UTM Up2Date 9.508 Released

Hi Everyone,

Today we've released UTM 9.508. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.


  • When installing the update packages manually, please make sure to upload both update packages 9.507 and 9.508.
  • S/MIME Encryption updates: This release brings changes to the S/MIME feature to fully conform with new GDPR regulatory requirements for encryption. Core to these changes are new algorithms to perform encryption and signatures within S/MIME. Due to the changes in the signature algorithms, older implementations of S/MIME - including previous Sophos UTM releases - can no longer verify signatures produced with the new algorithms. Encryption and decryption of emails is not affected by this change. For details, please read the following KBA at https://community.sophos.com/kb/en-us/131727.

Up2Date Information


  • Maintenance Release


  • System will be rebooted
  • Configuration will be upgraded
  • Connected APs will perform firmware upgrade


  • NUTM-8739 [Access & Identity] Argos segfault and coredump after update to v9.502
  • NUTM-9164 [Access & Identity] SSLVPN installation packages fail to copy user profile during installation
  • NUTM-9344 [Access & Identity] All users are locked when a lockout policy via GPO was set
  • NUTM-9047 [Basesystem] VLAN interface on the bridge doesn't come up when slave becomes the master
  • NUTM-9296 [Configuration Management] Report Auditor is unable to open the dashboard in UTM
  • NUTM-9397 [Configuration Management] Log Remote Archiving via SCP fails when used with OpenSSH >= 7.0
  • NUTM-9497 [Documentation] ATP - Invalid status display on Webadmin for Japanese,Russian,Spanish language
  • NUTM-4174 [Email] POP3 spool cleanup does not work
  • NUTM-8794 [Email] Wrong MIME Type detection
  • NUTM-8937 [Email] Upgrade SMIME
  • NUTM-9046 [Email] SPX binary error with Office365
  • NUTM-9098 [Email] Mail stuck in work queue
  • NUTM-9252 [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963
  • NUTM-9259 [Email] POP3 Proxy coredump in "libc_start_main"
  • NUTM-9337 [Email] Selecting an AD Server for AD Recipient Verification in SMTP isn't possible after update to v9.506
  • NUTM-9382 [Email] WebAdmin user not able to disable the "Recipient Verification" in SMTP Routing
  • NUTM-9303 [HA/Cluster] HA "max_nodes" option set to 3 causes named to fail to start
  • NUTM-9405 [HA/Cluster] Interface MAC addresses shouldn't get replicated on slave node if virtual_mac is set to 0
  • NUTM-3497 [Network] BGP soft-reconfiguration not working
  • NUTM-8118 [Network] After upgrading to 9.500 "Service Monitor not running - restarted" notifications being received
  • NUTM-8432 [Network] Local Privilege Escalation via confd Service
  • NUTM-8604 [Network] Changing a bridge IP address causes bridge to go down when using vlans
  • NUTM-8887 [Network] DNS group objects doesn't delete old IP addresses
  • NUTM-9064 [Network] Network monitoring daemon constantly restarts since upgrade to 9.503
  • NUTM-9177 [Network] Disabled static routes are being put into the routing table
  • NUTM-9465 [Network] Wrong/Old IPv6 Tunnel Broker URLs in Webadmin
  • NUTM-8759 [Sandboxd] Add support for Sandstorm's Asia data centre
  • NUTM-9006 [UI Framework] Not possible to download different SSLVPN User Profiles in one Firefox session
  • NUTM-6955 [WebAdmin] Error text appears in dialog when trying to view user object usage
  • NUTM-8567 [WebAdmin] Update to ImageMagick-7.0.7-11
  • NUTM-9116 [WebAdmin] Object information can't be displayed for specific objects
  • NUTM-9128 [WebAdmin] PCI Scan failing on UserPortal due to missing HSTS and CSP
  • NUTM-9430 [WebAdmin] Issue with X-Content-Type-Options header presented by UTM
  • NUTM-7201 [Web] HTTP Proxy connections hang in CLOSE_WAIT state
  • NUTM-8638 [Web] Add group visibility in log with unlimited AD groups
  • NUTM-8746 [Web] After changing group membership, old one is still available from winbind
  • NUTM-8886 [Web] TLS Input/output error when connecting to web site
  • NUTM-9113 [Web] HTTP Proxy coredump on 9.505
  • NUTM-9166 [Web] HTTP Proxy coredump on function deny_ntlm_auth
  • NUTM-9332 [Web] DNSExpire coredump causes slow browsing
  • NUTM-9416 [Web] HTTP Proxy coredump on 9.506 with signal SIGFPE Arithmetic Exception
  • NUTM-3127 [Wireless] AP55/100 connection issues - disconnected due to excessive missing ACKs
  • NUTM-6640 [Wireless] Fix visibility of Fast Transition option in different security modes
  • NUTM-7013 [Wireless] Frequent disconnects on guest wifi network after >1 week
  • NUTM-8243 [Wireless] Update dropbear SSH Server to fix CVE-2016-7409, CVE-2016-7408, CVE-2016-7407, CVE-2016-7406
  • NUTM-8299 [Wireless] UTM stops broadcasting SSIDs for the built-in wireless after upgrade to 9.5
  • NUTM-8781 [Wireless] W-appliance - wireless network connection issue with Bridge to AP LAN
  • NUTM-8827 [Wireless] Internal wireless not broadcasting SSID after updating to 9.503
  • NUTM-8832 [Wireless] Integrated wireless adapter can be deleted
  • NUTM-8930 [Wireless] Unable to see the SSID and connect to local wifi on 2.4 Ghz band
  • NUTM-8940 [Wireless] kernel: [ xxxx.xxxxx] CPU: 0 PID: 13902 Comm: iw Tainted: G W O 3.12.74-0.265397234.g263c982.rb6-smp64 #1
  • NUTM-8945 [Wireless] SG115w SSID not broadcasted since updated to 9.503


Up2Date Information for Wireless Firmware 11.0.003

As part of UTM 9.508, the wireless firmware is updated to 11.0.003.


  • NUTM-9338 [Wireless] Client is not getting disconnected if MAC address is removed from whitelist
  • The soft release is available for download from the below FTP link:

    DL: ftp.astaro.com/.../u2d-sys-9.507001-508010.tgz.gpg

    Size: 167MB

    MD5: fc1f20ea2cc397863213c86115da3d55

  • Exchange 2019 will probably be released by the end of the year if there is ever an update to the waf for Exchange 2016 before we eventually migrated to 2019 :D

  • Will all the s/mime certificates for email encryption automatically be regenerated?

    If not- how to export a list with email encryption users and comments? And then how to import this list for automatically regenerate smime certificates?

  • Markus,

    Article  community.sophos.com/.../131727  captured the information on how to deal with (optional) certificate regeneration.

  • The UTM 576 Bug is back :(

    My first Sophos was plagued with problems, slow or non-existent loading of sites like the BBC, Google Maps or Reddit. It took months of emails, research and support tickets before we found the problem was an MTU setting.

    The 9.4 series firmware introduced a bug where it would only allow whatever MTU your ISP sent. In many cases this was 576, however this caused the browsing problems described above.

    I’ve been speaking with Sophos Support and they said this problem can be worked around in CLI or do a factory image of 9.5.

    The first fix was to modify the backend via CLI to ignore the ISP MTU, this worked.

    Once the WAN MTU was set to 1500 all the problems went away.

    But I was advised re-imaging to 9.5 would fix the problem for good.

    So yesterday I factory imaged 2 Sophos units to 9.5 and the bug was gone

    Today I updated my test SG 135 to 9.508-10 and the bug has returned!

    So now I have to refuse all future updates from the Factory ISO of 9.5, or presumably hack a workaround in CLI again?

    What should I do?

  •  I sent you a private message regarding your issue.

    The issue you described may not be related to updating to 9.508. It could be due to re-imaging your UTM.

    By default MTU auto discovery feature is enabled and if your ISP DHCP server broadcast a small MTU size you may run into the issue you described. Please see my message for further details on the issue,

  • "The issue you described may not be related to updating to 9.508. It could be due to re-imaging your UTM."

    As I stated in my original comment:

    "So yesterday I factory imaged 2 Sophos units to 9.5 and the bug was gone."

    I was advised by Sophos Support that re-imaging using the ISO 9.5 was the best way to remove this bug.

    They were right, re-imaging gets rid of this bug, I was very happy.

    What made me very unhappy was updating from 9.502 to 9.508-10 re-introduced this bug.

    What really upsets me is that this bug took me months to find as Sophos Support had no idea what was causing all my problems.

    Until one clever person finally realised it was the MTU problem.

    This was fixed in the 9.5 ISO, Sophos have now brought it back.

    Please, for the sake of all our sanity, enable the MTU setting in the GUI!

  •  Thanks for the feedback, we will look into adding a UI option for disabling auto_mtu_discovery feature.

    Re-imaging your system enables auto_mtu_discovery feature which was previously disabled.

    The question I have is, prior to re-imaging your UTM did you update to 9.508 and run into this issue or did you run into this after re-imaging your UTM and then updating to 9.508? What was the original reason for re-imaging your UTM to 9.5?

  • Hi all,

    Researching the upgrade path from 9.506-2 to 9.508-10 to see what problems to expect and would love a fill in on the MTU issue described here. You can change the MTU setting in interfaces, so not sure what you are referring to. If there is an issue with MTU directly impacting web browsing then I could very well be suffering from the same issue.

    I have noticed that our UTM performs better for browsing sites after a reboot, so much so that I scheduled a reboot to occur every night. Even had users compliment how fast the internet was when they were not aware that I had implemented the workaround. A single HTTP file download such as speed test will be fine, however browsing is sluggish and times out - gets worse over time. There is definitely an issue with an underlying service somewhere, and it has existed for a long time.

    I will be remote upgrading our UTM so want to avoid having to reimage the system as much as possible.

  • Updated from 9.506 to 9.508, MTU auto discovery previously disabled on WAN interface. After applying up2date's, MTU auto discovery is still disabled on WAN interface.

    TLDR -> Interface MTU settings retained after applying this update.

  • After update to UTM 9.508, AWS VPN tunnels failed.

    After the update, I have site to site vpn connection issue. The vpn connection status is up, but i cant reach our amazon vpc server. I have tried to delete the connection and setup again. But still cant access.

    No roll back issue, only restore from backed up AMI solve the issue.

  • This breaks AWS VPC. By all accounts it’s a known issue and sophos have a patch but not realeased yet. They really should have pulled the update. So angry.