Hi UTM Community!

Welcome to the UTM 9.5 Beta. We are excited to announce the availability of our next UTM beta and look forward to your feedback on this release!

What’s new in UTM 9.5?

• WAF Enhancements

WAF URL Redirection gives you the ability to redirect traffic for a WAF protected URL to a different backend system or URL.

Configure minimum allowed TLS version to improve security.

WAF protection and authentication policy templates were added for common Microsoft services for protection and authentication.

True File Type Scanning to be able to block uploads based on MIME type.

WAF Proxy Protocol Support to use the client IP info inside the ProxyProtocol header to make policy decisions and improve logging.

• Sophos Sandstorm

Datacenter location selection for Sophos Sandstorm without relying on DNS based location detection.

Scan exceptions for Sophos Sandstorm to exclude specific filetypes from being sent to Sophos Sandstorm analysis.

• REST API

RESTful API to configure Sophos UTM 9.

• Base System

Certificate Expiration Notification 30 days before expiration date via WebAdmin and e-Mail to be able to react early on certificate renewal.

Support Access with SSH is extending the existing Support Access feature.

64-bit PostgreSQL Database to generate reports with big datasets faster. Existing database will be migrated without loosing any data.

SNMP Monitoring of full filesystem to integrate UTM filesystem monitoring in regular SNMP based monitoring solutions.

Download all UTM logs in a single archive.

Issues Resolved

NUTM-6646 [AWS] REST API panic when unlocking unlocked mutex
NUTM-6708 [AWS] Cloud update not working with conversion deployments
NUTM-6814 [AWS] Rest API is accessible with default password if basic setup has not completed
NUTM-6887 [AWS] REST API panic when inserting into node which is not of type array
NUTM-7032 [AWS] SignalException not handled for SecurityGroupsManagement#update
NUTM-7055 [AWS] queen_configuration_management / aws_resource_management SIGUSR1 handling
NUTM-7056 [AWS] LocalJumpError
NUTM-7057 [AWS] aws_set_sd_check AWS::EC2::Errors::RequestLimitExceeded
NUTM-7061 [AWS] Connection refused - connect(2) for "localhost" port 4472
NUTM-3194 [Access & Identity] incorrect SSH logins trigger backend authentication requests
NUTM-3222 [Access & Identity] RED10/50: DNS port open on WAN interfaces
NUTM-3260 [Access & Identity] User Portal - IPsec Windows Support
NUTM-4149 [Access & Identity] [RED] Use Sophos NTP pool servers
NUTM-4323 [Access & Identity] NULL pointer deref in red_nl_cmd_tunnel_dump
NUTM-4705 [Access & Identity] Don't use DNS server from the RED branch as an ISP forwarder
NUTM-4852 [Access & Identity] [RED] flock() on closed filehandle $fhi at /Object/itfhw/red_server.pm line 563.
NUTM-4994 [Access & Identity] STAS creates users even if automatic user creation is disabled
NUTM-5134 [Access & Identity] [OTP] User Portal should recommend Sophos Authenticator
NUTM-5925 [Access & Identity] [RED] prevent configuration for VLAN for Split modes
NUTM-6387 [Access & Identity] HTML5 VNC connection not disconnecting
NUTM-6641 [Access & Identity] [OTP] user can select algorithm for automatic tokens
NUTM-6668 [Access & Identity] [IPsec] L2TP/Cisco policy changes do not update ipsec.conf
NUTM-6749 [Access & Identity] RED15w does not send split DNS traffic over RED tunnel
NUTM-5965 [Basesystem] Sensors command on SG125w doesn't show hardware fan RPM
NUTM-6468 [Basesystem] BIND Security update (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444)
NUTM-6718 [Basesystem] Update NTP to 4.2.8p9
NUTM-6846 [Basesystem] Linux kernel: ip6_gre: invalid reads in ip6gre_err() (CVE-2017-5897)
NUTM-6847 [Basesystem] BIND Security update (CVE-2017-3135)
NUTM-6902 [Basesystem] Linux kernel: ipv4 keep skb->dst around in presence of IP options (CVE-2017-5970)
NUTM-5658 [Confd] Stripped restore unaccessable if default internal interface is removed
NUTM-3062 [Email] Mails From mail spool gets quarantined because of "500 Max connection limit reached" in cssd
NUTM-4753 [Email] Support recipient verification with multiple AD servers
NUTM-5350 [Email] Per user blacklist does not apply until smtp service restarts
NUTM-5823 [Email] Scanner timeout or deadlock for all mails with a .scn attachment
NUTM-5892 [Email] SMTP Exception doesn't allow '&' sign within the email address
NUTM-6135 [Email] DLP custom expression doesn't get triggered if the email body contains certain strings
NUTM-6355 [Email] Email not blocked with expression list
NUTM-4474 [Kernel] Kernel panic - not syncing: Fatal exception in interrupt
NUTM-6358 [Kernel] Kernel: unable to handle kernel NULL pointer dereference at 0000000000000018
NUTM-4969 [Network] Uplink does not recover from error state
NUTM-5314 [Network] 10gb SFP+ flexi module interface fails when under load
NUTM-5428 [Network] Bridge interface can not acquire Dynamic IPv6 address correctly. This interface repeats up/down.
NUTM-5831 [Network] Changing static IP on interface does not take effect immediately
NUTM-5861 [Network] IPv4 static address gets deleted from confd (and WebAdmin) once IPv6 on the same interface fails to obtain dynamic address
NUTM-6077 [Network] Static route on bridge interface disappears after rebooting the UTM
NUTM-6116 [Network] service_monitor sets wrong IP address for availability group
NUTM-6901 [Network] Eth0 is removed while configuring bridge interface
NUTM-2420 [WAF] Remove session management from basic authentication
NUTM-5603 [WAF] Issue with expired lifetime of WAF connections without any hint
NUTM-5628 [WAF] WAF - Provide import and export options for HTTPS domain list
NUTM-5640 [WAF] GUI issue when adding wildcard certificate into Virtual Webservers
NUTM-6156 [WAF] UTM still fails scan for CVE-2016-2183 (SWEET32) after update to 9.408
NUTM-6294 [WAF] WAF - Naming collisions for default profiles
NUTM-6788 [WebAdmin] Add support for SG105W, SG135W and SG230 in WebAdmin
NUTM-7337 [WebAdmin] Fix appliance picture for SG105w N9
NUTM-6467 [Web] FTP connection fails when using transparent FTP Proxy
NUTM-6732 [Web] Certificate issue with transparent Web Proxy - "unable to get local issuer certificate"
NUTM-5638 [WiFi] RED15w - integrated AP isn't shown as pending in transparent / split mode
NUTM-5786 [WiFi] RED15w - if more then one SSID is configured only one is working correctly
NUTM-6215 [WiFi] Issue when roaming between wireless with some clients
NUTM-6335 [WiFi] VLAN fallback not working for integrated AP from RED15w
NUTM-6448 [WiFi] AP55 stuck as inactive
NUTM-6511 [WiFi] AP does not get IP address on 100 Mbit ethernet link

Download

You can use the license below for the beta phase: Sophos UTM 9.5 Beta License

Happy Beta Testing and looking forward to your feedback!