UTM Up2Date 9.600 Released

Hi Everyone,

Today we've started to release UTM 9.600. The release will be rolled out in phases.

  • In phase 1 you can download the update package from our FTP server.
  • In phase 2 we will make it available via our Up2Date servers in several stages.
  • In phase 3 we will make it available via our Up2Date servers to all remaining installations.

What's new in UTM 9.6?

ATP: New Advanced Threat Protection Library

  • Better performance and protection

Certificates: Let's Encrypt Integration

  • Generate and renew Let’s Encrypt certificates from within UTM

  • Generated certificates can be used in all UTM components

RED: Unified RED Firmware

  • Better 3G/4G Support

Sandstorm: Manual File Submission

  • Allows an admin to upload a file for detonation within Sophos Sandstorm

  • Files that have not been received via email or web download can also be analyzed with Sophos Sandstorm

Sandstorm: Persistent Reports

  • Reporting for Sandstorm Activity over time and with historic information

  • Reporting also covering hash lookup based results from Sophos Sandstorm

SMTP Proxy: Enhancements

  • Submission Port support in SMTP Proxy

  • Configurable Listen Address in SMTP Proxy

WAF: Error Page Customization

  • Custom themes for all error pages that are delivered by WAF

  • Allows to provide corporate identity on all pages


Up2Date Information

Behavior Changes

After updating to UTM 9.6, the old content warn HTML template in HTTP Proxy will no longer function correctly. Please download the updated templates, customize them to your needs and re-upload to the UTM. For further details, please see KBA133167.


  • Features Release

  • .
  • ATP: New Advanced Threat Protection Library with better performance and protection

  • Certificates: Let's Encrypt Integration

  • RED: Unified RED Firmware with better 3G/4G Support

  • Sandstorm: Manual File Submission

  • Sandstorm: Persistent Reports

  • SMTP Proxy: Submission Port Support

  • SMTP Proxy: Configurable Listen Address

  • WAF: Error Page Customization


  • System will be rebooted

  • Configuration will be upgraded

  • Connected REDs will perform firmware upgrade

  • Connected Wifi APs will perform firmware upgrade


  • NUTM-10128 [Access & Identity] MDW waits hours for lock on shared cache with AUA

  • NUTM-10130 [Access & Identity] Unable to connect RDP type bookmark with NLA

  • NUTM-7418 [Access & Identity] SAA - Rename Client Auth CA

  • NUTM-9368 [Access & Identity] SSL VPN: optional user auth not working

  • NUTM-9525 [Access & Identity] Disk filling up with argos error messages in endpoint.log

  • NUTM-9843 [Access & Identity] HTML5 VPN portal connections periodically stop working until service is restarted

  • NUTM-10080 [Basesystem] Update to latest Avira SAVAPI version

  • NUTM-10366 [Basesystem] Missing IP address in IPset of user network for STAS

  • NUTM-9783 [Basesystem] IPsec routing issue if gateway interface has additional addresses

  • NUTM-9810 [Basesystem] IPset Object takes 30 seconds to update after SSL VPN connection was established

  • NUTM-9860 [Basesystem] Selfmon trying to start DHCP even when not in use

  • NUTM-10226 [Email] Can't release POP3 messages due to URL in User Portal

  • NUTM-9681 [Email] cssd coredumps and root partition is filling up

  • NUTM-9716 [Email] S/MIME encryption - automatic certificate extraction causing high load / no webadmin access

  • NUTM-9733 [Email] Change default encryption algorithm to 'smime'

  • NUTM-9853 [Email] Fix policy traversal (for gpg, smime, unscanable)

  • NUTM-9882 [Email] Umlauts in mail addresses get corrupted if SPX encryption is used

  • NUTM-10181 [Network] Remove DNSdynamic from available dynamic DNS providers

  • NUTM-10307 [Network] ATP exception still working after deletion

  • NUTM-10337 [Network] High CPU load by AFCd when hotspot is enabled

  • NUTM-10414 [Network] Segfault in oculusd

  • NUTM-2791 [Network] Fix detection of sub applications in Application Control

  • NUTM-4767 [Network] SSH for single host skipping AFC check

  • NUTM-9462 [Network] Update to BIND 9.11 ESV

  • NUTM-10197 [RED] All REDs disconnect intermittently

  • NUTM-10227 [RED] Offline provisioning does not work

  • NUTM-10303 [RED] Unified FW: split networks does not work

  • NUTM-10384 [RED] Update hostapd for Unified-FW

  • NUTM-9026 [RED] TP-LINK MA260 dongle on RED doesn't work anymore after update to v9.5

  • NUTM-9795 [RED] RED50 issue with large packets in Transparent/Split mode

  • NUTM-10060 [Reporting] ATP alerts / events not deleted after three days

  • NUTM-10201 [Reporting] Unable to download S/MIME internal user certificate

  • NUTM-10352 [Sandstorm] Sandstorm Activity Report table and graph do not show same data

  • NUTM-10367 [Sandstorm] Sandstorm Activity Graph does not include email cached results

  • NUTM-2644 [UI Framework] Webadmin prefetching list box not displaying any users, if one user contains a single tick

  • NUTM-10066 [WAF] Existing certificate chain overrides after new certificate chain has been added

  • NUTM-10185 [WAF] Using printenv SSI directive in custom theme causes segfault

  • NUTM-10315 [WAF] Let's Encrypt can't be enabled after upgrade from 9.5 (/etc/ssl/certs not accessible)

  • NUTM-10316 [WAF] Let's Encrypt certificates allow wildcards in domain name list

  • NUTM-10332 [WAF] Let's Encrypt not working over IPv6

  • NUTM-9809 [WAF] Potential memory allocation failure for "Rewrite HTML" + location with special characters

  • NUTM-10188 [WebAdmin] [OTP] QR code not visible for the first user login

  • NUTM-10214 [WebAdmin] Breach Vulnerability in WebAdmin (CVE-2013-3587)

  • NUTM-6945 [WebAdmin] Popup too small for secret when deleting SHA512 OTP token

  • NUTM-7381 [WebAdmin] Login to UserPortal only works at second try when using RADIUS authentication

  • NUTM-9424 [WebAdmin] Webadmin session interrupted with pop-up "Backend connection failed"

  • NUTM-10200 [Web] Segfault in libc-2.11.3.so

  • NUTM-10284 [Web] HTTP Proxy crash with coredumps

  • NUTM-9676 [Web] HTTP Proxy out-of-memory segfault / HTTP Proxy stops working with "Avira engine not available"

  • NUTM-9854 [Web] Warning page bypass using crafted URLs

  • NUTM-9873 [Web] File blocked due to MIME type detection even if there is an exception

  • NUTM-9956 [Web] HTTP Proxy coredumps in geoip scanner

  • NUTM-10365 [Wireless] RED15w: SSID isn't broadcasted when "Enterprise Authentication" is in use


While the release is in soft-release phase, you can find the up2date package on our FTP server at:

If you are already running 9.6 Beta2, please use the following update packages:

  • Update went smooth from 9.510 :)

    Two important things for using Let's encrypt:

    1. When you are using country blocking, you need to create an exception "going to destination" -> %used lets encrypt interface% (mostly firewall wan interface (adresse)) using "http"

    (extra hint: using a dns group definition for "acme-v01.api.letsencrypt.org" wont work)

    2. DNAT for http needs to be disabled for interfaced used for lets encrypt

  • u2d-sys-9.580007-600005.tgz.gpg.md5 is empty

  • Hi j0hnV,

    thanks for the hint. I requested a replacement of the file. For the meanwhile:

    The md5sum of u2d-sys-9.580007-600005.tgz.gpg is b28ed88ecc7dd0a99e745079b7d151e0.

  • New ping/pong at red.log after update

    2018:11:26-11:17:45 utm red_server[4567]: A3400XXXXXXXXX: command '{"data":{"seq":19},"type":"PING"}'

    2018:11:26-11:17:45 utm red_server[4567]: A3400XXXXXXXXX: Sending json message {"data":{"seq":19},"type":"PONG"}

    2018:11:26-11:18:01 utm red_server[4567]: A3400XXXXXXXXX: command '{"data":{"seq":20},"type":"PING"}'

    2018:11:26-11:18:01 utm red_server[4567]: A3400XXXXXXXXX: Sending json message {"data":{"seq":20},"type":"PONG"}

  • After update, RED connexion was lost... In logs, there's a message "ssl connect accept failed because of handshake problems".

    RED is seen by UTM as connected (green button) but no connexion. Reboot don't help, I've deleted all RED config (network, interface, rules etc...) same behaviour.

    The only "solution" was to turn off tunnel encryption even if message with handshake is still here

  • @openfield

    i have the same issue and i send it to the Sophos support.

    br mcwolle

  • After upgrade from 9.510-5 to 9.600-5, proxy started to respond with status "416 Requested range not satisfiable" to any request, that has to be scanned with AV and includes Range: header; in /var/log/http.log, the denied request has reason="range". On the outside wire, the request from proxy to webserver is processed correctly. After putting problematic URL patterns to web filtering exception rule with AV scanning turned off, the requests are processed as before.

    Is this intended behavioral change in 9.6? I know, the partial content serving can be abused to bypass AV scanning, so generally it is good idea to handle requests with partial content differently and not to pass their responses without scanning, but IMHO there should be more sophisticated algorithm at the proxy to deal with this situation: 1) send HEAD to determine the content size, whether it is within size limit for scanning; 2) if it is over the size limit, process request without scanning; 3) if it is within the size limit, request whole content, scan it and serve partial content to the client.

  • Two problems with RED15w after update.

    First: No SSL/TLS connection possible over a RED-Tunnel, connections timed-out. Broke it down to tunnel compression option. If I deactivate the tunnel compression, management interface of an Equallogic storage and another UTM webadmin website behind the RED possible again.

    Second: A RED15w is now a RED15 only. The access point either doesn't work anymore, or maybe, it doesn't get a dhcp lease from the DHCP server on the connected UTM!

  • In case of a RED15w AP connection issue I've found the following log entries:

    2018:11:28-10:14:51 utm awed[5750]: [MASTER] new connection from

    2018:11:28-10:14:51 utm awed[25327]: [A360178B595288F] RED15w from identified as A360178B595288F

    2018:11:28-10:14:51 utm awed[25327]: [A360178B595288F] (Re-)loaded identity and/or configuration

    2018:11:28-10:14:51 utm awed[25327]: [A360178B595288F] Corrupt payload. Device may have wrong key. MD5 of the key is 57e7207b21257b079656311ae387f8f4. Delete device to re-register it.

    After deleting the RED AP and re-registering it works :)  

  • SPX-Outlook-Addin in version 1.3.4. Forget to push 1.3.6 in UTM 9.6.

  • After the upgrade from 9.510-5 to 9.600-5 country blocking stopped working correctly, North America was set to OFF but the UTM keeps blocking https traffic to (Google/USA), I had to add an exception for outgoing https traffic...

  • Did anyone managed to get the correct hash for u2d-sys-9.510005-600005.tgz.gpg ??? I downloaded it 3 times and I still don't get the correct hash.

    Is it SHA-1 ? or something else ?

  • We updated from 9.510 to 9.6 and our Virtual Sophos UTM mixed his virtual interfaces. We had to recover from snapshot. Anyone else with this issue?

  • My SG210 just goes dead for a couple of seconds and returns after updating to the latest 9.600-5 firmware. I though it was my ISP but if lose connections to every subnet that the UTM is responsible for routing the traffic.