Hi XG Community!

We've finished SFOS v17.0.2 MR2. This release is available from within your device for all SFOS v17.0 MR1 installations as of now.

Besides that, the release is available to all SFOS versions via the MySophos portal.

Issues Resolved

  • NC-22609 [Access] Unable to import groups inside multiple OUs from AD
  • NC-19427 [API] Wrong date in validationError.log
  • NC-22394 [Authentication] User Portal login is logged as SSL VPN login
  • NC-22769 [Authentication] When importing from AD, the name of OUs which are inherited by multiple OUs and groups is not shown correctly
  • NC-23112 [Authentication] Authentication Agent - getting logged out automatically at random time
  • NC-19665 [Backup-Restore] Downloading backup creates Java exceptions
  • NC-21785 [Base System] Wizard UI Improvements
  • NC-22229 [Base System] SG115: pressing power off button does not shutdown appliance
  • NC-22574 [Base System] Control center misleadingly shows notification of new firmware availability for few minutes after firmware upgrade
  • NC-22631 [Base System] Typo in fwinstaller
  • NC-22688 [Base System, Certificates] Missing QuoVadis Root Certificate
  • NC-22771 [Base System] Export of 16.5 MR8 and import into v17.0 GA fails for configs without hostname
  • NC-22780 [Base System] Migration from CR to SF failed on CR500ia-10F appliance
  • NC-22911 [Base System] Blank screen is displayed when user synchronizes license after successful registration
  • NC-25573 [Base System] Users cannot activate license keys from SFOS
  • NC-22354 [Certificates] Passphrase box disappears after trying to upload a CA with private-key after upload fails
  • NC-22734 [Clientless Access] HTML5 VPN: keyboard input not working on Android devices
  • NC-22751 [Documentation] Japanese translation for LogViewer missing
  • NC-17413 [Firewall] Business rules created with device destined IP address can't be blocked with network rules
  • NC-20602 [Firewall] Incorrect validation for local acl and zone where HTTPS is disabled from current login zone
  • NC-21180 [Firewall] Add "Action" column to firewall rule grouping
  • NC-21897 [Firewall] Import/Export of firewall rule with dependent entity fails when a VLAN is configured on WAN
  • NC-22219 [Firewall] Issue with SNAT policy with multiple gateways
  • NC-22557 [Firewall] Service edit option not working in specific case
  • NC-22670 [Firewall] Unable to create RED interface
  • NC-22923 [Firewall] Hostset ERROR: XG stopped Responding
  • NC-22932 [Firewall] Export/Import fails for every entity after exporting Security Policy entity
  • NC-22946 [Firewall] Typo in SF API documentation for IP host object
  • NC-22958 [Firewall, SFM-SCFM] SFM Compatibility v17: DNAT rule cannot be updated in some combinations of forward type
  • NC-22982 [Firewall] Incorrect position of firewall rule name in Firefox
  • NC-22424 [Framework(UI)] Close notification button does not work properly
  • NC-22917 [Framework(UI)] Information icon does not show any info text in authentication page
  • NC-21856 [IPS] In AppFilter policy smart filter values are still displayed after removal
  • NC-22448 [IPS] Custom IPS signature not working for all keywords supported by Snort
  • NC-22753 [IPS] Application filter is not updated when there is no application matching smart filter
  • NC-22834 [IPS] Application Filter Policy: All application is showing while editing through firewall rule with "selected individual application"
  • NC-22382 [IPsec] IPsec UI allows configuration of an incompatible policy, resulting in a silent DPD action change in the backend
  • NC-22383 [IPsec] Typo in IPsec policy list: 'Action on Active Peer'
  • NC-22489 [IPsec] Incorrect IP routes added for local VPN traffic in case of NAT over IPsec
  • NC-22502 [IPsec] IPsec PSK secrets files do not contain local VPN IP
  • NC-22620 [IPsec] DGD can not be disabled
  • NC-22622 [IPsec] 'Remote ID' value shows blank on UI for IPSEC connection when external cert is used
  • NC-22633 [IPsec] Activate on save tries to connect to respond only connections
  • NC-22793 [IPsec] Cisco VPN connection with cert auth not working on iOS using config from userportal
  • NC-22888 [IPsec] IPsec S2S tunnel with PSK and local/remote ids not working
  • NC-22892 [IPsec] Aggressive mode IPsec policies are not filtered correctly in UI
  • NC-22900 [IPsec] Cannot create 2 IPsec RSA connections with same local id to different remote gateways
  • NC-22914 [IPsec] Connection status for DGD IPsec connections is not shown correctly
  • NC-23035 [IPsec] DGD table locked - postgres has returned errcode 25P02
  • NC-23125 [IPsec] "Randomize Re-Keying Margin by" - When setting the value to 0%, UI displays 100% after saving the policy
  • NC-23186 [IPsec] IPsec status not displayed when too many SAs are established
  • NC-22549 [Logging] Sandstorm logo displayed in RED for reason "eligible","pending" & "Cloud Malicious"
  • NC-22745 [Logging] Port and protocol information are missing in LogViewer standard view and filter
  • NC-15612 [Mail Proxy] Update DLP engine and CCL data
  • NC-19881 [Mail Proxy] Whitelist and blacklist for e-mail/domains in WebAdmin
  • NC-21366 [Mail Proxy] Spam e-mails pass due to error " X-CTCH-Error: Unable to connect local ctasd"
  • NC-21437 [Mail Proxy] Mail addresses with "systems" or "solutions" as top level domain cannot be added in address groups
  • NC-21671 [Mail Proxy] Message is not displayed properly in LogViewer
  • NC-21891 [Mail Proxy] Spam headers displayed in e-mail when sent through reply portal
  • NC-22271 [Mail Proxy] Issues with mails in spool marked with a firewall ID
  • NC-22921 [Mail Proxy] Email flow is affected for recipients using TLS1.0
  • NC-25332 [Mail Proxy] awarrenmta service segfaults when IP reputation is enabled
  • NC-22504 [Network Services] Unable to assign two static IP mappings for the same host in different DHCP scopes
  • NC-22163 [Networking] OSPF Neighbors not updated on changing multicast group limit
  • NC-22539 [Networking] Fails to add VLAN when specific DHCP server configuration is migrated
  • NC-22662 [Networking] Unable to make changes in WAN Link Manager for an interface with /31 subnet
  • NC-21952 [RED] Site-to-Site RED tunnel between XG and UTM does not pass traffic with hardware acceleration enabled
  • NC-22433 [RED] Generating certificates fails when long company name is used
  • NC-22174 [Reporting] Missing size verification on custom logo for on-box reporting
  • NC-22819 [Reporting] Application reports stop working after enabling Sync App Control
  • NC-22853 [Reporting] Drill down is not working in mail report when "Mail Count" is selected as sortby
  • NC-22868 [Reporting] Font style mismatch
  • NC-22364 [SecurityHeartbeat] EP_Certificates table not available error
  • NC-22778 [SecurityHeartbeat] Heartbeat registration fails with appliance in HA
  • NC-22151 [SSLVPN] When using special character in Appliance Certificate, SSL VPN connection fails
  • NC-22116 [Synchronized App Control] Last occurrence time of applications in SAC is not consistent between HA nodes
  • NC-22384 [Synchronized App Control] After de-registration of Heartbeat enhancedappctrl service is still running
  • NC-22440 [Synchronized App Control] Sort list of categories in SAC customize menu
  • NC-22766 [Synchronized App Control] Path of a customized app is shortened in SAC customize popup when app path contains slashes
  • NC-22768 [Synchronized App Control] Uncategorized category is shown twice in the SAC customize popup
  • NC-22813 [Synchronized App Control] Fixed height for SAC data table
  • NC-22824 [Synchronized App Control] EP name with special character is not displayed correctly for macOS in SAC list
  • NC-22962 [Synchronized App Control] Show category in SAC app list
  • NC-22544 [UI] Incorrect start time displayed in Live Users list
  • NC-22576 [UI] Disclaimer message is shown without line breaks
  • NC-25275 [UI] Internet usage time displayed "NaN:NaN" value in Live Users list
  • NC-22319 [WAF] "Edit Reverse Authentication" dialog contains untranslatable strings
  • NC-22521 [WAF] Leftover of shm files cause a WAF restart loop
  • NC-21534 [Web] Certificate error on accessing sites with https scanning enabled
  • NC-21930 [Web] Incorrect Error message on Captive Portal when the user exceeds the number of simultaneous logins
  • NC-22023 [Web] Word list files with non-UTF8 or whitespace-only should not be uploaded successfully
  • NC-22124 [Web] Web Policy rule is converted to "AllWebTraffic" when adding more than one backslash character in the rule
  • NC-22125 [Web] When maximum limit is reached, web exceptions cannot be updated anymore
  • NC-22403 [Web] Certificate Error while accessing Outlook with direct proxy
  • NC-22653 [Web] Policy Tester does not display backslash in policy name correctly
  • NC-22721 [Web] AVD dies unpredictably when it runs out of memory
  • NC-22800 [Web] AVD stability fixes
  • NC-22930 [Web] Server side rbuf not reset for reused request
  • NC-22954 [Web] Access to Custom Captive Portal does not work
  • NC-23156 [Web] Not able to access any websites due to malformed ATP data update
  • NC-23163 [Web] Font color for Initial Setup Wizard changes
  • NC-12089 [Wireless] Unable to edit alias of "GuestAP" interface
  • NC-19166 [Wireless] SSID disappears randomly with Dynamic Channel Selection
  • NC-20761 [Wireless] Wireless Client List shows wrong IP address after network change
  • NC-21369 [Wireless] VLAN and non VLAN SSIDs can't be selected at the same time for RED15w
  • NC-22358 [Wireless] SSID is not broadcasted from time to time
  • NC-22852 [Wireless] Wireless network interface status states being unplugged

Downloads

You can find the firmware for your appliance in the MySophos portal.

  • Sophos, my XG is back in MR2 as after a power loss it booted back. Apparently, selecting the firmware from the console at startup does not set it as the default. At any rate, the device is in MR 2 and I'm still experiencing the "Internal Server Error" upon logging into the web interface. Is there a fix for this problem with MR2? If so, let's get it done today please - 207-992-5564. To your point of being on the recommended patch, it toasted the web admin interface and your support folks were unable to address the issue. There are 3k computers behind this FW and it's located off site. Each time I have to reboot it, I have to schedule it. Part of the problem with your patches, and the attitude about the problems you cause when you release them, is that you fail to realize that people have sunk a significant amount of money into these devices. You're not just patching home users' hobby boxes, you're patching production units that cost tens of thousands of dollars. Sophos may be a good firewall for home users, but it's a really bad choice for a production environment. You're releasing patches that break important mission critical functionality, authentication, web admin, VPN. You release features that don't work, such as keyword filtering. This is the third "corporate" firewall that I've managed and is by far the worst in terms of functionality and support. I really should have gone with my gut feeling and sent this thing back when I had the chance. With all of that said, my FW is running on your recommended firmware, please fix the web admin interface so that I can manage my firewall rules.

  • Apparently, SSL VPN is broken after upgrading to MR2. It worked for the first few hours but now all SSL VPN clients are unable to get the local IP address. PPTP VPN is still working but I am still dealing with the Mail Flow issue that was not corrected in MR2 as per the Release Notes.

  • Thanks for the feedback regarding the issues you're experiencing with VPN. Could you all please raise a case with our Sophos Support team via our webform, chat, phone or SophServ with as much detail as possible and the following logs:

    strongswan.log in DEBUG mode

    strongswan_migration.log

    postgres.log

    garner.log

    charon.log

    migration.log

    Information on where logs can be found (community.sophos.com/.../123185).

    Once you get the case number, please let me know by responding back to this blog post or via private message and I'll inform the support team to look at it right away.

      Sophos 17.0.2 MR2 is the recommended version that all customers should be on. The Sophos Support engineer you spoke with mis-interpreted the senior engineer's response. He will be reaching out to you today to continue working on your case.

  • still waiting to set option to allow hostname in quarantine report

  • From Sophos Support:  

    "Sophos Support

    4:20 PM (15 hours ago)

    to me

    Hello Mark:

    I have been informed that there have been some issues with V17 MR2 and it was suggested to hold off on recommending people update."