SFOS 17.1.2 MR2 Released

Hi XG Community!

We've finished SFOS v17.1.2 MR2. This release is available in stages. In first stage it will be available at MySophos. We then start with a small amount of slots and will increase those over time. Later it will be available to all other installations as well.

Please see the following link for further information regarding upgrade - KBA 123285 Sophos Firewall: How to upgrade the firmware.

Issues Resolved

Code has been optimized for the internal CSC service.  Code optimizations have resulted in a reduced memory footprint.  The reduced memory consumption supports SFOS v17.1.2 MR2  on the XG85 series.

Important security issues have been resolved in this release and we strongly recommend our customers to upgrade. Please see the following link for further information regarding these issues - KBA 132637 Advisory: Sophos XG Firewall Vulnerabilities reported by Kaspersky Labs.

  • NC-31276 [Access] SFM Compatibility with v17.1 - Getting error messages in event viewer when clicking on Authentication - Users
  • NC-33640 [API] Unauthenticated shell escape vulnerability
  • NC-31701 [ATP] Clicking on ATP widgets doesn't redirect to ATP results when ATP widget doesn't have data
  • NC-30220 [Authentication] Auto-created Radius users are not live on first login
  • NC-30521 [Authentication] Not able to create eDirectory server with password
  • NC-32392 [Authentication] Properly handle Radius SSO requests that also contain the user domain
  • NC-29537 [Base System] Logviewer not working due to sqlite issues
  • NC-31573 [Base System] Empty values returned for certain SNMP queries
  • NC-32399 [Base System] Change of the XG Firewall login screen (again)
  • NC-32481 [Base System] XG85 got reboot due to memorydump
  • NC-32559 [Base System] u2d_client writes to /content/u2d/pattern multiple times with the same data
  • NC-33672 [Base System] On demand CSC worker execution
  • NC-34087 [Base System] Garner segfault - multiple modules being reported
  • NC-32491 [Clientless Access] HTML5 VPN portal connections periodically stop working until service restarted
  • NC-28034 [Email] Unable to block email with specific mime type
  • NC-29590 [Email] AV pattern updates are failing while service is restarting
  • NC-29761 [Email] Strict RDNS is not working as expected when a record has more then 10 IP addresses with specific scenario
  • NC-29994 [Email] Attachments with iso-2022-jp encoding are not getting filtered
  • NC-31664 [Email] MTA service getting DEAD state when reboot appliance after full configuration import
  • NC-32005 [Email] Awarrenmta sporadically lose connection
  • NC-27866 [Firewall] 802.1Q header is not forward while re-assemble packet in bridge mode
  • NC-29963 [Firewall] Appliance rebooting with kernel dump
  • NC-31027 [Firewall] HTTP to HTTPS conversion not working for CR backups imported to SF
  • NC-31043 [Firewall] DNAT rule is not working in case IP range is used as Destination Host for reflexive rule
  • NC-31268 [Firewall] DNAT rule is not saved when TCP and UDP combination services are created at the time of rule creation
  • NC-32239 [Firewall] Packet Capture: HEX/ASCII lines appear next to an existing line
  • NC-32686 [Firewall] Firewall rule showing "in 0B" and "out 0B" in Webadmin
  • NC-26446 [Hardware] 125/135 series - upper 4 port LED's at front and rear side not behaving as expected
  • NC-30689 [Hotspot] Custom hostname is not displayed when hotspot login through QR Scanning
  • NC-28813 [IPsec] Second PSK input form is not limited to 64 characters as the first one
  • NC-29322 [IPsec] VirtualIP tunnel with CiscoVPN configuration is failing at Phase 2 with PFS
  • NC-29365 [IPsec] IPSec tunnel fails when there is whitespaces at the begin or end of the PSK
  • NC-29436 [IPsec] Failover group cannot be deactivated
  • NC-29599 [IPsec] Disable DPD action check for "Respond Only" connection when IKEv1 IPSec profile has DPD disabled
  • NC-29702 [IPsec] Remote Access VPN does not connect with VPN Tracker when connected with PSK + XAUTH
  • NC-29760 [IPsec] Child SA not killed, if re-keying is disabled and key life time is reached
  • NC-29892 [IPsec] L2TP connection can't be activated if the CA name contains a space character
  • NC-30541 [IPsec] HA - charon hangs in shutdown on AUX when killed via signal
  • NC-30571 [IPsec] HA - Restart VPN Service from CLI menu doesn't start on AUX machine
  • NC-30752 [IPsec] HA - old primary takes the connection after shutdown received
  • NC-31361 [IPsec] IPSec connections are randomly sorted each time the page is refreshed
  • NC-31616 [IPsec] Cisco VPN client issue with iOS device
  • NC-32640 [Logging] Log viewer is not loading on some devices after adding any filter and read/write goes high after activity
  • NC-31277 [Network Services] Interface name mapping failed during backup-restore for DHCP server on Alias over VLAN Interface
  • NC-32265 [Network Services] XG doesn't use the same name for the FQDN Host Group as configured via SFM
  • NC-32434 [Networking] LAG Member shows different MAC Address after editing via GUI
  • NC-29112 [RED] RED tunnel is fluctuating randomly
  • NC-30520 [RED] HA: RED interfaces are not correctly shown on AUX UI
  • NC-31174 [RED] Loading a huge number of RED devices leads to failsafe mode on backup restore
  • NC-31273 [RED] Interfaces page take 2-3 minutes time to load
  • NC-28794 [Reporting] Even after removing the email address aux node is sending the scheduled executive report
  • NC-33638 [Reporting] Post authentication remote code execution via shell escape
  • NC-30767 [Routing] Policy route not applied on PPPoE connect/disconnect events
  • NC-30288 [SecurityHeartbeat] HA: Failing heartbeat service stops startup from other services after fail over
  • NC-31015 [SSLVPN] SSLVPN client connections always start after reboot
  • NC-31433 [SSLVPN] SSLVPN server config contains routes for disabled s2s server connections
  • NC-29373 [UI Framework] Mitigate possible XSS vulnerability - JQuery
  • NC-34142 [UI Framework] Authenticated remote command execution in WebAdmin
  • NC-29991 [WAF] Authentication templates: Not possible to delete images/stylesheets
  • NC-30130 [WAF] Variable expansion is missing in "path too long" error message
  • NC-28470 [Web] NTLM logon over HTTP not being passed
  • NC-28950 [Web] Empty tooltip in Policy Tester
  • NC-29295 [Web] Content Filter details are not displayed with languages other than English
  • NC-29297 [Web] Custom images show blanks on blockpage preview before saving
  • NC-29545 [Web] Captive Portal shows guest user link after logout although guest user registration is not enabled
  • NC-31208 [Web] Proxy sends the warn.html with the HA interface IP
  • NC-31908 [Web] Application filter policy rule does not apply on SF device through SFM group level
  • NC-27281 [Wireless] Violations of Qatar regulatory requirements regarding the permitted 5 GHz bands
  • NC-28812 [Wireless] Connected clients are not showing in clients page after backup restore
  • NC-29281 [Wireless] Localwifi update shows successful green status message twice
  • NC-30489 [Wireless] AP is not coming to active status after full configuration export and import
  • NC-30652 [Wireless] Permissions for wireless protection are not exported correctly
  • NC-32653 [Wireless] Backup import failed for WirelessLocalAP


You can find the firmware for your appliance from in MySophos portal.
  • I am always surprised at the amount of fixes in these updates. It seems like you have to fix everything every update. I know this tech is not easy to maintain, I commend you for all of your hard work, it still crazy.

  • Release not yet visible in the XG GUI

  • Just updated my Firewall.

    BTW, release to GUI will be a while. you can still update your XG appliance by downloading the file and uploading it to your device.

  • Downloaded and running on two firewalls.  So far so good.

  • Does this work on the XG-85?  I don't see any comments saying it doesn't.

  • Working Fine from Yesterday. Only Issue with L2TP not working and not fixed from MR1 for  Android PIxel2 version 8.01 and new 9 as well .

  • It is working fine on XG 85, the help isn't working though, because it's not available online for this version.

  • When are we going to get IPv6 PPPoE???

  • the design of the UI included in this version is AWESOME!!!!

  • After the reboot with 17.1 MR2, my firewall was not able to handle the PPPoE Authentication again automatically. Means, I was cut from the internet, until i Dis- and Reconnected my ISP Interface via Firewall GUI. I had this never before so far. This could be an issue for people who are doing Remote Upgrades... Be careful guys.

  • Furthermore: There have been some changes to the GUI (Especially to the start screen). In the Releasenotes above, I cant find any "fixed Bugs" or "new features" related to that. It would be nice to have complete and honest release notes.

  • Fine so far.  Run up on a 125w, 135w, and a 210.  

    Go SOPHOS MOPHOS!  :-) Keep up the good work.

  • I did an upgrade on the home firewall yesterday and it went fine. Since today the GUI seems to be a bit slow and unresponsive. I can login to the GUI fine (a bit slow and sometimes takes a few refreshes) but the performance indicator Icon is greyed out. I can't see the CPU utilisation and no system graphs come up.  I have restarted the tomcat service but no luck.  I check the CPU utilisation through the console and it looks ok (below 2%). Will see if someone else reports this before I try rebooting or try a memory and hard disk test.

  • E-mail scanning stops working after some time ( Outlook IMAP ), works again after reboot. Issue I thought was solved, came back again.

  • We upgraded from 16.0.5 to 17.1.2MR2 our XG310 with varios of VPN tunnel. We experienced immediatly a high CPU usage (normaly3 - 7%) after upgrade 40 - 70 %. later on it goes up to 90 the appliance is not responsable.

    After reboot it drops back to 40% but after some hours it goes very high again and then freezes.

    we had to revert back to 16...