Sophos UTM 9.506 on AWS Release Notes

We're excited to announce that we've just released Sophos UTM 9.506 on AWS. We've added several new features specifically designed for our customers in AWS. With this release, we have introduced the usage of an AWS Profile for deploying OGW, a new update page in WebAdmin, the reduction of permissions needed for Auto Scaling deployments, and included InSpec for checking the health state of a UTM instance. In addition to that, the failover time for our High Availability deployments has been significantly improved.

AWS Profile for OGW

To increase flexibility when it comes to permissions and roles used by the UTM on AWS Auto Scaling deployment, we have introduced the possibility to attach an AWS Profile to deploy and monitor the Outbound Gateway. This makes it possible for our customers to establish privilege separation in their OGW installations. Please see the knowledge base article How to create an AWS profile for automatically deployed OGWs for further details.

Customers already using OGW will also need to follow the KBA to create a new profile and attach it to their existing OGW configuration. Without the profile, existing OGWs continue to work as expected and are still listed in WebAdmin, but they can no longer be managed from it.

New update page in WebAdmin

We have restructured the update page in WebAdmin for our High Availability and Auto Scaling customers. We have learned that most of our customers deploy our UTM on AWS products from modified templates. To avoid overwriting those modified templates, we have removed the automated update and instead added details to the page that make a manual update easier.

The page now shows the AMI ID, a link to the release notes as well as the option to directly navigate to the current stack in the AWS Management Console. In addition to that, links to the most recent template for the deployment type and the changelog are provided.

If no update is available, the WebAdmin page shows information about the current version as well as the details stated above.

Reduced permissions needed for Auto Scaling deployments

We have listened to our customers who told us that the permissions required by our Auto Scaling deployment were too broad. We have therefore further reduced the permissions needed for Auto Scaling deployments to align them with the principle of least privilege. Please see the changelog and the updated documentation of the permissions on GitHub for more details.

InSpec on UTM on AWS

In order to make it possible for our customers to verify that the UTM on AWS works as expected, we’ve introduced InSpec on the UTM on AWS. InSpec is an audit and test framework developed by Chef.

InSpec will be used to check whether:

  • S3 resources are available and accessible.
  • System services are running.
  • Important ports are accessible.
  • PostgreSQL databases exist and contain the correct schema.
  • System configuration files exist.
  • Log files do not contain any severe errors.

The knowledge base article How to use InSpec on the UTM on AWS covers the usage of InSpec as well as how to write custom profiles to extend the solution.
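As an added illustration (this is not Sophos's code nor the InSpec profile shipped with the UTM), the script below performs the same classes of checks the list above describes, written as plain Ruby methods so the check logic is visible without the InSpec DSL: configuration files exist, important ports accept connections, and log files contain no severe errors. The severity markers, file paths, ports and log lines are constructed assumptions; the service and PostgreSQL checks need host access and are not simulated here.

```ruby
# Added example: plain-Ruby health checks mirroring the InSpec check
# categories from the release notes. Not Sophos's or InSpec's own code.
require 'socket'
require 'tempfile'

# Assumed severity markers that should never appear in a healthy log.
SEVERE_PATTERN = /\b(FATAL|CRITICAL|PANIC)\b/

# Constructed sample log (daemon names are illustrative, not captured output).
SAMPLE_LOG = <<~LOG
  2018-01-15T10:00:01 INFO  aws_resource_management: starting
  2018-01-15T10:00:02 WARN  awslogsd: retrying upload
  2018-01-15T10:00:03 FATAL backupd: could not open database
LOG

# "Log files do not contain any severe errors": return [line_no, line] pairs
# for every line matching SEVERE_PATTERN.
def severe_log_lines(log_text)
  log_text.each_line.with_index(1)
          .select { |line, _| line =~ SEVERE_PATTERN }
          .map { |line, n| [n, line.chomp] }
end

# "Important ports are accessible": true if a TCP connect to host:port
# succeeds within the timeout, false on refusal, unreachable host or timeout.
def port_open?(host, port, timeout = 1)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue StandardError
  false
end

# Run all checks and return a report; an empty value means the check passed.
def health_report(config_paths:, log_texts:, ports:, host: '127.0.0.1')
  {
    missing_configs: config_paths.reject { |p| File.exist?(p) },
    severe_log_lines: log_texts.transform_values { |t| severe_log_lines(t) }
                               .reject { |_, hits| hits.empty? },
    closed_ports: ports.reject { |p| port_open?(host, p) }
  }
end

# The instance is healthy only when every check produced no findings.
def healthy?(report)
  report.values.all?(&:empty?)
end

if $PROGRAM_NAME == __FILE__
  # Self-contained demo: a temporary config file, a listening loopback port
  # and the constructed log above (the second config path is assumed absent).
  cfg = Tempfile.new('utm-demo-cfg')
  srv = TCPServer.new('127.0.0.1', 0)
  report = health_report(config_paths: [cfg.path, '/nonexistent/assumed.conf'],
                         log_texts: { 'system.log' => SAMPLE_LOG },
                         ports: [srv.addr[1]])
  puts "healthy: #{healthy?(report)}"
  report.each { |check, findings| puts "#{check}: #{findings.inspect}" }
  srv.close
  cfg.close!
end
```

In a real InSpec profile each of these methods would become a `describe` block with a matcher, which is what lets the results feed an audit report; keeping the logic as ordinary methods shows what such a control actually evaluates.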

Faster failover for High Availability

Customers relying on our High Availability deployment will now see a reduced failover time resulting in lower downtime.

Disable backend pooling for the WAF on Auto Scaling

Backend pooling for the Web Application Firewall is now disabled by default in the Auto Scaling deployment. This supports scenarios where load balancers with quickly changing DNS entries reside behind the UTM on AWS.

Included issues

NUTM-8039 [AWS]  Conversion after updating to 9.501 was not possible
NUTM-7148 [AWS]  Conversion fails due to AWS rate limit exceeded
NUTM-7199 [AWS]  cloud.sh logs to own log file
NUTM-7741 [AWS]  Removing password from user data
NUTM-7891 [AWS]  awslogsd.log is being flooded with log messages
NUTM-7896 [AWS]  Better Messaging for Conversion Utility
NUTM-7979 [AWS]  Renaming of "Conversion" to "Conversion Utility"
NUTM-7995 [AWS]  Decreased failover time for HA
NUTM-8041 [AWS]  Restore overwrites applied license from license pooling
NUTM-8233 [AWS]  AWS Profile settings for CloudWatch are overwritten after update
NUTM-8388 [AWS]  Inspec on UTM on AWS
NUTM-8438 [AWS]  CloudFormation input can harm basic setup
NUTM-8626 [AWS]  New update mechanism and page in WebAdmin
NUTM-8874 [AWS]  dns-resolver stopped working after updating to 9.503 on AWS
NUTM-7608 [AWS]  Reduction of IAM permissions for Auto Scaling deployments
NUTM-8141 [AWS]  Disable backend pooling by default within the WAF on Auto Scaling
NUTM-8207 [AWS]  WAF statistics are inaccurate in Auto Scaling deployment
NUTM-8518 [AWS]  aws_resource_management is sometimes killed due to timing issue
NUTM-8785 [AWS]  Authorization token for OGW stated in the template is not validated
NUTM-8793 [AWS]  aws_egw_stack.log is not uploaded to cloudwatch
NUTM-9043 [AWS]  Backupd was not started

Sophos UTM 9.506 also includes the bug fixes from the following general releases:

You can update to UTM 9.506 by running up2date for UTM Standalone or by updating your CloudFormation stacks for High Availability and Auto Scaling deployments. Let us know what you think about our new release by posting to our user community forums.