with the root username and password you set in KBA 133645.
Mac and Linux users can use the Terminal program to login remotely to the UTM
Download the Putty application and follow the steps in KBA 133645 to connect to the UTM through the shell.
Download updates and install
Firmware versions between 9.100-8 to 9.107-33
First update to 9.109-1 through the UTM (Management - Up2Date) by sequentially applying the updates rather than clicking on the button "Update to latest version now".
Firmware versions between 9.109-1 and 9.2x
In case you have a new UTM device which has never been connected to the internet and your local network:
In this case you have the option to install the package via the WebAdmin.
Before you can trigger the update you have to download the needed package to your local system:
9.107-33.1 update to 9.109-1
ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.107033-108023.tgz.gpg (MD5) (first update: from 9.107 to 9.108)
ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.108023-109001.tgz.gpg (MD5) (second update: from 9.108 to 9.109)
9.109-1 update to 9.111-7 (both updates are needed)
ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.109001-110022.tgz.gpg (MD5) (first update: from 9.109 to 9.110)
ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.110022-111007.tgz.gpg (MD5) (second update: from 9.110 to 9.111)
9.111-2 to 9.111-7 (Heartbleed patched release for 9.1x)
9.200-11 to 9.201-23 (Heartbleed patched release for 9.2x)
Now you can install the package via the WebAdmin. Therefore proceed as follows:
Note: Please repeat these steps for the Upload until you are at least on version 9.111-7
For more detailed information please check our update instructions for new Sophos UTM hardware:
Instructions for new Sophos UTM hardware
To ensure you have a copy of your current configuration, logon to the WebAdmin and navigate to Support | Printable Configuration and save the output locally.
Navigate to Management | Shutdown/Restart and click on Restart (Reboot) the system now
The next step is to regenerate the certificates for the following modules:
Note: It is not sufficient to only regenerate the certificate for the WebAdmin via the section Re-generate WebAdmin certificate in the WebAdmin. You first of all have to regenerate the CA via the CC. If you missed this step because of the initial version of this KB article please consider this step.
To regenerate the CA proceed as follows:
Next step is to re-generate the certificate for WebAdmin with the new CA, proceed as follows:
The WebAdmin certificate will be regenerated. Your UTM will reload automatically and you will have to re-login.
For IPSec Site-to-Site VPN:
If you use the UTM's VPN CA for IPSec Site-to-Site VPN as for SSL Site-to-Site VPN proceed as follows:
Note: If you are only using IPSec Site-to-Site VPN without SSL Site-to-Site VPN you do not have to consider these steps.
The CA will be regenerated. UTM informs you about success.
For SSL Site-to-Site VPN:
In case you are using SSL Site-to-Site VPN proceed as follows:
Note: Once the CA is regenerated for the SSL Site-to-Site VPN you have to deploy the new VPN configuration to the remote gateway as regenerating the CA will result in a loss of the VPN connection for the remote gateway.
For IPSec Remote Access VPN:
If you use the UTM's VPN CA for IPSec Remote Access VPN as for SSL Remote Access VPN proceed as follows:
Note: If you are only using IPSec Remote Access VPN without SSL Remote Access VPN you do not have to consider these steps.
For SSL Remote Access VPN:
In case you are using SSL Remote Access VPN proceed as follows:
Note: Once the CA is regenerated you have to deploy the new VPN configuration to all of your clients as regenerating the CA will result in a loss of the remote connection for all VPN clients.
Note for SSL VPN Client: To protect clients against malicious SSL VPN servers and man-in-the-middle attacks, it is highly recommended to not only redeploy new SSL VPN configurations, but also update the client to the latest version.
For HTML5 VPN Portal:
If you use HTTPS encrypted HTML5 VPN portal connections to UTM or SUM you have to regenerate the certificates. Proceed as follows:
The regenerated certificate is active.
For Cisco VPN:
If you use the UTM's VPN CA for Cisco VPN as for SSL Remote Access VPN proceed as follows:
Note: If you are only using Cisco VPN without SSL Remote Access VPN you do not have to consider these steps.
For Webserver Protection:
To regenerate the certificates for Webserver Protection, proceed as follows:
The regenerated certificate is active now.On demand repeat this for other affected virtual webservers.
If you use certificates for SMTP which were generated by the UTM and you use TLS settings regenerate the certificates for SMTP. Proceed as follows:
If you use certificates for POP3 which were generated by the UTM and you use TLS settings regenerate the certificates for POP3. Proceed as follows:
If you use RED devices it is necessary to delete them all and reconfigure them. Proceed as follows:
Alternatively you can use the following knowledge base article to reconfigure all RED devices at once: KBA 120916
Once you reconfigured the RED devices you have to reassign the interfaces. Therefore proceed as follows:
Do NOT restore the devices with help of backups because it may be that then affected certificates will be restored, too.
For HTTP Proxy:
If you use HTTPS encrypted CAs for HTTP proxy, proceed as follows:
The CA's will be regenerated.
For Client Authentication:
If you use the feature Client Authentication, proceed as follows:
Once the system has been patched and all certs regnerated please change the security credentials for:
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.