Hi XG Community!
We've released SFOS v17.5.7 MR7 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from your MySophos account. We then make the firmware available via auto-update to a number of customers, which will increase over time.
Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.
NC-41262 [Authentication] Users randomly getting disconnected with CAA
NC-46466 [CaptivePortal] Connection security configuration options for Captive Portal and HTTP Proxy
NC-46787 [CM (Zero Touch)] Some USB pen drives fail to mount
NC-46750 [Dynamic Routing (PIM)] Camera recordings are missing at NVR
NC-46707 [Email] Exception for IP reputation and RBL works incorrectly
NC-43902 [Firewall] API export of service objects has the incorrect order
NC-45322 [Firewall] NMI backtraces
NC-45603 [Firewall] Legacy Mode SMTP rule with IPlist not working
NC-47632 [Firewall] TCP SACK PANIC - Kernel vulnerabilities
NC-45720 [Firmware Management] Device rebooting continuously while boot with SFOS firmware version after migration from CROS
NC-46658 [RED] Typo in Popup message after RED creation in German language setting
NC-43414 [Authentication, SSLVPN] Login restriction feature on user accounts for SSL VPN not working correctly
NC-45258 [SSLVPN] Wrong route is added while using static virtual IP address in SSL-VPN Site-to-Site tunnel
NC-46579 [Web] Unable to add sub-domain when sub-domain contains single value
NC-47906 [Wireless] TCP SACK PANIC - Kernel vulnerabilities on XG managed AP
To manually install the upgrade, you can download the firmware from the MySophos portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.
Was it 6 or was it 7 :-)
MR7 is not avail for download yet...
Probably you have to correct article content and replace MR6 with MR7
You wrote in your advisory that Sophos APs were not affected by TCP SACK PANIC. Were they vulnerable anyway?
Thanks for the hint. Corrected to MR7 ;)
Do I see anything related to DHCP bugs and logs not updating bugs?
This release again caused DHCP clients to no longer be served with a DefaultGateway... Had to apply the DHCP settings again to get this to work. This issue already happened on a previous MR release in my environment... So this issue seems to be specific to my environment for some unknown reason...
Thanks for letting us know, I had this issue too with the last release. Also had to apply a backup file to get it fixed the fastest way. I will not run this MR. talex is this recurring issue being looked at?
talex also I found this in my download list SW-17.5.7_MR-7.SFW-511. What version is this? As this is not the regular update.
I have been experiencing the missing default gateway IP address issue since v17.5.5, when using XG as a DHCP server. Currently working around the issue with a few sites until it's resolved. When will this bug be resolved?
MR7 has broken some of my exception rules around streaming services.
This release entirely broke site to site routing over SSL VPN. I had to downgrade to 17.5 MR-6. Release notes state:
I need to use static virtual IP addresses. Obviously it wasn't the wrong route that was added in previous builds.
chotaire, yes, SSL VPN completely broken. I had to regenerate RSA keys to get it working again, which is unbelievably annoying. Sophos is getting worse with FW updates every time, so much that it became impossible to maintain. I have no words to describe my frustration with the updates. Shame on you Sophos. :(
You're right, Miroslav,
We are still at MR3 and cannot believe how bad the quality of the firmware updates has become.
Similar to Windows 10, you now have to be afraid with every update / upgrade that the system works without a problem afterwards.
We came from Astaro v3 on Netscreen / Palo Alto to XG and have to realize that the XG is currently not really suitable for enterprise use.
Finally, after installing MR7, I'm affected by this DHCP bug. Devices get an IP from XG DHCP, but there is no gateway. I had to edit the DHCP settings and turn off "use interface IP as gateway" to get this base service to work again.