SFOS 16.05.4 MR4 Released

Hi XG Community!

We've finished SFOS v16.05.4 MR4. This release is available from within your device for all SFOS v16.05 installations as of now and will increase the group in a few days.

The release is available to all SFOS versions via the MySophos portal.

Issues Resolved

NC-12352 [Authentication] It should not be possible to change the password of backend user
NC-16959 [Authentication] SATC client is not differentiating between users
NC-17300 [Base System, Certificates, License] During the first license sync sometimes the wrong certificate is stored
NC-17701 [Base System, License] License activation screen improvements
NC-14028 [Base System] RED site-to-site tunnel disconnects permanently when quick assist is used
NC-15911 [Base System] XG not listening on port 9922 used for SAA
NC-16164 [Base System] Garner dies due to memory corruption
NC-16742 [Base System] Installation not possible on HP DL380G5 / DL360G5
NC-16743 [Base System] Awarrenhttp, Awarrenmta, Warren services die after upgrade
NC-17035 [Base System] Migration from CR 10.06.4020 to SF 16.05 MR1 failed
NC-18049 [Base System] Not able to upgrade firmware from loader as 2 GB memory check fails
NC-17432 [Certificates] Certificate with ID email has wrong ID after import
NC-17246 [Clientless Access(HTTP/HTTPS)] URL rewrite inside HTML document not working
NC-15855 [Firewall] Adding a zone without any service fails
NC-16090 [Firewall] Source port changes to random over IPSec VPN
NC-16695 [Firewall] Protect > Intrusion Prevention - column name text wrapped several times in Japanese language
NC-16728 [Firewall] Display issues when editing firewall rules in Traditional and Simplified Chinese
NC-17068 [Firewall] XG not forwarding IPv6 echo request which has no next header (next header=59) in IPv6 header or in extension header
NC-17069 [Firewall] No ICMPv6 parameter problem sent when receiving unrecognized/unassigned next header in IPv6 header or in extension header
NC-17350 [Firewall] IP family wise network/host validation is not done while adding local ACL rule via API
NC-17459 [Firewall] App Filter (microapp enabled) causes port 443 traffic to be forwarded to proxy
NC-17463 [Firewall] Upgrade from SF 15.01 MR3 to SF 16.05 GA results in factory reset
NC-17519 [Firewall] Wrong country classification for IP address
NC-17730 [Firewall] "HTTP service" message displays even when HTTP service is not there after saving the zone
NC-17731 [Firewall] HTTPS service can be removed from zone, when accessing UI from bridge IP bound to same zone
NC-17732 [Firewall] Duplicate entry of members are seen, when editing the default zones if members are associated with it
NC-16712 [Framework part of Base] HA node in failsafe mode after software upgrade
NC-17259 [Framework part of Base] Unable to see live graph from WAN zone and interface info
NC-11687 [Framework(UI)] Changing system time requires relogin
NC-15270 [Framework(UI)] Not able to select start date and end date for wireless time-based access
NC-1701 [Framework(UI)] TAB focus is not visible in Chrome
NC-17488 [Framework(UI)] Tooltips behave strange and point to a wrong element
NC-18071 [Framework(UI)] Cannot filter for 'Rule Type' in Log Viewer
NC-3965 [Framework(UI)] Cookie not reset after auto logout in userportal
NC-16470 [Galileo Heartbeat] Traffic will be dropped due to Heartbeat if the client is connected to the same Network over LAN and Wifi at the same time
NC-16599 [Galileo Heartbeat] Crash of heartbeatd after "Broken Pipe"
NC-15319 [HA] IPsec VPN not connecting after HA fail over through monitoring port
NC-16832 [Hotspot] Minor UI inconsistency when trying to delete multiple hotspots
NC-17440 [Hotspot] Two mail notifications sent when using "Password of the day" in HA
NC-16639 [IDS + AppControl] Wrong risk level for Facebook Graph API and App is missing in "Very High Risk (Risk Level 5)" apps group
NC-17796 [IDS + AppControl] Not able to configure QoS policy to application category 'IM+ Android'
NC-13255 [IPS] Service stopped/unregistered state after disabling firewall-acceleration in HA mode
NC-15636 [IPS] Unable to start IPS service on SW/VM appliances
NC-15710 [IPS] DHCP option 67 is not working properly
NC-17245 [IPS] IPS engine is not getting reply packets in TAP mode
NC-18368 [IPS] WINGc categorization not working in TAP mode
NC-5474 [IPS] IRQs not set correctly with appropriate CPU for given port-affinity
NC-18197 [License] Administration part of the webadmin page is inaccessible
NC-13375 [Mail Proxy] Email Quarantine only shows first part of day
NC-17346 [Mail Proxy] SPX - after registering it takes time before first message is sent
NC-17804 [Mail Proxy] Incorrect total utilization value shown in SMTP quarantine
NC-17920 [Mail Proxy] Network can also be selected in host list while creating SMTP policy in MTA mode
NC-18044 [Mail Proxy] SMTP service restarts sometimes on high load
NC-18296 [Mail Proxy] Email address is truncated in notifications if sender address contains special chars
NC-4480 [Mail Proxy] MIME filter,SMTP/S: Attachment name with i18n character is not proper in mail body
NC-16898 [Network Services] Unable to add FQDN host using double dash (--)
NC-17276 [Network Services] IPv6 SLAAC does not work according to RFCs
NC-17699 [Network Services] Unable to delete bridge interface when bridge host used in SSL VPN Remote Access
NC-16275 [Networking] IPSec S2S - DHCP reply packet is not forwarded to LAN when PPPOE is enabled on WAN interface
NC-16837 [Networking] WWAN name should be updated to cellular WAN
NC-6943 [Networking] PIM - Interface update from DHCP to PPPoE sets Candidate RP IP to undefined
NC-17375 [RED] DHCP server settings will be reset to default if you change anything in the RED interface
NC-17515 [RED] Monitoring Availability->Display wrong colour code and tooltip status for RED status
NC-18017 [RED] RED Tunnel unstable via PPPOE
NC-16690 [Reporting] Double byte characters in PDF are corrupt
NC-16729 [Reporting] Junk character in report PDF in Traditional Chinese language
NC-16992 [Reporting] Sandstorm records disappear after some time
NC-17330 [Reporting] Unable to generate custom report with around 50000 records
NC-17360 [Reporting] Daily report scheduling doesn't work correctly with "Send email at 24 Hours"
NC-17433 [Reporting] Long title runs off at the end of the PDF page for custom reports
NC-17765 [Reporting] VPN traffic in executive report shows no data
NC-16257 [Routing] OSPF multicast group limit reached
NC-17847 [SSLVPN] Wrong info message when saving global SSL VPN settings
NC-6580 [SSLVPN] Disconnecting SSL VPN connections has to take remote port into account
NC-17469 [SupportAccess] Service warning on deactivated SupportAccess
NC-11118 [UI] Improve browser console for long syntax
NC-17965 [UI] Language Selection on login doesn't change the labels in the login mask
NC-15815 [VPN] Incorrect IPSec configuration pushed by SFM
NC-17260 [VPN] Import of configuration files not working
NC-17768 [VPN] Cannot enable Cisco VPN if last remaining user stated on VPN screen is removed from the user's screen
NC-17863 [WAF] XG85 /tmp Partition is filling up
NC-18010 [WAF] Fix segmentation fault in mod_xml2enc for multi-byte charsets
NC-18047 [WAF] Special characters are encoded when HTML rewrite is enabled
NC-13221 [Web] Extra parameters pushed from SFM to SFOS for web settings
NC-13909 [Web] HTTPS traffic is proxied but Web Proxy is turned off
NC-13960 [Web] SFOS breaks auto-update on SAV for Mac
NC-16693 [Web] Protect > Web some strings are cut off
NC-16730 [Web] No captive portal redirection for new requested URL configured in exception with "Skip Policy Checks" action
NC-17398 [Web] Unauthenticated user is able to access the Whatsapp/Facebook application
NC-17481 [Web] Captive Portal redirecting to empty IP address
NC-17740 [Wireless] Rogue AP scan failed in log viewer
NC-18006 [Wireless] LocalWiFi - failed to configure IP address on WiFi interface
NC-18025 [Wireless] Rogue AP Scan failed when click on "Scan Now"


You can find the firmware for your appliance in the MySophos portal.

  • For me, with every new release the manual exceptions that I have added inside Web \ Exceptions \ Microsoft Windows Update are deleted.

    Please check.

  • Hi FabioTerrone,

    Are you modifying the built-in 'Microsoft Windows Update' exception, or adding a new exception completely? If you're modifying the existing built-in exception, how are you modifying it?

    This isn't something I have heard reported before, so I want to better understand what the issue is.



  • When I access the IPS signature selection screen the process postgres is starting to use one CPU at 100% for some minutes. The signatures won't be displayed at all.

    Any suggestions?



  • Update: The problem seems to occur with custom selections in Platforms. After a reboot the list will be displayed after some minutes of waiting while postgres is running at 100%.

  • Update 2 after 1 day: The IPS upate2date package 3.13.55 solved the issue for me.

    Basically I had the same problem as described here: community.sophos.com/.../ips-policy-slow-after-update-to-mr2

  • Is the Subject Alternative Name fixed in this MR? Nothing is reported about it in the RN.


  • Looking forward to testing these items, as I had all three:

    NC-17740 [Wireless] Rogue AP scan failed in log viewer (in MR1 I had this turned off)

    NC-18006 [Wireless] LocalWiFi - failed to configure IP address on WiFi interface (in MR 1 I had to restart the device)

    NC-18025 [Wireless] Rogue AP Scan failed when click on "Scan Now" (as above)

    Looks good so far.....  :-)