We're excited to announce that we've just released Sophos UTM 9.506 on AWS. We've added several new features specifically designed for our customers in AWS. With this release, we have introduced the usage of an AWS Profile for deploying OGW, a new update page in WebAdmin, the reduction of permissions needed for Auto Scaling deployments, and included InSpec for checking the health state of a UTM instance. In addition to that, the failover time for our High Availability deployments has been significantly improved.
AWS Profile for OGW
To increase flexibility when it comes to permissions and roles used by the UTM on AWS Auto Scaling deployment, we have introduced the possibility to attach an AWS Profile to deploy and monitor the Outbound Gateway. This makes it possible for our customers to establish privilege separation in their OGW installations. Please see the knowledge base article How to create an AWS profile for automatically deployed OGWs for further details.
Customers already using OGW will also need to follow the KBA to create a new profile and attach it to their existing OGW configuration. Without the profile the OGWs still work as expected and are listed in the WebAdmin, but managing them won’t be possible any longer.
New update page in WebAdmin
We have restructured the update page in WebAdmin for our High Availability and Auto Scaling customers. We have learned that most of our customers deploy our UTM on AWS products from modified templates. To avoid overwriting those modified templates, we have removed the automated update and instead added helpful details to the page to ease the manual update process.
The page now shows the AMI ID, a link to the release notes as well as the option to directly navigate to the current stack in the AWS Management Console. In addition to that, links to the most recent template for the deployment type and the changelog are provided.
If no update is available, the WebAdmin page shows information about the current version as well as the details stated above.
Reduced permissions needed for Auto Scaling deployments
We have listened to our customers who told us that the permissions required by our Auto Scaling deployment were too broad. We have therefore further reduced the permissions needed for Auto Scaling deployments in order to align with the principle of least privilege. Please see the changelog and the updated documentation of the permissions on GitHub for more details.
InSpec on UTM on AWS
In order to make it possible for our customers to verify that the UTM on AWS works as expected, we’ve introduced InSpec on the UTM on AWS. InSpec is an audit and test framework developed by Chef.
InSpec will be used to check whether:
The knowledge base article How to use InSpec on the UTM on AWS covers the usage of InSpec as well as how to write custom profiles to extend the solution.
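As an illustration of the kind of custom profile the knowledge base article describes, here is a small InSpec profile (Ruby DSL) that checks two basic health properties of a UTM instance. It is an added example, not the profile shipped by Sophos, and it assumes that WebAdmin listens on TCP 4444 (the UTM default, adjust if you changed it) and that a healthy instance has a default IPv4 route.

```inspec
# Added example profile, not Sophos' shipped InSpec profile.
# Assumptions: WebAdmin on TCP 4444 (UTM default), default IPv4 route present.

control 'utm-01-webadmin-listening' do
  impact 0.7
  title 'WebAdmin is accepting connections'
  desc  'A UTM whose WebAdmin port is closed cannot be managed or updated.'
  describe port(4444) do          # assumed WebAdmin port
    it { should be_listening }
    its('protocols') { should include 'tcp' }
  end
end

control 'utm-02-default-route' do
  impact 1.0
  title 'Instance has a default IPv4 route'
  desc  'Without a default route the UTM cannot forward traffic or reach AWS APIs.'
  describe command('ip -4 route show default') do
    its('exit_status') { should eq 0 }
    its('stdout') { should match(/^default via/) }
  end
end
```

Place the controls in a profile directory (for example `utm-health/controls/health.rb` with an `inspec.yml` next to it) and run them with `inspec exec utm-health`, either locally on the instance or against it over SSH with `-t ssh://user@host`. A failing control tells you which property broke, which is more useful during a failover or scaling event than a bare "instance unhealthy" signal.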
Faster failover for High Availability
Customers relying on our High Availability deployment will now see a reduced failover time resulting in lower downtime.
Disable backend pooling for the WAF on Auto Scaling
Backend pooling for the Web Application Firewall is now disabled by default in the Auto Scaling deployment. This supports scenarios where load balancers with quickly changing DNS entries reside behind the UTM on AWS.
NUTM-8039 [AWS] Conversion after updating to 9.501 was not possible
NUTM-7148 [AWS] Conversion fails due to AWS rate limit exceeded
NUTM-7199 [AWS] cloud.sh logs to own log file
NUTM-7741 [AWS] Removing password from user data
NUTM-7891 [AWS] awslogsd.log is being flooded with log messages
NUTM-7896 [AWS] Better Messaging for Conversion Utility
NUTM-7979 [AWS] Renaming of "Conversion" to "Conversion Utility"
NUTM-7995 [AWS] Decreased failover time for HA
NUTM-8041 [AWS] Restore overwrites applied license from license pooling
NUTM-8233 [AWS] AWS Profile settings for CloudWatch are overwritten after update
NUTM-8388 [AWS] Inspec on UTM on AWS
NUTM-8438 [AWS] CloudFormation input can harm basic setup
NUTM-8626 [AWS] New update mechanism and page in WebAdmin
NUTM-8874 [AWS] dns-resolver stopped working after updating to 9.503 on AWS
NUTM-7608 [AWS] Reduction of IAM permissions for Auto Scaling deployments
NUTM-8141 [AWS] Disable backend pooling by default within the WAF on Auto Scaling
NUTM-8207 [AWS] WAF statistics are inaccurate in Auto Scaling deployment
NUTM-8518 [AWS] aws_resource_management is sometimes killed due to timing issue
NUTM-8785 [AWS] Authorization token for OGW stated in the template is not validated
NUTM-8793 [AWS] aws_egw_stack.log is not uploaded to cloudwatch
NUTM-9043 [AWS] Backupd was not started
Sophos UTM 9.506 also includes bug fixes of the following general releases:
You can update to UTM 9.506 by running up2date for UTM Standalone or by updating your CloudFormation stacks for High Availability and Auto Scaling deployments. Let us know what you think about our new release by posting to our user community forums.