Welcome to XG Firewall v17.0 Beta

Welcome to our Beta program for Sophos XG Firewall v17.0!

We are glad to have you on board, because your feedback will help us make the new release simply better. Your experiences with Sophos XG Firewall itself and with many different customer installations in the field will be a real benefit on our way to create a reliable SFOS v17.0 with useful new features!

A feature is not working as expected? You have found a bug?

Please post it in this Beta forum with a detailed description and - if possible - with some details how our team can reproduce the behavior. To increase readability we would like to ask you to use one post per issue.

Our engineering teams check the forum on a regular base.

Please also check the Known Issues List post as it gets updated as we go forward.

What's New

There are lots of new features in XG Firewall v17.0. Here is a short list, please find the detailed list at  4073.Sophos XG Firewall - Whats New v17.pdf.

Setup, Control Center and Navigation

  • Initial Setup Wizard
  • Synchronized App Control Widget
  • How-to Guides

Security and Control

  • Synchronized App Control
  • Web Keyword Monitoring and Enforcement
  • IPS Policy Enhancements and Smart Filters
  • App Control Policy Enhancements and Smart Filters
  • Web Filtering Enhancements
  • Streaming Media Enhancements

Management and Troubleshooting

  • Firewall Rule Management
  • Firewall Rule and Policy Test Simulator


  • Synchronized Applications Report
  • Web Keyword Content Report
  • Security Audit Report (SAR)
  • Report Scheduling

Network and VPN

  • IKEv2 Support
  • VPN UI Enhancements
  • Wildcard Support for Domain Name Host Objects
  • NAT Rule Enhancements

Email Protection

  • Smart Host
  • Greylisting
  • Recipient Verification

Synchronized Security

  • Synchronized Security in Discover (TAP) Mode Deployments
  • Synchronized App Control

Deployment and Hardware

  • Microsoft Azure High Availability
  • New Hardware Support
  • Central Management


  • NC-3005 [Access] Use "Bind DN" instead of "Username" in LDAP and eDir configuration
  • NC-18753 [Access] Segmentation Fault in Access Server
  • NC-7073 [API] WAF - LogViewer logs successful deletion although deletion actually fails
  • NC-14037 [API] Firewall rules can be created with name null
  • NC-15942 [API] Unable to import full configuration correctly
  • NC-17429 [API] Wrong Link (file extension) in XG Documentation
  • NC-14462 [Authentication] [STAS] Apostrophe in AD user display name cause STAS to fail
  • NC-18447 [Authentication] Access Server: live users are not logged out correctly
  • NC-18744 [Authentication] [HA] Live users not synced to aux node
  • NC-20473 [Authentication] Unable to activate users when a range of clientless users is activated
  • NC-20781 [Authentication] Unable to login via captive portal when using network traffic policy
  • NC-21404 [Authentication] Authentication Agent - getting logged out automatically at random time
  • NC-21538 [Authentication] STAS user login getting failed because access_server is assigning existing liveuserid to new login user
  • NC-16801 [Backup-Restore] FTP auto backup is not working if there is a space in directory name
  • NC-11760 [Base System] No messgae for end user that page reload is required after regeneration of appliance certificate
  • NC-11792 [Base System] Webadmin accepts reserved port in configuration
  • NC-13205 [Base System] Change message for Certificate Authorities if CA is invalid
  • NC-14128 [Base System] SFM Device Monitor display 0 devices though 28 devices are added & sync in SFM
  • NC-15819 [Base System] HA (A-P) garner dead on primary appliance
  • NC-16306 [Base System] OpenSSL update to 1.0.2k
  • NC-16660 [Base System] CCL details XML information not displaying for Sandbox Events on System Service > Log Settings
  • NC-18173 [Base System] CLONE - Column filter is not working for all labels at sandstorm log viewer
  • NC-19521 [Base System] Framework Failed: Unable to fetch interfaces from DB(backup/restore)
  • NC-19642 [Base System] Apache httpd vulnerabilties (CVE-2017-3169, CVE-2017-7679)
  • NC-21583 [Base System] Up2date patterns status is shown as "Failed" in 16.05 MR7
  • NC-14667 [Certificates] Not able to upload cert without private key
  • NC-21201 [Clientless Access(HTTP/HTTPS), Framework(UI)] HTTP/HTTPS bookmarks offer option "Automatic Login" which does not work
  • NC-18689 [Documentation] Improve Email MTA mode relay settings in online help
  • NC-14330 [Firewall] VLAN interface is missing for hotspot configuration
  • NC-15575 [Firewall] Traffic on port 443 is intercepted by the proxy even though WebProxy is not enabled
  • NC-15631 [Firewall] IPSEC VPN disconnects when changes are made to object names used in the config
  • NC-15775 [Firewall] Invalid logs for ipv4 tcp and udp not display in logviewer
  • NC-15984 [Firewall] Firewall logs: message column should be display "-" for anything other than invalid traffic
  • NC-19359 [Firewall] Firewall rule does not work if more than 255 SNAT rules are used
  • NC-19715 [Firewall] Label is misleading in SMTP business policy profile
  • NC-20768 [Firewall] Typo in Display Filter of Packet Capture
  • NC-20792 [Firewall] HA (active-active) auxiliary node goes into fail safe mode
  • NC-12971 [Firmware Management] Backup & Firmware page - column title and value mismatch
  • NC-16026 [IPsec] StrongSwan IPSec reacts slow on disconnect events
  • NC-13893 [License] Redirected license page shows invalid massage while click on initiate sync button after registration success
  • NC-14425 [License] Strange characters in license agreement
  • NC-20782 [Logging] Cannot filter for 'Web Server Name' in Logviewer
  • NC-11496 [Mail Proxy] MTA not trying next IP host & recipient if server abruptly close connection after 4xx
  • NC-15201 [Mail Proxy] API Sample configuration missing for MTA
  • NC-16770 [Mail Proxy] MTA filters should not be visible in legacy mode and vise-versa
  • NC-21438 [Mail Proxy] XG not connecting to the correct mail servers if MX has multiple entries
  • NC-21566 [Mail Proxy] Inbound emails stopped in legacy mode after upgrade to 16.05 MR-7
  • NC-4519 [Network Services] DHCPv6 interface does not get IP address when multiple DHCPv6 interfaces are enabled
  • NC-10402 [Network Services] DHCP Relay is not working when VLAN is configured over LAG
  • NC-13948 [Network Services] Device boots in fail safe mode upon reboot when DNS static host configured on alias IP assigned from RA client
  • NC-14009 [Network Services] Dhcpserver and dhcprelay can be configured on same interface
  • NC-14421 [Network Services] DNS lookup via GUI does not work with top level domain ".network"
  • NC-16998 [Network Services] It's possible to create a DHCP server without interface
  • NC-17758 [Network Services] Unexpected DHCP broadcast forwarding
  • NC-19984 [Network Services] Upgrade might cause XG to drop packets on DHCP requests when DHCP relay is enabled
  • NC-13328 [Networking] Import failed if configuration contains interface dhcpv6 IP only
  • NC-13575 [Networking] Server side and client side validation mismatch for DNSHostEntry
  • NC-13577 [Networking] Server side and client side validation mismatch for DNS Configuration
  • NC-13671 [Networking] API help for Traffic Shaping Policy is not available
  • NC-20633 [Networking] DHCP lease issue when VLAN 100 configured over LAG
  • NC-21228 [Networking] Invalid links in network connection section in wizard
  • NC-21229 [Networking] Ports are not configurable on registration pages Pop Up in case of standalone
  • NC-5811 [RED] [RED] Fix RED10 kernel module locking
  • NC-19844 [RED] RED server does not restart on force tls 1.2 switch
  • NC-20763 [RED] RED15w does not send split DNS traffic over RED tunnel
  • NC-21424 [Reporting] Control Center reports are displayed with delay
  • NC-6756 [Routing] Although 'redistribute static routes' is enabled, static routes not getting reflected on other device
  • NC-16533 [Routing] IP family wise gateway host validation is not done while adding policy route via API
  • NC-16614 [Routing] IP family wise service validation is not done while adding policy route via API
  • NC-13000 [SecurityHeartbeat] Wizard run & HA disable failed after configure Missing Heartbeat Zones in security heartbeat
  • NC-13480 [SecurityHeartbeat] Heartbeat using 100% CPU
  • NC-13538 [SecurityHeartbeat] Improve Control Center page for IE
  • NC-16599 [SecurityHeartbeat] Crash of heartbeatd after "Broken Pipe"
  • NC-17916 [SecurityHeartbeat] Crash of heartbeatd, when receiving messages without payload
  • NC-10230 [SSLVPN] [SSLVPN] script not found when creating a remote access tunnel
  • NC-11848 [UI] Firewall reorder is not functioning properly if rules are expanded while doing reorder
  • NC-13323 [VPN] Use Policy "DefaultL2TP" as default for L2TP configuration
  • NC-13716 [WAF] Change error message for missing HTML template in authentication templates
  • NC-13958 [WAF] "wafgr[...] failed to convert ruleid to integer: - is not a decimal number" in syslog.log
  • NC-19900 [WAF] libexpat.so.1: cannot open shared object file
  • NC-9312 [Web] Sent Bytes= 0 in 'content filtering' type syslog logs
  • NC-10823 [Firewall, Web] Traffic not pass through auxiliary appliance when using action "Warn"
  • NC-14090 [Web] Web>Protection>Action column doesn't fit for long captions
  • NC-14336 [Web] Segfault in httpproxy when upstream proxy and no LAN port
  • NC-15024 [Web] File type "Compressed Files" does not include rar due to TFT mapping
  • NC-15039 [Web] ACL checks for category do not happen when there's no response body
  • NC-16379 [Web] Sometimes awarrenhttp coredumps on exit
  • NC-16619 [Web] Fix headers when sending to upstream proxy
  • NC-16816 [Web] Chunked responses with real-time do not stop writing to disk when avscanlimit is exceeded
  • NC-17020 [Web] Proxy waits for timeout when server connection is invalidated by firewall
  • NC-17062 [Web] FTP connection fails when using FTP Proxy
  • NC-19418 [Web] Custom category with keyword in list is applied to all groups and users
  • NC-19497 [Web] System log continuously logging 'Unknown protocol traffic is denied. Disable "Block unrecognized SSL protocols"
  • NC-19569 [Web] QoS on application category not working
  • NC-19982 [Web] Web Proxy is restarting and segfault
  • NC-20050 [Web] Snap-chat does not work properly with Web Proxy
  • NC-20122 [Web] Date & time under nasm.log is not in sync with system date & time
  • NC-20833 [Web] Segfault within NTLM authentication
  • NC-21279 [Web] Web Proxy Segfault and Assertion
  • NC-20756 [Wireless] AP being placed in inactive state

Download Links

Please use the download links for later versions.

Thank you very much in advance for your effort and your cooperation!

Happy testing