SFOS 17.0.3 MR3 Released

Hi XG Community!

We've finished SFOS v17.0.3 MR3. This release is available from within your device for all SFOS v17.0 installations as of now.

Besides that, the release is available to all SFOS version via MySophos portal.

Issues Resolved

  • NC-25584 [IPsec] IPsec tunnel frequently gets disconnected after migration to v17
  • NC-25597 [IPsec] Disabling DPD has no effect
  • NC-25641 [IPsec] Improve IPsec failover behavior
  • NC-26024 [IPsec] Change default "Policy Keying Tries" to unlimited
  • NC-26032 [IPsec] Too many email notifications on connection retry
  • NC-25986 [Logging] Fixed CVE-2017-18014
  • NC-23214 [Wireless] XG105w failed to update channel width 80 MHz for 5Ghz band


You can find the firmware for your appliance from in MySophos portal.

  • There are no informations in the Release Notes about this: twitter.com/.../941032414838710273

    Please provide complete and true Release Notes!

  • Yes. Unfortunately there were some changes after the communication went out via Twitter.

    17.0 MR3 contains the above fixes.

    New hardware support will be in MR4 and the original planned fixes for MR3 will be in MR5.

  • When will there be a fix for the blocking of apple updates, microsoft updates and everything else broken in v17 with web protection enabled?

  • Just upgraded from MR-2 with no issues. I've had no issues with Apple updates since V17. I haven't added any additional web exceptions, just running the ones that come with the default install called 'Apple Update'.

  • me 2, just upgrade my 3 firewalls with site-to-site from 17mr2 to 17mr3

    big NASTY  bug

    every 10 seconds I got an email message about IPSec connection being "UP"

    This is a bug or a feature?

    "NC-26032 [IPsec] Too many email notifications on connection retry"

    Maybe a newbe question but where can i find more info about NC-25986 or NC-26032

    There is NO info of  NC-????? on "Glosserary of Technical terms" community.sophos.com/.../118500 or Google

    And it is also difficult to find any info on CVE-2017-XXXX     NC-25986 [Logging] Fixed CVE-2017-XXXX (TBD)

    At this moment I will revert back to 17MR2 and advise everybody else to do not upgrade for the experience I just had with MR3

  • I had to change vpn policy from AES256 to AES128 to get ipsec vpn Site to site  to connect between XG firewall both upgraded from MR2 to MR3

  • Upgraded 2 firewalls for testing a XG85 and a XG 105.... at XG85 everything went well, but at XG 105 the CPU use rise from 10% at MR2 to 80% at MR3, roled back to MR2....

  • since V17 Ip sec site to site is not stable(MR2 or MR3) , i back to V16 all are working fine, if there new upfate it should be more stable, and sophos should inform if there setting require to change for the new firmeware upate

  • I upgraded two of my XG-125s and am experiencing high CPU utilization. My CPU utilization before the upgrade was less than 5%, now it's consistently at 60-80% with 3 network firewall rules and no web/content filtering. Also receiving tons of IPSec UP notifications.

  • MR3 still has site-to-site issue IPSEC vpn. Regularly disconnects and no reasons as to why it comes back on maybe 10-15 minutes later.

  • Hi All,

    Email Protection using MTA mode is still full of bugs. Not usable in production, and for sure not at the same level of UTM.

    I'm talking about 17 MR3 (three).

    Some of the most scaring points:

    - SMTP send 550 random errors

    - Quarantine manager random release errors

    - Quarantine manager shows only IP instead of XG FQDN (certificate error, and only LAN access)

    - Real SMTP logging via WebAdmin still missing

    Don't use it.


  • I was so stupid to upgrade to SFOS17 and so I upgraded to SFOS 17.0.3.

    My mailbox is fulling up with email notifications of ipsec site to site tunnels that are down and up and down and ..

    I found out that changing to aes256/sha256 with dh5 was more stable.

    The reflex should be to create a support ticket, but when does guys tried to gave support, it's only irritated me the slowness and lake of knowledge of the product.

    I already contact my account person with Sophos, will see if I get a response.

    Also other issues like sandstorm test isn't working (www.sophos.com/.../sandstorm-test.aspx) and that when sandstorm is processing, the end user is getting an insecure https://ip-fw screen that still not can been replaced by https://fqdn + valid cert.

    I think the quarantine has the same problem.

    Isn't it time to act for a security company to make the security products stable and secure?

  • Just upgraded from 16.5.8-MR8 via 17.0.2-MR2 to 17.0.3-MR3. Seems like everything is working fine. Except of course VPN.

    IPsec-VPN with Cyberoam-Firewalls won't work unless you have activated 'SHA2 with 96-bit truncation' within the IPsec-profile.  Otherwise phase-1 will establish a connection perfectly but phase-2 obviously won't let any transfer go through. Logviewer wasn't very helpful to find this one; we had to contact our partner to solve this issue.

  • We have still issues with ipsec-VPN in active/passive cluster. no connection possible. When I disable the cluster it is working.

    With MR3 a lot of basic issues were solved with ipsec VPN, which is stable on our side now.

  • Looks like sophos couldn't fix the bugs, instead they created more bugs in this firmware, and my 8 devices i have to manually restart on daily basis to get my vpn connection up, Very disappointing