Hi XG Community!

We've released SFOS v17.5.9 MR9 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from the Licensing Portal. We then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Issues Resolved

  • NC-45755 [Authentication] Delayed/timeout for login when users authenticated remotely
  • NC-46473 [Authentication] Constant login/logout of users
  • NC-46591 [Authentication] Guest user registration is not working if username is not based on cell number
  • NC-47038 [Authentication] Password complexity alert on dashboard remains after setting strong password
  • NC-47933 [Authentication] Chromebook log files not rotating
  • NC-49930 [Authentication] Access server service is restarting with coredump
  • NC-49677 [Backup-Restore] tmp partition gets full with backup intended for Central synchronization
  • NC-46118 [CSC] Not possible to edit business application rule
  • NC-49648 [CSC] API Get BridgePair requests sometimes report incorrectly "No. of records Zero."
  • NC-47884 [Email] Mail notification stops working after migrating from CROS to SFOS
  • NC-48092 [Email] IPReputation Service shows as stopped on dashboard when Email and WAF module not subscribed
  • NC-50528 [Email] Patch Exim (CVE-2019-15846)
  • NC-47512 [Firewall] IP-list in DNAT rule does not work if service object contains TCP & UDP port combination
  • NC-48803 [Firewall] Virtual Host update is called on every FQDN IP update even if it's not used in virtual host configuration
  • NC-50222 [Firewall] Firewall rule position display is incorrect on rule deletion
  • NC-51079 [Firewall] Invalid traffic config takes effect only after reboot - Garner flooded with firewall dropping events
  • NC-51181 [Firewall] Invalid messagid(0) log being sent to garner from pktcapd
  • NC-50191 [Firmware Management] Device rebooting continuously when booting with SFOS firmware version after migration from CROS
  • NC-51607 [Firmware Management] Smaller devices in HA are not able to migrate to v18.0
  • NC-47546 [HA] Delay in routing traffic during HA failover when interfaces without an IP address are configured
  • NC-50786 [Interface Management] Webadmin Interface page with lots of devices stops loading after 7 minutes
  • NC-46908 [IPS Engine] IPS double free or corruption (!prev): 0x000000000a9c69e0
  • NC-45317 [IPsec] Overload protection for IPsec IKE daemon
  • NC-46550 [L2TP] L2TP disconnects after rekey and doesn't reconnect
  • NC-44124 [Licensing] Registration page shows up in HA setup after upgrading to 17.5 to 17.5 MR1
  • NC-33302 [Logging Framework] HttpProxy Dead-Epoll worker coredump
  • NC-47183 [Logging Framework] Reports in Control Center shown with delay
  • NC-48106 [Logging Framework] XG85 - /tmp partition fills up
  • NC-50024 [Logging Framework] Improper input validation in email notification after failed login (Webadmin, SSH, ...)
  • NC-50127 [Logging Framework] Garner coredump in HA setup at handle_sync_input
  • NC-50493 [Logging Framework] S2S IPsec logging in LogViewer is inconsistent
  • NC-49273 [Reporting] Filtering on blocked user activities not working as expected
  • NC-47823 [SecurityHeartbeat] heartbeatd libssl segfaults
  • NC-48453 [SecurityHeartbeat] When heartbeat switch is toggled, in UI SAC switch is not updated
  • NC-49791 [SecurityHeartbeat] Heartbeat status not behaving as expected when the client machine has multiple IPs
  • NC-49852 [SFM-SCFM] SSH got exposed on XG after new firewall rule is pushed from SFM
  • NC-43977 [UI Framework] Incorrect message shown after disabling/enabling any device access services in Central Firewall UI
  • NC-30827 [WAF] Double quotes in site path rules breaks WAF when reverse authentication is used
  • NC-49251 [WAF] Newly created duplicate WAF policy not taking precedence
  • NC-49777 [WAF] Frontend realm and cookie secret not unique for default authentication profiles
  • NC-49906 [WAF] Limited cross-site scripting in mod_proxy (CVE-2019-10092)
  • NC-50172 [Web] Conform to Apple's new certificate requirements (awarrenhttp)
  • NC-47617 [Wireless] API - 'update' operation does not work
  • NC-47975 [Wireless] Remove/Disable simplified bridge does not work
  • NC-48628 [Wireless] TX/RX UI values are mixed up for 2.4GHz network

Download

To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

  • Patched an XG230 HA A-P pair two weeks ago and they are working fine so far.

  • Experiencing SSL VPN issues after upgrading to this latest firmware. SSL VPN connects fine and will work for a short period of time, but eventually cuts off all traffic. The SSL VPN connection will stay active and appear to be connected fine on both Client / FW, but further packet capture diagnostics show all traffic being blocked due to an unknown Firewall Violation. A simple reconnect of the VPN will resolve the issue each time, but it will happen over and over again. Firewall reboots and other subsequent troubleshooting have been unsuccessful so far. Hopefully I can get this figured out with Sophos Support before having to roll back to the previous SFOS 17.5.8.

  • Sophos Connect VPN continued working correctly on one XG330 HA pair after updating from MR8 to MR9. On another pair with the same hardware, client connectivity was failing after the update and UDP 500 was no longer accessible. This fixed the problem and UDP 500 became accessible again: community.sophos.com/.../123263

  • Anyone else got problems with traffic from RED networks after the update?

  • After the update we are getting an issue with client authentication (CCA certificate) frequently disconnecting, and some users' SSL VPN is broken.

    We are getting this error for SSL VPN:

    Thu Nov 21 12:34:59 2019 MANAGEMENT: Client disconnected

    Thu Nov 21 12:34:59 2019 ERROR: could not read Auth username/password/ok/string from management interface

    Thu Nov 21 12:34:59 2019 Exiting due to fatal error

    The username and password are correct. We downloaded the SSL VPN configuration. For some users it's connecting!