Hi XG Community!

We've released SFOS v17.5.10 MR10 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from the Licensing Portal. We will then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Note: Upgrading from this version (SF 17.5 MR10) to v18.0 GA-build339 is supported.

Issues Resolved

  • NC-46001 [Authentication] STAS is erroring out and causing high CPU load on E-Directory
  • NC-50521 [Authentication] User group assignment issue with LDAP users
  • NC-51881 [Authentication] CAA causing access_server to crash
  • NC-53730 [Dynamic Routing (PIM)] HA active/active appliance is duplicating multicast traffic
  • NC-50560 [Email] Restrict access to WEB-INF directory on port 8094
  • NC-37775 [Firewall] Configuring over 20 time schedulers on the various firewall rules is causing CSC freeze
  • NC-49976 [Firewall] NMI Backtraces & Device Hang in XG v17.5.7-MR7
  • NC-50176 [Firewall] DNAT with Range doesn't work as expected after reboot
  • NC-50713 [Firewall] Sophos Connect does not work with WebProxy and HTTPS traffic
  • NC-51632 [Firewall] Invalid traffic is sent to garner although syslog server is deleted
  • NC-51867 [Firewall] Denied firewall logs sent to garner for allowed firewall rule even if logging is disabled
  • NC-52395 [Firewall] Getting wrong username in admin event for firewall rule group name update
  • NC-52474 [Firewall] Incorrect error message displayed while creating "Email server" business rule with existing name
  • NC-55842 [Firewall] Local ACL Exception Rule not working for WebProxy
  • NC-46189 [Hotspot] Timeout received when generating lots of vouchers with QR code enabled
  • NC-50854 [Interface Management] Firefox: vertical scrolling is affected for network interfaces when 4 or more aliases are configured
  • NC-52056 [Interface Management] GRE Tunnel disabled state doesn't persist through a reboot
  • NC-54013 [IPS Ruleset Management] Unable to create backup via local, ftp or email
  • NC-44603 [IPsec] Default Microsoft Azure IPsec policy should use disconnect instead of re-initiate
  • NC-49919 [IPsec] DGD service stopped and unable to start
  • NC-51534 [IPsec] Allowed User is not treated as compulsory for Sophos Connect client configuration
  • NC-51887 [IPsec] Simultaneous login does not work for Sophos Connect IPsec client
  • NC-52701 [IPsec] IPsec tunnel is not reinitiated when XG rekeys IKEv1 session in aggressive mode with certificate
  • NC-50239 [Network Utils] Internet connection gets lost when backup job (storagecraft) is running
  • NC-52986 [nSXLd] Web categorization failed and nSXLD coredump
  • NC-49339 [Policy Routing] Traceroute is answered with IP addresses from different port
  • NC-44880 [RED] XG Site to Site RED Tunnel disconnects randomly and does not reconnect until we restart RED service
  • NC-46758 [RED] REDS2 interface is showing blank IP address in hosted server details for WAF
  • NC-47109 [RED] When customer boots 17.5 MR5 it goes into fail-safe mode because it failed to start RED service
  • NC-49527 [RED] FQDN host appearing as IP host in RED configuration - split network
  • NC-50148 [RED] XG85 /tmp partition fills up
  • NC-47526 [Sandstorm] During Sandstorm scanning, web UI session to the XG gets expired
  • NC-43224 [Synchronized App Control] Unable to load Synchronized Application Control page
  • NC-50809 [UI Framework] Patch jQuery (CVE-2019-11358)
  • NC-44637 [Web] Appliance reboots randomly
  • NC-47824 [Web] File downloading stopped when enabling HTTPS scanning
  • NC-51134 [Web] HTTPS redirected links via HTTP not accessible with sandstorm option on
  • NC-51971 [Web] Scan FTP for malware corrupts zip files
  • NC-48479 [Wireless] Active Access Points are showing as inactive in GUI
  • NC-49480 [Wireless] Backup restore fails from CR35iNG to XG135
  • NC-50532 [Wireless] Wireless Interfaces in UNPLUGGED state after upgrade
  • NC-51539 [Wireless] HA failover takes 15-20 mins due to separate zone(vxlan) interfaces
  • NC-52714 [Wireless] Unable to open the GUI due to CSC service stuck

Download

To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

Comment
  • Similar to what others noted - after updating XG210_WP03 from 17.5.9 to 17.5.10 MR-10, the "Local service ACL exception rule" under device access for access to services from specific allowed WAN hosts no longer worked, and HTTPS/SSH + anything else previously allowed through that mechanism became blocked. Having the firewall already included in Sophos Central firewall management, which was still accessible, was the only thing that saved this from becoming a difficult situation since it's a remote location. Changing a firewall drop rule destination from "All" to specific zones as suggested at community.sophos.com/.../134210 has resolved the problem.
