XG Firewall 16.05 RC1

Hi XG Community!

We've finished SFOS v16.05.0 RC1 and want to hand it to you as a soft-release.

Those of you who already used Sophos UTM might remember that we do soft-releases from time to time. For all others, let me quickly explain what it is:


We finish the release and think it's worth getting some feedback before shipping the release to all.

So we provide the links to the update packages to you via this forum and you can download the update package and upload it to your SFOS device.

We will monitor the feedback in this forum for some time and then ship the release to everyone.

For detailed list of features and changes , Please refer the attached Release Note : Sophos XG Firewall v16_5 RN_v3.3.pdf


Issues Resolved

NC-12759 [Authentication] Segmentation Fault of access server
NC-13930 [Authentication] Access_server segmentation fault
NC-14100 [Authentication] Appliance IP doesn't appear on general tab of STAS suite
NC-14160 [Authentication] Netbios packages sent out via WAN port
NC-13972 [Base System] Webadmin certificate is not updated when changing common name in ca certificate
NC-14123 [Base System] No reconnect of ipsec tunnel when using IPv6
NC-14140 [Base System] If VPN profile name is matching an existing log file then the profile will log to this log file
NC-14227 [Certificates] Improve error message for Certificate Revocation List
NC-3820 [Certificates] The validation period To/From is not taken into account for CRL uploads
NC-13394 [Clientless Access(HTTP/HTTPS)] Japanese character issue in HTTP bookmark of clientless access
NC-13014 [FirewallDatapath] Not able to ping local machine located in DMZ zone from LAN zone with IPsec S2S tunnel setup
NC-13665 [Firewall] Skipping load balancing for missing heartbeat drop traffic
NC-13702 [Firewall] Block Page with captive portal link shown for users when webfilter + user based rules are used
NC-13987 [Firewall] Wizard failed after configure DOS rule using src-zone
NC-14137 [Firewall] 'Internet Scheme' page loading failed
NC-11810 [Framework(UI)] Application List headings are removed after applying filter
NC-13043 [Framework(UI)] Control Center - system graph initially renders without title
NC-13858 [Framework(UI)] Improve XG Firewall dashboard diagrams
NC-14649 [Framework(UI)] Possible SQL injection in EventViewerHelper
NC-14671 [Framework(UI)] XSS in LiveConnectionDetail.jsp in SFOS
NC-15101 [Framework(UI)] Apache service stop in case of certificate names contain space characters
NC-8116 [Framework(UI)] Disable TLS1.0 and TLS1.1 support for Webadmin and Userportal
NC-14995 [Galileo Heartbeat] Heartbeat - Service restarting automatically
NC-14244 [Hotspot] Hotspot type POTD send extra mail while updating password creation time
NC-13610 [IDS + AppControl] Psiphon Proxy application is not blocked
NC-13496 [IPS] Wrong ip address shown in web filter logviewer when device configured in TAP-Mode
NC-14231 [IPS] Internet traffic dropped by IPS if network subscription is missing
NC-12228 [Mail Proxy] MIME whitelist box is not large enough to display the entire text
NC-14093 [Mail Proxy] Proxy stops processing mails if IP reputation is enabled with action "Reject"
NC-14098 [Mail Proxy] Delivery failure notification not sent if sender or recipient email address contains space character
NC-14178 [Mail Proxy] SMTP proxy dies to due to specific characters in return path of delivery failure notification
NC-14213 [Mail Proxy] Read only profile should be set in Email protection in HA mode
NC-13448 [Network Services] DHCP service dies while binding custom option to DHCP Server
NC-12214 [Networking] New warning message for unbinding interfaces trivialize effects
NC-12966 [Networking] WWAN connectivity issue with Huawei E3372
NC-13449 [Networking] DHCP Option is deleted without removing it's binding.
NC-13599 [RED] Transparent Split and 3G Failover should not be possible to configure
NC-14164 [RED] [RED] implement "TLS 1.2 only" mode
NC-11769 [Reporting] Event Type 'Not Available' seen in Reports of Admin Events
NC-12472 [Reporting] PDF Report Export/On Demand: When records continue on 2nd page server time change
NC-13257 [Reporting] Pagination is not working for "Interface" widget in executive report.
NC-14337 [Reporting] Reports is not loading when language is spanish
NC-6345 [Reporting] Custom Reports: Sometimes application/protocoll filter is not working properly
NC-12969 [SSLVPN] SSLVPN Remote-Access to Apple iPhone: traffic cannot pass through tunnel
NC-13945 [UI] Log Viewer link from widget window is not working
NC-13995 [VPN] VPN failover group stops retrying after couple of minutes
NC-6589 [VPN] DHCP_V6A_IPSec connection not re-connected when changing IPv4 address of the same WAN interface
NC-14118 [WAF] SFM MR-2 can not push web server configuration to SFv16 device
NC-11111 [Web] Captive Portal settings: unauthenticated users redirection does not work
NC-10629 [Wireless] Wifiauth service dies
NC-13207 [Wireless] hostapd dies state after updating radius server in wireless global settings
NC-13326 [Wireless] High CPU usage of DHCPd
NC-13340 [Wireless] Update organizationally unique identifier (OUI) library
NC-13940 [Wireless] Red15w wireless is not detected
NC-14000 [Wireless] DHCP option 234 code missing in "editreddevice" opcode
NC-9469 [Wireless] WLAN interfaces are not shown in network configuration wizard if wireless network name contains 'WLAN'

Known Issues

There is an issue with the Sandstorm licensing if you try to initiate the 30 day evaluation via ControlCenter.
After you clicked the 30 days trial button, you will be redirected to the MySophos portal where you finish the subscription process. At the end you will see a HTTP 404 error page, because the redirect URL is not correct.
As a workaround, please redo the steps until you get to the license overview of your device. The license should be synced to your device at that time.
This issue does not appear if you initiate the process via MySophos instead via ControlCenter


You can find the firmware for your appliance from in MySophos portal.


happy testing

  • Thanks for fixing NC-14160 [Authentication] Netbios packages sent out via WAN port. I was about to throw out my windows 2012 R2 host till I realized it was XG. Had to route my traffic through UTM to control the netbios broadcasts on WANZip it!

  • I see from the release notes that some XGs aren't going to support MTA mode:

     E-Mail Protection

    o MTA mode will not be supported in lower end flash appliances.

    Do you know which models that is, our smallest that we need MTA mode to operate on are XG210s

    Cheers, Charles

  • In reply to CMR:

    XG210 definately supports MTA mode. Official Sophos Appliances have only XG85 as absolute low end device with flash card which restricts some features in SFOS. And there surely also are some lower end Cyberoam CR Appliances with limited resources - but not sure which ones....

  • After updating my SG125w to 16.05 RC1, I then enabled the Sandstorm functionality on the device.  

    After enabling the evaluation in the GUI, the menu Advanced Threat > Sandstorm Settings pages still showed that the service wasn't available.

    Trying to enable it on the firewall rules also gave me a warning that a 'valid subscription' was needed.

    I needed to REBOOT the SG125w again for the Sandstorm services to become usable, is this expected?  A reboot being required after enabling Sandstorm?

    This has happened on TWO XG devices that I use, an SG125w and an XG105.


  • Just a quick question.

    Is this the pre release run for 17 or the next mile stone in 16 before 17?



  • In reply to Mark_D:

    Hey Mark

    This is the release prior to v17.  This release will become the 16.5 release once its gone through more public testing.

    Hence the 16.05 RC1 naming convention.

    This release provides numerous fixes and the major new functionality of adding Sophos Sandstorm to the XG's Web and Email protection.

  • In reply to AzRoN:


    No, that's not correct. For XG Firewall products, the releases version scheme will be 16.01.x, 16.05.x, 17.01.x, 17.05.x ...

    While 16 and 17 are the major versions, 01 and 05 are minor feature versions and the x indicates maintenance or security releases.

    So this XG 16.05.0 RC1. Next release will most likely be XG 16.05.0 GA somewhere in January. Afterwards we will have XG 16.05 MR1 and so on.



  • In reply to talex:

    I note the 5ghz wifi bandwidth reporting issue has not been fixed.

  • In reply to AzRoN:

    Hi Azron,

    you are right, at the moment there is a reboot required first time after Sandstorm is enabled. This is due to a timing issues while syncing the licenses. The issue is fixed and will be part of the next update.



  • Is there any ETA for the NC-14468 fix?

  • In reply to MarekDalke:

    HI MarekDalke, 

    The NC-14468 should be fixed in the next release .

  • In reply to Aditya Patel:

    So sandstorm and other minor bug fixes are the only improvements in v16.5? Not discounting the work you guys are putting in, but I was hoping for some logging improvements and an actual live log like the UTM9. Do we really have to wait for another major release before the logging is improved in XG?

    I understand that this is a soft release and didn't know that it will be called v16.5 until  explained it in the post above. Don't get me wrong, I am excited about the pace of development of v16 but I was hoping for a full v16.5 beta with ACTUAL improvements in some areas. While sandstorm is a great selling tool, there are other areas of XG that need improvement also. Some of these are outlined from the previous beta here https://community.sophos.com/products/xg-firewall/v16beta/f/sfos-v16-beta-feedback/78908/v16-what-is-still-missing 

    With a release date of January, v16.5/16.05 is mostly a bug fix updateSad


    P.S. Sorry , I just clicked on the reply button and it says that in reply to your post, my post is not aimed at youWink

  • Heartbeat service would not start after install.

    Had to completely remove association with sophos central and re-add.  Not a showstopper by any stretch, but something maybe to look into?

    I did not open a support ticket as I was able to resolve it.

  • Hi,

    And this bug NC-15206?

    Valentin GUEGNARD

  • My XG developed a strange application categorization problem this morning. I have rebooted it twice but the problem persists, I even tried moving the firmware back to 16.01.2 as a last ditch effort but the app categorization has died. I have a few application QoS rules that are very important for internet sanity specially with all the guests and family visiting at this time of the year. I will revert back to 16.01.2 and apply a recent backup and will pickup on the RC next year. Sorry guys for not being able to troubleshoot any further, but without layer7, it feels like ancient timesBig Smile