XG Firewall 16.05 RC1

Hi XG Community!

We've finished SFOS v16.05.0 RC1 and want to hand it to you as a soft-release.

Those of you who already used Sophos UTM might remember that we do soft-releases from time to time. For all others, let me quickly explain what it is:


We finish the release and think it's worth getting some feedback before shipping the release to all.

So we provide the links to the update packages to you via this forum and you can download the update package and upload it to your SFOS device.

We will monitor the feedback in this forum for some time and then ship the release to everyone.

For a detailed list of features and changes, please refer to the attached release notes: Sophos XG Firewall v16_5 RN_v3.3.pdf


Issues Resolved

NC-12759 [Authentication] Segmentation Fault of access server
NC-13930 [Authentication] Access_server segmentation fault
NC-14100 [Authentication] Appliance IP doesn't appear on general tab of STAS suite
NC-14160 [Authentication] Netbios packages sent out via WAN port
NC-13972 [Base System] Webadmin certificate is not updated when changing common name in ca certificate
NC-14123 [Base System] No reconnect of ipsec tunnel when using IPv6
NC-14140 [Base System] If VPN profile name is matching an existing log file then the profile will log to this log file
NC-14227 [Certificates] Improve error message for Certificate Revocation List
NC-3820 [Certificates] The validation period To/From is not taken into account for CRL uploads
NC-13394 [Clientless Access(HTTP/HTTPS)] Japanese character issue in HTTP bookmark of clientless access
NC-13014 [FirewallDatapath] Not able to ping local machine located in DMZ zone from LAN zone with IPsec S2S tunnel setup
NC-13665 [Firewall] Skipping load balancing for missing heartbeat drop traffic
NC-13702 [Firewall] Block Page with captive portal link shown for users when webfilter + user based rules are used
NC-13987 [Firewall] Wizard failed after configure DOS rule using src-zone
NC-14137 [Firewall] 'Internet Scheme' page loading failed
NC-11810 [Framework(UI)] Application List headings are removed after applying filter
NC-13043 [Framework(UI)] Control Center - system graph initially renders without title
NC-13858 [Framework(UI)] Improve XG Firewall dashboard diagrams
NC-14649 [Framework(UI)] Possible SQL injection in EventViewerHelper
NC-14671 [Framework(UI)] XSS in LiveConnectionDetail.jsp in SFOS
NC-15101 [Framework(UI)] Apache service stop in case of certificate names contain space characters
NC-8116 [Framework(UI)] Disable TLS1.0 and TLS1.1 support for Webadmin and Userportal
NC-14995 [Galileo Heartbeat] Heartbeat - Service restarting automatically
NC-14244 [Hotspot] Hotspot type POTD send extra mail while updating password creation time
NC-13610 [IDS + AppControl] Psiphon Proxy application is not blocked
NC-13496 [IPS] Wrong ip address shown in web filter logviewer when device configured in TAP-Mode
NC-14231 [IPS] Internet traffic dropped by IPS if network subscription is missing
NC-12228 [Mail Proxy] MIME whitelist box is not large enough to display the entire text
NC-14093 [Mail Proxy] Proxy stops processing mails if IP reputation is enabled with action "Reject"
NC-14098 [Mail Proxy] Delivery failure notification not sent if sender or recipient email address contains space character
NC-14178 [Mail Proxy] SMTP proxy dies due to specific characters in return path of delivery failure notification
NC-14213 [Mail Proxy] Read only profile should be set in Email protection in HA mode
NC-13448 [Network Services] DHCP service dies while binding custom option to DHCP Server
NC-12214 [Networking] New warning message for unbinding interfaces trivialize effects
NC-12966 [Networking] WWAN connectivity issue with Huawei E3372
NC-13449 [Networking] DHCP Option is deleted without removing its binding.
NC-13599 [RED] Transparent Split and 3G Failover should not be possible to configure
NC-14164 [RED] [RED] implement "TLS 1.2 only" mode
NC-11769 [Reporting] Event Type 'Not Available' seen in Reports of Admin Events
NC-12472 [Reporting] PDF Report Export/On Demand: When records continue on 2nd page server time change
NC-13257 [Reporting] Pagination is not working for "Interface" widget in executive report.
NC-14337 [Reporting] Reports is not loading when language is Spanish
NC-6345 [Reporting] Custom Reports: Sometimes application/protocol filter is not working properly
NC-12969 [SSLVPN] SSLVPN Remote-Access to Apple iPhone: traffic cannot pass through tunnel
NC-13945 [UI] Log Viewer link from widget window is not working
NC-13995 [VPN] VPN failover group stops retrying after couple of minutes
NC-6589 [VPN] DHCP_V6A_IPSec connection not re-connected when changing IPv4 address of the same WAN interface
NC-14118 [WAF] SFM MR-2 can not push web server configuration to SFv16 device
NC-11111 [Web] Captive Portal settings: unauthenticated users redirection does not work
NC-10629 [Wireless] Wifiauth service dies
NC-13207 [Wireless] hostapd dies state after updating radius server in wireless global settings
NC-13326 [Wireless] High CPU usage of DHCPd
NC-13340 [Wireless] Update organizationally unique identifier (OUI) library
NC-13940 [Wireless] Red15w wireless is not detected
NC-14000 [Wireless] DHCP option 234 code missing in "editreddevice" opcode
NC-9469 [Wireless] WLAN interfaces are not shown in network configuration wizard if wireless network name contains 'WLAN'

Known Issues

There is an issue with the Sandstorm licensing if you try to initiate the 30 day evaluation via ControlCenter.
After you click the 30 days trial button, you will be redirected to the MySophos portal where you finish the subscription process. At the end you will see an HTTP 404 error page, because the redirect URL is not correct.
As a workaround, please redo the steps until you get to the license overview of your device. The license should be synced to your device at that time.
This issue does not appear if you initiate the process via MySophos instead of via ControlCenter.


You can find the firmware for your appliance in the MySophos portal.


Happy testing

  • In reply to Adriano Almeida:

    Hi Adriano, please don't take 's post personally. Some of us old timers on the board have a bad habit of derailing every thread into sophos bashing. Most of the time the users that are having problems are the most vocal and they definitely have the right to express their dissatisfaction. But keep in mind that this is sophos community board and your interaction is mostly with other members like yourself. Even  is not a sophos employee. His post was intended more as a reminder to keep to the topic ;) and not as you shouldn't say what problems you are having.

    While we sympathize with you and other users that have problems with XG, keep in mind that sophos is the one letting you openly criticize them in an open forum. I am not saying that you shouldn't express the problems you are having or if I was right when I wrote the whole speech earlier on (I have since marked that OFF TOPIC). All I am saying is that when we start criticizing sophos and particularly XG in every release thread, the intended purpose of the thread which is to deliver high quality software to users that want to test it before others to find bugs completely gets side tracked and we start finding the commonalities like 

    You don't like logging ... me too, STAS is a problem in your deployment... mine too, Heartbeat not working the way you thought... me too :D And nobody is talking about sandstorm which the whole beta was about ;)

    Trust me, sophos is more than aware of the problems that we are facing and working as fast as possible to fix them. Just look at the v16 releases... we have had a few since the original GA. Is every problem fixed? Of course not but they are trying and we should give them the benefit of doubt once in a while.

    Sorry again for your troubles with XG, keep aggravating your local support and by all means express your frustrations by opening a new thread on the forum... we will all join you in your efforts. A few sophos employees check that regularly and even if they don't answer, trust me they are relaying the message.


  • In reply to Billybob:

    I see a GA version of 16.05 available now, I'll give it a go today and see what happens

  • In reply to Billybob:

    I have to reboot all my 16.5 test devices several times for the following:

    • Wifi dropouts.
    • Drops the ADSL side.
    • Router just hangs.

    Do like the new "Firewall is starting"

  • In reply to DomusRegis:

    None of the download links are working

  • In reply to Michael Kopp:

    Hi Michael,

    you are right, we removed the old data from the server, because we already have a maintenance release for SF16.05 (see: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-05-1-mr1-released). Therefore there is no need for a release candidate anymore. I will remove the links from the text above. Thanks for the hint.

    The new files can be found in MySophos.

  • In reply to talex:

    its support drivers?


  • In reply to ValentinGUEGNARD:

    Hi Valentin,

    The issue is still pending and should be resolved in the next release.

  • In reply to lferrara:


    "IPv6 is always a big challenge for appliances (in this case XG). I had a problem even with routers that had IPv6 issues. XG should manage IPv6 like UTM 9. Let's see"


    Not sure why IPv6 is such a big challenge - most appliances are using a Linux base and Linux does a pretty decent job of correctly implementing IPv6 functionality, and that's before you even consider any third party packages. Dibbler for example has provided DHCP-PD support as both a client and server for over 6 years.

    Also, if small players such as Netcomm can implement a wide scope of IPv6 capability including DHCP-PD in a sub-$100 router, what's Sophos's excuse?

  • In reply to ChrisKnight:

    Or pfSense which does support IPv6 since 2011