UTM Up2Date 9.414 Released

Up2Date 9.414002 package description:

 System will be rebooted
 Configuration will be upgraded
 Connected REDs will perform firmware upgrade
 Connected Wifi APs will perform firmware upgrade

 Maintenance Release

 Fix [NUTM-6646]: [AWS, REST API] REST API panic when unlocking unlocked mutex
 Fix [NUTM-6868]: [AWS, REST API] Missing trailing slash in Swagger URLs
 Fix [NUTM-6887]: [AWS, REST API] REST API panic when inserting into node which is not of type array
 Fix [NUTM-7173]: [AWS, REST API] [RESTD] Selfmon cannot (re)start restd
 Fix [NUTM-6503]: [AWS] Migrate to new iaas_* functions
 Fix [NUTM-6708]: [AWS] Cloud update not working with conversion deployments
 Fix [NUTM-6727]: [AWS] AWS_CONVERSION_PRE_CHECK_FAILED (Pre-check failed: 127.)
 Fix [NUTM-6814]: [AWS] Rest API is accessible with default password if basic setup has not completed
 Fix [NUTM-7032]: [AWS] SignalException not handled for SecurityGroupsManagement#update
 Fix [NUTM-7055]: [AWS] queen_configuration_management / aws_resource_management SIGUSR1 handling
 Fix [NUTM-7056]: [AWS] LocalJumpError
 Fix [NUTM-7057]: [AWS] aws_set_sd_check AWS::EC2::Errors::RequestLimitExceeded
 Fix [NUTM-7061]: [AWS] Connection refused - connect(2) for "localhost" port 4472
 Fix [NUTM-7374]: [AWS] Link to RESTful API documentation
 Fix [NUTM-7442]: [Access & Identity, RED] [RED] 3G Failback with RED15(w) not working if DHCP server is shutting down
 Fix [NUTM-3240]: [Access & Identity] Update RED10, RED15, RED50 OpenSSL to most current version
 Fix [NUTM-4852]: [Access & Identity] [RED] flock() on closed filehandle $fhi at /</var/confd/confd.plx>Object/itfhw/red_server.pm line 563.
 Fix [NUTM-5925]: [Access & Identity] [RED] prevent configuration for VLAN for Split modes
 Fix [NUTM-6387]: [Access & Identity] HTML5 VNC connection not disconnecting
 Fix [NUTM-6504]: [Access & Identity] OpenVPN 2.4.0 deprecated option "tls-remote"
 Fix [NUTM-6606]: [Access & Identity] Re-occuring issues with the Sophos UTM Support access
 Fix [NUTM-6668]: [Access & Identity] [IPsec] L2TP/Cisco policy changes do not update ipsec.conf
 Fix [NUTM-6749]: [Access & Identity] RED15w does not send split DNS traffic over RED tunnel
 Fix [NUTM-7111]: [Access & Identity] Multiple open vulnerabilities in libvncserver
 Fix [NUTM-7157]: [Access & Identity] VPN users not being created when backend AD group is used
 Fix [NUTM-7295]: [Access & Identity] HTML5 VPN: Comma not working on Portuguese (Brazil) keyboard
 Fix [NUTM-7350]: [Access & Identity] [RED] USB stick E3372 does not work with RED 15
 Fix [NUTM-7377]: [Access & Identity] Remote Access tab won't load after selecting the OTP Token tab in the User Portal
 Fix [NUTM-7774]: [Access & Identity] HTML5 - Mouse not working on Touch Devices
 Fix [NUTM-7874]: [Access & Identity] Openvpn: DoS due to Exhaustion of Packet-ID counter (CVE-2017-7479)
 Fix [NUTM-5965]: [Basesystem] Sensors command on SG125w doesn't show hardware fan RPM
 Fix [NUTM-6468]: [Basesystem] BIND Security update (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444)
 Fix [NUTM-6718]: [Basesystem] Update NTP to 4.2.8p9
 Fix [NUTM-6847]: [Basesystem] BIND Security update (CVE-2017-3135)
 Fix [NUTM-6956]: [Basesystem] Hardware LCD screen: IP address of ports other than eth0 cannot be changed through LCD
 Fix [NUTM-7626]: [Basesystem] BIND Security update (CVE-2017-3136, CVE-2017-3137)
 Fix [NUTM-7646]: [Basesystem] NTP Security update (CVE-2017-6458, CVE-2017-6460)
 Fix [NUTM-7742]: [Basesystem] Update Appctrl (
 Fix [NUTM-5658]: [Confd] Stripped restore unaccessable if default internal interface is removed
 Fix [NUTM-6976]: [Confd] Privilege escalation though LOGAUDITOR and REPORTAUDITOR
 Fix [NUTM-7160]: [Confd] "&" sign in RADIUS secret will be converted into "&amp;"
 Fix [NUTM-7636]: [Confd] If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
 Fix [NUTM-7976]: [Confd] [TA] - If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
 Fix [NUTM-3062]: [Email] Mails from mail spool get quarantined because of "500 Max connection limit reached" in cssd
 Fix [NUTM-3513]: [Email] MIME type filter doesn't detect real mime type
 Fix [NUTM-3516]: [Email] POP3 prefetch sometimes stops working
 Fix [NUTM-3669]: [Email] SMTP Proxy vulnerable by TLS renegotiation (CVE-2011-1473)
 Fix [NUTM-3671]: [Email] SPX encrypted messages are vulnerable to access without proper authentication
 Fix [NUTM-3677]: [Email] Maildrop locked for account_id
 Fix [NUTM-4324]: [Email] Changing Email Protection settings fails with Sandstorm enabled and trial expired
 Fix [NUTM-5350]: [Email] Per user blacklist does not apply until smtp service restarts
 Fix [NUTM-5545]: [Email] Quarantine report can't be enabled under some circumstances
 Fix [NUTM-5823]: [Email] Scanner timeout or deadlock for all mails with a .scn attachment
 Fix [NUTM-5892]: [Email] SMTP Exception doesn't allow '&' sign within the email address
 Fix [NUTM-6135]: [Email] DLP custom expression doesn't get triggered if the email body contains certain strings
 Fix [NUTM-6355]: [Email] Email not blocked with expression list
 Fix [NUTM-6379]: [Email] Frequent cssd coredumps
 Fix [NUTM-6986]: [Email] Sender blacklist doesn't allow '&' sign within the email address
 Fix [NUTM-7220]: [Email] WAF reporting virus found when AV engine on the UTM is updating
 Fix [NUTM-7625]: [Email] SMTP DLP expressions do not trigger under specific condition
 Fix [NUTM-7722]: [Email] mailbox_size_limit is smaller than message_size_limit in notifier log
 Fix [NUTM-4474]: [Kernel] Kernel panic - not syncing: Fatal exception in interrupt
 Fix [NUTM-6358]: [Kernel] Kernel: unable to handle kernel NULL pointer dereference at 0000000000000018
 Fix [NUTM-3170]: [Network] Time-base access for wireless is dropping ipsec-routes and not creating them again
 Fix [NUTM-4969]: [Network] Uplink does not recover from error state
 Fix [NUTM-5314]: [Network] 10gb SFP+ flexi module interface fails when under load
 Fix [NUTM-6077]: [Network] Static route on bridge interface disappears after rebooting the UTM
 Fix [NUTM-6807]: [Network] SSL VPN not being redistributed into OSPF
 Fix [NUTM-6901]: [Network] Eth0 is removed while configuring bridge interface
 Fix [NUTM-6992]: [Network] OSPF re-announcing static routes
 Fix [NUTM-7044]: [Network] Disable a VLAN associated with the WAN interface breaks the complete communication
 Fix [NUTM-7439]: [Network] nf_ct_dns: dropping packet: DNS packet of insuffient length: 25
 Fix [NUTM-7395]: [RED] [RED] Split networks/domains fields not shown when editing RED10/15
 Fix [NUTM-7491]: [RED] WARNING: CPU: 0 PID: x at net/core/dst.c:293 dst_release+0x30/0x51()
 Fix [NUTM-7060]: [Reporting] Search in reports doesn't work if the username contains only numbers
 Fix [NUTM-6651]: [Sandboxd] All sandstorm tagged mails get stuck in "Sandstorm scan pending"
 Fix [NUTM-6930]: [WAF] WAF not responding after reboot of the AWS UTM
 Fix [NUTM-6522]: [WebAdmin] SMC Test failed after Settings are applied
 Fix [NUTM-6617]: [WebAdmin] Search for Network Definitions breaks in Chrome with over 1000 objects
 Fix [NUTM-7203]: [WebAdmin] Issue with password field UTM - SMC WebAdmin configuration
 Fix [NUTM-7652]: [WebAdmin] Not possible to download different SSL VPN User Profiles in one Firefox Session
 Fix [NUTM-7870]: [WebAdmin] Comment not displayed for Time Period definition
 Fix [NUTM-5794]: [Web] IPv6 fallback to IPv4 doesn't work
 Fix [NUTM-6467]: [Web] FTP connection fails when using transparent FTP Proxy
 Fix [NUTM-6502]: [Web] HTTP Proxy coredumping with EC CA certificate
 Fix [NUTM-6532]: [Web] AD Users are prefetched in lowercase letters
 Fix [NUTM-6809]: [Web] URL category name "Potiental Unwanted Programs" spelling mistake on sophostest.com
 Fix [NUTM-6848]: [Web] HTTPS warn behaviour when "Block all content, except..." is selected
 Fix [NUTM-6867]: [Web] New httpproxy coredumps after update to v9.411 - ReleaseToCentralCache
 Fix [NUTM-7076]: [Web] UTM not updating AD group definition
 Fix [NUTM-7167]: [Web] OTP Using AD Backend Membership - duplicates user when capital letters are used in the username
 Fix [NUTM-7321]: [Web] Non existent or non proxy users are able to create SSL webfilter exceptions
 Fix [NUTM-7367]: [Web] Difference between web_filter templates and default templates in web filter
 Fix [NUTM-5612]: [WiFi] Manual channel selection not possible in both bands for SG W appliances
 Fix [NUTM-5638]: [WiFi] RED15w - integrated AP isn't shown as pending in transparent / split mode
 Fix [NUTM-5786]: [WiFi] RED15w - if more then one SSID is configured only one is working correctly
 Fix [NUTM-6215]: [WiFi] Issue when roaming between wireless with some clients
 Fix [NUTM-6335]: [WiFi] VLAN fallback not working for integrated AP from RED15w
 Fix [NUTM-6448]: [WiFi] AP55 stuck as inactive
 Fix [NUTM-6511]: [WiFi] AP does not get IP address on 100 Mbit ethernet link

RPM packages contained:

  • Any feedback on this one before I schedule an upgrade?

  • In reply to rrosson:

    would also like to know before rolling the dice

  • In reply to rrosson:

    Don't upgrade!  We have 6 UTMs and after upgrading, Web Filtering authentication stopped working.  No one could get to the Internet.  I had to create a Web Filtering exception for everyone, to bypass Authentication and URL filtering.

    Very frustrating!

  • In reply to SteveLindley:

    We are in the same situation with our 2 UTMs. Could you tell me more about the exception you created because I have just disabled it completely for the time being. 

  • In reply to SteveLindley:

    Thanks for the info. Sad that this keeps happening after having this product for several years. can never trust updates.

  • In reply to ChrisP Chicken:

    Under Web Protection > Filtering Options, we created a rule called All Out (but call it what you want) and checked Authentication, URL Filtering and Content Removal (Authentication may be the only thing necessary, but we selected all 3, just in case).  We then selected "Coming from these networks" and added subnet for all of our internal networks.

    Hopefully Sophos will release a fix soon!

    Normally, I wait until they release 2 or 3 fixes before upgrading, but we've been having some weird issues with our phone system since the last set of upgrades (mostly around SMTP, even though our firewall rules all for all internal traffic to/from each other).  After exhausting all other options, I'm thinking the Sophos is the source of the problem, so I rolled the dice.  We use these as internal routers, as well as a firewall, proxy and URL filtering, but I'm now going to add a second internal router for internal WAN communication, and just use these as firewalls/proxy servers.

    Good luck!

  • In reply to SteveLindley:

    I would use a separate broadband line for VoIP altogether, that's what I do myself and treat main leased line as a failover only.

  • We have 2 UTMs and I upgraded last night and the only issue I had was the Single Sign-on for Active Directory was broken. I had to re-enter my credentials and the error message I was receiving went away ([WARN-531] Directory Services synchronization).


  • In reply to Eric Cowen:

    I'll give it a shot after hours.  Thanks, Eric!

  • In reply to SteveLindley:


    I have the same problem with my 2 UTM.

    Thanks to your solution...

  • In reply to SteveLindley:

    Just an FYI, per Eric's comments, I did the following:

    - Re-Joined the Sophos to the domain under SSO

    - Re-Entered the passwords for both DCs under Authentication Services (after the upgrade, I performed a Test of the servers, but didn't update the password and Save the settings...after reading Eric's comments, I updated the password, clicked Test and then Saved the settings)


    Doing one or both of the above seemed to solve the problem last night, but this morning, we're having the same issues again.  I went back and did the same thing and it worked again, but a number of employees also had to restart their PCs for it to work (some, but not all).

    It seems that updating the password under authentication services and/or re-joining the Sophos to the domain provides a temporary fix (about 12 hours), but then it stops working again.

    I have a ticket open with Sophos, so I'll repost once I talk with them.

  • We have an SG330 and an SG210. Same issue outlined by others: after updating to 9.414-2, SSO for HTTP proxy fails. Rejoining the devices to the domain works temporarily, but the issue returns. There is another thread talking about this for both 9.414-2 and 9.501-5:



  • In reply to Blake Hensley:

    Hi, Blake, and welcome to the UTM Community!

    A recent post reported success by simply rejoining with valid credentials - neither deleting the Account in AD nor un-joining in the UTM was needed.
    Also, note the command line trick.

    Cheers - Bob

  • Several SW-Versions from 9.411 -> 9.414: IPSec-VPN, SSL-VPN, Wireless Prot., WAF, SUM,  IPS/ATP,  no SSO/AD -> No issues

    SG310-Cluster from 9.411 -> 9.414: IPSec-VPN, SSL-VPN, Wireless Prot., RED, SUM, WAF, IPS/ATP, no SSO/AD -> No issues

    Also no cores

  • In reply to pebo:


    I've just one SG115 at 9.414: Web Protection without SSO: OK,  adirectory Auth-Server with AD-Users on WebAdmin, UserPortal, SSL-VPN: OK.

    keep on watchin.