Hi XG Community!
We've finished SFOS v16.05.0 RC1 and want to hand it to you as a soft-release.
Those of you who already used Sophos UTM might remember that we do soft-releases from time to time. For all others, let me quickly explain what it is:
We finish the release and think it's worth getting some feedback before shipping the release to all.
So we provide the links to the update packages to you via this forum and you can download the update package and upload it to your SFOS device.
We will monitor the feedback in this forum for some time and then ship the release to everyone.
For a detailed list of features and changes, please refer to the attached release notes: Sophos XG Firewall v16_5 RN_v3.3.pdf
NC-12759 [Authentication] Segmentation Fault of access server
NC-13930 [Authentication] Access_server segmentation fault
NC-14100 [Authentication] Appliance IP doesn't appear on general tab of STAS suite
NC-14160 [Authentication] Netbios packages sent out via WAN port
NC-13972 [Base System] Webadmin certificate is not updated when changing common name in ca certificate
NC-14123 [Base System] No reconnect of ipsec tunnel when using IPv6
NC-14140 [Base System] If VPN profile name is matching an existing log file then the profile will log to this log file
NC-14227 [Certificates] Improve error message for Certificate Revocation List
NC-3820 [Certificates] The validation period To/From is not taken into account for CRL uploads
NC-13394 [Clientless Access(HTTP/HTTPS)] Japanese character issue in HTTP bookmark of clientless access
NC-13014 [FirewallDatapath] Not able to ping local machine located in DMZ zone from LAN zone with IPsec S2S tunnel setup
NC-13665 [Firewall] Skipping load balancing for missing heartbeat drop traffic
NC-13702 [Firewall] Block Page with captive portal link shown for users when webfilter + user based rules are used
NC-13987 [Firewall] Wizard failed after configure DOS rule using src-zone
NC-14137 [Firewall] 'Internet Scheme' page loading failed
NC-11810 [Framework(UI)] Application List headings are removed after applying filter
NC-13043 [Framework(UI)] Control Center - system graph initially renders without title
NC-13858 [Framework(UI)] Improve XG Firewall dashboard diagrams
NC-14649 [Framework(UI)] Possible SQL injection in EventViewerHelper
NC-14671 [Framework(UI)] XSS in LiveConnectionDetail.jsp in SFOS
NC-15101 [Framework(UI)] Apache service stop in case of certificate names contain space characters
NC-8116 [Framework(UI)] Disable TLS1.0 and TLS1.1 support for Webadmin and Userportal
NC-14995 [Galileo Heartbeat] Heartbeat - Service restarting automatically
NC-14244 [Hotspot] Hotspot type POTD send extra mail while updating password creation time
NC-13610 [IDS + AppControl] Psiphon Proxy application is not blocked
NC-13496 [IPS] Wrong ip address shown in web filter logviewer when device configured in TAP-Mode
NC-14231 [IPS] Internet traffic dropped by IPS if network subscription is missing
NC-12228 [Mail Proxy] MIME whitelist box is not large enough to display the entire text
NC-14093 [Mail Proxy] Proxy stops processing mails if IP reputation is enabled with action "Reject"
NC-14098 [Mail Proxy] Delivery failure notification not sent if sender or recipient email address contains space character
NC-14178 [Mail Proxy] SMTP proxy dies to due to specific characters in return path of delivery failure notification
NC-14213 [Mail Proxy] Read only profile should be set in Email protection in HA mode
NC-13448 [Network Services] DHCP service dies while binding custom option to DHCP Server
NC-12214 [Networking] New warning message for unbinding interfaces trivialize effects
NC-12966 [Networking] WWAN connectivity issue with Huawei E3372
NC-13449 [Networking] DHCP Option is deleted without removing it's binding.
NC-13599 [RED] Transparent Split and 3G Failover should not be possible to configure
NC-14164 [RED] [RED] implement "TLS 1.2 only" mode
NC-11769 [Reporting] Event Type 'Not Available' seen in Reports of Admin Events
NC-12472 [Reporting] PDF Report Export/On Demand: When records continue on 2nd page server time change
NC-13257 [Reporting] Pagination is not working for "Interface" widget in executive report.
NC-14337 [Reporting] Reports is not loading when language is spanish
NC-6345 [Reporting] Custom Reports: Sometimes application/protocoll filter is not working properly
NC-12969 [SSLVPN] SSLVPN Remote-Access to Apple iPhone: traffic cannot pass through tunnel
NC-13945 [UI] Log Viewer link from widget window is not working
NC-13995 [VPN] VPN failover group stops retrying after couple of minutes
NC-6589 [VPN] DHCP_V6A_IPSec connection not re-connected when changing IPv4 address of the same WAN interface
NC-14118 [WAF] SFM MR-2 can not push web server configuration to SFv16 device
NC-11111 [Web] Captive Portal settings: unauthenticated users redirection does not work
NC-10629 [Wireless] Wifiauth service dies
NC-13207 [Wireless] hostapd dies state after updating radius server in wireless global settings
NC-13326 [Wireless] High CPU usage of DHCPd
NC-13340 [Wireless] Update organizationally unique identifier (OUI) library
NC-13940 [Wireless] Red15w wireless is not detected
NC-14000 [Wireless] DHCP option 234 code missing in "editreddevice" opcode
NC-9469 [Wireless] WLAN interfaces are not shown in network configuration wizard if wireless network name contains 'WLAN'
There is an issue with the Sandstorm licensing if you try to initiate the 30 day evaluation via ControlCenter. After you click the 30 days trial button, you will be redirected to the MySophos portal where you finish the subscription process. At the end you will see an HTTP 404 error page, because the redirect URL is not correct. As a workaround, please redo the steps until you get to the license overview of your device. The license should be synced to your device at that time. This issue does not appear if you initiate the process via MySophos instead of via ControlCenter.
You can find the firmware for your appliance in the MySophos portal.
Thanks for fixing NC-14160 [Authentication] Netbios packages sent out via WAN port. I was about to throw out my windows 2012 R2 host till I realized it was XG. Had to route my traffic through UTM to control the netbios broadcasts on WAN
I see from the release notes that some XGs aren't going to support MTA mode:
o MTA mode will not be supported in lower end flash appliances.
Do you know which models that is? Our smallest that we need MTA mode to operate on are XG210s.
In reply to CMR:
XG210 definitely supports MTA mode. Official Sophos Appliances have only XG85 as absolute low end device with flash card which restricts some features in SFOS. And there surely also are some lower end Cyberoam CR Appliances with limited resources - but not sure which ones....
After updating my SG125w to 16.05 RC1, I then enabled the Sandstorm functionality on the device.
After enabling the evaluation in the GUI, the menu Advanced Threat > Sandstorm Settings pages still showed that the service wasn't available.
Trying to enable it on the firewall rules also gave me a warning that a 'valid subscription' was needed.
I needed to REBOOT the SG125w again for the Sandstorm services to become usable, is this expected? A reboot being required after enabling Sandstorm?
This has happened on TWO XG devices that I use, an SG125w and an XG105.
Just a quick question.
Is this the pre-release run for 17 or the next milestone in 16 before 17?
In reply to Mark_D:
This is the release prior to v17. This release will become the 16.5 release once it's gone through more public testing.
Hence the 16.05 RC1 naming convention.
This release provides numerous fixes and the major new functionality of adding Sophos Sandstorm to the XG's Web and Email protection.
In reply to AzRoN:
No, that's not correct. For XG Firewall products, the release version scheme will be 16.01.x, 16.05.x, 17.01.x, 17.05.x ...
While 16 and 17 are the major versions, 01 and 05 are minor feature versions and the x indicates maintenance or security releases.
So this is XG 16.05.0 RC1. Next release will most likely be XG 16.05.0 GA somewhere in January. Afterwards we will have XG 16.05 MR1 and so on.
In reply to talex:
I note the 5GHz wifi bandwidth reporting issue has not been fixed.
You are right, at the moment there is a reboot required the first time after Sandstorm is enabled. This is due to a timing issue while syncing the licenses. The issue is fixed and will be part of the next update.
Is there any ETA for the NC-14468 fix?
In reply to MarekDalke:
The NC-14468 should be fixed in the next release.
In reply to Aditya Patel:
So sandstorm and other minor bug fixes are the only improvements in v16.5? Not discounting the work you guys are putting in, but I was hoping for some logging improvements and an actual live log like the UTM9. Do we really have to wait for another major release before the logging is improved in XG?
I understand that this is a soft release and didn't know that it will be called v16.5 until AzRoN explained it in the post above. Don't get me wrong, I am excited about the pace of development of v16 but I was hoping for a full v16.5 beta with ACTUAL improvements in some areas. While sandstorm is a great selling tool, there are other areas of XG that need improvement also. Some of these are outlined from the previous beta here https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing
With a release date of January, v16.5/16.05 is mostly a bug fix update
P.S. Sorry Aditya Patel, I just clicked on the reply button and it says that in reply to your post, my post is not aimed at you
Heartbeat service would not start after install.
Had to completely remove association with sophos central and re-add. Not a showstopper by any stretch, but something maybe to look into?
I did not open a support ticket as I was able to resolve it.
And this bug NC-15206?
My XG developed a strange application categorization problem this morning. I have rebooted it twice but the problem persists, I even tried moving the firmware back to 16.01.2 as a last ditch effort but the app categorization has died. I have a few application QoS rules that are very important for internet sanity, especially with all the guests and family visiting at this time of the year. I will revert back to 16.01.2 and apply a recent backup and will pick up on the RC next year. Sorry guys for not being able to troubleshoot any further, but without layer7, it feels like ancient times.