XG Firewall v18 MR-1-Build396

Hi XG Community!

We've released a new build of XG Firewall v18 MR1 (Build 396).


  • Supports new SD-RED 20 and SD-RED 60 devices
  • Previously released security hotfixes have been included in v18 MR-1-Build396
  • XG Firewall web console now shows granular reasons for firmware upload failure
  • Quarantined emails can only be released from the User Portal
  • More than 50 issues resolved in this release (see Issues Resolved section below)
  • With the tremendous need for VPN connectivity during this challenging time, we have put together some important information here for you to achieve your networking needs
    1. To configure VPN Remote Access on your Sophos XG Firewall, check out this useful Community post!
    2. To substitute XG for RED devices via Light-Touch deployment from Sophos Central, check out this useful Community post!

Note: Upgrading from SF 17.5 MR11/MR12 to v18 MR-1-Build396 is now supported.


More on XG Firewall v18

Please refer to the XG Firewall v18 highlights for more details on the all-new Xstream Architecture, which delivers extreme new levels of visibility, protection and performance. Also, check out our XG Firewall v18 playlist on YouTube to find out what's new in XG Firewall v18!


Get it now!

As usual, this firmware update is available at no charge to all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware anytime to do a manual update through the Licensing Portal. You can refer to this article for more information on how to upgrade the firmware.

For fresh installations, please find the following files:


Things to know before upgrading

You can upgrade from SFOS 17.5 (MR6 to MR12) to v18 MR-1-Build396. Check out the relevant sections of the XG v18 release notes for details on:


Issues Resolved 

Issues Resolved in v18 MR1 (Build 396)

  • NC-60108 [API Framework] Preauth SQLi in apiInterface OPCODE
  • NC-59156 [CSC] Traffic not passing after upgrade to SF 18.0 MR1
  • NC-59300 [Email] Blind pre-auth SQLi in spxd on port 8094
  • NC-23160 [Firewall] LAN test failed in Port3 in SFLoader for 125/135 desktop model
  • NC-59586 [Network Utils] Remove MD5 remnant
  • NC-46109 [RED] No proper forwarding if bridging 3 or more RED s2s tunnels on an XG
  • NC-50796 [RED] All RED site to site tunnel restart when configuring one RED interface
  • NC-60162 [Reporting] Error 500 displayed for WebAdmin and UserPortal after HF4.1 applied on virtual XG
  • NC-60171 [Security, UI Framework] Admin to Superadmin privilege escalation
  • NC-59427 [SFM-SCFM] SQLi in User Portal
  • NC-59932 [UI Framework] Unable to login to user portal or admin using IE after HF4.1

Issues Resolved in the older release of v18 MR1 (Build 367)

  • NC-30903 [Authentication] STAS configuration is editable via GUI on AUX machine
  • NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
  • NC-50716 [Authentication] Cannot import LDAP server via XMLAPI if client cert is "None"
  • NC-54689 [Authentication] Support download certificate for iOS 13 and above
  • NC-55277 [Authentication] Service "Chromebook SSO" is missing on Zone page
  • NC-51660 [Backup-Restore] Restore failed using a backup of XG135 on SG230 appliance
  • NC-55015 [Bridge] Wifi zone is not displayed while creating bridge
  • NC-55356 [Bridge] TCP connection fails for VLAN on bridge with HA Active-Active when source_client IP address is odd
  • NC-52616 [Certificates] Add support for uploading of CRLs in DER format
  • NC-55739 [Certificates] EC certificate shows up as "RSA" in SSLx CA cert dropdowns
  • NC-55305 [CM (Zero Touch)] System doesn't restart on changing time zone while configured through ZeroTouch
  • NC-55617 [CM (Zero Touch)] Getting wrong error message in log viewer after ZeroTouch process
  • NC-55909 [Core Utils] Unable to see application object page on SFM
  • NC-30452 [CSC] Dynamic interface addresses not showing on Aux after failover
  • NC-55386 [Dynamic Routing (PIM)] PIM-SM import fails with LAG as dependent entity
  • NC-55625 [Dynamic Routing (PIM)] In HA with multicast interface, routes are not getting updated in the Aux routing table
  • NC-55461 [Email] After adding/editing an FQDN host with smarthost, it is not displayed on the list until the page is refreshed
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-55635 [Firewall] Display filter for forwarded is not working properly on packet capture page
  • NC-55657 [Firewall] HA backup restore fails when port name is different in backup and appliance
  • NC-55884 [Firewall] IPS policy id and appfilter id not displaying in firewall allow log in logviewer
  • NC-55943 [Firewall] Failed to resume existing connection after removal of heartbeat from firewall configuration
  • NC-57084 [Firewall] Custom DMZ not listed in dedicated link HA configuration
  • NC-44938 [Firmware Management, UX] Web UI does not surface reasons for firmware upload failure
  • NC-55756 [Gateway Management] Gateway isn't deleted from SFM UI after deleting it from SFM
  • NC-55552 [HA] WWAN interface showing in HA monitoring ports
  • NC-55281 [Import-Export Framework] Full configuration import fails when using third party certificate for webadmin setting
  • NC-55171 [Interface Management] VLAN Interface IP is not assigned via DHCP when gateway name uses some special characters
  • NC-55442 [Interface Management] DNS name lookup showing incorrect message
  • NC-55462 [Interface Management] Import fails on configuring Alias over VLAN
  • NC-55659 [Interface Management] Invalid gateway IP and network IP configured using API for IPv6
  • NC-56733 [Interface Management] Patch PPPd (CVE-2020-8597)
  • NC-51776 [IPS Engine] Edit IPS custom rule protocol doesn't work after creation
  • NC-51558 [IPsec] Add warning message before deleting xfrm ipsec tunnel
  • NC-55309 [Logging] Local acl rule not created through log viewer for IPv4 and IPv6
  • NC-50413 [Logging Framework] Gateway up event log for PPPoE interface not always shown in logviewer
  • NC-55346 [Logging Framework] Clear All for "Content filtering" does not clear SSL/TLS filter option
  • NC-56831 [Policy Routing] SIP traffic sometimes not working with SDWAN policy route
  • NC-46009 [SecurityHeartbeat] Spontaneous reconnects of many endpoints
  • NC-51562 [SecurityHeartbeat] Heartbeat service not started after HA failover
  • NC-52225 [Synchronized App Control] SAC page loading issues as the list of apps increases
  • NC-54078 [UI Framework] Internet Explorer UI issue on certain rules and policies pages
  • NC-56821 [Up2Date Client] SSL VPN downloading with the 0KB
  • NC-54007 [Web] File type block messages sometimes contain mimetype rather than file type


Making the most of your new XG Firewall features

Free Online Training

  • Available for free for all XG Firewall customers, our delta training program will help you make the most of the new features in XG Firewall v18.
  • This online program walks you through the key enhancements since v17.5 and takes about 90 minutes to complete.

Customer Resources and How-To Videos

  • Also be sure to visit the Customer Resource Center for the latest How-To Videos and links to documentation, the community forums, training and other resources.

Take advantage of Partner and Sophos Professional Services

  • To augment your local Sophos partner’s services, we offer services to help you get up and running and make the most of your XG Firewall, including the latest capabilities in v18.
  • While Sophos Professional Services can help with any task, here are the most common services they provide:
    • XG Firewall deployment and setup
    • XG Firewall v18 DPI, FastPath and SSL Engine Optimization
    • XG Firewall Health Checks

Here are some direct links to helpful resources:


New to XG Firewall?

If you’re new to XG Firewall, see how it provides the world’s best network visibility, protection and response on the new XG Firewall website.    

  • Hi,

    Thanks for the feedback. We would like to investigate this feedback, and for that I have sent a message in PM.

  • Thanks for all your hard work. I was so excited to see WireGuard after a long wait, but maybe in the next update.

  • Thanks for the update! It's been four hours since I updated it, and it's been working flawlessly on my home XG.

  • Hi,

    I can't install it on an XG125 (SFOS 18.0.0 GA-Build379.HF052220.1)


    Firmware installation failed. Firmware is invalid for this appliance model.


    Any known ?

  • Hi,

    Thanks for your quick and supportive response over PM chat. We finally got to know the failure reason and are updating the same here.

    You have a hardware device (XG125) and are trying to upload a software firmware update, which is the reason for the failure.

    Reference links have been given to download the hardware firmware update:

      - community.sophos.com/.../132229

      - docs.sophos.com/.../DownloadingFirmware.html


  • Bug in DNAT Rules:

    When creating a DNAT rule to map incoming IP ports to a destination behind an outgoing NAT device (like mail or web servers in a DMZ zone), I like to also define the incoming and outgoing interfaces of the XG in the form, to dedicate the traffic to these interfaces only.

    Defining the incoming interface works, but when also defining the outgoing (internal) interface, the connection stops working.

    From my point of view this is a bug in the firmware.

  • Is anybody running this and can report if it is safe for production?

  • My XG86 was alerting me to performing this update for a few days and now it's not available. I take it something is not right with this release and we should be holding off?

  • Also curious where the upgrade notification went. Still on 17.5 MR12 and am not willing to manually upgrade all our customer firewalls with something that has a concern for instability. Please let us know.

  • Hi Sophos Community,

    Yesterday I installed this firmware on our XG210. Today we had problems with external connections. Our phone system (3CX) was not running correctly, FQDN was not reachable from outside and external SFTP connections were not working. DNS Resolution problem. So I did a rollback to the Version 17.5.12 MR12 and everything is working fine again.

    What is the fix for this problem?

  • Hello, the release notes say "Quarantined emails can only be released from the User Portal only Refer to KBA135515 for details". Does this mean admins will now not be able to release quarantined emails?

  • Updating non-HA XGs from SFOS 17.5 MR12 to this version has been fine in our environment so far, but attempting to update a couple of HA pairs also on SFOS 17.5 MR12 resulted in HA breaking on both. The standalone XG is then found to be stuck on 17 and not taking the update even after disabling HA and reboots. The problem is still being looked into.

  • So I upgraded to 18.0.1 build 396, but all my VPN users could not connect with OTP, so I reverted back to 17.5.12 but had to delete OTP to get them in on the User Portal and had them download the configuration to get it working again.

  • Following up on my previous post: HA breaking in our environment is concluded to have been caused by disks failing rather than a problem with the SFOS update itself, so the hardware issue is being addressed through RMA.