SFOS 16.01.0 Released!

We've just launched XG v16, moving it into staged release! I want to say a special thank you to the MANY testers who put a great deal of effort into this beta, and helped shape this release. We will post a more detailed feature announcement on the main sophos blog later today. 

With over 120 new features added, we've worked hard to close the major feature gaps with Sophos UTM 9, improve the navigation and user experience, and innovate with new and powerful synchronized security capabilities. Here are a few of the major features added:

  • Improved Navigation
  • Redesigned and More Powerful Web Policy
  • Many Email Enhancements 
  • Logging and Troubleshooting Improvements
  • Two-factor authentication 
  • Synchronized Security
    • Missing Heartbeat
    • Destination Heartbeat
    • Real-time app visibility
  • Microsoft Azure Support

As of today, you can download and install firmware manually, and over the coming weeks, we will begin automatically distributing the option to install this update to your XGv15 firewalls, allowing you to download and install the firmware from within the updates section of your firewall UI. 

Bugfixes (from beta releases)

NC-12811  [AVD]              When http scanning is enabled the users are not able to browse to any URLs

NC-12374  [Base System]      Improve error message on HA auxiliary appliance after clicking on "Check for new Firmware" button

NC-13180  [Base System]      Certificate is not accepted in IE due to SHA1 while using Clientless VPN

NC-10135  [Certificates]     Default CA is generated with wrong value if any certificate field contains apostrophe “ ‘ ”

NC-11278  [Certificates]     Self-singed certificate generated with name with “Key” shows numeric value when applying it on Hotspot page

NC-1958   [Certificates]     Unable to upload PEM or DER type certificate if there is no .der or .pem at end of file name

NC-6628   [Certificates]     Unable to upload PFX Certificate if passphrase has special character

NC-11694  [Firewall]         IPv6 family host showing up in create new NAT policy list in business application rule

NC-11841  [Firewall]         Unable to disable firewall rule using API

NC-12714  [Firewall]         CVE-2016-5696 - TCP Vulnerability

NC-13261  [Firewall]         After migration from CR 10.6.3 to SFOS v15 to SFOS v16, local zone is visible in zone page

NC-4544   [Firewall]         Invalid IP Range host can be created

NC-8079   [Firewall]         Unable to update business application rule if rule name ends with space

NC-11432  [Framework(UI)]    GUI hangs if we try to do URL Category Lookup with space in domain name

NC-11628  [Framework(UI)]    IPS Policy Rule "Migrate_def_filter_2" could not be updated In V16

NC-11645  [Framework(UI)]    Log viewer page doesn’t contain help link

NC-11779  [Framework(UI)]    Email journaling page gets scrolled up automatically after canceling filter on recipient

NC-11803  [Framework(UI)]    No validation in validity column in guest user under authentication and any value can be used

NC-11871  [Framework(UI)]    Gateway page freezes while adding gateway and space bar is pressed

NC-12404  [Framework(UI)]    Web filter logs in log viewer fail to load if POST request contains file name in utf-8 encoded header

NC-12595  [Framework(UI)]    Pop-up is not showing in log viewer for de-anonymization

NC-12663  [Framework(UI)]    User Portal link is shown in the captive portal if you use custom HTML layout

NC-12697  [Framework(UI)]    Authentication title is missing on Authentication -> STAS page

NC-12844  [Framework(UI)]    Importing local users through exported CSV doesn’t respect groups

NC-8333   [HA]               IPv6 address is not visible in aux appliance after HA (A-A) is disabled and peer administration interface is in WAN zone

NC-13271  [Hotspot]          Users are not able to connect to SSID unless hotspot is disabled

NC-13377  [IPS]              IPS dies on rollback from SFOS v16 Beta-5 to SFOS v16 Beta-3

NC-13447  [IPS]              "Bypass Session" not working as expected

NC-12306  [License]          Control center page is shown to de-registered appliance while login in after logout session

NC-11338  [Mail Proxy]       E-mail gets scrambled with iOS 9.3.3 and inbuilt iOS E-mail client if scanned by IMAP

NC-12739  [Mail Proxy]       issue with smtp connection stability

NC-12973  [Mail Proxy]       Emails quarantined due to 'Unscannable content quarantined ' (avd fails to scan) are never allowed to release again from quarantine in MTA

NC-13007  [Mail Proxy]       No E-mail is listed in SMTP Quarantine if user is having more than one E-mail address

NC-13275  [Mail Proxy]       Clear Button in SMTP Quarantine page under user portal is not working

NC-13295  [Mail Proxy]       MTA stops intermittently

NC-13320  [Mail Proxy]       MTA service is taking high cpu in HA Cluster

NC-6740   [Mail Proxy]       MTA service dies when all mime types are selected in white list

NC-6847   [Mail Proxy]       SQL Injection vulnerability in User Portal

NC-6857   [Mail Proxy]       Quarantine mails page in user portal does not properly enforce authorization checks

NC-12417  [RED]              API import of red_server device types fails

NC-11843  [UI]               Unable to clear filter in Application -> Traffic shaping defaults unless page is refreshed

NC-11867  [UI]               Authentication Policies UI display issues for pop-ups

NC-11874  [UI]               Improvements in alert message on dashboard in case of scheduled local backup is failed

NC-11896  [UI]               Control Center visible to user with profile which has no access for any entity

NC-12128  [UI]               UTQ is not accessible from control center

NC-12712  [UI]               UTQ link not opening from Control Center in V16

NC-12713  [UI]               Admin type user not able to login in User Portal in specific situation

NC-5064   [UI]               Multiple blank pop up appears and UI getting distorted on pressing space bar

NC-11117  [Up2date Client]   U2D should run on first boot

NC-13024  [VPN]              Improvemed text on IPSec Site-to-Site VPN page

NC-12372  [WAF]              Unable to publish sites via WAF due to incorrect path to WAF signature files

NC-12621  [Web]              Web Proxy stops due to segfault in libc.so.6

NC-12884  [Web]              Web Proxy restarts due to segfault

NC-13216  [Web]              Duplicate entries observed in DB after saving Default Policy for activity rules

NC-13376  [Web]              Websites are categorized as "IP address" and therefore web filter is not correctly applied

NC-13397  [Web]              Downloading files through FTP in direct proxy deployment changes files

NC-13374  [Wireless]         Wireless Controller service has high CPU usage

Also fixed in Build 202

NC-13707 [Base System] Do not regenerate certificates when migration from SFOS v15
NC-13543 [Firewall] DNAT rule using Email Servers Template is not working
NC-13356 [Reporting] Bing,Rediff and eBay Search engine logs are not displayingFixed in Build 202

 

 

Known Issues

NC-6315   [Clientless Access(HTTP/HTTPS)] Script based web forms of Web Server is not accessible with Clientless VPN

NC-12079  [Galileo Heartbeat] No heartbeat status displayed on control center with MAC End point

NC-13480  [Galileo Heartbeat] Heartbeat service taking High CPU due to same multiple UUID of End Point

NC-8238   [IPS]              IPS Service drops legitimate traffic in very high load average conditions

NC-13538  [UI]               Control center page is not properly displayed with IE 11

NC-13282  [Wireless]         AP Deployment over IPsec VPN is not working

 

Behavior Changes

Currently, the CA certificate will be upgraded to a more secure hash size. This will cause disruption to SSL VPN connections, until a new configuration is installed on client workstations. This can be worked around by making a backup before the upgrade, then restoring it again after. More information is available here: https://community.sophos.com/kb/en-us/125267  Fixed in build 202

This release supports up to 128 rules in a single policy. If you are migrating policies from a previous release that contain more than 128 rules, only the first 128 rules will be used. Web policy rules now support combined activities. These include user activities, categories, URL groups, file types, and dynamic categories. To maintain the overall functionality of the policy, replace blocks of adjacent rules for different activities with a single rule that contains a group of activities. Please delete or consolidate rules as required

Downloads

You can find the firmware for your appliance from in MySophos portal.

XG Release 16.01.1.zip
  • Where can we find a full list of changes from v15 MR-3 to this release?

  • It would be helpful to have steps to work around NC-13543 BAP SMTP Rules not working. I know I can figure it out but if I am firefighting another unexpected change I don't want emails to stop working for an extended period.

  • Wo finde ich die HCL für SFOS 16.01?

    Meine Hardware HP DL 360p GEN8 - P420i - 4 x LAN 1 GB + 2 x10GB X550-T2 (not WORK)

  • @DevonNoonan, the release has been updated, and the links now point to build 202, which resolves NC-13543

  • Please clarify in the behavior changes "supports up to 128 rules in a single policy". Does this means a firewall only can support 128 policy rules?

  • @Harry, no. it means that within a web policy, only the first 128 rule lines will be evaluated. If you happen to have a policy large enough to be affected, it should now be trivial to condense it, as each rule line can reference multiple web categories.

  • Hi,

    NC-6264 :  S/W ISO installation on Hardware appliances is now supported

    Can you explain how it works to install S/W ISO on SG/XG appliances ?

    thanks

  • @dynaMIPS this Is meant to allow the software is iso to succeed on modified appliance hardware (cpu,ram,or hdd changed).  It would allow you to turn a hardware appliance into a software appliance, and use a regular software or home license. This isn't something you would commonly need to do.