Sophos Central Firewall Manager - CFM 17.0.0 GA Released

Hi XG Community!

We've finished CFM v17.0.0 GA. 

What's New

Synchronised Application Control

CFM now has a Synchronized Application Control global summary page showing Apps detected by each Firewalls.

Firewall Rule improvements

The Firewall Rule creation supports the Service widget in Business Rules. The Firewall Rules view page is in sync with new slim look with rule details shown up upon mouse hover.

IKEv2 for IPSec

IPSec VPN configuration now has IKEv2 key exchange in general settings. The VPN wizard in CFM is updated to include IKEv2.

IPS UX improvements

The SFOS v17 enhancement in IPS is adopted on the UI of CFM. Now one can add IPS Policy Rules using the new Smart Filter.

PUA

Potentially Unwanted Applications blocking can be enabled, and Authorized PUAs can be added under general settings of Web menu.

Application Filter UX improvements

All the SFOS v17 enhancement in Application Filter is adopted on the UI of CFM. Now one can add App filter policy using Smart Filter.

Policy Test Tool

CFM v17 allows one to test firewall rules or web policy at a device level.

Email improvements

CFM v17 now carries all Email UX improvements and configuration enhancements like Adding of Grey listing support for MTA, Recipient verification call out and Smart host for outbound mail forwarding.

WAF enhancement

CFM v17 now has the TLS version settings under Web server aiding in creating Web Application Firewall rules complying with the latest TLS v1.2 version.

Wild card FQDN

The SFOS v17 Wildcard FQDN support is extended to CFM, helping in creating new or existing pre-populated FQDN hosts and use it in Firewall and Policy Route.

Log viewer

Log viewer in CFM v17 now supports the Standard view of SFOS v17.

Issues Resolved

  • NCCC-5338 [SCFM] Username overlaps into entity column in event viewer
  • NCCC-5511 [SCFM] Device level dashboard does not open in CFM though device is synced
  • NCCC-5912 [SCFM] Unable to apply template through CFM
  • NCCC-5968 [SCFM] Unable to push a full modified default template
  • NCCC-6156 [SCFM] Firewalls not showing in CFM
  • NCCC-6199 [SCFM] Firewalls randomly disappear from CFM
  • NCCC-6214 [SCFM] Firewalls not showing in CFM though they are approved in SCPD
  • NCCC-6219 [SCFM] CFM doesn't show any change on connection status if more than 3 heartbeats are missed
  • NCCC-6279 [SCFM] Unable to open CFM - internal server error or service unavailable error
  • NCCC-6280 [SCFM] Primary admin unable to add one device and unable to access accounts page
  • NCCC-6285 [SCFM] Unable to push a template with a 'Country Group' that has ALL countries
  • NCCC-6308 [SCFM] When CFM is sending an alert, the email body records the event time but it is 1 hour ahead of the actual time
  • NCCC-5517 [SF Compatibility] Log Component "GUI" is not available in filter option
  • NCCC-5344 [SFM] GUI not accessible if password has "\"
  • NCCC-5498 [SFM] Firewall rules showing up "0" in template when importing configuration into template in SFM
  • NCCC-5858 [SFM] Import Template - missing configuration
  • NCCC-5241 [SFM-SCFM] Unable to create Custom Group if user select multiple firmware (more than 10) in group criteria
  • NCCC-5252 [SFM-SCFM] Labels on URL group's manage/edit page mismatched with SF URL group's page
  • NCCC-5253 [SFM-SCFM] Web Protection Exception: User cannot deselect 'Malware Scanning' action on the update event of any exception
  • NCCC-5254 [SFM-SCFM] Web Protection Exception: 'Selection Criteria' filter do not working properly
  • NCCC-5257 [SFM-SCFM] Traffic Shaping Default: UI differs between SFM and SF
  • NCCC-5261 [SFM-SCFM] Web Policy UI looks weird on device level
  • NCCC-5272 [SFM-SCFM] No validation message on UI for IPSec connections
  • NCCC-5273 [SFM-SCFM] Wireless Networks: Show warning message about reduced security when selecting 'TKIP encryption' as encryption method
  • NCCC-5279 [SFM-SCFM] Rogue AP Scan: Junk characters displayed as "Entity Name" for the update event of Rogue AP Scan > General Settings
  • NCCC-5284 [SFM-SCFM] SSL VPN authentication methods section is misplaced in SFM
  • NCCC-5291 [SFM-SCFM] SSL VPN Remote Access cannot be saved without override global timeout
  • NCCC-5322 [SFM-SCFM] Web Protection can not be updated
  • NCCC-5326 [SFM-SCFM] SMTP Policy: User have to select RBL service even if 'Spam Protection' section is disabled.
  • NCCC-5331 [SFM-SCFM] Default IPS Policy do not have rule details on CFM
  • NCCC-5345 [SFM-SCFM] Changing timezone of a SF device results in an internal server error and event viewer showing push operation in-progress
  • NCCC-5351 [SFM-SCFM] Unused event logs created when any manage page is refreshed of any SF devices level
  • NCCC-5426 [SFM-SCFM] Template is not imported when SF has a SMTP policy with "File Protection = On" and "Block File Types = None"
  • NCCC-5427 [SFM-SCFM] SFM template import will not work for SF v17.0 Beta-1 using template forward compatibility
  • NCCC-5433 [SFM-SCFM] User cannot update any new SMTP policy after adding 127 policies
  • NCCC-5493 [SFM-SCFM] Compatibility v17: Firewall rule page shows empty feature column
  • NCCC-5507 [SFM-SCFM] Compatibility v17: DNAT rule does not apply on firewall devices from global view when using IP range/IP list in forward type
  • NCCC-5510 [SFM-SCFM] Device monitor in SFM shows wrong RED status for RED tunnel interface
  • NCCC-5513 [SFM-SCFM] Compatibility v17: Template import is not working when using certificate in VPN IPSec connection
  • NCCC-5516 [SFM-SCFM] Monitoring Dashboard show ORANGE icon for "Conn. to Central Mgt." when expecting GREEN
  • NCCC-5525 [SFM-SCFM] Compatibility v17: DNAT rule cannot be updated in some combinations of forward type
  • NCCC-5815 [SFM-SCFM] Getting 'DUPLICATE ENTRY NOT ALLOWED' while creating user from group level page
  • NCCC-5906 [SFM-SCFM] Device Level: 'In and Out bytes' under Features' icon tooltip shows as 'undefined'
  • NCCC-5919 [SFM-SCFM] IPS: User cannot add IPS Policy Rule with 'Smart Filter' option in any IPS policy
  • NCCC-5969 [SFM-SCFM] IPS Policy with rule of 'Custom Signature' pushed successfully without selected custom signatures
  • NCCC-6098 [SFM-SCFM] 'Created Date' column is not available for 'Clientless Users'
  • NCCC-6202 [SFM-SCFM] User can not clear HB registration from multiple SFOS