SFOS 16.05.2 MR2 Released

Hi XG Community!

We've finished SFOS v16.05.2 MR2. This release is available from within your device for all SFOS v16.05 MR1 installations as of now and will increase the group in a few days.
The release is available to all SFOS version via MySophos portal.

Update: The release is available to all SF installations as of 17 March.

Issues Resolved

  • NC-15682 [API] Add migration support for CR 10.6.5 to SF 16.05
  • NC-13548 [Authentication] Not able to add STAS collector in new Group in IE 11
  • NC-16686 [Backup-Restore] Restoring of policy route fails
  • NC-6555 [Base System] Filter for WAF component is not available in Log Viewer
  • NC-16158 [CR-to-CN_Migration] Skip discover zone rules when migrating from CROS to SFOS
  • NC-16043 [Certificates] UI Label missing - Page System > Certificates > Certificate Authorities
  • NC-13711 [Documentation, Reporting] Adjust UI labels for reports
  • NC-13030 [Firewall] Improve firewall description for source and destination when using heartbeat
  • NC-14406 [Firewall] Unable to delete user if added to a firewall rule
  • NC-16269 [Firewall] Improve description of country group Africa
  • NC-16342 [Firewall] XG reboots whenever another XG that is connected via IPSec gets rebooted
  • NC-16159 [Galileo Heartbeat] Heartbeat service does not start automatically after HA failover
  • NC-11141 [HA] Clicking HA AUX configuration save button twice results in error message
  • NC-15699 [HA] HA A-A mode - AUX appliance is not passing traffic from bridge interface
  • NC-14992 [Hotspot] Hotspot stopped working due to missing chain "hotspot_filter_in"
  • NC-15768 [Hotspot] WLAN interface should be removed after deleting hotspot SSID
  • NC-15928 [Hotspot] Add support for TLS 1.1 and TLS 1.2
  • NC-15139 [IPS] Quality issues with VoIP calls when forwarded over XG
  • NC-16215 [Localization] Translation error on UI with traditional chinese
  • NC-15472 [Logging] Report SMTPs traffic when using secure communication over port 25
  • NC-14380 [Mail Proxy] Incorrect values shown for disk utilization for SMTP quarantine
  • NC-14539 [Mail Proxy] Legacy mode - improve notifiaction for delivery failure reason for SPX password requirement
  • NC-14822 [Mail Proxy] Email address should be displayed in log viewer for sandstorm email logs
  • NC-15201 [Mail Proxy] API Sample configuration missing for MTA
  • NC-15542 [Mail Proxy] Emails are rejected when service gets large number of IP reputation request
  • NC-15838 [Mail Proxy] Re-scan email for AV at time of release from quarantine in proxy mode
  • NC-16313 [Mail Proxy] Double dash in domain name not allowed in SMTP hostname
  • NC-16595 [Mail Proxy] MTA segfault in case of invalid content disposition header
  • NC-16608 [Mail Proxy] File is not blocked/filtered by MTA if file name contains i18n characters.
  • NC-16661 [Mail Proxy] Sandstorm scan is bypassed when attachment does not contain content-disposition
  • NC-17150 [Mail Proxy] Global SPX is not working in case of sender profile match and recipient profile does not match.
  • NC-16382 [Network Services] Cannot add non-hex values in DHCP server options
  • NC-15777 [Networking] Missing conntrack after migration of primary and backup gateway
  • NC-15476 [Qos] Wrong calculation of total guaranteed bandwidth
  • NC-15771 [RED] Cannot select network in RED netmask in RED network settings
  • NC-15864 [RED] CCL details should be shown for TLS
  • NC-15950 [RED] Useless error message when wrong unlock code is entered
  • NC-11037 [Reporting] Data usage bar wraps to new line
  • NC-13574 [Reporting] Character corruption in traffic reports in Japanese language
  • NC-14554 [Reporting] Report notification email does not contain pdf attachment for non-english languages
  • NC-15715 [Reporting] Custom web reports shows the report for wrong time
  • NC-15767 [Reporting] Report group 'Sandbox' is displayed twice
  • NC-15787 [Reporting] File size content should not be clickable in detail report of Sandstorm module (both mail and web)
  • NC-15813 [Reporting] Summary tab is disabled when we click on detail report and no data is available for current filter
  • NC-15832 [Reporting] Mail report shows wrong number of mails sent
  • NC-16270 [Reporting] HA active passive - garner does not start after upgrade to SF 16.05 due to wrong name in OutputPlugin
  • NC-16508 [Reporting] Mismatch between objectionable websites count on control center and in reports
  • NC-4739 [Reporting] IPv6 address should be displayed in SSL VPN Remote Access User and Site to Site Usage Report
  • NC-13142 [SSLVPN] Revoking user certificate more than 10 times breaks SSL VPN remote access for all users
  • NC-15637 [SSLVPN] SSL VPN connection not possible if UDP is used
  • NC-15210 [Sandstorm] XML Export/Import does not work because Sandstorm get/set uses ids/names
  • NC-15644 [Sandstorm] Trial evaluation link sends incorrectly encoded activation link
  • NC-16282 [UI] WebAdmin is not accessible if special characters are used in company name
  • NC-1933 [Up2date Client] Wrong error message is shown for up2date pattern action when internet connection down
  • NC-16079 [VPN] IPsec service hangs until "send_mail_for_vpn_updown" opcode completes when email notification is used for updown event
  • NC-15629 [WAF] Fix padding oracle attack in mod_session_crypto (CVE-2016-073)
  • NC-16035 [WAF] Make cookiesign_drop_unsigned default to 1
  • NC-16318 [WAF] Prefork: MaxRequestWorkers of 256 exceeds ServerLimit value of 16 servers
  • NC-13988 [Web] MIME type multipart/form-data does not trigger HTTP uploads dynamic category
  • NC-14558 [Web] Use original destination port 443 in transparent mode for https-over-http case
  • NC-14970 [Web] NTLM authentication not working with Web Proxy
  • NC-15853 [Web] Redirection page issue with Sandstorm
  • NC-16192 [Web] Web Proxy restarting automatically
  • NC-15792 [Wireless] CVE-2016-5696: Update AP firmware
  • NC-15937 [Wireless] Fix visibility of Fast Transition option in different security modes
  • NC-16296 [Wireless] AP does not get IP address on 100 Mbit ethernet link
  • NC-6183 [Wireless] AWEd goes in unregistered state after HA failover


You can find the firmware for your appliance from in MySophos portal.

  • Hı ı upgraded this version after upgrade Email protection Whıt MTA 1 mın worked 10 mın notworked after reboot devıce worked maıl after 10 mın notworkıng whıtout MTA emaıl protectıon worked.After Downgraded frımware that tıme good worked.

  • When trying to edit MTA policy on XG210 error message - Message from webpage TypeError:Unable to set property 'selected' of undefined or null reference. Any browser throws the error.

    Hvae to back out of page. Tried settings on my VM based SFW and no error.

  • When I upgrade to this version I get constant reboots every 30secs, a downgrade to the previous firmware also doesn't fix that problem - had to restore a backup. This is a complete messed up release!

  • A previous issue where if I delete an old policy from the firewall page, it doesnt display the rest of the policies. They work, but not visible. Last time this happened 2-3 versions ago this resulted in a site visit after a reboot and factory restore and recover from a nightly backup.........

  • No update to AP firmware in my version, still showing the Jan version. No mention of the fixing the home user memory size. APs take a long time to come back on line and the 5ghz even longer. I have an AP 55. will bring the AP 10 up and see what happens.

  • Why RAM limit from 6GB changed to 4GB?

  • After upgrade, most SMTP quarantined emails with no subject/sender.

    Without subject, I'm unable to view quarantined email.

  • Admin web interface completely broke with this version on both of my firewalls

  • Hi ,

    For the policy display issue, please share the configuration backup of the appliance facing the issue via PM ?

    Also share the rule id of the policy which you are trying to delete


    Prateek Singh

  • Hi ,

    The latest available version of AP Firmware is , also it is not necessary with new SF firmware update , a new AP firmware will be pushed.

    For APs taking long time to come up, we haven't faced such issue from elsewhere till now.

    For home license issue, we are working on it and will keep you posted


    Prateek Singh

  • Thanks for your feedback everyone, we're looking closely into each of these reports. Thus far, they each seem to be isolated instances, but we are looking seriously into each report. For the record, there is no official change in the memory limits for home users, and we are investigating the few reports of users seeing less after upgrading.

  • we also experience this, "Hı ı upgraded this version after upgrade Email protection Whıt MTA 1 mın worked 10 mın notworked after reboot devıce worked maıl after 10 mın notworkıng whıtout MTA emaıl protectıon worked.After Downgraded frımware that tıme good worked."

  • Upgrading from v16.05.1 MR1 to v16.05.2 MR2 broke STAS

    SSO was all working fine, but after the upgrade it stopped... I reverted back and it worked again.

  • facing the same issue; constants reboot. What was your cause?

  • I've installed this release today, and I must say that it feels like this release really slows down my firewall.