SFOS 17.0.8 MR8 Released

Hi XG Community!

We've finished SFOS v17.0.8 MR8. This release is available in stages. In first stage it will be available at MySophos. We then start with a small amount of slots for v17.0 and will increase those over time. Later it will be available to v16.05 installations as well.

Update: SFOS v17.0.8 MR8 is now available to all SFOS installations. It's also available via SFM/CFM.


Issues Resolved

  • NC-27996 [Authentication] access_server coredump results in users getting logged out
  • NC-29485 [Authentication] access_server coredumps and restartings
  • NC-28033 [Base System] Packet capture and connection list issue
  • NC-28566 [Base System] Garner service restarts
  • NC-27214 [Firewall] IPsec NAT chain for all VPN tunnels gets removed if only one tunnel goes down
  • NC-29243 [Framework(UI)] Subnet creation is broken for IE11
  • NC-26151 [IPsec] IPsec connections can't always be disabled on first try
  • NC-27034 [IPsec] IKE packets lost when routed over the HA link
  • NC-28076 [IPsec] IPsec detail view has a mismatch for tunnel status
  • NC-28558 [IPsec] 'UP' Email notifications are not sent when the IPsec tunnels come up again within 1 second
  • NC-28577 [IPsec] Two IKEs for the same connections leads to a lot REKEYED connection on responder
  • NC-28795 [IPsec] Strongswan service is stuck in CSC for HA pair
  • NC-28850 [IPsec] IPsec Connection UI page hangs
  • NC-28857 [IPsec] PFS is shown as enabled in GUI although it is disabled in policy
  • NC-28909 [IPsec] Coredump generated for charon due to segmentation fault
  • NC-29043 [IPsec] CSC hangs - system becomes unresponsive
  • NC-29129 [IPsec] IPsec connection is not reestablished after PPPoE reconnect
  • NC-29242 [IPsec] Cannot configure VPNs using IE11
  • NC-29254 [IPsec] Random route deletion in IPsec with DGD
  • NC-29378 [IPsec] vpnconn_all_status_update takes continuously high cpu when IPsec VPN manage page stays open
  • NC-29834 [IPsec] Multiple IKE_SAs in CONNECTING state for the same config when peer does not respond
  • NC-29936 [IPsec] vpnconn_all_status_update can overload the system
  • NC-29995 [IPsec] IPsec paketfilter rules missing after DGD failback
  • NC-30192 [IPsec] IPsec S2S connection not initiated after DHCP interface update
  • NC-28106 [RED] RED tunnel disconnects every 24h
  • NC-29465 [Reporting] Not able to send mail digest - due to PG connections full


You can find the firmware for your appliance from in MySophos portal.

  • "NC-28033 [Base System] Packet capture and connection list issue"  Still a problem :(

  • Only a few fixes when can we expect new features to be added ?

  • i think that new features are not included in Maintenance Release. They are going to be present in 17.1, but there is no official release date yet.

    i'm going to install mr8 on a x330 cluster in a few hours

  • Why is this release not pushed to the XG its self? Anyone got some experience with this release yet?

  • hi JeffreyJaspers, MR8 is in soft-release, it is going to be available from XG itself in a few days. i've updated my test XG with no problems.

  • Has anyone got SNMP working since MR3? Pretty frustrating stuff here..

  • We need features like quarantine specific file extensions like xlsx instead only haveing the ability to rejekt the whole mail...

    There is a lot of work to do until the quality of the UTM is reached. Think we go back to UTM. Very disappointing so far

  • @Herzi: totally agree with you, so many basic features missing, you canìt even call them "feature" as some are basic services, like email notification.

  • Is SFOS 17.0.8-209 compatible with SFMV5 (SFMOS 17.0.0 GA) ?

  • Hi XG Admins, i have updated my XG HA Cluster from 16.05.7 to 17.0.6 last week.

    SMTP Mode: Transparent Proxy is working fine. Quarantine is working now.

    I had some problems witch bussines rules, during upgrading the configuration the Services in the rules was wrong converted. Support and i solve the problem. Case ID 8026624.

    Yeserday i have updated from 17.0.6 to 17.0.8 because of IPSEC problems. Case ID: 8094634

    I can confirm that in our case everything is working after update.

    So, dont be afraid to update :)

    kr Fabian

  • I still miss the feature to have an fqdn / hostname in the quarantine report instead of ip address

  • When will this become available to download from the XG Firmware page?

  • My recommendation for mail filtering is to buy the 10IP software license for UTM9.  You might get your sales contact to give that to you for free.  The mail filter product on the XG is abysmal and from what I understand they can't simply port everything the UTM9 does over to it.  Do not go down that road.  I tried twice and got burned both times.  The annual cost for the UTM9 Software License for 10IP Email filter only is retail like $80.  You don't need it to have full guard, network protection, or anything else.  Let the XG handle that.  But after I've done this for 5 email implementations, I've been relieved on a stress level you might imagine.

  • I still don't see the update available on any of the XGs I manage. When will it be available for direct download and install?

  • I'm trying to upload the new firmware on a CR15iNG, but the message occurs: new firmware could not be uploaded. please refer to online help for possible reasons

    anyone else with this problem?