Hi XG Community!

We've finished SFOS v16.05.5 MR5. This release is available from within your device for all SFOS v16.05 installations as of now and will increase the group in a few days.

The release is available to all SFOS version via MySophos portal.

Issues Resolved

NC-14549 [API] Unable to delete a web policy
NC-16612 [API] Can not configure second WAN link on any physical interface
NC-17948 [API] Getting different autogenerated password for same guest user in HA (Primary and Auxiliary device)
NC-17955 [API] Unable to ping facebook.com from ping tool in the diagnostics page
NC-18595 [API] Issues with char encoding using Sophos API
NC-16205 [Authentication] First user login not registered with firewall
NC-17493 [Authentication] Radius authentication doesn't work for Webadmin login
NC-17767 [Authentication] AD users cannot login to userportal with samAccount name plus domain information in login
NC-18282 [Authentication] Client based SSO doesn't work
NC-18630 [Authentication] AD users email addresses will be cut if the email address contains more than 64 characters
NC-18940 [Authentication] access_server crash when multiple users log in at the same time
NC-18733 [Base System, License] UTM9 to SF – Eval to full license migration fails in one of two possible user flows
NC-13297 [Base System] Appliance certificate is invalid after import .xml file.
NC-16623 [Base System] Firmware install message shows "undefined" string instead of firmware display version on GUI
NC-16660 [Base System] CCL details XML information not displaying for Sandbox Events on System Service > Log Settings
NC-17339 [Base System] Hotspot with voucher and full customization can't be created
NC-17393 [Base System] Eval registration from a SG appliance results in multiple registration requests
NC-17545 [Base System] Interface names are not correct for 4-Port 10G module with CR200iNG-XP/CR300iNG-XP appliances
NC-17753 [Base System] User not displayed in correct format in log-viewer in case of email sandbox
NC-18497 [Base System] XG Home subscription - RAM in some corner cases gets Limited to 4GB than 6GB
NC-18830 [Base System] Appliance certificate's issuer CA not present resulting in not able to download SSL client from user portal
NC-3719 [Base System] VPN IPSec connection name length increase from 50 to 100
NC-8998 [Base System] During memtest from SFLoader, units don't reboot by pressing ESC button
NC-18485 [CR-to-CN_Migration] Migration failed from CR 10.6.5-050 to SF 16.05.3-MR3
NC-17334 [Certificates] Certificate Authority can not be deleted in specific scenario
NC-13570 [Clientless Access(HTTP/HTTPS)] Clientless Web Access: Site access issue with 'Restrict Web Application ON' in policy
NC-18639 [DDNS] IP not getting updated in case of NATed IP address using Sophos DDNS
NC-15754 [Date/Time Zone] Time Zone changes for Russia
NC-13855 [Firewall] CCL link not displaying for device access from group level and device level
NC-16484 [Firewall] Kernel Panic on 'IPSET -L' when host have more than 600 IPs
NC-16819 [Firewall] Device becomes inaccessible after deleting Business Policy rule
NC-17042 [Firewall] "Log Firewall Traffic" is unchecked in firewall rule but visible in log viewer
NC-17420 [Firewall] Unable to set proxy port as 80
NC-18425 [Firewall] In WAN to LAN rule firewall drop and reject doesn't work for HTTP and HTTPS traffic
NC-18618 [Firewall] Update of custom zone shows error "Record does not exist" on zone page when "Any" interface not bound with zone
NC-18844 [Firewall] Local ACL exception rule export-import fails
NC-18880 [Firewall] Existing iptables traffic redirection chains not removed when web proxy listening port is updated
NC-18709 [HA] All timers disabled in primary appliance (HA A-A )
NC-17806 [Hotspot] Voucher creation fails if the description includes ' or " sign
NC-17878 [Hotspot] Remove TLS v1.0 and DES/3DES/RC4 cipher algorithm from Hotspot login page
NC-16862 [IPS] Default CA blank because of company name more than chars(50)
NC-17561 [IPS] AWS Upload consumes 100% CPU and goes down only when IPS is disabled
NC-18617 [IPS] IPS restarting (sometimes) while enabling ATP or on ATP policy change
NC-18208 [License] License does not update in Auxiliary appliance in case of standalone in HA Active-Passive mode
NC-18521 [License] Unable to increase virtual cores after license upgrade
NC-11596 [Mail Proxy] Vulnerability fix for CVE-2011-1473
NC-17072 [Mail Proxy] SMTP DOS max Recipients exceeds limit
NC-17311 [Mail Proxy] File filter is not working if file name is very large (i.e. 1k)
NC-17738 [Mail Proxy] SPX encrypted PDF doesn't render properly in case of very long sender address
NC-17875 [Mail Proxy] SMTP service doesn't in MTA mode after switching back and forth between MTA and Legacy Mode multiple times
NC-18353 [Mail Proxy] Image file within compressed files not being allowed with white listing
NC-18493 [Mail Proxy] SMTP service (MTA mode) doesn't deliver mails when receiving and forwarding n/w are on different IP family (ipv4/ipv6)
NC-18548 [Mail Proxy] Sender notification not send when DPP action set as accept with SPX and SPX type as specified by recipient
NC-18869 [Mail Proxy] SF failing PCI compliance on port 25 due to MTA mode responding to RC4 ciphers
NC-18958 [Mail Proxy] System files are accessible to authenticated non-admin users
NC-17781 [Network Services] Static Mac-IP binding
NC-18696 [Network Services] 4G dongle(D-Link DWM-222) not detected
NC-12852 [Networking] DHCP Relay flood customer network
NC-18828 [RED] RED15 tunnel disconnect and data traffic is higher before disconnect
NC-17846 [Reporting] Not able to get reports in case of long email sender (>256)
NC-18769 [Reporting] Records for more than 256 character for sender/receiver should be properly displayed in PDF export
NC-17978 [SSLVPN] Unable to delete bridge interface when bridge host is used in SSL VPN Site to Site
NC-18424 [SSLVPN] SSLVPN Client fails to connect if certificate character has "ã" in the certificate attributes
NC-18885 [SSLVPN] Openvpn Denial of Service due to Exhaustion of Packet-ID counter (CVE-2017-7479)
NC-18265 [Sandstorm] SFM CCL: XML API changes missing for Sandstorm activity in System > Profiles > Device Access
NC-17391 [SupportAccess] SupportAccess: UMA sometimes sends "ApuPort 0" in WebadminResponse
NC-11775 [VPN] Import for selective configuration with "include dependent entity" failed
NC-18039 [VPN] IPSec services is restarting continuously
NC-17862 [WAF] Remote users accessing the site for the web server forwarded with WAF intermittently lose access to the site
NC-18923 [WAF] Segfault for HTTP1.0 requests when cookie rewriting is enabled
NC-18395 [Web] Not getting website category in custom message for unauthenticated blocks
NC-18620 [Wireless] Unable to change the encryption to TKIP or TKIP&AES, settings are reverted back to AES after saving
NC-18623 [Wireless] Wireless clients not able to authenticate after patches applied from NC-13982
NC-18628 [Wireless] Unable to change channel_width for an AP(5GHz) from cli
NC-18698 [Wireless] Internal AP in "W" models are broadcasting the incorrect case for country code
NC-18750 [Wireless] SSIDs are suddenly not broadcasted and connections are getting dropped
NC-18792 [Wireless] LocalWiFi - failed to configure IP address on Bridge to LAN interface if configuration is done immediately
NC-18960 [Wireless] Wireless network stops broadcasting on in-built Wifi Appliance models


You can find the firmware for your appliance from in MySophos portal.

  • SSL VPN is broken.  TCP 8443 does not respond

  • Hi, everyone, since i installed SFOS 16.05.5 MR5 RC on my XG135, I have some issue : cannot not acces to some website as linkedin. I have no web policy active.

    I 'm beginner, do you have some ideas? Thanks.

  • I got XG210 with the (SFOS 16.05.5 MR-5)

    The log viewer stop working when I went to "System Services->Log Setting" selected all and hit apply. looks like no logs recorded at all even in awarrenhttp.log?

    I was trying to call customer support, spend 45min on phone talk to guy from dispatch service to take my details and create a case number???

  • Can anyone tell me what these new variables are?  I have seen them since MR-4 and I am assuming since the VoIP issues are reported as fixed since MR-4 that these might have something to do with it?  They are found in the System Console "show ips_conf"

    var SEARCH_METHOD               hyperscan

    var SIP_STATUS          enabled

    var IGNORE_CALL_CHANNEL         enabled

  • There seems to be a new issue with the attachment filter in MTA mode: even with no documents selected for blocking it strips xlsx, docx and pptx.  The only solution appears to be turning off attachment filtering.