SFOS 17.5 MR7 Released

Hi XG Community!

We've released SFOS v17.5.7 MR7 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from your MySophos account. We will then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Issues Resolved in SF 17.5 MR7

  • NC-41262 [Authentication] Users randomly getting disconnected with CAA

  • NC-46466 [CaptivePortal] Connection security configuration options for Captive Portal and HTTP Proxy

  • NC-46787 [CM (Zero Touch)] Some USB pen drives fail to mount

  • NC-46750 [Dynamic Routing (PIM)] Camera recordings are missing at NVR

  • NC-46707 [Email] Exception for IP reputation and RBL works incorrectly

  • NC-43902 [Firewall] API export of service objects has the incorrect order

  • NC-45322 [Firewall] NMI backtraces

  • NC-45603 [Firewall] Legacy Mode SMTP rule with IPlist not working

  • NC-47632 [Firewall] TCP SACK PANIC - Kernel vulnerabilities

  • NC-45720 [Firmware Management] Device rebooting continuously while booting with SFOS firmware version after migration from CROS

  • NC-46658 [RED] Typo in Popup message after RED creation in German language setting

  • NC-43414 [Authentication, SSLVPN] Login restriction feature on user accounts for SSL VPN not working correctly

  • NC-45258 [SSLVPN] Wrong route is added while using static virtual IP address in SSL-VPN Site-to-Site tunnel

  • NC-46579 [Web] Unable to add sub-domain when sub-domain contains single value

  • NC-47906 [Wireless] TCP SACK PANIC - Kernel vulnerabilities on XG managed AP

Download

To manually install the upgrade, you can download the firmware from the MySophos portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

  • Was it 6 or was it 7 :-)

    MR7 is not avail for download yet...

  • Hi,

    Probably you have to correct article content and replace MR6 with MR7

  • NC-47906 [Wireless] TCP SACK PANIC - Kernel vulnerabilities on XG managed AP

    You wrote in your advisory that Sophos APs were not affected by TCP SACK PANIC; were they vulnerable anyway?

  • Thanks for the hint. Corrected to MR7 ;)

  • Do I see anything related to DHCP bugs and logs not updating bugs?

  • This release caused again that DHCP clients were no longer served with a default gateway... Had to apply the DHCP settings again to get this to work. This issue already happened on a previous MR release in my environment... So this issue seems to be specific to my environment for some unknown reason...

  • @HuberChristian

    Thanks for letting us know, I had this issue too with the last release. Also had to apply a backup file to get it fixed the fastest way. I will not run this MR. Is this recurring issue being looked at?

  • Also, I found this in my download list: SW-17.5.7_MR-7.SFW-511. What version is this? As this is not the regular update.

  • I have been experiencing the missing default gateway IP address issue since v17.5.5, when using XG as a DHCP server. Currently working around the issue with a few sites until it's resolved. When will this bug be resolved?

  • MR7 has broken some of my exception rules around streaming services.

  • This release entirely broke site to site routing over SSL VPN. I had to downgrade to 17.5 MR-6. Release notes state:

    NC-45258 [SSLVPN] Wrong route is added while using static virtual IP address in SSL-VPN Site-to-Site tunnel

    I need to use static virtual IP addresses. Obviously it wasn't the wrong route that was added in previous builds.

  • Yes, SSL VPN is completely broken. I had to regenerate RSA keys to get it working again, which is unbelievably annoying. Sophos is getting worse with FW updates every time, so much that it became impossible to maintain. I have no words to describe my frustration with the updates. Shame on you Sophos. :(

  • You're right, Miroslav,

    We are still at MR3 and cannot believe how bad the quality of the firmware update has become.

    Similar to Windows 10, you now have to be afraid with every update / upgrade that the system works without a problem afterwards.

    We came from Astaro v3 on Netscreen / Palo Alto to XG and have to realize that the XG is currently not really suitable for enterprise use.

  • Finally, after installing MR7, I'm affected by this DHCP bug. Devices get an IP from XG DHCP, but there is no gateway. I had to edit the DHCP settings and turn off "use interface IP as gateway" to get this base service to work again.