SFOS 17.0.5 MR5 Released

Hi XG Community!

We've finished SFOS v17.0.5 MR5. This release is available from within your device for all SFOS v17.0 installations as of now.

Besides that, the release is available for all SFOS versions via the MySophos portal.

Note: There are a few edge cases where some customers may still experience issues using multiple subnets with a single IPSec connection. The team is working on those, and all the last known issues should be addressed in MR6, which is expected to follow very soon. Please follow this article: Sophos XG Firewall: Cannot handle more than 2 concurrent Quick Mode exchanges per IKE_SA when using IKEv1

Issues Resolved

  • NC-23258 [API] System debug logs should not contain sensitive information
  • NC-21429 [Authentication] Users don't show the correct properties from their group after auto-creation
  • NC-21820 [Authentication] Make Access Server port (6060) use IP_PKTINFO
  • NC-22770 [Authentication] User role cannot change to Administrator for AD Users
  • NC-22935 [Authentication] Users are unable to login with CAA
  • NC-27199 [Authentication] Access Server crashes with eDirectory
  • NC-20765 [Base System] If several SNMP communities exist with same name in XG, all are deleted if you delete one
  • NC-22276 [Base System] SNMP Walk delivering inconsistent information
  • NC-22323 [Base System] Garner fails to log when multiple threads call gr_io simultaneously
  • NC-23073 [Base System] iView v3 doesn't display any email usage data
  • NC-26730 [API, Base System] Unable to change admin password through API
  • NC-25793 [Clientless Access] File browser does not load if directory contains a hardlink
  • NC-25852 [Clientless Access] UI dialog doesn't reset after closing and reopen
  • NC-21823 [Authentication, Firewall] Live users only displaying 8192 users
  • NC-22738 [Firewall, Performance] Firewall page load time increases after adding firewall groups
  • NC-22878 [Firewall] Allow user to edit rule while double clicking on the rule
  • NC-23254 [Firewall] In TAP mode, management interface doesn't respond when same traffic is seen on TAP and MGMT
  • NC-25628 [Firewall] Appliance inaccessible after restoring backup file from 16.5 MR8 to 17 MR1
  • NC-25724 [Firewall] Special character "|" allowed in firewall rule name but then does not allow moving firewall rule within the group
  • NC-25965 [Firewall] Unable to delete a proxy-arp entry
  • NC-25970 [Framework(UI)] Change React.js to production mode in SFOS release builds
  • NC-23212 [HA] Wrong Dedicated Link value is displayed after saving HA Auxiliary configuration
  • NC-23077 [Hotspot] Changing hotspot customization type from Full to Basic or Basic to Full removes default voucher template
  • NC-26137 [Hotspot] Interfaces not listed correctly for hotspot configuration
  • NC-22572 [IPS] "Status" value is empty for IPS logs in log viewer
  • NC-26882 [IPS] User cannot add IPS Policy Rules to SF with 'Smart Filter' option enabled in any IPS policy using SFM
  • NC-27230 [IPS] IPS service is in dead state
  • NC-23016 [IPsec] RSA connection not working without remote ID and remote gateway '*'
  • NC-26152 [IPsec] IKEv2 initiator does not try forever if rekeying tries = 0
  • NC-26338 [IPsec] VPN failover timeout takes too long
  • NC-26339 [IPsec] Remote access with IPsec/PSK can't be established
  • NC-26354 [IPsec] IPsec UP notifications are being sent even though the tunnel is UP for IKEv2
  • NC-26582 [IPsec] IPSec tunnel not reinitiated after PPPoE reconnect
  • NC-26634 [IPsec] Add validation message for PSK connections with remote '*'
  • NC-26888 [IPsec] UI - Hostname beginning with a number for VPN remote gateway address is not accepted
  • NC-26988 [IPsec] VPN connection can't be established if the PSK is very long
  • NC-26998 [IPsec] Webadmin is very slow after update to SF v17 MR3
  • NC-27030 [IPsec] System unresponsive after enabling non-establishing IPsec connections
  • NC-27255 [IPsec] 64 characters PSK gets truncated to 57 characters
  • NC-26100 [Logging] Typo in "Missing Heartbeat" in log viewer
  • NC-19417 [Mail Proxy] Emails have the banner as an attachment instead of inline in the message
  • NC-22816 [Mail Proxy] Unable to release quarantined emails - 'Bad Request' received
  • NC-23049 [Mail Proxy] "Release" link in quarantine digest not obeying configuration settings when SF in HA (A-A)
  • NC-25705 [Mail Proxy] Antivirus fails to start after downgrade from v17.0 MR2 to v16
  • NC-25808 [Mail Proxy] AwarrenMTA: a few mails remain in the queue after delivery (DB query fails due to special character)
  • NC-26061 [Mail Proxy] IP reputation check is skipped when clubbed with 'recipient verification' policy
  • NC-26750 [Mail Proxy] RBL scan should be skipped if IP address is in Allowed IP address list
  • NC-26773 [Mail Proxy] Incorrect values shown for disk utilization for SMTP quarantine
  • NC-21877 [Networking] Remove limit for static IP-MAC mapping in DHCP
  • NC-22792 [Networking] Full import/export fails due to specific invalid DHCP config
  • NC-25395 [Networking] Wrong OUT port marked while using primary and secondary gateways
  • NC-23178 [nSXLd] URL categorization look up fails
  • NC-23206 [nSXLd] Unable to save domain info in customized web categories
  • NC-26080 [Reporting] "Internal Server Error" while accessing Web Admin
  • NC-25589 [SSLVPN] Username with '@' is not displayed correctly in SSL VPN Client
  • NC-22961 [Synchronized App Control] Add customized apps to the "categorized" widget in control center
  • NC-25309 [Synchronized App Control] Timestamps for last occurrence should not show seconds
  • NC-25950 [Synchronized App Control] Endpoint name is shown wrong after upgrade to MR-2
  • NC-25953 [Synchronized App Control] Normalized path is shown instead of filename after upgrade to MR-2
  • NC-22750 [UI] Control Center - text wrapped and appears on two lines in Japanese language
  • NC-26242 [UI] Web Server Protection >> General Settings tab is not displayed in some languages
  • NC-26340 [Up2date Client] Message "New firmware available for AP" shown on dashboard although version is already installed
  • NC-21760 [WAF] Ruleid is not set in case of HTTPS host mismatch
  • NC-25461 [WAF] Additional cookie from WAF is added without HttpOnly detail
  • NC-25633 [WAF] Unable to edit/save WAF rule
  • NC-18732 [IPS, Web] Load average is going high on CR300iNG with SFOS v16.5 & v17.0 GA
  • NC-22030 [Web] Policy tester does not allow multicast addresses in the URL
  • NC-22752 [Web] Range requests cannot download files larger than 2GB
  • NC-22993 [Web] TeamViewer not working after upgrading to 16.5 MR7
  • NC-23061 [Web] Content Filter details are not displayed with languages other than English
  • NC-23082 [Web] Garner segfault occurred in feedback channel plug-in
  • NC-25356 [Web] High memory utilization increasing daily on XG430
  • NC-25370 [Web] Web Proxy does not work correctly when application filter is set to "Synchronized App Control"
  • NC-25397 [Web] Logout option disappears from Captive Portal page
  • NC-25582 [Web] Range header in requests should not be validated when AV scanning is not required
  • NC-25771 [Web] Gmail: Email attachment upload failed with HTTPS scanning
  • NC-26352 [Web] Outlook cert error in explicit mode on dns failures
  • NC-25687 [Wireless] Built-in AP is not broadcasting unless it is configured in a separate zone
  • NC-26380 [Wireless] Wrong wireless AP status displayed in Control Center
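
The WAF item NC-25461 above concerns a cookie the WAF adds without the HttpOnly attribute. The following is an added example, not part of these release notes or of Sophos' own tooling, showing how an administrator can verify cookie attributes on responses served through the WAF after applying the update: it parses Set-Cookie headers and reports which cookies lack HttpOnly or Secure. The response headers embedded below are constructed sample data; the cookie name `wafsession` is a placeholder and not the real cookie name the firewall uses.

```python
"""Report Set-Cookie headers that lack HttpOnly / Secure attributes.

Added example for post-upgrade verification; it is not Sophos code and
makes no assumption about the real WAF cookie name.
"""
import urllib.request

# Constructed sample response headers (not captured from a real appliance).
# "wafsession" is a placeholder cookie name standing in for an injected
# WAF cookie that is missing its HttpOnly (and Secure) attributes.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "wafsession=xyz789; Path=/"),
]

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, set_of_lowercase_attributes).

    Attributes are compared case-insensitively because RFC 6265 treats
    attribute names as case-insensitive (e.g. "httponly" == "HttpOnly").
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = set()
    for part in parts[1:]:
        if part:
            attrs.add(part.split("=", 1)[0].strip().lower())
    return name, attrs


def missing_cookie_flags(headers, required=REQUIRED_FLAGS):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header
    in `headers` (an iterable of (name, value) pairs) that lacks one of
    the `required` attributes. Cookies that carry all flags are omitted.
    """
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(hvalue)
        missing = [flag for flag in required if flag.lower() not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


def check_url(url):
    """Fetch `url` and run the cookie check against its response headers."""
    with urllib.request.urlopen(url) as resp:  # nosec: operator-supplied URL
        return missing_cookie_flags(resp.getheaders())


if __name__ == "__main__":
    # Offline demonstration on the constructed headers; for a live check,
    # call check_url("https://<your-waf-protected-site>/") instead.
    for cookie, flags in missing_cookie_flags(SAMPLE_RESPONSE_HEADERS).items():
        print(f"cookie {cookie!r} is missing: {', '.join(flags)}")
```

Run it against a site published through the firewall's Web Server Protection (replace the placeholder URL) and expect an empty result once the WAF cookie carries both attributes; the Secure flag is only meaningful on HTTPS-published sites, so drop it from `REQUIRED_FLAGS` when checking a plain-HTTP virtual server.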

Downloads

You can find the firmware for your appliance in the MySophos portal.

  • Many fixes, bravo team. Thanks for the hard work!

    1) I'm wondering if there are any acknowledged issues with Ikev1 and strongswan at this point as of v17.0? And whether there are planned fixes? Me and several others are completely dead in the water, forum posts abundant. Had to downgrade to the latest v16 to resolve it.

    2) How do we find out more details about NC- issues? For example, I want to know if perhaps this issue affects me or not, and just if there are more details we can see about known issues? NC-26634 [IPsec] Add validation message for PSK connections with remote '*'

  • Edit: Somehow I missed this, or it was added after I read the article, but maybe you were speaking to my issue when you added this note above:

    Note: There are a few edge cases where some customers may still experience issues using multiple subnets with a single IPSec connection. The team is working on those and all the last known issues should be addressed in MR6 which is expected to follow very soon.

  • When will this be supported by SFM?

  • Looking forward to IPSEC improvements :-)

    NC-26338 [IPsec] VPN failover timeout takes too long

    NC-26988 [IPsec] VPN connection can't be established if the PSK is very long

    NC-27030 [IPsec] System unresponsive after enabling non-establishing IPsec connections

  • Haven't fixed anything here. VPN still freezes every so often. Absolutely weird, I log in from home to our office's desktops with TeamViewer. Once the VPN freezes - which is never too long before it happens - nothing internally can ping externally (or do whatever else). And yet, I'm at home on a TeamViewer session in my office network. Hilarious !!! We feel secured :)

    PJR

  • Port forwarding is still minimalistic (let's call it absent) and cannot allow transparent proxy.  Even if the WEB gateway is Sophos' own.

    Mail Gateway still requires Einstein, and an awful amount of luck to make it run. If it ever will.

    Not sure why, but the WEB gateway allowed Google Chrome to update this pm.  A first since a loooooong time.

    PJR

  • Hi,

    As the note mentioned, there are more planned fixes to be included in the MR6 release. The team is actively working on this to address the rest of the known issues.

    Please contact support for more information and details regarding specific bug IDs.

  • Also here XG210 upgraded to 17.0.5 and VPN IPSec site-to-site still keeps disconnected.

    The disconnections happen every time when transferring data between offices.

    Data speed is 5MB/s

    Have tried different types of IPsec profiles.

    Since SFOS 17, with every build I try I get disconnections of the VPN all the time when I transfer data.

  • My first tests are very encouraging, the VPN comes up after a PPPoE disconnection or an unexpected disconnection of the peer that I simulate.

    But there is one thing that is still not solved: my WAN interfaces are VLANs connected to a switch, so it never physically goes down. In this case, the VPNs are never seen as disconnected, so they never come back up...

  • In reply to SGH's comment,

    Do you have any VPNs without multiple subnets that are also not stable? apalm123 reported a few edge cases where customers may still experience issues using multiple subnets with a single IPSec connection.

    It would be helpful to confirm if you are having this issue with single or multiple local and remote subnets configured.

  • Hmm...all went well until this evening, I have 4 IPSEC VPNs and all are showing up and down, also my SFM sends notifications about it :-(

  • Yeah, VPNs are horribly broken.

  • I'm still on v16 MR-8 because we are using ikev1 IPSEC VPN with multiple NATed subnets. Too many VPN bugs in v17.0.

  • Thanks for the update, applied it about a day ago to my PC and it appears to be working.