SFOS 16.05.3 MR3 Released

Hi XG Community!

We've finished SFOS v16.05.3 MR3. This release is available from within your device for all SFOS v16.05 MR2 installations as of now and will increase the group in a few days.

The release is available to all SFOS version via MySophos portal.

Issues Resolved

NC-11178 [Access] Support Access Tunnel: JSON error at initialization
NC-15761 [Access] FQDN in configuration of AD Backend server is not working when using NTLM
NC-15881 [Access] Live user count shown in UI is wrong
NC-16818 [Access] Not able to download authentication clients from user portal
NC-16207 [Authentication] STAS users are not shown in live users view after HA failover
NC-16230 [Authentication] LDAP authentication with cyrillic user names doesn't work
NC-16899 [Authentication] STAS: Canceling "Add New Collector" doesn't reset the form
NC-16903 [Authentication] STAS: Missing green confirmation / message box when deleting a collector
NC-17034 [Authentication] Missing client type for edirectory in webconsole live user view
NC-17079 [Authentication] AD group import wizard fails with IPv6 address
NC-17339 [Base System, Hotspot] Hotspot with voucher and full customization can't be created
NC-11881 [Base System] Missing validation for threat exception in ATP protection
NC-15326 [Base System] Column filter is not working for all labels at sandstorm log viewer
NC-16902 [Base System] UI is not accessible when system host name contains "_"
NC-16727 [Firewall, FirewallDatapath] Port self test reboots appliance
NC-11908 [Firewall] Improve IPv4 and IPv6 validation
NC-12130 [Firewall] Memory Crunch: TCP out of memory
NC-13664 [Firewall] DNAT rule using email servers template is not working with multiple gateways
NC-15348 [Firewall] Appliance hangs when applying FQDN group which contains more then 600 FQDN hosts in firewall rule
NC-8928 [Firewall] Import-Export for Business Application Rule (Email Clients) not working with route through gateway configuration
NC-16808 [Galileo Heartbeat] Traffic will be blocked from red endpoints, even if heartbeat has been turned off
NC-17032 [Galileo Heartbeat] Delete firewall on cloud does not remove certs/db on firewall
NC-16002 [Hotspot] Zone changes are not saved in hotspot auto firewall rule
NC-16177 [Hotspot] Full customized login page doesn't work properly if filename is "default_style.css"
NC-14404 [IPS] Internet not working due to IPS(pkt_container)
NC-15866 [IPS] Evasion - US Mobile Xput failure and UTF-32
NC-15867 [IPS] Evasion - RDP Dos 1 byte evasion
NC-16029 [IPS] Remove debug log line from snort - dcerpc2: dce2_co.c(1886) Could not create DCE/RPC frag reassembled packet
NC-16234 [IPS] Evasion - TCP evasion bypass with malformed iframe and ie peer baseline
NC-16258 [IPS] Default general-ips-policy should attach all the "categorized" IPS rules to the policy
NC-16335 [IPS] IPS category, platform and target are changed in log viewer after signature upgrade
NC-16375 [IPS] Evasion - TCP evasion bypass for RPC baselines
NC-16456 [IPS] Evasion - URL fake param evasion bypass for phf baseline
NC-16458 [IPS] Decompress PDF & SWF file before scanning
NC-16534 [IPS] Evasion - Canvas level 2 to 10 bypass with NSS baseline CVE-2008-4250
NC-16550 [IPS] Issue with web surfing while ATP is enabled
NC-16655 [IPS] Enable snort http_inspect pre-processor options by default
NC-16747 [IPS] CLI command shows incorrect failclose status
NC-16876 [IPS] Evasion - URL directory insertion attack bypass when testing with Evader
NC-16982 [IPS] SNMP agent port is wrong
NC-14241 [Mail Proxy] Unable to send notifications via external mail server
NC-14948 [Mail Proxy] Sandbox pending/err mails are not released from sandstorm activity page on auxiliary node
NC-16013 [Mail Proxy] Display issue with iso-8859-1 and umlauts
NC-16285 [Mail Proxy] "Assertion" found in awarrensmtp log when sending to hotmail.com
NC-16549 [Mail Proxy] Certificate issue when POPs/IMAPs are used
NC-16608 [Mail Proxy] File is not blocked/filtered by MTA if file name contains i18n characters.
NC-15941 [Network Services] Preferred IP gets blank for type PPPoE when editing VLAN
NC-16359 [Network Services] Auto Negotiation display issue with 4 Port 10Gb SFP+ module
NC-16490 [Network Services] Allow to set the same values for preferred lifetime and valid lifetime (IPv6 SLAAC)
NC-16635 [Network Services] Unable to add Gateway Host if japanese language is used
NC-16962 [Network Services] NAT policy not applied except MASQ in WAN Link Manager in Japanese language
NC-11784 [Networking] VLAN on RED Interface not exported via Import-Export
NC-13471 [Networking] API import fail for LAG with VLAN interface configuration
NC-13490 [Networking] Bridge interface import is failing using import-export
NC-16126 [Networking] Unable to update WAN interface when GRE tunnel is configured on it
NC-16537 [Networking] Detail button on interface page not working for LAG interface when LAG is part of bridge interface
NC-16538 [Networking] Unable to change gw IP from WAN link manager page for DHCPv6 only interface
NC-16597 [Networking] VM: Error on console and GUI when Network>>Interface is updated
NC-17343 [Networking] Not able update VLAN interface in specific condition
NC-17085 [RED] RED service continuously restarts on HA(AP) after migration if branch name contains i18n characters
NC-4648 [RED] Handle disconnect logging correctly when RED gets deleted
NC-4832 [RED] Interface graph for RED interface is not shown in system interface graphs
NC-14554 [Reporting] Report notification email does not contain pdf attachment for non-english languages
NC-14912 [Reporting] Spelling errors in language file common.js
NC-15196 [Reporting] Sandstorm: inline graphs for detail reports are not properly aligned
NC-15786 [Reporting] Actual time should be displayed for events in detail reports
NC-16772 [Reporting] Paging does not work for interfaces in Executive Report
NC-16966 [Reporting] Detailed reports are not available for Sandstorm-Mail module
NC-16992 [Reporting] Sandstorm records disappear after some time
NC-17066 [Reporting] When traditional Chinese name is used for scheduled reports, pdf attachment is missing
NC-17244 [Reporting] Mail Application displayed as unknown number like 11 and 12 instead of SMTP & POP3
NC-17336 [Reporting] Records for Custom Mail Reports (Mail Usage, Spam & Virus) are not displayed
NC-16216 [Routing] Interface gets blank on editing unicast route
NC-16279 [Routing] Policy Route API validation issue with IP family and dscpmarking
NC-17247 [Routing] RED interface route is removed from back-end during HA migration
NC-10244 [SSLVPN] Guest user in Policy Members - Remote Access Policy 'vpn_remote' could not be updated
NC-11706 [SSLVPN] SSLVPN s2s fail to clone the status of the VPN
NC-16049 [SSLVPN] SSL VPN Connection status does not change via CCL revert
NC-16332 [SSLVPN] NullPointerException in tomcat when editing an AD user who is part of multiple groups and SSLVPN policies
NC-4888 [SSLVPN] Unable to update SSL settings in some conditions
NC-14670 [VPN] Prevent export of connections when remote certificate is set to external certificate
NC-16249 [VPN] Viewing connection detail for IPSec tunnel makes UI hang when Chinese characters are used in local/remote host configuration
NC-15202 [WAF] Can't disable "Rewrite cookies" if "Rewrite HTML" is enabled
NC-11515 [Web] Set default value for max scan size dependent on hardware type
NC-14247 [Web] API export problem leads to import fail
NC-14476 [Web] Uploading files larger 200MB via WebDAV fails
NC-14838 [Web] Awarrenhttp service using 99% CPU
NC-15206 [Web] Guest Portal doesn't display correctly
NC-15211 [Web] UI incorrectly saves the flags for max download size, google apps and youtube for schools
NC-15318 [Web] Dead end on Protection page for admin with read only permissions
NC-15568 [Web] Disable relay_invalid_http_traffic option for new installations
NC-5013 [Web] Improve handling of backslash and quotes in security policy name
NC-12020 [Wireless] AP removed after migration from CR to SF on CR25wING-6P
NC-13267 [Wireless] Some of the WPA2-PSK profiles are shown as "unknown" security in the rogue scan
NC-15929 [Wireless] The last transmission rate remains at 1 Mb/s for 2.4 GHz
NC-16288 [Wireless] Mesh doesn't work with AP100X
NC-16749 [Wireless] Hostapd fails to start after migrating from SF 16.01.2
NC-16915 [Wireless] Static channel configuration is not working in 5GHZ band (125w/135w - 802.11ac)
NC-4575 [Wireless] Created Bridge to AP LAN wireless network not able to edit from client type
NC-6194 [Wireless] DHCP service dies in AUX due to separate zone interface unbound while HA disable

Additional Notes

Due to security reasons, we disabled TLSv1.0 and TLSv1.1 already in SF 16.05 MR2. Unfortunately Internet Explorer 11 does not proceed with the SSL handshake when only TLSv1.2 is selected on the server and when MD5 is used as a hashing algorithm.

Regenerating the appliance certificate which is used for WebAdmin, User Portal and Captive Portal makes it work again.

If you are using the appliance certificate in SSL VPN then it's necessary to download the configuration again.


You can find the firmware for your appliance from in MySophos portal.


happy testing