SFOS 17.5 MR3 Released

Hi XG Community!

We've finished SFOS v17.5.3 MR3. This release is available in stages. In first stage it will be available at MySophos. We then start with a small amount of slots and will increase those over time. Later it will be available to all other installations as well.

Please see the following link for further information regarding upgrade - KBA 123285 Sophos Firewall: How to upgrade the firmware.

What's New in XG Firewall v17.5 MR3

Airgap Support

Enables updates to XG Firewalls deployed in environments that are physically isolated from the internet.  Protection patterns, licenses, and firmware updates can be applied from a USB storage device. Learn more.

Manual Protection Pattern Update

Enables security pattern updates, client software updates, and firmware updates for access point and RED devices to be uploaded from a file via the XG Firewall management console. Learn more.

APX Series Wireless Access Point Support

Support for our new APX 320, 530, and 740 wireless access points with 802.11ac Wave 2 with 2-3x the performance and added device density over our legacy AP Series models.  Learn more.

  • APX 740: Flagship 4x4:4 access point with high-density, high-capacity for the mid-market enterprise
  • APX 530: High performance 3x3:3 access point for typical office environments of all sizes
  • APX 320: 2x2:2 Dual 5 GHz based access point, perfect for tablets/phones, high-density environment in education, small retail scenarios

Broader Backup/Restore Support

Support for Migration to XG Series Hardware. Backups from XG Firewall running on SG Series devices can now be restored to XG Series devices.  In addition, backups from Cyberoam CROS and SFOS backups can be restored to XG Series devices without any manual conversion.

Improved Cyberoam Firewall Rule Migration Compatibility

Firewall rules will be automatically grouped based on source and destination zone when migrating to XG Firewall for consistency.

DHCP Client on Bridge Interface Support

Bridge interfaces can now receive IP4/IP6 IP address and DNS information via DHCP like standard Ethernet interfaces. 

Recipient verification using Active Directory lookup

Administrator can verify recipient email addresses against configured active directory and can reject emails to non-existent users.


Issues Resolved

  • NC-29354 [API] Response for xmlapi get for SyslogServer is missing some value
  • NC-29808 [API] API Authentication should be case insensitive
  • NC-35920 [API] Wrong XML is generated for client-less users when username added with capital letter
  • NC-30616 [Authentication] Guest username/id and passwords are changed after migration
  • NC-33449 [Authentication] Group name showing under “undefined” during AD group import
  • NC-35923 [Authentication] XML export of guest users contains wrong information of user validity
  • NC-38607 [Authentication] Provide a JSON config download for GSuite in the XG UI
  • NC-39026 [Authentication] Chromebook Support port is missing in port validation opcode
  • NC-39106 [Authentication] Access_server is restarted due to missing service heartbeat
  • NC-30365 [Base System] Fix error message for new firmware check on auxiliary device
  • NC-37824 [Base System] SFM/CFM - at device dashboard AV version shows as 0
  • NC-38546 [Base System] Fix log message for scheduled backup and update message
  • NC-39177 [Base System] Garner - sigsegv_dump: Segmentation Fault
  • NC-39179 [Base System] Customization of captive portal not working
  • NC-39688 [Base System] Virtual firewall reboots after applying license
  • NC-40157 [Base System] Garner service stopped with sigsegv_dump: Segmentation Fault
  • NC-40268 [Base System] Not able to access HA device via Central Management
  • NC-38469 [Email] Increase csc monitor time for avd service
  • NC-38521 [Email] Add support for recipient verification via AD using STARTTLS
  • NC-39827 [Email] Improve documentation for mail spool and SMTP policies
  • NC-35434 [Firewall] csc worker gets killed causing errors in port forwarding
  • NC-35521 [Firewall] Import of exported config does not recreate the device access permissions correctly
  • NC-38318 [Firewall] XML change and revert details are not generated for "firewall group" entity when create firewall rule from SFM device Level
  • NC-39316 [Firewall] Group edit fail when user edit existing group and new name have double space
  • NC-39605 [Firewall] Modifying one time schedules fails, if timer has already triggered
  • NC-40080 [Firewall] Improve UI and help for group creation based on EAP feedback
  • NC-29296 [IPsec] Charon doesn't reconnect in all cases
  • NC-29365 [IPsec] IPSec tunnel fails when there are whitespaces at the begin or end of the PSK
  • NC-30599 [IPsec] Checkboxes on IPSec UI pages do not work using Safari
  • NC-38824 [IPsec] Spelling error in message when IPSec cannot be established
  • NC-38946 [IPsec] Child SA going down randomly with Checkpoint IPSec connection
  • NC-38603 [nSXLd] Custom URL web category list stopped working after updating to v17.1MR2
  • NC-38958 [Reporting] Smart search filter is not working properly for "is not" filter in log viewer
  • NC-39530 [Reporting] Logo is too close to the name of the report page
  • NC-39770 [Reporting] 'Context' column getting removed after click on Reset to default for web content policy logs
  • NC-39479 [Sandstorm] Dashboard message not correct for Single Scan Avira with Sandstorm
  • NC-35750 [SecurityHeartbeat] Heartbeat widget not displayed on slave node when registered
  • NC-38778 [SNMP] Unable to fetch the value for particular OID in SNMP server
  • NC-35490 [Synchronized App Control] Application are not classified in Synchronized Application Control list
  • NC-32342 [UI Framework] Restrict number of connection from particular IP at a particular time
  • NC-39078 [UI Framework] Update Apache Commons Collections (CVE-2015-7501, CVE-2015-6420, CVE-2017-15708)
  • NC-39081 [UI Framework] Update Apache Commons FileUpload (CVE-2016-3092, CVE-2016-1000031)
  • NC-39910 [UI Framework] Policy Tester is not working via Central Management
  • NC-38295 [WAF] WAF Rules not working after HA takeover
  • NC-31388 [Web] URL Category Lookup doesn't allow punycode-encoded domain names
  • NC-31485 [Web] Skipping sandbox check is not being exported in the XML for WebFilterException
  • NC-35585 [Web] Only 10 cloud applications are listed if the screen resolution is 2560*1440 or higher
  • NC-36320 [Web] AppPolicy becomes DenyAll if all "characteristics" and any classification selected


To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285.

  • Maybe you guys can give some further informations about taking a previous Cloud-Managed APX to the XG Firewall?

    So far I did tried:

    1. Check that the APX in Cloud is on

    2. Check that XG is upgraded to 17.5 MR 3

    3. Check that after Upgrade to 17.5 MR 3, the Latest AP-  Pattern is Downloaded to XG

    4. Removed APX from Cloud

    5. Rebooted APX.

    Now i was expecting to see the APX within XG Dashboard. That wasn't the case unless my XG is the DefaultGateway for APX.

  • Tested APX support with 3 APX530 today, I was not successful.

    What I did:

    - Upgraded firewall to SFOS 17.5.3 MR-3

    - Rebooted firewall.

    - Upgraded AP Firmware to 11.0.006

    - Rebooted firewall (just to go sure)

    - Connected APs

    APs get an IP with DCHP but then it's over. They do not appear in the wireless module. Do I miss something? APs are new and were not connected to the cloud.

  • Seeing the same thing with my APX530, which has never been connected to the cloud. Also running newest AP firmware...

  • Hi, I have struggled with this all days since the release of 17.5.3. I upgraded a couple of XG firewalls with the new firmware. Then i checked policys, wireless settings (enabled), Checked Device settings so that my Zones were active for Wireless. Then I installed the patternupdates for Wireless 11.0.006 and rebooted the units again. I have then Tried APX 320, APX 530 and APX 740 all with the same results. They get IP from DHCP services but it seems that they do not talk magic IP on port 2712? I see nothing in LogViewer (logcomp Wireless). None of the APX´s are connected to any Sophos Central account. I have submitted a supportcase and are waiting for some feedback. I will let you all know if I get a breakthrough in this case.

  • are we failing or was it quality department? :-D

  • Please see this KBA that has been published for this issue: community.sophos.com/.../133538

  • After upgrade from 17.5 mr1 to 17.5 mr3 I notice that the virtual appliance is slower then before. Nothing on the settings changed, and hardware is also the same. I run it on hyper-v 2016. Is there away to troubleshoot why its much slower now? Anyone else has the same experience ??

  • Not sure if this is related to the upgrade, when we upgraded one of our firewalls the SMTP service stopped. There's no way to restart this service via the gui. Dropping to the CLI and running  service -s nosync awarrenmta:restart seems to have done the trick.

  • Do not install MR3 if you have RED Tunnels. Did this last night and my remote firewalls (RED Clients) are constantly rebooting itself. Rolled back to MR1.

  •  Thanks for the data, I was thinking about updating, but seeing that detail with the red15. I better wait for you will there be information about why this happens with the red15?

  • I've just updated one xg in a branch office to 17.5.3.

    Now the ipsec vpn between this device and the xg in our headquarter running 17.5.1 doesn't come up.

    Will it work when both xg are running same firmware?

    I don't want to update the xg in our headquarter because there are also many aps and reds managed by the xg.

  • Not saying the RED issues aren't related to MR3, but we're running an 17.5MR3 internally with 5 RED 15Ws and haven't had any issues so far. However, based on the feedback of others, we're going to wait before we roll MR3 to our external clients.

  • I'm having a terrible time trying to get 17.5.3 to install on 3 XG85's.  I click on "Check for New Firmware" and it finds the update, HW-17.5.3_MR-3.SF110-372.  I click Download and it downloads the update.  Then I click on Install, and the spinning thing runs for about 30 seconds, and then I get an error message stating the update could not be installed and I should check on the online documentation for possible reasons why.  If I go through that process about 3 times it will eventually install.  At least that has worked on 1 of the 3 XG85's.  On another one it only installed if I clicked on install on the message you get about the update when you first login to the XG85.  Doing it through the "Backups and Firmware" page didn't work.

  • Be aware of the possible issue with this update and the workaround to avoid it - community.sophos.com/.../133799 (Device booting into safe mode after upgrade to v17.5)