SFOS 17.5 MR6 Released

Hi XG Community!

We've released SFOS v17.5.6 MR6 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from your MySophos account. We then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Guidance on recently discovered security vulnerability in Exim email server

Exim is used by XG Firewall v17.5, specifically if a customer has enabled Email Protection. On Friday 7 June 2019, Sophos released and automatically applied an over the air hotfix to all XG Firewalls with auto-updates enabled to address this issue. If your XG Firewall does not have auto-updates enabled, upgrading to 17.5 MR6 release could resolve the issue. Alternatively, you can review KB134199.

What's New in XG Firewall v17.5 MR6

Radius SSO authentication between XG and APX

Wireless users can be authenticated using Radius SSO between XG and APX. Now supports framed IP addresses in client accounting messages.

Issues Resolved in SF 17.5 MR6

  • NC-40785 [API Framework] Incorrect data types and values in API documentation
  • NC-44687 [API Framework] Unable to update webadmin settings when WAF rule with port 80 is configured
  • NC-43933 [Authentication] csd not cleaning up stale connections
  • NC-45077 [Authentication] Some LDAP users are not associated with the expected group
  • NC-45283 [Authentication] Memory leak in access server
  • NC-46024 [Authentication] Guest user registration is not working after upgrading to 17.5 MR4
  • NC-46572 [Authentication] Race condition in access server when setting authserverid
  • NC-44178 [Backup-Restore] Unnecessary selection button when downloading backup without encryption password
  • NC-45532 [Clientless Access] Clientless SMB Bookmark - Unable to upload files in a folder or share with an apostrophe
  • NC-39353 [Core Utils] Brazilian timezone and DST problem
  • NC-40924 [Core Utils] ATP patterns filling up /content/ folder
  • NC-43506 [DHCP] Established connection is destroyed when dynamic WAN interface gets configured
  • NC-46351 [DHCP] DHCP service dies on firmware upgrade
  • NC-43624 [Dynamic Routing (PIM)] Coredump from  pimd while applying interfaces in pim-sm in HA-AA case
  • NC-41225 [Email] Assertion while scanning mail with custom file mime type
  • NC-42752 [Email] Issues with certificate chain
  • NC-42986 [Email] Mail application usage reports shows 0bytes for POP and IMAP
  • NC-43179 [Email] Mails stuck in queue when email id contains '='
  • NC-43285 [Email] Filtering for bounced mails freezes mail log page
  • NC-43399 [Email] "DKIM: validation of body hash failed" when DKIM signed mail gets forwarded by XG
  • NC-43445 [Email] Mails are split in different header information and hang in spool
  • NC-43539 [Email] Unable to access appliance after restoring backup
  • NC-44131 [Email] Core dumps in smtpd while deleting mail from mail spool page
  • NC-44490 [Email] Unable to use CAs with ECC certificates
  • NC-44559 [Email] Conan engine does not get upgraded on migration
  • NC-44662 [Email] Mails with folded headers might not be processed correctly
  • NC-45144 [Email] Exim complaining about illegal header file
  • NC-45223 [Email] Unable to filter mail log with some special russian characters
  • NC-46145 [Email] Email notification using external mail server not working after upgrading to 17.5 MR4
  • NC-42902 [Firewall] IPsec traffic flows only after REKEY event
  • NC-44344 [Firewall] Not able to enable IP Spoofing on more than 18 zones
  • NC-46188 [Firewall] GUI icons broken in firewall rules
  • NC-44083 [Hotspot] Hotspot voucher created in HA setup is expired and has used data attached to it
  • NC-38688 [IPsec] Sporadic connection interruption to local XG after IPsec rekeying
  • NC-41631 [IPsec] Tunnel not established in HA setup
  • NC-43220 [IPsec] Unable to use "Reset" button on Sophos Connect settings page
  • NC-43898 [IPsec] Improve udp/500 firewall rule activation
  • NC-44072 [IPsec] Charon timeout while starting on small appliances with 20+ IPsec tunnels and auth type 'rsa'
  • NC-44240 [IPsec] XG not accepting MODP_1024 DH during IKE negotiations
  • NC-44016 [Logging Framework] Garner segfault in Central Management plugin of garner
  • NC-44693 [Logging Framework, SecurityHeartbeat] Reports are not being generated
  • NC-45339 [Logging Framework] Assertion fail in garner causing RED clients to disconnect
  • NC-46535 [Logging Framework] Memory leak in notification plugin
  • NC-44531 [nSXLd] nSXLd connection handling improvements
  • NC-46117 [Policy Routing] Traffic passing through IPSec link though policy route (MPLS) has high priority
  • NC-30294 [PPPoE] PPPoE interface graph is showing incorrect bandwidth information
  • NC-33657 [SFM-SCFM] API output shows "Configuration parameters validation failed"
  • NC-44007 [SFM-SCFM] Error message on GUI: SSOD is stopped
  • NC-44562 [SFM-SCFM] Backup snapshot has not been restored from SFM when SF having encrypted password for backup
  • NC-43684 [SNMP] libsnmp segfaults for "AVVERSION Get"
  • NC-44695 [SSLVPN] Unable to connect via SSL VPN after migrating from CROS
  • NC-46253 [SupportAccess] Backport: Cannot connect to WebAdmin via SupportAccess
  • NC-43936 [UI Framework] Guest Users page not loading after deleting the last page of available Guest Users
  • NC-44018 [UI Framework] Type of icon should be drop-down instead of icon of increase-decrease
  • NC-44283 [UI Framework] Cannot load Connection Details page of an IPsec VPN connection when Chinese characters are used in local/remote host configuration
  • NC-45358 [WAF] Privilege escalation from modules' scripts (CVE-2019-0211)
  • NC-45544 [WAF] Reduce memory footprint
  • NC-45974 [WAF] URL normalization inconsistency (CVE-2019-0220)
  • NC-46104 [WAF] HTML rewriting in large embedded CSS causes appliance to reboot due to OOM
  • NC-46810 [WAF] NULL pointer dereference in mod_proxy_html
  • NC-43970 [Web] Policy editor window doesn't close when new policy created
  • NC-44089 [Web] Backslashes not properly escaped on User Activities page
  • NC-44228 [Web] Web categorization fails randomly
  • NC-44609 [Web] Incorrect parsing of DNS responses leads to 502 errors
  • NC-45020 [Web] Memory leak in sandbox pending page
  • NC-45094 [Web] SSL scan not on in case of force_ntlm on transparent connection
  • NC-27524 [Wireless] Restoring backup of Cyberoam 10.6.5050 GA not working when WLAN is configured
  • NC-45088 [Wireless] Selective export of WirelessNetworks with dependencies does not contain any dependencies
  • NC-45405 [Wireless] Country field for AP shown empty while accepting it with multple pending APs
  • NC-46142 [Wireless] SSID deleted but WiFi interface remains


To manually install the upgrade, you can download the firmware from the MySophos portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

  • during the upgrade from 5.5 to 5.6 all went well. After the firewall was boot, it turned out the DHCP was completely broken.  I removed the old DHCP config and created a new one but it did not help. The symptoms were: Clients did get and IP bit were unable to to to the internet. Clients did not get DNS and gateway addresses from the DHCP (these were configured). Removing and adding the gateway address and DNS addresses from the CLI to the DHCP config did not help. Eventually I had to restore the config from a previous backup file. This resolved the issue.

  • observations thus far

    1. Firewall GUI rules still inconsistently display malformed

    2. All traffic shaping rules lost during upgrade from 17.5.5 to 17.5.6

    3. THIS IS THE BIGGY- Firewall stopped logging after a couple of days, once rebooted logging started working again. Reminisce of old 17.1.1 (or was is 17.0.x)  logging issues.

  • Waiting hopefully Active Directory backend authentication for Hotspot.

  • It's nearly there, just had a death in the family so everything has kinda been put on hold for now but i'll squeeze it out ASAP.

    , It's a v17.5.5 issue that came in: community.sophos.com/.../sophos-xg-firewall-17-5-logs-are-not-updating-on-the-gui-log-viewer

  • So sorry for you loss :-( - Don't stress anything with that guide, it's no near important for me anyway, just nice to have.

  • Lucar has just commented the KB article for it althought it's about as useful as a chocolate teapot because it is basically the exact same article as community.sophos.com/.../132912 but just has the RADIUS accounting delay start and the accounting switch enabled.

    Unfortunately, right now I am getting:

    MESSAGE   Jul 01 14:15:12 [4142770688]: handle_radius_account_req:  request received from radius client

    ERROR     Jul 01 14:15:12 [4142770688]: handle_radius_account_req: received radius accounting with status  1

    ERROR     Jul 01 14:15:12 [4142770688]: handle_radius_account_req: received radius accounting packet without login ip host

    The XG is not delivering the logged in IP address, case raised.

  • Actually  did you configure your NPS correctly? Because your KBA is only for Authentication, not Accounting. You have to specify a new Radius Server on Windows Server to redirect accounting Information back to XG.

  • , it's not the NPS responsible for sending the IP address, it's the XG on the APs behalf (well forwarded and natted). As far as i can tell all systems I've tested are configured correctly but it is the RADIUS accounting packets that are missing the IP address.

    Basically, NPS can never initiate Accounting packets because it has no acceas to monitor the APs so it relies on third parties to receive those details and forward them on.

    If you want the case number to look at my pcap, pop me a pm.


  • We have had major issues with CPU util and HTTP scanning since moving to this. We had that many users complain we had to switch off HTTP scanning outbound. Also dashboard consistently breaks and doesn't show any metrics.

  • since 17.5.6  on XG310 is no Web Browsing anymore possible.

    Surfing the web ist that much slow like Modem 56K  20 yars ago

    For me the 17.5.6 is extrem buggy and not useable.

    turned back to 17.5.3

    DNS and Proxy is not working correct anymore.

    still no upstrem Proxy is possible to set up with port 80

    while internal Sophos Proxy uses Port 8080.

    17.5.6 is still extrem full of Bugs...

  • HA seem to take longer than expected when fail-over after update to 17.5 MR6, before this used to be few ping to recover.

  • When i reed some comments it looks like the 15.5.6 is little buggy. Lost of DHCP, Performance Issues and lost of traffic shaping policy makes me not realy motivated to fo to 15.5.6. Are these problems realy confirmed ?