Hi XG Community!
We've finished SFOS v16.05.3 MR3. This release is available from within your device for all SFOS v16.05 MR2 installations as of now and will increase the group in a few days.
The release is available to all SFOS version via MySophos portal.
NC-11178 [Access] Support Access Tunnel: JSON error at initialization NC-15761 [Access] FQDN in configuration of AD Backend server is not working when using NTLM NC-15881 [Access] Live user count shown in UI is wrong NC-16818 [Access] Not able to download authentication clients from user portal NC-16207 [Authentication] STAS users are not shown in live users view after HA failover NC-16230 [Authentication] LDAP authentication with cyrillic user names doesn't work NC-16899 [Authentication] STAS: Canceling "Add New Collector" doesn't reset the form NC-16903 [Authentication] STAS: Missing green confirmation / message box when deleting a collector NC-17034 [Authentication] Missing client type for edirectory in webconsole live user view NC-17079 [Authentication] AD group import wizard fails with IPv6 address NC-17339 [Base System, Hotspot] Hotspot with voucher and full customization can't be created NC-11881 [Base System] Missing validation for threat exception in ATP protection NC-15326 [Base System] Column filter is not working for all labels at sandstorm log viewer NC-16902 [Base System] UI is not accessible when system host name contains "_" NC-16727 [Firewall, FirewallDatapath] Port self test reboots appliance NC-11908 [Firewall] Improve IPv4 and IPv6 validation NC-12130 [Firewall] Memory Crunch: TCP out of memory NC-13664 [Firewall] DNAT rule using email servers template is not working with multiple gateways NC-15348 [Firewall] Appliance hangs when applying FQDN group which contains more then 600 FQDN hosts in firewall rule NC-8928 [Firewall] Import-Export for Business Application Rule (Email Clients) not working with route through gateway configuration NC-16808 [Galileo Heartbeat] Traffic will be blocked from red endpoints, even if heartbeat has been turned off NC-17032 [Galileo Heartbeat] Delete firewall on cloud does not remove certs/db on firewall NC-16002 [Hotspot] Zone changes are not saved in hotspot auto firewall rule NC-16177 [Hotspot] Full customized login page doesn't work properly if filename is "default_style.css" NC-14404 [IPS] Internet not working due to IPS(pkt_container) NC-15866 [IPS] Evasion - US Mobile Xput failure and UTF-32 NC-15867 [IPS] Evasion - RDP Dos 1 byte evasion NC-16029 [IPS] Remove debug log line from snort - dcerpc2: dce2_co.c(1886) Could not create DCE/RPC frag reassembled packet NC-16234 [IPS] Evasion - TCP evasion bypass with malformed iframe and ie peer baseline NC-16258 [IPS] Default general-ips-policy should attach all the "categorized" IPS rules to the policy NC-16335 [IPS] IPS category, platform and target are changed in log viewer after signature upgrade NC-16375 [IPS] Evasion - TCP evasion bypass for RPC baselines NC-16456 [IPS] Evasion - URL fake param evasion bypass for phf baseline NC-16458 [IPS] Decompress PDF & SWF file before scanning NC-16534 [IPS] Evasion - Canvas level 2 to 10 bypass with NSS baseline CVE-2008-4250 NC-16550 [IPS] Issue with web surfing while ATP is enabled NC-16655 [IPS] Enable snort http_inspect pre-processor options by default NC-16747 [IPS] CLI command shows incorrect failclose status NC-16876 [IPS] Evasion - URL directory insertion attack bypass when testing with Evader NC-16982 [IPS] SNMP agent port is wrong NC-14241 [Mail Proxy] Unable to send notifications via external mail server NC-14948 [Mail Proxy] Sandbox pending/err mails are not released from sandstorm activity page on auxiliary node NC-16013 [Mail Proxy] Display issue with iso-8859-1 and umlauts NC-16285 [Mail Proxy] "Assertion" found in awarrensmtp log when sending to hotmail.com NC-16549 [Mail Proxy] Certificate issue when POPs/IMAPs are used NC-16608 [Mail Proxy] File is not blocked/filtered by MTA if file name contains i18n characters. NC-15941 [Network Services] Preferred IP gets blank for type PPPoE when editing VLAN NC-16359 [Network Services] Auto Negotiation display issue with 4 Port 10Gb SFP+ module NC-16490 [Network Services] Allow to set the same values for preferred lifetime and valid lifetime (IPv6 SLAAC) NC-16635 [Network Services] Unable to add Gateway Host if japanese language is used NC-16962 [Network Services] NAT policy not applied except MASQ in WAN Link Manager in Japanese language NC-11784 [Networking] VLAN on RED Interface not exported via Import-Export NC-13471 [Networking] API import fail for LAG with VLAN interface configuration NC-13490 [Networking] Bridge interface import is failing using import-export NC-16126 [Networking] Unable to update WAN interface when GRE tunnel is configured on it NC-16537 [Networking] Detail button on interface page not working for LAG interface when LAG is part of bridge interface NC-16538 [Networking] Unable to change gw IP from WAN link manager page for DHCPv6 only interface NC-16597 [Networking] VM: Error on console and GUI when Network>>Interface is updated NC-17343 [Networking] Not able update VLAN interface in specific condition NC-17085 [RED] RED service continuously restarts on HA(AP) after migration if branch name contains i18n characters NC-4648 [RED] Handle disconnect logging correctly when RED gets deleted NC-4832 [RED] Interface graph for RED interface is not shown in system interface graphs NC-14554 [Reporting] Report notification email does not contain pdf attachment for non-english languages NC-14912 [Reporting] Spelling errors in language file common.js NC-15196 [Reporting] Sandstorm: inline graphs for detail reports are not properly aligned NC-15786 [Reporting] Actual time should be displayed for events in detail reports NC-16772 [Reporting] Paging does not work for interfaces in Executive Report NC-16966 [Reporting] Detailed reports are not available for Sandstorm-Mail module NC-16992 [Reporting] Sandstorm records disappear after some time NC-17066 [Reporting] When traditional Chinese name is used for scheduled reports, pdf attachment is missing NC-17244 [Reporting] Mail Application displayed as unknown number like 11 and 12 instead of SMTP & POP3 NC-17336 [Reporting] Records for Custom Mail Reports (Mail Usage, Spam & Virus) are not displayed NC-16216 [Routing] Interface gets blank on editing unicast route NC-16279 [Routing] Policy Route API validation issue with IP family and dscpmarking NC-17247 [Routing] RED interface route is removed from back-end during HA migration NC-10244 [SSLVPN] Guest user in Policy Members - Remote Access Policy 'vpn_remote' could not be updated NC-11706 [SSLVPN] SSLVPN s2s fail to clone the status of the VPN NC-16049 [SSLVPN] SSL VPN Connection status does not change via CCL revert NC-16332 [SSLVPN] NullPointerException in tomcat when editing an AD user who is part of multiple groups and SSLVPN policies NC-4888 [SSLVPN] Unable to update SSL settings in some conditions NC-14670 [VPN] Prevent export of connections when remote certificate is set to external certificate NC-16249 [VPN] Viewing connection detail for IPSec tunnel makes UI hang when Chinese characters are used in local/remote host configuration NC-15202 [WAF] Can't disable "Rewrite cookies" if "Rewrite HTML" is enabled NC-11515 [Web] Set default value for max scan size dependent on hardware type NC-14247 [Web] API export problem leads to import fail NC-14476 [Web] Uploading files larger 200MB via WebDAV fails NC-14838 [Web] Awarrenhttp service using 99% CPU NC-15206 [Web] Guest Portal doesn't display correctly NC-15211 [Web] UI incorrectly saves the flags for max download size, google apps and youtube for schools NC-15318 [Web] Dead end on Protection page for admin with read only permissions NC-15568 [Web] Disable relay_invalid_http_traffic option for new installations NC-5013 [Web] Improve handling of backslash and quotes in security policy name NC-12020 [Wireless] AP removed after migration from CR to SF on CR25wING-6P NC-13267 [Wireless] Some of the WPA2-PSK profiles are shown as "unknown" security in the rogue scan NC-15929 [Wireless] The last transmission rate remains at 1 Mb/s for 2.4 GHz NC-16288 [Wireless] Mesh doesn't work with AP100X NC-16749 [Wireless] Hostapd fails to start after migrating from SF 16.01.2 NC-16915 [Wireless] Static channel configuration is not working in 5GHZ band (125w/135w - 802.11ac) NC-4575 [Wireless] Created Bridge to AP LAN wireless network not able to edit from client type NC-6194 [Wireless] DHCP service dies in AUX due to separate zone interface unbound while HA disable
Due to security reasons, we disabled TLSv1.0 and TLSv1.1 already in SF 16.05 MR2. Unfortunately Internet Explorer 11 does not proceed with the SSL handshake when only TLSv1.2 is selected on the server and when MD5 is used as a hashing algorithm.
Regenerating the appliance certificate which is used for WebAdmin, User Portal and Captive Portal makes it work again.
If you are using the appliance certificate in SSL VPN then it's necessary to download the configuration again.
You can find the firmware for your appliance from in MySophos portal.
happy testing /talex
Does the Cloud Firewall Manager support any version of 16.05 yet? Or, what is the latest version of the firewall OS that the cloud firewall manager supports?
Does this also fix the 4GB Issue on the Home Edition Versions?
Thanks Talex for sharing it. We need also release notes for RED firmware and AP. I guess you are not responsible for that but after a year RN for those devices are needed.
Does not appear so. Just upgraded and same situation.
Installed MR3 and still less than 4G of ram, so looks like the fix is NOT in this MR
IPS service crashing on AMD based systems STILL NOT FIXED!
lferrara : AP firmware fixes are included in the [Wireless] section and RED firmware fixes in the [RED] section. For both firmware changes are just part of the feature so we don't see the need to distinguish.
The MR3 release feels a lot faster om my system. No problems with installation on Hyper-V.
When entering an Outlook General rule for https, it would be nice if it would give the error saying you couldn't set this up on 443 because of the user portal being enabled when you select port 443 instead of waiting until after you configure your rule and then apply it. Let me know about any conflicts as I'm configuring instead of after I'm already done configuring. When configuring the paths for the protected servers in the rule, there is a whole lot of scrolling down and up. This firmware does seem faster navigating the admin UI.
A Install image is while being old.
When is the ISO version released?
RED and AP are part of the XG and they are HW pieces that customers use. I have an installation with more than 10 RED (they are on UTM) and when I update the firmware on UTM, we perfectly know what is fixed on the RED and AP. Immagine you update the RED pattern on XG and RED stops working, because of the pattern, How can we go back? What is changed on RED Patterns? I am not the only one who is asking for this information details. community.sophos.com/.../328568
lferrara good point. I haven't thought of the pattern situation. I will forward that to PM and check what we can do.
NoboyaSumiyoshi SF 16.05 MR3 is currently in a staged roll-out phase. Once that's done, we will update the ISO images as well.
pl. look at
E-mail scanning stops when using gmail account configured in Outlook as IMAP
Is it due to this firmware update??
We had to rollback to SFOS16.05.1, as in MR2 we had a problem whith MTA scanning, it stopped working after a few hours and couldn't see any logging or activity in spool. Also spam % in disk space it is not working it shows 0%.
I think that UTM9.x is less buggy than XG.