UTM Up2Date 9.506 Released

Hi Everyone,

Today we've released UTM 9.506. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.

 

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Connected APs will perform firmware upgrade
  • Connected REDs will perform firmware upgrade

Bugfixes

  • NUTM-8651 [AWS] AWS Permission for "Import Via Amazon Credentials"

  • NUTM-7678 [Access & Identity] Pluto dies with coredump at L2TP connections

  • NUTM-8211 [Access & Identity] SSL VPN connection issue with prefetched AD groups

  • NUTM-8756 [Access & Identity] AUA debug log contains plain text passwords

  • NUTM-8889 [Access & Identity] ESPdump with algorithm GCM does not work

  • NUTM-8912 [Access & Identity] HTML5 VPN: keyboard input not working on Android devices

  • NUTM-7670 [Basesystem] Update to BIND 9.10.6

  • NUTM-8427 [Basesystem] postgres[xxxxx]: [x-x] FATAL:  could not create shared memory segment: No space left on device

  • NUTM-8769 [Basesystem] Small models of  SG105 / SG115 / SG125 / SG135 take over 5 minutes to accept network connection

  • NUTM-9063 [Configuration Management] Regenerating the Web Proxy CA breaks all SSL VPN clients

  • NUTM-8313 [Email] POP3 Proxy generate core dumps in versions v9.414 and v9.501

  • NUTM-8509 [Email] Remove 3DES and SHA1 from SMIME

  • NUTM-8645 [Email] MIME Type Detection 9.5

  • NUTM-9061 [Email] User cannot open the SMTP Routing tab

  • NUTM-8419 [Logging] "Search Log Files" has different search result in spite of same time frame

  • NUTM-8783 [Logging] SMBv1 still required for remote logging to a smb share

  • NUTM-8341 [Network] Network monitor core dump

  • NUTM-8685 [Network] Some clients display an "Unknown" vendor on the wireless client list

  • NUTM-8738 [Network] Error messages in fallback log about damaged static routes

  • NUTM-8838 [Network] Watchdog consumes constantly 100% CPU

  • NUTM-7396 [RED] UTM RED kernel log shows "seq invalid" messages

  • NUTM-6968 [REST API] Insert REFs of new objects into single REF node

  • NUTM-7981 [Reporting] WAF-reporter logs irrelevant information

  • NUTM-8359 [Reporting] SMTP log on Mail Manager is empty after upgrading postgres to 64bit

  • NUTM-7802 [Sandboxd] If using a ' character in the email address, postgres is not able to insert this to the TransactionLog (Sandbox)

  • NUTM-8715 [UI Framework] Unable to access "Manage Computers" page

  • NUTM-8061 [WAF] WAF still reporting virus found when AV engine on the UTM is updating

  • NUTM-8751 [WAF] Newly created web server listens on the slave node instead of the master node

  • NUTM-8806 [WAF] Issue with TLS settings for virtual webserver

  • NUTM-8861 [WAF] Leftover of shm files cause a WAF restart loop

  • NUTM-5964 [WebAdmin] Support Access: WebAdmin not properly displayed after login via APU

  • NUTM-8512 [WebAdmin] Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/asg_ca.pmline 1105

  • NUTM-8571 [WebAdmin] User with only "Report Auditor" rights receives strict refs error after login into WebAdmin

  • NUTM-8807 [WebAdmin] External link to Sophos UTM Knowledge Base is not correct

  • NUTM-8871 [WebAdmin] Year of Single Time Events cannot be later than 2019

  • NUTM-7994 [Web] Customized templates do not allow to accept quota and access site

  • NUTM-8037 [Web] HA: Low disk space alert from slave

  • NUTM-8107 [Web] CONFD.PLX is taking high CPU load

  • NUTM-8502 [Web] HTTP Proxy coredumps with CentralFreeList in v9.413

  • NUTM-8687 [Web] Segfault and coredump from HTTP proxy

  • NUTM-8691 [Web] Certificate error on accessing sites with https scanning enabled

  • NUTM-8752 [Web] NTLM Issue with AD SSO in Transparent Mode

  • NUTM-8771 [Web] Wrong country showing up in Web proxy requests

  • NUTM-8826 [Web] Teamviewer via Standard Mode with AD-SSO not possible since v9.502

  • NUTM-8834 [Web] iOS11 user agent string is not detected as iOS

  • NUTM-8849 [Web] Can't download Traveler_90119_Win.zip with HTTP proxy in Transparent Mode

  • NUTM-3129 [Wireless] SG125w failed to create interface wifi0: -23 (Too many open files in system)

  • NUTM-4720 [Wireless] Issues with 2.4 GHz channel 12 and 13 / inconsistent channel availibility / AWE_DEVICE_CHANNEL_INVALID

  • NUTM-8288 [Wireless] Roaming issues with iPhone7 and RADIUS authentication

  • NUTM-8391 [Wireless] AP55C/AP100X disconnecting from UTM repeatedly

  • and again no waf support for exchange 2016 with more than one real server -.-

    thx sophos

  • is this the Up2Date to end all those AD SSO problems?

  • So far so good, everything updated on our Test UTM. I have noticed the web interfaces is snappy/faster than before. Also it appears the internet browsing through the web proxy appears faster (but this could be due to the fact after a fresh reboot). However, there is definitely speed improved for the web interface. Loading menu items is almost instant.

    I can confirm that the slow boot up bug for the lower end SG models is now fixed. My test 105w booted up in 2 minutes 30 seconds, whereas before it would take 6 minutes.

  • Where can I download this update? On the FTP it cannot be found (Status: 27-11-2017 - 12:25 CET)

  • Hi

    I am not sure if this is a bug (it could be the update reacting to a misconfiguration) but it just occurred right after the above update, so  I thought I'd better note it, just in case it is a genuine problem and someone wishes to investigate it:

    I've been using Sophos UTM with a Draytek V120 [PPPoE to PPPoA] modem to connect to ADSL. After the 9.506 update (just yesterday) I discovered that a DNAT rule wasn't working, and after quite some time investigating things, I noted that when looking at the interfaces, the WAN one was showing a different public IP address to the IP that had been assigned by my ISP. I tried a few enable/disable of the WAN interface (and reboots of the UTM) and it the IP shown in the WAN interface seemed to toggle between two different ones (neither were the one issued by the ISP, so perhaps previous ones, cached somewhere by Sophos UTM).

    I tried numerous things including setting up the WAN interface again (changing to Ethernet, then back to PPPoE and re-entering the ISP credentials), reverting to previous configurations, reverting to previous configurations and rebooting, but nothing fixed it (the shown address was different to the one issued) so to get around the problem, I have just swapped the V120 modem for an old router (with Sophos UTM in its DMZ) and changed the WAN interface back to a plain old Ethernet interface, so with the WAN now having a fixed address [internal range, but not from the ranges that I use LAN side] that has sorted the DNAT rule.

    Hope that is of some use or interest, but I will just leave it double-NATted for now and re-test after the next firmware update.

    Bri

    Notes:

    Just before reverting to a double-NAT arrangement, I SSH'd into the unit and running ifconfig showed that no IP address against the WAN interface (whereas I am sure it used to show the ISP issued one).

    The DNAT rule is to permit public access to a R Pi running DarkIce and IceCast to stream audio from a microwave radio beacon receiver.

  • NB Further to the above notes, I should add that:

    -The ISP assigned IP address changes at every re-connection (I do not have a static public IP address).

    -I am a home user running Sophos UTM on a J1900 based fanless PC (Alibaba sourced 'industrial router')

    -It worked after the initial post-update reboot (and the stream was publicly accessible) but I had to again reboot (due to mains power re-arrangement requirement) and that's when the above issues started to occur.

    I wonder if this could be vaguely related to KIL issue NUTML-11909 (Cable Modem: every renew of the ip address adds a new ip address to the dhcp interface) but I didn't see any evidence of multiple WAN addresses (or anything in the additional addresses list)?

  • is the AD SSO Issue sorted?  Its like Russian roulette every time you do an update!

  • Thanks for the time events after 2019

  • Does this mean you took away the ability to select the TLS level?

    NUTM-8806 [WAF] Issue with TLS settings for virtual webserver

  • SSO problem was solved in my case by adding "local" to the domain name in the SSO activation window. I've done that when updating from 9.501 to 9.505. Up2date from 9.505 to 9.506 no more problems with SSO.

  • We are experiencing extremely slow upload on the web.  Any ideas?

  • @Rhonda Is "TCP Window Scaling" enabled under Network Protection > Firewall > Advanced and are you able to use tcpdump or Wireshark to see whether it is actually happening?