SFOS 17.1.0 GA Released

Hi XG Community!

We now have SFOS v17.1.0 GA available. Here's everything you need to know.

Right now, the release is available as a manual upgrade for all SFOS versions via the MySophos portal.

Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285

The on-the-box upgrade (the "new firmware available" pop-up and Check for new Firmware) will be made available a little later. It will also be released in a staged manner, i.e. the staged count will be increased incrementally over time.

What's New

Check out all the enhancements in XG Firewall v17.1 including the new Cloud Application Visibility feature in our XG Firewall v17.1 demo video.

  • Cloud App Visibility - brings the visibility pillar of CASB to XG Firewall, providing quick and easy Shadow IT discovery and visibility into data that may be at risk in cloud applications with great reporting on users and volume of data being uploaded and downloaded from cloud services.
  • Synchronized App Control - gets further enhancements in managing newly discovered applications, including options to search, filter, and delete applications.  You’ll also see the category assigned to the discovered app in the list for easy reference.
  • Email Security - adds user management over individual SMTP block and allow lists via the User Portal.  Domains or email addresses added to the Allow list will bypass policies (except for malware or sandboxing enforcement) and adding domains or addresses to the block list will automatically quarantine emails from those senders.  In addition, more flexible SMTP policy exceptions are supported to provide parity with Sophos SG UTM.
  • SSL VPN Port Option - one of the most requested features on XG Firewall is the option to customize the SSL VPN listening port.
  • Firewall Enhancements - Enhancements have been made to the firewall and rule management to improve flexibility and streamline management even further. You can now double-click a firewall rule in the list to open it for editing. There's a new option to block Google QUIC's HTTPS over UDP, forcing a fallback to TCP and enabling full SSL inspection of the traffic. And there is now added flexibility in defining ACL exceptions, for example to restrict access to services like the User Portal from a single alias.
  • Wireless Enhancements - XG Firewall v17.1 provides wireless networking enhancements including the option to set the channel width for wireless radios in the GUI as well as Radius Accounting.
  • IPSec VPN IKEv2 Enhancements - XG Firewall v17 introduced new IKEv2 support for IPSec VPN connections; all stability and reliability enhancements included in subsequent maintenance releases are also included with v17.1.
  • New Hardware Support - Support for the latest XG Series desktop hardware connectivity and features, unveiled in an earlier maintenance release, is also included in XG Firewall v17.1.

You can find the PDF of what's new here: Sophos XG Firewall v17.1 Whats New.pdf.

Notes

In case you are managing your Firewalls using SFM/CFM, Firewalls running SFOS 17.1 GA won’t accept application filter rules when applied from a device group or template. You can manage application rules from the device-level view in SFM/CFM until this limitation is addressed in SFOS 17.1 MR-1.

Issues Resolved

  • NC-31554 [Base System] Missing color indication for ATP widget
  • NC-31662 [Base System] Change of the XG Firewall login screen
  • NC-31484 [Email] Emails are not removed from spool after update to SF 17.0 MR8
  • NC-31514 [Firewall] Editing IPv6 host is not possible
  • NC-31030 [SSLVPN] Remove misleading message "Port 443 is already in use by User Portal"
  • NC-31615 [Web] Remove file type data columns in cloud application dashboard

Issues Resolved in Beta3 build

  • NC-30212 [Base System] Device displays fail message for SFM/CFM heartbeat
  • NC-29075 [Email] Unable to update mail spool if mail address contains special character (')
  • NC-29757 [Email] CVE-2011-1473: POP/IMAP - Secure Client-Initiated Renegotiation vulnerability
  • NC-30160 [Email] Option "Skip mails (for malware scan) greater than" is not working for outbound traffic
  • NC-30183 [Email] Notification test email fails with authentication when mail send without saving configuration
  • NC-30303 [Email] Possible authenticated remote code execution in mail_sender
  • NC-30649 [Email] Permissions for Email protection are not exported correctly
  • NC-29216 [Firewall] Separate out filter and NAT table chains for IPsec in two different services
  • NC-29505 [Firewall] Traffic shaping rule for firewall has wrong default policy association
  • NC-29776 [Firewall] After migrating from CR to SF DNAT rules stop working after every reboot
  • NC-29990 [Firewall] Import/Export of destination local acl always set to "any" if any port is selected before
  • NC-30037 [Firewall] Validation missing if IPv4 is selected as IP version
  • NC-30197 [Firewall] Firewall rule filter is not working from second page onwards
  • NC-30588 [Firewall] Policy Tester ignores IP host groups in the firewall rule
  • NC-30766 [Firewall] Unauthenticated XSS in diagnostics component
  • NC-30871 [Firewall] Japanese column header not displayed in the right place in Protect -> Firewall
  • NC-19980 [Framework(UI)] Filter search containing backslash char will not find the match
  • NC-30575 [Framework(UI)] VPN FO Group selection widget doesn't display correctly in Chrome
  • NC-28826 [HA] HA migration does not complete if dedicated link goes down during migration process
  • NC-29572 [IPsec] GUI allows admin to select external certificate for Remote Certificate for IPsec Connection for Remote Access
  • NC-30830 [IPsec] CVE-2018-10811 & memleak: Import upstream strongswan patches
  • NC-30979 [IPsec] IPsec route can disappear if two connections use the same
  • NC-29889 [Network Services] Unable to lease the IP to some users
  • NC-31017 [RED] RED S2S client does not work with routed server address
  • NC-29733 [Reporting] Showing unknown character for Current HA status under reports with HA
  • NC-29846 [Reporting] Sort by Users/Byte is not working on Cloud Applications page
  • NC-30155 [Reporting] Wrong label displayed for widget of Cloud Application
  • NC-30190 [Reporting] Records are not displaying in HTML export for "Records Per Chart 25 and more" for some widget of Cloud application
  • NC-28789 [Sandstorm] ExcludeSandstormFileTypes is not available in SandboxSettings XMLAPI data
  • NC-27461 [SFM-SCFM] Compatibility v17: Firewall UI issues at device level
  • NC-28913 [SFM-SCFM] Compatibility v17: Appliance unsync when applying L2TP (Remote Access) or IPSEC configuration
  • NC-29907 [SSLVPN] Not able to edit SSL VPN (Remote Access) policy
  • NC-30847 [SSLVPN] Unable to set user portal port to SSL VPN port
  • NC-29278 [Synchronized App Control] Renaming an Endpoint does not update SAC table
  • NC-29820 [Synchronized App Control] No new logs since 2 days - /tmp is full on XG85
  • NC-31020 [Synchronized App Control] Synchronized Application Control page is taking too long to load
  • NC-31229 [Synchronized App Control] SAC data table not loaded after migration to v17.1 Beta1
  • NC-30054 [UI] Device Access page showing error on Auxiliary machine
  • NC-29602 [WAF] API Get for SecurityPolicy does not return Traffic Shaping settings for the policy
  • NC-29876 [WAF] Website hosted over WAF taking more time to load when Common Threat Filter enabled
  • NC-30448 [WAF] Rewrite HTML for site path with special characters leads to memory allocation failure
  • NC-28699 [Web] Cloud Applications Control center widget - spacing issue
  • NC-28762 [Web] After power failure, Android devices captive portal does not disappear after logging in
  • NC-29002 [Web] API Import for WebFilterPolicy with dependent entities failed
  • NC-29164 [Web] Proxy drops HTTP Response when 100 and 200 in same packet
  • NC-29166 [Web] AV files served from cache are not scanned if 'scan av' flag enabled after file was cached
  • NC-29385 [Web] Data mismatch for Control Center and reporting widget for Cloud Application
  • NC-29479 [Web] Usercache is not updated when classification set through AppClassificationBatchAssignment
  • NC-29504 [Web] Captive Portal customization Reset to Defaults does not work
  • NC-29601 [Web] Policy Test Tool not working
  • NC-29809 [Web] When cloud dashboard page contains more than 10 apps, some apps will not show app-icon warning exclamation triangle mark when changing app classification
  • NC-29984 [Web] WebFilterURLGroup API Doc is misleading
  • NC-30606 [Web] Fail to change application classification when changing to other languages
  • NC-30682 [Web] Cloud Applications page loading failed in XG85 appliance
  • NC-31042 [Web] Cloud Applications dashboard column names have overlapping text in French
  • NC-27033 [Wireless] Pending text is wrapping to next line for Wireless APs counter
  • NC-27535 [Wireless] UI is not displaying WiFi client's IP when multiple clients are connected to AP
  • NC-28763 [Wireless] UI displays AP as inactive even if AP was active
  • NC-28765 [Wireless] AP goes in inactive mode when used "2.4 Ghz and 5 Ghz" Frequency band
  • NC-29419 [Wireless] Not able to configure channel 12 and channel 13 on Desktop refresh devices
  • NC-29988 [Wireless] Wireless network update is not reflecting when it is assigned to LocalWiFi1(OptionalWiFi)

Issues Resolved in Beta2 build

  • NC-29977 [WAF] Reverse authentication: Access possible for empty protection profile

Issues Resolved in Beta1 build

  • NC-28797 [Access] User Edit page doesn't load for some users who are part of multiple groups
  • NC-26797 [API] HA devices update from MR2 to MR3 result in primary unit being factory reset
  • NC-22530 [Authentication] Webfilter policy is not working for auto-created AD user
  • NC-28175 [Authentication] Customer from NC-21823 has updated and getting segfault for access_server
  • NC-16090 [Base System] Source port changes to random over IPSec VPN
  • NC-25783 [Base System] Import certificate option is missing for CSR
  • NC-26328 [Base System] Additional CPU cores not detected in v17 after license upgrade
  • NC-27022 [Base System] Import from configuration failed due to too long certificate name
  • NC-27076 [Base System] Ping utility not working
  • NC-27263 [Base System] Incorrect interface speed is shown via SNMP
  • NC-28033 [Base System] Packet capture and connection list issue
  • NC-28220 [Base System] Garner active.db file size is too big in /tmp/eventlogs due to LogViewer output plug-in
  • NC-28566 [Base System] Garner service restarts
  • NC-27087 [Certificates] Default CA regeneration fails
  • NC-27853 [DDNS] DynDNS update does not happen in the configured time range
  • NC-28177 [DNS] Unable to resolve DNS of services.vip.symantec.com when registering it in Services/FQDN Host
  • NC-22864 [Firewall] Quick QUIC block
  • NC-22878 [Firewall] Allow user to edit rule while double clicking on the rule
  • NC-22927 [Firewall] NATPolicy API export fails when it contains NAT profile created on network
  • NC-26433 [Firewall] Captive Portal access issue for Android devices
  • NC-26560 [Firewall] One time schedule in firewall rule for VPN traffic doesn't block traffic when schedule expires
  • NC-27004 [Firewall] Unable to send email due to Default Internet Scheme Policy
  • NC-27164 [Firewall, Performance] LAN interface becomes unresponsive
  • NC-28025 [Firewall] Policy Tester ignores service groups in the firewall rule
  • NC-28710 [Firewall] Display of firewall rule in Firewall Group overlaps with display of action
  • NC-28756 [Firewall] Appliance inaccessible after the backup restore
  • NC-28785 [Firewall] Packet capture log is empty when opened via hyperlink in log viewer for IPv6
  • NC-28791 [Firewall] Sometimes VPN is not working when bridge has WAN interface
  • NC-28800 [Firewall] Firewall Rule ID is shown with an incorrect ID
  • NC-29379 [Firewall] HA Aux appliance goes in failsafe mode when failed to load LBS module (occurs only in specific IPv6 condition)
  • NC-29243 [Framework(UI)] Subnet creation is broken for IE11
  • NC-25854 [HA] Disable HA fails on auxiliary appliance when LAG interface is used as peer admin port and a bridge interface is also configured in SFOS
  • NC-29040 [Hotspot] File name containing space is not working for images/stylesheets and logos of hotspots
  • NC-26514 [IPS] IPS core dumps with appliances in HA (A-A)
  • NC-27549 [IPS] ATP Exception is getting removed automatically
  • NC-28602 [IPS] Filter alignments in Application Filter Policy Rule are displayed incorrectly
  • NC-29174 [IPS] IPS Policies are not being pushed out via SFM template
  • NC-25380 [IPsec] Add an option to auto create a Firewall rule
  • NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
  • NC-26357 [Logging] Log viewer is not loading after adding any filter and read/write goes high after activity
  • NC-21745 [Mail Proxy] i18n file name is not displayed in log viewer and on sandstorm activity page for sandstorm module
  • NC-25746 [Mail Proxy] CVE-2012-4929: SSL/TLS CRIME Vulnerability on port 8094
  • NC-26472 [Mail Proxy] AwarrenMTA: few mails appear on queue after delivery (DB connect fail)
  • NC-26930 [Mail Proxy] XG not able to update spool due to special characters in failure reason
  • NC-27240 [Mail Proxy] Unable to send emails due to auto routing to rcpt DNS in case of greylisting reply for MX
  • NC-27365 [Mail Proxy] Display issues with German umlauts in SPX Template
  • NC-28081 [Mail Proxy] Unable to save the SMTP policy when some MIME types are selected
  • NC-28364 [Mail Proxy] Email should be quarantined if scanning fails due to unscannable file
  • NC-28819 [Mail Proxy] Quarantined emails are not visible on SMTP Quarantine
  • NC-29018 [Mail Proxy] XG is unable to block email attachments when sent via Powershell v5.1
  • NC-29103 [Mail Proxy] Unable to release quarantine mails with special characters from spam digest
  • NC-29315 [Mail Proxy] CTIPD service should be stopped if Email or WAF subscription is not activated
  • NC-29319 [Mail Proxy] Unable to release false positive outbound spam emails
  • NC-29339 [Mail Proxy] CVE-2013-0169: Multiple SSL/TLS vulnerabilities - POP/IMAP
  • NC-29437 [Mail Proxy] Multi-level subdomain getting 501 syntax error while “Reject invalid HELO or missing RDNS” enabled
  • NC-29671 [Mail Proxy] AwarrenMTA restarts when used with high CCLs on certain mails
  • NC-21993 [Network Services] Static MAC-IP binding issue
  • NC-28815 [Network Services] CVE-2018-5732 and CVE-2018-5733: DHCP vulnerabilities
  • NC-27874 [Networking] IP address in static DHCP leases is shown incompletely
  • NC-28029 [Networking] Firewall configured as DHCP relay agent is generating flood on internal DHCP server
  • NC-28564 [Networking] Backup-Restore failed for different interface name devices when VDSL interface is configured
  • NC-29721 [Networking] HA failover is taking 10 minutes in v17.0 MR5
  • NC-28320 [nSXLd] URL Category Lookup provides different results for UI and command line
  • NC-27556 [PPTP] PPTP Remote Access fails when user name is not in lower case
  • NC-27881 [Qos] Unit for bandwidth parameter is incorrect on the Dashboard
  • NC-27942 [RED] XG red to XG red not connecting over MPLS network
  • NC-22787 [Reporting] Dashboard uses incorrect design for ATP and UTQ widgets
  • NC-22829 [Reporting] Reports section in Control Center gets stuck when "None" is configured as Admin Profile for "Reports Access"
  • NC-25786 [Reporting] Logo is not displayed properly in SAR report
  • NC-27046 [Reporting] "Search Key" filter not working for Google Search Engine
  • NC-28918 [Reporting] Unable to view Objectionable websites in Control Center and Reports
  • NC-29465 [Reporting] Not able to send mail digest - due to PG connections full
  • NC-26575 [SecurityHeartbeat] Heartbeat DB opcode sync command gets stuck
  • NC-27258 [SecurityHeartbeat] Ipset opcode gets stuck in HA setup
  • NC-28065 [SSLVPN] Port 8443 should be usable at any time when not used somewhere else
  • NC-28219 [SSLVPN] Site-Site SSLVPN: Routes aren't added with IP HOST Group in remote network
  • NC-23106 [Synchronized App Control] [SAC] Extended Filter/Search function in app Lists
  • NC-22122 [UI] CVE-2007-6750: Apache Partial HTTP Request Denial of Service Vulnerability for port 8443, 443, 4444
  • NC-26436 [WAF] Common Threat Filter should be disabled in default Outlook Anywhere Web Protection Policy
  • NC-28405 [WAF] Content gets lost when using form-hardening
  • NC-28944 [WAF] HTTPS Certificate Error when editing a Business Application Rule
  • NC-29483 [WAF] Creating IP host object inline leads to hanging SlowHTTP UI
  • NC-29650 [WAF] CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request
  • NC-18038 [Web] Page redirections for authentication (and others) should use hostname not IP
  • NC-25617 [Web] Log virus name for unscannable content as "Unscannable" in the Web Virus report
  • NC-25745 [Web] CVE-2016-2183, CVE-2016-6329: SWEET32 SSL/TLS Vulnerability and Triple DES on port 8090
  • NC-26136 [Web] Change link of Guest User Registration on Captive Portal page into https
  • NC-27893 [Web] Unable to use apostrophe character in Captive Portal settings
  • NC-28457 [Web] No response when clicking on Captive Portal login button
  • NC-28601 [Web] Dynamic app filter rules which do not contain any applications are enforced for all applications
  • NC-28695 [Web] Block and warnpage previews use wrong template
  • NC-28759 [Web] Awarrenhttp segfaults when killed while scanning
  • NC-28792 [Web] IPS fails to close connections which are blocked by an app filter (causing proxy to timeout after 60 sec)
  • NC-28899 [Web] 'Block HTTP' option disappears if switching from a dynamic category to a non-dynamic one for an activity
  • NC-29124 [Web] Possible buffer overflow in Web Proxy's warn-proceed transformer
  • NC-5395 [Wireless] Wrong interface status shown on auxiliary appliance for wireless network
  • NC-19851 [Wireless] Support Radius Accounting on Remote APs & Local Wifi models
  • NC-26278 [Wireless] IP addresses not visible in Wireless Client List
  • NC-27261 [Wireless] Wizard is failing in XG85W(old model) after configuring SSID from wireless config page of wizard

Download

To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285.


  • Can you guys comment on NC-30979 (in update three)? Such as if this bug existed in 7.0 MR-8 or if it was only in 17.1, and if it is also found in 17.0 MR-8, give more details other than "IPsec route can disappear if two connections use the same" ..... same what???

  • I guess I should have just asked... are there any IPsec fixes that were not already in 17.0 MR-8?

  • I just want to have IPV6 working out of the box in my Sophos XG Home Edition.... :(

  • Is it just me? I can't seem to find the download following the instructions above.

  • @Scot_D_L the IPsec fixes mentioned for this release are not part of 17.0 MR8.

    Regarding NC-30979, IPsec route can disappear if two connections use the same ipsec_route set via cli, which leads to the route being removed in case of one of the connection going down.

  • The first KBA is a bit confusing, I'll check to improve it. Once you have logged in to MySophos, go to Network protection > Firmware updates and enter your serial number (which you can find in the XG control center).

  • Talex thank you for this. I installed the 17.1 without a problem on my Hyper-V server. My AP is not coming back online. The status stays inactive on my AP55c.

  • I have upgraded to v17.1 on 6 Jun and the system is working fine. The Cloud Application improvement is cool, giving a lot of insight.

  • On XG135, upgraded to v17.1 from v16.05.9 and broke my site-to-site VPN.

    Will there be an upgrade path to v17.x that does break VPN connections?

    Or I must concede and rebuild my VPN connection?

    I have not tried remote access VPNs made in v16.05.9, any idea if they will have the same fate in v17.1 (e.g. break)?

    Thanks

  • After boot it tries to start MTA and after some time it says MTA DEAD.

    There's a topic... community.sophos.com/.../xg-17-1-0-ga-firmware-upgrade-breaks-mta

  • There is a problem on our SG310 with every firmware after 17.0. Awarren kind of breaks and it takes up to a day to deliver some of the emails (usually it takes just a few hours or a reboot), also the mail log is somehow not a tool that I can believe in. But those are things that are mentioned in 17.1 GA, and 17.1 GA breaks the mail agent totally. Isn't there a chance to have an XG firmware that actually can be used as a working solution for a company? Also there's a problem with RED 15W, which cannot be used with XG, because XG doesn't see any AP (worked with UTM alright). I have just renewed my licence, but I am getting deeply disappointed with the fixes. Don't get me wrong, but I am wasting a lot of time trying to use your software (and hardware) and it fails me seriously badly.

  • I heard UTM 9.6 has Let's Encrypt support; will this be added to Sophos XG as well?