SFOS 16.05.8 MR8 Released

Hi XG Community!

We've finished SFOS v16.05.8 MR8. This release is available from within your device for all SFOS v16.05 installations as of now.

The release is available to all SFOS version via MySophos portal.

NOTE: The upgrade from SFOS v16.05.8 MR8 to v17.0 Beta is currently not supported.

Update: The upgrade from SFOS v16.05.8 MR8 to v17.0 RC-1 and v17.0 GA is supported.

Issues Resolved

  • NC-21404 [Authentication] Authentication Agent - getting logged out automatically at random time
  • NC-21538 [Authentication] STAS user login getting failed because access_server is assigning existing liveuserid to new login user
  • NC-19642 [Base System] Apache httpd vulnerabilties (CVE-2017-3169, CVE-2017-7679)
  • NC-19915 [Base System] Add support for newer SG210,SG230,SG310,SG330,SG430,SG450,SG550 and SG650 models in SFOS
  • NC-21583 [Base System] Up2date patterns status is shown as "Failed" in 16.05 MR7
  • NC-22018 [Base System] Openssl update for v16.05
  • NC-22059 [Firewall] SSL decryption should not be enabled by the wizard
  • NC-19646 [IPS] i40e driver version 1.1.23 doesn't work properly with 4x10G ports
  • NC-21712 [IPS] IPS service not starting in v16.05 MR7
  • NC-21566 [Mail Proxy] Inbound emails stopped in legacy mode after upgrade to 16.05 MR-7
  • NC-18875 [Networking] USB devices not reconnecting after reboot
  • NC-20763 [RED] RED15w does not send split DNS traffic over RED tunnel
  • NC-20531 [SecurityHeartbeat] Server certificate expired - all clients will be marked as RED
  • NC-22152 [Web] NTLM channel re-initiated repeatedly on booting the appliance
  • NC-21548 [Wireless] API for Wireless Network Enable/Disable
All issues resolved in this release are also addressed in SFOS v17.0.


You can find the firmware for your appliance from in MySophos portal.

  • Talex, finally users have release notes directly from the XG. Good job!

  • Has anyone tested the solution within STAS ?


  • We're running on a patched MR7 for authentication issues. It would be good to hear if anyone can confirm that auth issues have truly been resolved.  This plus the "drop packet learning mode" caused havoc and this was a new purchase, so we just thought that this is the way it ran.  Four different support people and not one mentioned the "drop packet learning mode" that is set to 2 minutes by default.  It was the third who finally found that we were using STAS and I found the learning mode document when reading about STAS.  Our support person said that he didn't even know that the FW functioned this way.  I'll install the MR8 at home, but I'm holding off on our production unit.


  • Mark J, the same thing happened to us! We tweaked it down to 20 seconds using the CLI and users get a better experience, but not perfect. I'd love to know if this has finally been addressed!

  • After the initial panic that did not work anything .. I had to remove the Collector's IP in Authentiation-> STAS-> Collector and re-insert it. Now it seems to work fine. I keep you up to date

  • DaveHamer, we're set to 21 seconds, due to the documentation stating that anything under 20 could interrupt the authentication process.  They need to allow the FW admin choose how to handle un-authenticated users during the auth process.  Flat out dropping packets is a really poor way to handle it.  Another user PMed me and stated that he's set to 1 second.  I asked him to let me know how that's been working.  He's been working with Sophos support as well and they never patched his XG.  He's just been dealing with the drops.  I was 1 day away from shipping mine back, it's a tad pricey to not have it work for the first 2.5 months. I guess I didn't realize hat we were paying to participate in a beta program.  Right now, things are working well, but I don't have much confidence in the product or the support due to the "out of the box" experience.  I will say that the person I've been working with recently has been good and he's been up front about the issues.  Prior to him, they tried to blame the issues we were having on everything but their product.  Random auth drops + 2 minutes of dropped packets each time = a really bad experience for all users.  Hopefully things will move in the right direction from here.


  • Hi,

    we have some customers on MR7 with patched auth and some others not.

    Do I have to expect a different behavior between them?

    Thank you.

  • did anybody update MR8? any issues?

  • Downloaded and installed MR8 without issues, my installation is simple other than having 4 WAN's.

    Starting from MR6 (but could be earlier). I have noticed an improved management of WAN's, to the point that it looks more like bonding than simple round robin.

    For instance, I have been able to get 50+ Mbps from two 30 Mbps WAN's (only during low traffic periods): impressive.

    Previously, I had skipped MR7 based on issues by others.


  • Where can I find the HW installer? The portal still only has the MR7 installer. I need to re-image a new SG230 Rev2 device.

  • Hi Bart Hunik, the website is updated and the installer files are available for MR8.