Sophos UTM 9.5 released - let's share experience :-)


What’s new in UTM 9.5?

  • WAF Enhancements

WAF URL Redirection gives you the ability to redirect traffic for a WAF protected URL to a different backend system or URL.

Configure minimum allowed TLS version to improve security.

WAF protection and authentication policy templates were added for common Microsoft services for protection and authentication.

True File Type Scanning to be able to block uploads based on MIME type.

WAF Proxy Protocol Support to use the client IP info inside the ProxyProtocol header to make policy decisions and improve logging.

  • Sophos Sandstorm

Datacenter location selection for Sophos Sandstorm without relying on DNS based location detection.

Scan exceptions for Sophos Sandstorm to exclude specific filetypes from being sent to Sophos Sandstorm analysis.


RESTful API to configure Sophos UTM 9.

  • Base System

Certificate Expiration Notification 30 days before expiration date via WebAdmin and e-Mail to be able to react early on certificate renewal.

Support Access with SSH is extending the existing Support Access feature.

64-bit PostgreSQL Database to generate reports with big datasets faster. Existing database will be migrated without loosing any data.

SNMP Monitoring of full filesystem to integrate UTM filesystem monitoring in regular SNMP based monitoring solutions.

Download all UTM logs in a single archive.

Up2Date Information


  • 9.5 Release
  • Features
  • WAF URL redirection
  • WAF configurable TLS version
  • WAF true file type detection
  • WAF templates
  • Sophos Sandstorm configuration of data center
  • Sophos Sandstorm file exceptions
  • RESTful API to configure UTM
  • AWS CloudWatch Logs Agent
  • 64-bit PostgreSQL database
  • Email notification for expiring certificates
  • Support Access for SSH
  • SNMP monitoring of the file system


  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade


  • NUTM-6646 [AWS] REST API panic when unlocking unlocked mutex
  • NUTM-6657 [AWS] Configure AWS profiles via WebAdmin
  • NUTM-6696 [AWS] Configure CloudWatch support via WebAdmin
  • NUTM-6708 [AWS] Cloud update not working with conversion deployments
  • NUTM-6814 [AWS] Rest API is accessible with default password if basic setup has not completed
  • NUTM-6887 [AWS] REST API panic when inserting into node which is not of type array
  • NUTM-7032 [AWS] SignalException not handled for SecurityGroupsManagement#update
  • NUTM-7055 [AWS] queen_configuration_management / aws_resource_management SIGUSR1 handling
  • NUTM-7056 [AWS] LocalJumpError
  • NUTM-7057 [AWS] aws_set_sd_check AWS::EC2::Errors::RequestLimitExceeded
  • NUTM-7061 [AWS] Connection refused - connect(2) for "localhost" port 4472
  • NUTM-3194 [Access & Identity] incorrect SSH logins trigger backend authentication requests
  • NUTM-3222 [Access & Identity] RED10/50: DNS port open on WAN interfaces
  • NUTM-3260 [Access & Identity] User Portal - IPsec Windows Support
  • NUTM-4149 [Access & Identity] [RED] Use Sophos NTP pool servers
  • NUTM-4323 [Access & Identity] NULL pointer deref in red_nl_cmd_tunnel_dump
  • NUTM-4705 [Access & Identity] Don't use DNS server from the RED branch as an ISP forwarder
  • NUTM-4852 [Access & Identity] [RED] flock() on closed filehandle $fhi at /</var/confd/confd.plx>Object/itfhw/ line 563.
  • NUTM-4994 [Access & Identity] STAS creates users even if automatic user creation is disabled
  • NUTM-5134 [Access & Identity] [OTP] User Portal should recommend Sophos Authenticator
  • NUTM-5925 [Access & Identity] [RED] prevent configuration for VLAN for Split modes
  • NUTM-6387 [Access & Identity] HTML5 VNC connection not disconnecting
  • NUTM-6641 [Access & Identity] [OTP] user can select algorithm for automatic tokens
  • NUTM-6668 [Access & Identity] [IPsec] L2TP/Cisco policy changes do not update ipsec.conf
  • NUTM-6749 [Access & Identity] RED15w does not send split DNS traffic over RED tunnel
  • NUTM-5965 [Basesystem] Sensors command on SG125w doesn't show hardware fan RPM
  • NUTM-6468 [Basesystem] BIND Security update (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444)
  • NUTM-6718 [Basesystem] Update NTP to 4.2.8p9
  • NUTM-6846 [Basesystem] Linux kernel: ip6_gre: invalid reads in ip6gre_err() (CVE-2017-5897)
  • NUTM-6847 [Basesystem] BIND Security update (CVE-2017-3135)
  • NUTM-6902 [Basesystem] Linux kernel: ipv4 keep skb->dst around in presence of IP options (CVE-2017-5970)
  • NUTM-7048 [Basesystem] Implement software workaround for Intel CPUs
  • NUTM-7067 [Basesystem] Update OpenSSH to openssh-6.6p1
  • NUTM-7370 [Basesystem] Bootsplash still shows 9.4 instead of 9.5
  • NUTM-7653 [Basesystem] Internal SSL certification verification broken
  • NUTM-5658 [Confd] Stripped restore unaccessable if default internal interface is removed
  • NUTM-3062 [Email] Mails From mail spool gets quarantined because of "500 Max connection limit reached" in cssd
  • NUTM-4753 [Email] Support recipient verification with multiple AD servers
  • NUTM-5350 [Email] Per user blacklist does not apply until smtp service restarts
  • NUTM-5823 [Email] Scanner timeout or deadlock for all mails with a .scn attachment
  • NUTM-5892 [Email] SMTP Exception doesn't allow '&' sign within the email address
  • NUTM-6135 [Email] DLP custom expression doesn't get triggered if the email body contains certain strings
  • NUTM-6355 [Email] Email not blocked with expression list
  • NUTM-4474 [Kernel] Kernel panic - not syncing: Fatal exception in interrupt
  • NUTM-6358 [Kernel] Kernel: unable to handle kernel NULL pointer dereference at 0000000000000018
  • NUTM-4969 [Network] Uplink does not recover from error state
  • NUTM-5314 [Network] 10gb SFP+ flexi module interface fails when under load
  • NUTM-5428 [Network] Bridge interface can not acquire Dynamic IPv6 address correctly. This interface repeats up/down.
  • NUTM-5831 [Network] Changing static IP on interface does not take effect immediately
  • NUTM-5861 [Network] IPv4 static address gets deleted from confd (and WebAdmin) once IPv6 on the same interface fails to obtain dynamic address
  • NUTM-6077 [Network] Static route on bridge interface disappears after rebooting the UTM
  • NUTM-6807 [Network] SSL VPN not being redistributed into OSPF
  • NUTM-6901 [Network] Eth0 is removed while configuring bridge interface
  • NUTM-2420 [WAF] Remove session management from basic authentication
  • NUTM-5603 [WAF] Issue with expired lifetime of WAF connections without any hint
  • NUTM-5628 [WAF] WAF - Provide import and export options for HTTPS domain list
  • NUTM-5640 [WAF] GUI issue when adding wildcard certificate into Virtual Webservers
  • NUTM-6156 [WAF] UTM still fails scan for CVE-2016-2183 (SWEET32) after update to 9.408
  • NUTM-6294 [WAF] WAF - Naming collisions for default profiles
  • NUTM-6522 [WebAdmin] SMC Test failed after Settings are applied
  • NUTM-6788 [WebAdmin] Add support for SG105W, SG135W and SG230 in WebAdmin
  • NUTM-7337 [WebAdmin] Fix appliance picture for SG105w N9
  • NUTM-6467 [Web] FTP connection fails when using transparent FTP Proxy
  • NUTM-6732 [Web] Certificate issue with transparent Web Proxy - "unable to get local issuer certificate"
  • NUTM-6876 [Web] Remove insecure RC4 from default cipher list for Web Protection HTTPS scanning on upgrade to 9.5 or restore of pre-9.5 backup
  • NUTM-7586 [Web] Chrome v58 and higher fail verification with HTTPS scanning enabled
  • NUTM-5638 [WiFi] RED15w - integrated AP isn't shown as pending in transparent / split mode
  • NUTM-5786 [WiFi] RED15w - if more then one SSID is configured only one is working correctly
  • NUTM-6215 [WiFi] Issue when roaming between wireless with some clients
  • NUTM-6335 [WiFi] VLAN fallback not working for integrated AP from RED15w
  • NUTM-6448 [WiFi] AP55 stuck as inactive
  • NUTM-6511 [WiFi] AP does not get IP address on 100 Mbit ethernet link


While the release is in soft-release phase, you can find the up2date package on our FTP server at:

File size: ~301MB

  • I see an old issue back: STA WPA failure - reason_code="2"

    Most with iOS devices.

    2017:05:02-16:39:59 A400***** awelogger[6659]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="****" ssid_id="WLAN0.1" bssid="**:**:**:**:**:**" sta="**:**:**:**:**:**" reason_code="2"


    Anyone else having this issue?

  • In reply to Johan@NetStream:

    Are the phones having problems staying on the wifi or??

  • In reply to twister5800:

    Yes that's correct, after mulitple reconnects they are connected again.

    On another UTM a Dell client is not able to connect at all, i have an open support case for that.

  • In reply to Johan@NetStream:

    Okay, what about "fast transitioning", do you have that enabled under wifi?

  • In reply to twister5800:

    That option is already disabled due to compatibility issues ;-)

  • hmm, the WAF firewall templates are still named without a description for which Exchange version these are intended

    as AttilaKovacs said in the following post, these are for Exchange <= 2013

    or do you fixes the bug, that Exchange 2016 with more than one realserver isn't working. I'm wondering, that I'm the only one who had this problem and wait for a solution



    I've also find a little cosmetic bug in the WAF, but this is also present in previous versions.

    In our Exchange certificate is the domain (uppercase A, yes that wasn't the best work :D). You can select the domain in the virtual webserver, save and the service is created with an lower case a ->
    If you edit the virtual webservice the domain isn't selected

  • In reply to Johan@NetStream:

    Yup. same thing here, not all 2,4GHz devices like this 802.11r feature :-)

    Tried to look at my own log, I have two AP55's at home with 27 wireless devices right now, I did only see WPA failure because I ran around the house like a mad man with my phone, but besides that, i have no wifi dropouts.


    Which AP's do you use?

  • In reply to logan517:

    Hi Logan,


    I am not a Sophos Employee, just a home user, and at work a Sophos Partner ;)

    You are right, it's sad they did'nt add support for Exchange 2016, because of it's MAPI feature (they said), but I actually use WAF fine with MAPI on Exchange 2016, but I only have one server at home with this config atm.

  • In one testcluster the first HA node started update, but after it finished and was rebooted seems unable to talk with master Postgres...

    So it is now in "reserved" state and is not going to update the second or going live to 9.5

    From Logfile it tryed the Postgres connection every 200 second but always end in "no connection to master database"

    I was forced to reinstall the old 9.413 because there was no other chance for quickly reenable the cluster




  • It is a win for me, but I had to search for it.  I use a hosted multifactor solution for vpn connections via radius.  The default timeout is 3.  I typically had to manually modify the configuration file after *some* updates or I cannot get authenticated quickly enough.  After this reboot, that file changed and I could not find where to set the radius timeout.  I still have not found the proper text file (or CC setting), but I did find that they have a per-server timeout option in the GUI now.  Changed it there and it is working again.  w00t!  Is there a good place to find a true changelog for this update that identifies the different changes like this?  I did not a lot of information of new configurations anywhere.

  • In reply to morlin3:

    Have you saved the HA Live log?

    It will upgrade from 32bit to 64bit Postgresql db, maybe somthing went wrong on that part :-)

  • In reply to twister5800:


    It will upgrade from 32bit to 64bit Postgresql db, maybe somthing went wrong on that part :-)


    Hi twister, that's not correct. The DB is NOT automatically converted to 64bit. The fresh installation will now default to 64bit, but there is no conversion done on an upgrade.
  • In reply to talex:

    Are you sure about this?

    "64-bit PostgreSQL Database to generate reports with big datasets faster. Existing database will be migrated without loosing any data."

    No where does it say this is a manual process??

    This is pretty poor on Sophos part, advertising a feature with out letting people know it won't actually work with the new update.  If I wasn't reading here on the forums I would never know and as the change log says all my existing databases are converted to 64bit I would belive I am using 64bit .

    Please tell me sophos hasn't lied????

  • In reply to StealthyM:

    In the thread they announced this update database there is a second post with their correction. there is a script which you need to trigger manually. But yes i saved HA log and im in contact with support already since we are sophos Partner

    Send by mobile

    Kind regards