Hi XG Community!
We've finished SFOS v17.5.0 GA. This release is available in stages. In the first stage it will be available at MySophos. We will then start with a small number of slots and increase those over time. Later it will be available to all other installations as well.
Please see the following link for further information regarding the upgrade - KBA 123285 Sophos Firewall: How to upgrade the firmware.
Here's a quick overview of the key new features in v17.5. For a more detailed description please refer to: Sophos-XG-firewall-v17.5-whats-new.pdf
Coming in a following Maintenance Release we have:
Wireless APX Access Point Support provides support for the new Wave 2 access points providing faster connectivity and added scalability.
Airgap Support for deployments where XG Firewall can’t get updates automatically via an internet connection (due to an “airgap” or physical isolation) – Patterns and Licenses can now be updated manually.
Sophos Central Management of XG Firewall: With v17.5, XG Firewall is also joining Sophos Central. The Early Access Program for Sophos Central Management of XG Firewall is expected to start soon.
You will be able to manage XG Firewall from within Sophos Central along with all your other Sophos Central products. And there are a few great new features coming along with Sophos Central Management of XG Firewall:
Secure access and management with single-sign-on through Sophos Central from anywhere
Backup management and storage for your regularly scheduled firewall backups
Firmware update management to make multiple firewall updates easy
Light-touch deployment to enable easy remote setup of a new Firewall
NC-39029 [Authentication] Show proper error message in UI if you enter a used port in Chromebook SSO configuration
NC-39212 [Authentication] CSD: make sure the userSessions map is not overwritten
NC-39532 [Authentication] Migration from 17.1 fails if host definition for "*.gstatic.com" exists
NC-39677 [Authentication] Success message shown in ui even though deleting a user fails
NC-37683 [Base System] cURL (libcurl) NTLM Authentication Code Buffer Overrun Vulnerability (CVE-2018-14618)
NC-39192 [CM-Join-to-cloud] Appropriate status should update on SF and Sophos Central once FW is removed from Central and registered again
NC-36497 [Email] POP3 mails reach the proxy empty
NC-38052 [Email] Subject not displayed properly in mail log with sender generated password method
NC-38282 [Email] mail_sender opcode stuck in CSC
NC-38470 [Email] Some reason filters on mail log page are not working as expected
NC-38571 [Email] Port validation not working when adding new port in SMTP via CLI
NC-39233 [Email] Email delivery failed for some recipients when email containing 512 recipients
NC-39280 [Email] Error message 'Relay not permitted' when sending an inbound mail to email address base profile
NC-39379 [Email] Bad (malformed syntax) mails should be displayed separately from network failed emails on UI
NC-39454 [Email] Mail doesn't get formatted properly when file filter protection applied
NC-39513 [Email] Network type IP host should not be allowed to be added in exception policy
NC-39668 [Email] RDNS check should be applied to inbound emails only
NC-39737 [Email] Mail from header changed when wrong "Return-Path" used in smart host deployment
NC-39953 [Email] Email attachments get corrupted with BDAT
NC-40387 [Email] Avira update might fail on HA systems after upgrade to v17.5
NC-38505 [IPS] IPS policy backup is not created while applying signature upgrade
NC-39687 [IPS] IPS log filling up with entries and causing problems for legitimate traffic
NC-39083 [IPsec] IPsec: charon starts parsing fragmented messages before they are reassembled
NC-38832 [Network Services] Issue with wildcard FQDN based rule
NC-37817 [UI Framework] SAC tab not loaded because of OutOfMemory error
NC-39310 [UI Framework] Control Center: Icons for VPN and Connections have been switched
NC-38184 [Web] Check settings functionality is not working from device level of firewall manager (SFM)
NC-38844 [Web] Web Policy Override not working in HA (A-A) mode if traffic served from Aux appliance
NC-39039 [Web] When "Drop connection" feature is enabled, blocked/warned events are not logged correctly
NC-32763 [Authentication] Importing users with .csv file having usernames with Thai characters creates junk character
NC-34340 [Authentication] Users not getting authenticated via Radius SSO
NC-37091 [Authentication] Show error when Chromebook SSO is not configured correctly
NC-37300 [Authentication] Create FQDN Hosts and Groups for Chromebook
NC-38381 [Authentication] "Record does not exist" error when trying to open created LDAP server
NC-36185 [Azure] Upgrade Linux VM Agent
NC-38176 [Base System] garner memory corruption affecting RED
NC-38471 [Base System] EULA not shown on GUI on Azure
NC-38473 [Base System] Reading of /proc/timer_list file leads to NMI watchdog soft lockups
NC-31499 [Email] Unable to send .eml attachments to specific domain
NC-32682 [Email] SPX generates password for same email recipient in different case
NC-32690 [Email] SPX encryption corrupting attachments by adding line breaks
NC-32754 [Email] XG not able to insert spool query
NC-33360 [Email] Add missing header fields in notification emails
NC-33391 [Email] Quarantine digest and released emails not sent
NC-33977 [Email] Unable to release unscannable quarantined emails
NC-34450 [Email] Fail to send email notifications
NC-35494 [Email] UI hangs when user selects specific date on SMTP quarantine page
NC-36612 [Email] Cross version import/export not working for exception policy
NC-37849 [Email] Console command 'subsystem-info' shows awarrensmtp and smtpd service with same name
NC-37945 [Email] Scanner crash on low end devices due to high number of forwarders
NC-38005 [Email] Improper IP reputation reject status message in mail log
NC-38013 [Email] Typo in Authentication Relay drop message
NC-38015 [Email] Emails moved to error queue when header part is big
NC-38021 [Email] Return-Path/Reply-To header ignored while sending failure notifications
NC-38252 [Email] Add support of email based routing and RBL scanning
NC-38257 [Email] No reason logged in mail logs for mails dropped due to file filter
NC-38297 [Email] Improper label in exception policy at device level from SFM
NC-38312 [Email] SFM pushes exception policy to firewalls even in legacy mode
NC-38391 [Email] Core dump in mail scanner
NC-38392 [Email] Notifications are logged with '0 bytes' in MailLogs
NC-38501 [Email] SPX fails to encrypt on hardware appliances when SPX reply portal is enabled template
NC-39024 [Email] Do not allow multi use for port 587
NC-32530 [Firewall] Post-Authentication SQL injection in Firewall User Interface
NC-34612 [Firewall] Appliance frequently rebooting when having IPv6 permitted networks for remote access SSLVPN
NC-34675 [Firewall] Live connections page not showing connection list
NC-35656 [Firewall] Internet access being lost, SFOS consuming all memory.
NC-35660 [Firewall] MAC address missing in export of MAC list having only one list member
NC-37274 [Firewall] SMTP MTA mode does not support TCP port 587
NC-37760 [Firewall] Misleading message when adding rule using automatic grouping and group has already 200 rules
NC-37992 [Firewall] Transferred data not shown in firewall rules when reaching terabytes
NC-36318 [IPS, SFM-SCFM] Application filter policy rule not containing any application being pushed from SFM is not applied on SF
NC-36565 [IPS] Category replacement not working on export/import
NC-38347 [IPS] Category based IPS policy import not mapping to Talos categories
NC-30016 [IPsec] Merged IKE gets deleted when one connection is disabled in UI
NC-32269 [IPsec] GRE traffic forwarded through WAN interface after HA failover event
NC-34131 [IPsec] L2TP still connects after user was disabled
NC-38310 [IPsec] IPsec site-to-site tunnel not established with Cisco ASA and gateway type "Initiate the connection"
NC-39059 [Localization] Using "state" causes mistranslations
NC-36455 [Networking] WWAN is not connected automatically at boot time if the primary WAN link is disconnected/down
NC-36720 [Networking] Traffic might flow via backup gateway even if hard gateway failback is configured
NC-34149 [nSXLd] Keywords are not deleted when custom web category is deleted
NC-37809 [nSXLd] Proxy authentication is not cleared after config reload
NC-38125 [SSLVPN] Unable to edit SSLVPN (remote access) page
NC-35500 [UI Framework] Apache service start fails if webadmin certificate passphrase having single quote character
NC-35682 [WAF] Unable to edit and load business app rule for WAF
NC-37178 [Web] Name should not be pre-filled while creating new overrides
NC-37179 [Web] Improve UI for adding website domains to an Application Override
NC-29648 [Base System] If Default CA is not configured, Generate CSR option should be disabled
NC-29906 [Base System] Unable to edit NTP server when 10 servers are configured
NC-30497 [Base System] [VMware] SFOS Guest OS detail shows wrong/missing
NC-30635 [Base System] Missing focus after closing dialog when editing default certificate
NC-31010 [Base System] Configuration import running into timeout on SG/XG 100 series appliances
NC-31100 [Base System] Upgrade notification pop-up does not work in some cases
NC-35536 [Base System] OpenSSL - Denial of service during forward secrecy setup (CVE-2018-0732)
NC-34154 [Clientless Access] Unable to connect RDP type bookmark with NLA
NC-34803 [Email] Possible denial-of-service due to secure client-initiated renegotiation
NC-35175 [Email] Sophos XG is not adding received-by header as per RFC 5321
NC-35256 [Email] Invalid XML is generated for Email -> General Settings -> Blocked Senders
NC-35915 [Email] "POP-IMAP Scanning" policy generated XML does not contain information of filter criteria "Source IP/Network Address"
NC-26440 [Firewall] Firewall rule dropping traffic when there is no user identity attached to the rule
NC-30989 [Firewall] CVE-2018-8897: Don't use IST entry for #BP stack
NC-31282 [Firewall] Firewall rule group entity name not sent to SFM upon insert/update/delete
NC-22889 [Hardware] XG85: poweroff command reboots the device instead of shutting it down
NC-21909 [IPsec] Do not show empty-value-warning on page entry
NC-30319 [IPsec] Backup fails import when containing IPv6 remotes
NC-30462 [IPsec] Site-to-Site connection not initiated after DHCPv6 interface update
NC-30618 [IPsec] New virtual IP on every Phase 1 rekey even though client requests same IP
NC-30794 [IPsec] NAT checkbox is always enabled in IE11
NC-30796 [IPsec] Local gateway selection shows invalid interface in IE11
NC-33410 [IPsec] VPN Connection Status shows 'Any' on both sides even when configured only on one side
NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
NC-25714 [Logging] Firewall rule ID in log viewer not linking to actual rule anymore
NC-29974 [Network Services] Disconnect PPPoE interface doesn't update corresponding interface based DNS static entry
NC-30753 [Network Services] DGD service in stopped state and segmentation fault
NC-33876 [Network Services] IPset command shows wrong information for wildcard and FQDN Host
NC-30483 [Networking] Port and IP address may show "undefined" in WAN Link Manager "Failover Rules"
NC-30493 [Networking] Link status not updated in WAN Link Manager when RA client has no IP address
NC-30544 [Networking] Full and selective configuration import fails when bridge interface configured in WAN zone
NC-31399 [Networking] Full backup import fails when bridge member interface is LAG
NC-33628 [Networking] LAG mode related configuration missing on configuration export
NC-34573 [Networking] Configuration changes of CFM not propagated to XG
NC-20785 [Reporting] PDF export of reports taking much time or failing completely
NC-26459 [Reporting, UI Framework] Reports for "Traffic Insight" not shown on dashboard
NC-29573 [Reporting] Sending of scheduled reports does not consider changes of daylight saving time
NC-31243 [Reporting] Table headers in reports span two lines and cannot be seen
NC-32490 [Reporting] Unable to click "PDF", "CSV", "Bookmark" or "Schedule" under "Report > Applicazioni & Web" when WebAdmin language is Italian
NC-28206 [SecurityHeartbeat] Heartbeat daemon does not handle all allowed MAC address formats correctly
NC-32459 [SecurityHeartbeat] Endpoint name in StoneWall message
NC-32580 [SecurityHeartbeat] Extend StoneWall protocols/messages
NC-34169 [SSLVPN] Fail to access SSLVPN (site-to-site) page after any tunnel modification
NC-30984 [Synchronized App Control] [SAC] improve usability
NC-30987 [Synchronized App Control] [SAC] no action "acknowledge" for acknowledged apps
NC-30988 [Synchronized App Control] [SAC] filter with deleted apps should be last in the dropdown field
NC-28064 [WAF] Form hardening sets block-reason only in case of GET requests
NC-25805 [Web] Handle non-compliant HTTP status code 999
NC-27519 [Web] Proxy continues to download files in batch mode even if client closes connection
NC-28851 [Web] Default Web policies contain duplicate rules
NC-29305 [Web] "Expect" header not handled correctly
NC-31837 [Web] Add "alert.hitmanpro.com" to proxy bypass list
NC-33650 [Web] Enabling web content cache for Sophos Updates blocks further updates
To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285.
I have upgraded two appliances (both VMware virtual) and both appliances lost licenses!!!
The Synchronize button does not solve the problem.
Do you have any idea for this?! Restart did not solve the problem either...
Up and running....
Does this replace STAS?
I have updated Beta 2 on a VMware VM and it is working fine
It's up and running, but where is the High Availability menu??
Updated from beta 2, process took less than 5min.
No issues with licensing. Everything appears to be fine.
NTP appears to be working correctly.
talex, the KB of Cisco IPS does not work for public users:
"IPS now with Cisco Talos IPS library and more granular IPS categories KBA 133197"
Can you check it? Thanks
Use this URL Link regarding Cisco Talos IPS
lferrara thanks for the hint, I updated the link.
I have upgraded three appliances. But one of the UTMs (XG135) has some issues. I cannot use the all-in-one printer between inter intra-zone communication, and I checked with an open policy; it's not working. I downgraded the OS to 17.1.3 MR3 (currently installed), and that's working.
Issue with Sophos Endpoint Updates - "Always cache Sophos endpoint updates" option is causing the problem if it's checked. Endpoints are not getting updated until we uncheck the option.
batcox Mine is still under "System Services" ;)
Any info on how to implement the new features like Chromebook auth and the new client authentication? Does this replace STAS and if so, is there a how-to "retire STAS and replace with...." guide?
Updated a test device - doesn't seem to fix, update, or replace the mess that is STAS.
ken9000 - could you explain your problem with STAS? I am also experiencing some problems.