XG Firewall 17.5 MR14 Released

Hi XG Community!

We've released XG Firewall 17.5 MR14. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Note: The upgrade from version 17.5 MR14 to 18.0 will follow soon.

Maintenance Release

  • Provides a CLI option to disable captcha authentication separately for the webadmin and user portal, either globally (including the WAN zone) or only on the VPN zone. Also resolves a captcha authentication issue for IPv6 on the LAN zone.
  • Provides an updated GeoIP mapping database
  • Many issues resolved

Important Issues Resolved

  • NC-59129 [Authentication] Authentication Failed due to SSL VPN (MAC BINDING) - Logging does not carry any information for the cause.
  • NC-51919 [Firewall] Appliance is getting auto rebooted with Kernel dumps intermittently
  • NC-52429 [Firewall] Web admin access lost for 10+ minutes after HA fail-over in case of DNAT policy configured with FQDN
  • NC-58339 [Firewall] Local ACL Exception rule doesn't work if Any-Any drop firewall rule is created
  • NC-59063 [Firmware Management] Remove expired CAs from SFOS
  • NC-53173 [IPsec] Intermittent connection interruption to local XG IP after IPsec rekeying, when we have conflicting left and right subnets
  • NC-58091 [IPsec] Sporadically unable to connect SA's on IKEv2 S2S Tunnel
  • NC-58983 [IPsec] Intermittently incorrect IKE_SA proposal combination is being sent by XG during IKE_SA rekeying.
  • NC-59440 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
  • NC-46109 [RED] No proper forwarding if bridging 3 or more RED s2s tunnels on an XG
  • NC-60854 [RED] Red S2S tunnel static routes disappear on firmware update
  • NC-60162 [Reporting] Internal Server Error for Web admin or user portal on XEN virtual platform
  • NC-30728 [SSLVPN] Compression settings not applied for IPv4 and IPv6 (SSLVPN remote access). Basically configuration settings for comp-lzo attribute are incorrect in the ovpn file.
  • NC-59080 [SSLVPN] Performance improvements in SSLVPN (Site to Site)
  • NC-59626 [SSLVPN] SSLVPN in busy state : HA
  • NC-59970 [SSLVPN] All the SSL VPN Live connected users get disconnected when admin change the group of one SSL VPN connected user
  • NC-58165 [Static Routing] Geoip db update
  • NC-59932 [UI Framework] Unable to login to user portal or web admin console using Internet Explorer 11
  • NC-61956 [UI Framework] WebAdmin Console/User Portal not accessible after 17.5 MR13 upgrade because space in certificate name
  • NC-56821 [Up2Date Client] SSLVPN client downloading with the 0KB in HA
  • NC-50274 [Web] Unable to block .bat files
  • NC-50710 [Web] Username is not showing up in the captive portal when the user logged in while using custom HTML template

 

Download

To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

  • Hello,

    Thanks for the update. When can we expect the XG v18 MR 2/3 release?

  • I am on 17.5.1 MR13 currently, should I upgrade to this and then go to version 18 or just go directly to 18.0.1 MR1?  

  • Where can we find more details about the resolved issues? I'm specifically looking for more details on:

    NC-30728 [SSLVPN] Compression settings not applied for IPv4 and IPv6 (SSLVPN remote access). Basically configuration settings for comp-lzo attribute are incorrect in the ovpn file.

    NC-59080 [SSLVPN] Performance improvements in SSLVPN (Site to Site)

  • If you have problems with the webfilter after upgrade to MR-14: In my case loads of websites did not load correctly. This is because in MR-14 the file types group “executeables” has been modified:

    MR-14

    application/bat,application/textedit,application/x-bat,application/x-dosexec,application/x-msdos-program,text/x-msdos-batch,text/x-shellscript

    MR-13

    application/bat,application/x-bat,application/x-msdos-program,application/textedit,application/x-dosexec

    Create a clone of the group and use the setting from MR-13 - this resolves the problem.

  • XG Firewall updates are now like Microsoft Cumulative Updates - poorly tested and often broken.

    Sophos, collate your excrement and raise the quality bar.

  • This update is broken. Workaround for the brokenness is documented here - community.sophos.com/.../135799

  • We also have a problem with several site2site VPN connections to a UniFi. These worked fine up to MR13. Yesterday I tested the different settings with MR14 all day, but no chance. Back to MR13 and immediately the VPNs were connected again.