UTM 9.7 ?

Anybody have information about Version 9.7?

Once upon a time there was a roadmap :-) ...

Best regards

Alex

  • In reply to ThorstenSult:

    Here’s some more information about 9.7

    German original article:

    English translation:

    Regards

  • In reply to mircevski:

    A Sophos SE told me yesterday that IKEv2 will NEVER be implemented in UTM!

     

    So APX Integration will be the main feature of UTM 9.7...

     

    regards

  • In reply to SWeissflog:

    A statement from Sophos at the time said that IKEv2 would only be postponed in order not to delay the release of UTM 9.6 any further. If IKEv2 is never implemented, that would be a shame.

  • In reply to ThorstenSult:

    UTM 9.7 will not include IKEv2 support, that is not saying that it will never arrive in UTM, but it is not part of UTM 9.7. The screenshot in the latest website mentioned is out of date and does not reflect the current planned content of either UTM 9.7 nor UTM 9.8.

    We will be shortly launching the beta for UTM 9.7 so stay tuned.

     

    Jan

  • The fact that ikev2 is not being released in 9.7 likely means that it never will.  They have made it very clear that SG is the past and XG is the future.  There is no benefit to Sophos to support both, it simply increases their support/development costs.  

    It is the XP/Windows 7 issue all over again.  Even with mounting vulnerabilities due to old core technology, XP (and now Windows 7) were just so good and stable that users didnt want to upgrade.  But at least with these (especially Windows 7 to 10) there WAS an upgrade.  SG to XG offers no simple upgrade path.  The migration tool (hidden behind the partner firewall) doesnt provide 100% conversion of the configuration.  Which means that even after the downtime associated with converting the SG to XG, you still have configuration that must be completed increasing the amount of downtime.  The upgrade scenario looks a bit better if you happen to have an HA pair you can split, but with firewall configuration complexity and a less than 100% configuration migration the potential for prolonged downtime is high. And there are still reports of many bugs (many releases and lots of bugfixes each release) and a lack of feature parity with SG.  All in all the migration from SG to XG is NOT trivial, expensive in terms of manpower (steep learning curve, feature validation, configuration, testing, etc..), and full of risk.      

    So Sophos needs something to drive customers towards XG and as it stands (at least from my perspective) there really is no benefit or compelling reason outside of ikev2 (an industry standard proposed in 2005, revised in 2010, and standardized in 2014).  So it is probably not coming.  I would love to be wrong, however the fact that it was planned and pulled from 9.6, not in 9.7, and not on a roadmap...  it doesn't look good.  It appears that Ikev2 will be used as leverage to twist the arms of customers and force them to switch from SG to XG.

    And even if ikev2 is coming in 9.8, that likely won't be until late 2020/early 2021 and by that time we will have moved on. At this point the loss of trust in Sophos is too great to continue with them.  We will probably ride out our current solution (opensense as VPN endpoints and SG as firewall) another year and then start planning a switch to something else (Checkpoint, Palo Alto?). 

  • In reply to dalgarin@claimtrak.com:

    We're trying it with XG ... but it's not an option for us and most of our clients right now.
    If Sophos abandons the SG or continues to refuse to include simple features just to push the XG, we need to look for a more reliable partner.

    Dirk

     

  • In reply to dirkkotte:

    9.7 Beta out now!

  • In reply to ThorstenSult:

    Up2Date 9.670004 package description:
    
    Remarks:
     System will be rebooted
     Configuration will be upgraded
     Connected REDs will perform firmware upgrade
     Connected APs will perform firmware upgrade
    
    News:
     Feature Release
     .
     Support for new APX AccessPoints
     Certificate Chain support for WebAdmin and UserPortal
     Certificate Chain Support for WebProxy
     New RED Site 2 Site Protocol
     Retirement of UTM Endpoint Management
    
    Bugfixes:
     Fix [NUTM-10804]: [Access & Identity] strongSwan vulnerability fix (CVE-2010-2628, CVE-2018-17540)
     Fix [NUTM-10745]: [Email] Quarantine mail older than 14 days are not getting removed
     Fix [NUTM-10958]: [Email] Quarantined SPX Mails which are released are still available on UTM
     Fix [NUTM-10454]: [WAF] SAVI integration doesn't support scanning files larger than 2GB
     Fix [NUTM-10873]: [WAF] Underscore in DNS-Hostname makes WAF unusable
    
    RPM packages contained:
     libapr-util1-1.6.1-0.gd09a905.rb2.i686.rpm        
     libapr1-1.6.5-0.gdb882c9.rb2.i686.rpm             
     libsaviglue-9.70-35.g5c778eb.rb2.i686.rpm         
     cm-nextgen-agent-9.70-6.gac30f9d.rb2.i686.rpm     
     dehydrated-0.6.5-0.g6d4140c.rb2.i686.rpm          
     firmwares-bamboo-9400-0.328884155.gcf6a697.rb2.i586.rpm
     hostapd-2.2-1.0.287145451.ga02be97.rb8.i686.rpm   
     modauthnzaua-9.70-270.gcb78b67.rb57.i686.rpm      
     modauthzblacklist-9.70-345.gb8b010d.rb9.i686.rpm  
     modavscan-9.70-359.g793e6f1.rb5.i686.rpm          
     modcookie-9.70-0.247140156.g8f24856.rb54.i686.rpm 
     modcustomblockpage-9.70-279.gbe16bc0.rb52.i686.rpm
     modfirehose-2.5_SVNr1309567-14.g4ab2622.rb57.i686.rpm
     modformhardening-9.70-252.g1471b81.rb62.i686.rpm  
     modpcap-9.70-0.142961807.g994d6f0.rb57.i686.rpm   
     modproxymsrpc-0.5-121.gc7f8565.rb65.i686.rpm      
     modproxyprotocol-0.1-30.gac71dfd.rb29.i686.rpm    
     modreverseauth-9.70-0.253882348.g852e9e5.rb59.i686.rpm
     modsecurity2-2.9.1-266.g649c52a.rb61.i686.rpm     
     modsecurity2_beta-2.9.0-460.g62b8fdb.rb61.i686.rpm
     modsessionserver-9.70-0.247653793.g4179dcf.rb60.i686.rpm
     modurlhardening-9.70-252.g1471b81.rb60.i686.rpm   
     modwafexceptions-9.70-322.gd203205.rb13.i686.rpm  
     modwhatkilledus-2.01-0.258193062.g46092ac.rb61.i686.rpm
     navl-tools-4.6.0.50-0.316899012.g8b86fac.rb3.i686.rpm
     oculusd-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm   
     oculusd-dlz_oculus-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm
     oculusd-highmem-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm
     oculusd-lowmem-1.0.0-0.322335831.gdf96f5d.rb6.i686.rpm
     perf-tools-3.12.74-0.327535988.gc5bb1a9.rb5.i686.rpm
     python-PyYAML-3.12-1.0.317998409.gab3cfdd.rb2.i686.rpm
     python-argparse-1.4.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-awscli-1.11.36-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-awscli-cwlogs-1.4.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-botocore-1.4.93-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-colorama-0.3.7-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-dateutil-2.6.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-docutils-0.13.1-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-futures-3.0.5-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-jmespath-0.9.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-ordereddict-1.1-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-pyasn1-0.1.9-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-rsa-3.4.2-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-s3transfer-0.1.10-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     python-simplejson-3.3.0-1.0.317998409.gab3cfdd.rb2.i686.rpm
     python-six-1.10.0-1.0.317998409.gab3cfdd.rb2.noarch.rpm
     red-unified-firmwares-9600-0.327764422.g822529a.rb2.i586.rpm
     uma-9.70-1.gdb43019.rb2.i686.rpm                  
     waf-ruledumper-1.0-0.318338720.g4e2e015.rb3.i686.rpm
     xorg-x11-Xvnc-7.4-27.114.2.1931.gddf9adc5.rb1.i686.rpm
     ep-reporting-9.70-39.gd06e9bb.rb5.i686.rpm        
     ep-reporting-c-9.70-158.g439c02e.rb4.i686.rpm     
     ep-reporting-resources-9.70-39.gd06e9bb.rb5.i686.rpm
     ep-aua-9.70-9.gd6fadd4.rb4.i686.rpm               
     ep-awed-9.70-20.g6a8dbc3.rb2.i686.rpm             
     ep-branding-ASG-afg-9.70-37.gfc00437.noarch.rpm   
     ep-branding-ASG-ang-9.70-37.gfc00437.noarch.rpm   
     ep-branding-ASG-asg-9.70-37.gfc00437.noarch.rpm   
     ep-branding-ASG-atg-9.70-37.gfc00437.noarch.rpm   
     ep-branding-ASG-aug-9.70-37.gfc00437.noarch.rpm   
     ep-confd-9.70-588.g774f67a3f.i686.rpm             
     ep-confd-tools-9.70-470.gd129d9cd.rb11.i686.rpm   
     ep-init-9.70-9.g7905afa.rb4.noarch.rpm            
     ep-libs-9.70-12.g653adc3.rb4.i686.rpm             
     ep-localization-afg-9.70-37.gf4fd729.i686.rpm     
     ep-localization-ang-9.70-37.gf4fd729.i686.rpm     
     ep-localization-asg-9.70-37.gf4fd729.i686.rpm     
     ep-localization-atg-9.70-37.gf4fd729.i686.rpm     
     ep-localization-aug-9.70-37.gf4fd729.i686.rpm     
     ep-mdw-9.70-635.g15b10bc2.rb4.i686.rpm            
     ep-red-9.70-35.g94b4ce2.rb2.i686.rpm              
     ep-screenmgr-9.70-2.g224e1a8.rb3.i686.rpm         
     ep-tools-9.70-23.gb44eb11.rb3.i686.rpm            
     ep-tools-cpld-9.70-23.gb44eb11.rb3.i686.rpm       
     ep-up2date-9.70-15.g85f07d4.rb5.i686.rpm          
     ep-up2date-downloader-9.70-15.g85f07d4.rb5.i686.rpm
     ep-up2date-pattern-install-9.70-15.g85f07d4.rb5.i686.rpm
     ep-up2date-system-install-9.70-15.g85f07d4.rb5.i686.rpm
     ep-webadmin-9.70-643.gbc4ac8ef3.i686.rpm          
     ep-webadmin-contentmanager-9.70-29.gf8059bd.i686.rpm
     ep-chroot-httpd-9.70-18.gadbf8aa.rb2.noarch.rpm   
     ep-chroot-smtp-9.70-48.ga28fdc6.rb3.i686.rpm      
     chroot-httpd-2.4.18-10.g0c2e255.rb2.i686.rpm      
     chroot-ipsec-9.70-84.g84a2fe5.rb2.i686.rpm        
     chroot-reverseproxy-2.4.39-28.g4c96516.rb3.i686.rpm
     ep-httpproxy-9.70-233.g5ff38467.rb3.i686.rpm      
     kernel-smp-3.12.74-0.327535988.gc5bb1a9.rb5.i686.rpm
     ep-release-9.670-4.noarch.rpm                     


    ftp.astaro.com/.../u2d-sys-9.605001-670004.tgz.gpg
  • In reply to twister5800:

    Hi Martin,

    that link fails firewall security check, CA issues.

    Ian

  • Well...What about to finally release any list of supported 4G/LTE USB modems for appliances as well as RED devices? It is really hard to find working modem...

  • In reply to twister5800:

    Yes...and most of them it is not possible to buy on actual market,3 yrs is long time for this :-(