Welcome to XG Firewall v17.5 Early Access

Welcome to our Early Access Program for Sophos XG Firewall v17.5!

We are glad to have you on board, because your feedback will help us make the new release simply better. Your experiences with Sophos XG Firewall itself and with many different customer installations in the field will be a real benefit on our way to create a reliable SFOS v17.5 with useful new features!

Firmware and Installer download links

XG 85(w) HW-17.5.0_Beta-2.SF110-280.gpg
XG/SG 105(w) HW-17.5.0_Beta-2.SF210-280.gpg
other XG/SG appliances HW-17.5.0_Beta-2.SF300-280.gpg

Please find the complete list of installers and updates at Download Links - 17.5 EAP1 build 280 firmware and installers.pdf

How to update

Please find instructions on how to update in this KB article

What's New in XG Firewall v17.5

Here’s a quick overview of the key new features in v17.5. For a more detailed description please refer to Sophos-XG-firewall-v17.5-whats-new.pdf

Lateral Movement Protection

extends our Security Heartbeat automated threat isolation to prevent any threat from moving laterally or spreading across the network, even on the same subnet. The firewall instructs all healthy endpoints to completely isolate any unhealthy endpoints.

Synchronized User ID

utilizes Security Heartbeat™ to greatly streamline authentication for user-based policy enforcement and reporting in any Active Domain network by eliminating the need for any kind of server or client agent.

Education Features

such as per-user policy-based control over SafeSearch and YouTube restrictions, teacher enabled block-page overrides, and Chromebook authentication support

Email Features

adds Sender Policy Framework (SPF) anti-spoofing protection and a new MTA based on Exim which closes a couple of top requested feature differences with SG Firewall.

IPS Protection

is enhanced with greatly expanded categories enabling you to better optimize your performance and protection.

Management Enhancements

including enhanced firewall rule grouping with automatic group assignment, a custom column selection for the log viewer; And revamped online help with learning content approach

VPN and SD-WAN Failover and Failback

including new IPSec failover and failback controls and SD-WAN link failback options.

Client Authentication

gets a major update with a variety of new enhancements such as per-machine deployment, a logout option, support for wake from sleep, and MAC address sharing.

Sophos Connect

is our new IPSec VPN Client that’s free for all XG Firewall customers that makes remote VPN easy for users and supports Synchronized Security.

 

In addition, coming in a following Maintenance Release we have:

Wireless APX Access Point Support

provides support for the new Wave 2 access points providing faster connectivity and added scalability.

Airgap Support

for deployments where XG Firewall can’t get updates automatically via an internet connection (due to an “airgap” or physical isolation) – XG Firewall can now be updated via USB.

Sophos Central Management of XG Firewall

With v17.5, XG Firewall is also joining Sophos Central.  The Early Access Program for Sophos Central Management of XG Firewall is expected to start soon.

You will be able to manage XG Firewall from within Sophos Central along with all your other Sophos Central products.  And there’s a few great new features coming along with Sophos Central Management of XG Firewall:

  • Secure access and management with single-sign-on through Sophos Central from anywhere
  • Backup management and storage for your regularly scheduled firewall backups
  • Firmware update management to make multiple firewall updates easy
  • Light-touch deployment to enable easy remote setup of a new Firewall

A feature is not working as expected? You have found a bug?

Please post it in this forum with a detailed description and - if possible - with some details how our team can reproduce the behaviour. To increase readability we would like to ask you to use one post per issue.

Our engineering teams check the forum on a regular base.

Issues Resolved in EAP0 (17.5.0.257)

  • NC-29648 [Base System] If Default CA is not configured, Generate CSR option should be disabled
  • NC-29906 [Base System] Unable to edit NTP server when 10 servers are configured
  • NC-30497 [Base System] [VMware] SFOS Guest OS detail shows wrong/missing
  • NC-30635 [Base System] Missing focus after closing dialog when editing default certificate
  • NC-31010 [Base System] Configuration import running into timeout on SG/XG 100 series appliances
  • NC-31100 [Base System] Upgrade notification pop-up does not work in some cases
  • NC-35536 [Base System] OpenSSL - “Denial of service during forward secrecy setup” (CVE-2018-0732)
  • NC-34154 [Clientless Access] Unable to connect RDP type bookmark with NLA
  • NC-34803 [Email] Possible denial-of-service due to secure client-initiated renegotiation
  • NC-35175 [Email] Sophos XG is not adding received-by header as per RFC 5321
  • NC-35256 [Email] Invalid XML is generated for Email -> General Settings -> Blocked Senders
  • NC-35915 [Email] "POP-IMAP Scanning" policy generated XML does not contain information of filter criteria "Source IP/Network Address"
  • NC-26440 [Firewall] Firewall rule dropping traffic when there is no user identity attached to the rule
  • NC-30989 [Firewall] CVE-2018-8897: Don't use IST entry for #BP stack
  • NC-31282 [Firewall] Firewall rule group entity name not sent to SFM upon insert/update/delete
  • NC-22889 [Hardware] XG85: poweroff command reboots the device instead of shutting it down
  • NC-21909 [IPsec] Do not show empty-value-warning on page entry
  • NC-30319 [IPsec] Backup fails import when containing IPv6 remotes
  • NC-30462 [IPsec] Site-to-Site connection not initiated after DHCPv6 interface update
  • NC-30618 [IPsec] New virtual IP on every Phase 1 rekey even though client requests same IP
  • NC-30794 [IPsec] NAT checkbox is always enabled in IE11
  • NC-30796 [IPsec] Local gateway selection shows invalid interface in IE11
  • NC-33410 [IPsec] VPN Connection Status shows 'Any' on both sides even when configured only on one side
  • NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
  • NC-25714 [Logging] Firewall rule ID in log viewer not linking to actual rule anymore
  • NC-29974 [Network Services] Disconnect PPPoE interface doesn't update corresponding interface based DNS static entry
  • NC-30753 [Network Services] DGD service in stopped state and segmentation fault
  • NC-33876 [Network Services] IPset command shows wrong information for wildcard and FQDN Host
  • NC-30483 [Networking] Port and IP address may show "undefined" in WAN Link Manager "Failover Rules"
  • NC-30493 [Networking] Link status not updated in WAN Link Manager when RA client has no IP address
  • NC-30544 [Networking] Full and selective configuration import fails when bridge innterface configured in WAN zone
  • NC-31399 [Networking] Full backup import fails when bridge member interface is LAG
  • NC-33628 [Networking] LAG mode related configuration missing on configuration export
  • NC-34573 [Networking] Configuration changes of CFM not propagated to XG
  • NC-20785 [Reporting] PDF export of reports taking much time or failing completely
  • NC-26459 [Reporting, UI Framework] Reports for "Traffic Insight" not shown on dashboard
  • NC-29573 [Reporting] Sending of scheduled reports does not consider changes of daylight saving time
  • NC-31243 [Reporting] Table headers in reports span two lines and cannot be seen
  • NC-32490 [Reporting] Unable to click "PDF", "CSV", "Bookmark" or "Schedule" under "Report > Applicazioni & Web" when WebAdmin language is Italian
  • NC-28206 [SecurityHeartbeat] Heartbeat deamon does not handle all allowed MAC address formats correctly
  • NC-32459 [SecurityHeartbeat] Endpoint name in StoneWall message
  • NC-32580 [SecurityHeartbeat] Extend StoneWall protocols/messages
  • NC-34169 [SSLVPN] Fail to access SSLVPN (site-to-site) page after any tunnel modification
  • NC-30984 [Synchronized App Control] [SAC] improve usability
  • NC-30987 [Synchronized App Control] [SAC] no action "acknowledge" for acknowledged apps
  • NC-30988 [Synchronized App Control] [SAC] filter with deleted apps should be last in the dropdown field
  • NC-28064 [WAF] Form hardening sets block-reason only in case of GET requests
  • NC-25805 [Web] Handle non-compliant HTTP status code 999
  • NC-27519 [Web] Proxy continues to download files in batch mode even if client closes connection
  • NC-28851 [Web] Default Web policies contain duplicate rules
  • NC-29305 [Web] "Expect" header not handled correctly
  • NC-31837 [Web] Add "alert.hitmanpro.com" to proxy bypass list
  • NC-33650 [Web] Enabling web content cache for Sophos Updates blocks further updates

Issue Resolved in EAP1 (17.5.0.280)

  • NC-32763 [Authentication] Importing users with .csv file having usernames with Thai characters creates junk character
  • NC-34340 [Authentication] Users not getting authenticated via Radius SSO
  • NC-37091 [Authentication] Show error when Chromebook SSO is not configured correctly
  • NC-37300 [Authentication] Create FQDN Hosts and Groups for Chromebook
  • NC-38381 [Authentication] "Record does not exist" error when trying to open created LDAP server
  • NC-36185 [Azure] Upgrade Linux VM Agent
  • NC-38176 [Base System] garner memory corruption affecting RED
  • NC-38471 [Base System] EULA not shown on GUI on Azure
  • NC-38473 [Base System] Reading of /proc/timer_list file leads to NMI watchdog soft lockups
  • NC-31499 [Email] Unable to send .eml attachments to specific domain
  • NC-32682 [Email] SPX generates password for same email recipient in different case
  • NC-32690 [Email] SPX encryption corrupting attachments by adding line breaks
  • NC-32754 [Email] XG not able to insert spool query
  • NC-33360 [Email] Add missing header fields in notification emails
  • NC-33391 [Email] Quarantine digest and released emails not sent
  • NC-33977 [Email] Unable to release unscannable quarantined emails
  • NC-34450 [Email] Fail to send email notifications
  • NC-35494 [Email]  UI hangs when user selects specific date on SMTP quarantine page
  • NC-36612 [Email] Cross version import/export not working for exception policy
  • NC-37849 [Email] Console command 'subsystem-info' shows awarrensmtp and smtpd service with same name
  • NC-37945 [Email] Scanner crash on low end devices due to high number of forwarders
  • NC-38005 [Email] Improper IP reputation reject status message in mail log
  • NC-38013 [Email] Typo in Authentication Relay drop message
  • NC-38015 [Email]  Emails moved to error queue when header part is big
  • NC-38021 [Email] Return-Path/Reply-To header ignored while sending failure notifications
  • NC-38252 [Email] Add support of email based routing and RBL scanning
  • NC-38257 [Email] No reason logged in mail logs for mails dropped due to file filter
  • NC-38297 [Email] Improper label in exception policy at device level from SFM
  • NC-38312 [Email] SFM pushes exception policy to firewalls even in legacy mode
  • NC-38391 [Email] Core dump in mail scanner
  • NC-38392 [Email]  Notifications are logged with '0 bytes' in MailLogs
  • NC-38501 [Email] SPX fails to encrypt on hardware appliances when SPX reply portal is enabled template
  • NC-39024 [Email] Do not allow multi use for port 587
  • NC-32530 [Firewall] Post-Authentication SQL injection in Firewall User Interface
  • NC-34612 [Firewall] Appliance frequently rebooting when having IPv6 permitted networks for remote access SSLVPN
  • NC-34675 [Firewall] Live connections page not showing connection list
  • NC-35656 [Firewall] Internet access being lost, SFOS consuming all memory.
  • NC-35660 [Firewall] MAC address missing in export of MAC list having only one list member
  • NC-37274 [Firewall] SMTP MTA mode does not support TCP port 587
  • NC-37760 [Firewall] Misleading message when adding rule using automatic grouping and group has already 200 rules
  • NC-37992 [Firewall] Transferred data not shown in firewall rules when reaching tera bytes
  • NC-36318 [IPS, SFM-SCFM] Application filter policy rule not containing any application being pushed from SFM is not applied on SF
  • NC-36565 [IPS] Category replacement not working on export/import
  • NC-38347 [IPS] Category based IPS policy import not mapping to Talos categories
  • NC-30016 [IPsec] Merged IKE gets deleted when one connection is disabled in UI
  • NC-32269 [IPsec] GRE traffic forwarded through WAN interface after HA failover event
  • NC-34131 [IPsec] L2TP still connects after user was disabled
  • NC-38310 [IPsec] IPsec site-to-site tunnel not established with Cisco ASA and gateway type "Initiate the connection"
  • NC-39059 [Localization] Using "state" causes mistranslations
  • NC-36455 [Networking] WWAN is not connected automatically at boot time if the primary WAN link is disconnected/down
  • NC-36720 [Networking] Traffic might flow via backup gateway even hard gateway failback configured
  • NC-34149 [nSXLd] Keywords are not deleted when custom web category is deleted
  • NC-37809 [nSXLd] Proxy authentication is not cleared after config reload
  • NC-38125 [SSLVPN] Unable to edit SSLVPN (remote access) page
  • NC-35500 [UI Framework] Apache service start fails if webadmin certificate passphrase having single quote character
  • NC-35682 [WAF] Unable  to edit and load business app rule for WAF
  • NC-37178 [Web] Name should not be pre-filled while creating new overrides
  • NC-37179 [Web] Improve UI for adding website domains to an Application Override
  • I see mention to the garner memory issue being resolved for a RED - but has it been resolved on the firewall? With 17.1.3 I was still having the admin interface hang after login, and run very slugging which I believed to be the garner memory issue. Only resolution was reboot (or escalate and have GED implement a fix). Even restarting the garner server (service garner:restart -ds nosync) would not resolve the issue.

    This was across multiple hardware firewalls.

    Other than that, all looks good.

    Ryan

  • I faced one small (but nasty) issue so far. After upgrade to 17.5 Beta, Avira Pattern are not downloaded automatically.

    This means if Email Protection is used, and Malware Scanning is set to DualAV or Avira, then those Mails are not getting deliverd (because AV failed).

    I faced this issue on 2 Testmachines so far...

  • In reply to HuberChristian:

    Hi thank you for your report,

    The new Avira patterns are not compatible with previous releases. New full Avira pattern download takes a few mins to download and function. In that time mails get held in the spool and web traffic gets blocked if you configured dual AV.
     
    Emails will stay in spool and get delivered after Avira reloads.
     
    If this is not the behaviour you are seeing please do come back to us.
     
  • In reply to Thomas the tank engine:

    Thanks for reporting this in Ryan. To confirm are you experiencing the admin interface slowdown (garner memory issue) with this 17.5 EAP release? 

  • Hi, after updating to this early release I am still seeing inconsistent display of the traffic insight widgets/components on the dashboard.  Supposedly this was addressed in NC-26459 [Reporting, UI Framework] Reports for "Traffic Insight" not shown on dashboard

     

    Thanks

    Dave

  • In reply to dakster:

    Hi,

    I have been looking of the NTP server as mentioned here so I can point my devices at the firewall and remove the ntp rule.

    • NC-29906 [Base System] Unable to edit NTP server when 10 servers are 

     

    but I suspect it is labelled incorrectly and should be Time?

    Ian

  • In reply to rfcat_vk:

    I was under the impression that STAS was replaced in v17.5 yet there is still a tab for it.

    Ian

  • In reply to Thomas the tank engine:

    Hi Ryan,

    Thank you for the feedback.

    We would need access of the appliance for the further debugging.

    Contacting to you on PM.

     

    Regards,

    Deepti

  • In reply to rfcat_vk:

    Replaced...as in?! - haven't heard of it :-)

     

    EDIT: Ahh because of this: community.sophos.com/.../388112

  • In reply to deeptibhavsar:

    Not on 17.5 no (I've not rolled it out to customers, just development). I was just asking if you believe it is fixed in 17.5 as the only mention in the release notes relate to a RED device (having garner memory resolved).

     

    Thanks

    Ryan (choo choo)

  • In reply to rfcat_vk:

    Hi Ian,

    It will not be replaced overall but the Synchronised User ID for Central Customers is designed to be used instead of STAS.

    STAS and/or NTLM must still be used for non Central customers.

    Emile

  • In reply to Thomas the tank engine:

    Hi Ryan, just confirmed that both issue related to garner memory problems have been resolved in this EAP release.  Thanks

  • how to get the sophos central worked as i enable it and register the device but can not find it on sophos central 

  • In reply to MarcKamel:

    Hi Marc,

    Central management is not released yet pending an update to the Central Dashboard which dhould be released soon.

    Emile

  • Installed SFOS 17.5.0 Beta-2 on a XG105W Appliance.  It looks like Sophos Dynamic DNS is not functioning correctly.  I get a message that the DDNS Failed the Update and that service unavailable.

    A pretty basic setup with this firewall, so far everything else has been working good.