Sophos Firewall v18.5 MR1 is now available

The product team is pleased to announce that v18.5 MR1 is now available. v18.5 MR1 is available for all SFOS form factors – XGS Series, XG Series, Virtual and Software appliances as well as all supported cloud platforms. SFOS v18.5 MR1 includes support for new Sophos Central Orchestration capabilities as well as a number of important security fixes and enhancements.

Here’s a full list of what’s new in v18.5 MR1:

Support for new Central Orchestration Subscription (included in the new Xstream Protection license bundle):

  • Central SD-WAN VPN Orchestration enables easy point-and-click site-to-site VPN orchestration from Sophos Central – automatically configuring the necessary tunnels and firewall access rules for your desired SD-WAN overlay network.
  • Central Firewall Reporting Advanced with 30-days of data retention for full multi-firewall reporting in Sophos Central with access to all pre-packaged reports plus flexible custom report capabilities and the option to save, schedule, or export your reports.
  • Sophos MTR/XDR connector to enable Sophos Firewall intelligence and data to be used as part of our Managed Threat Response 24/7 service, or as part of your self-managed cross-product extended detection and response solution.

Get the full details on Central Orchestration and how to take advantage of it.

Additional Enhancements:

  • Resolved FragAttack Vulnerabilities recently discovered in the Wi-Fi specification for all internal and add-on Wi-Fi modules for Sophos (XG) Firewall desktop series appliances. All other updates will follow as outlined in this advisory.
  • With v18.5 MR1, non-XGS form factors can benefit from the performance improvements included in v18.5 GA, including improved network performance for TLS traffic in DPI mode.
  • Enhanced Backup/Restore Support improves backup/restore operations across different models by better mapping the management ports. v18.5 MR1 can also restore backups from v18 MR5 and earlier including any older v17.5 MRs.
  • XGS Series Reset Button enables a long press of the hardware reset button on XGS Series appliances (XGS 116 and higher models) to perform a factory reset to help recover from a bad configuration.
  • VPN Tunnel Logging adds improved logging of VPN tunnel flap events and IPsec IKEv2 rekeying.
  • Sophos DDNS (myfirewall.com) will be discontinued and no longer supports new registrations. This is planned from January 31, 2022. Refer to KBA-41764 for more details.

Main Menu Enhancements:

A few main menu items have been renamed and re-organized to make the menu more intuitive:

  • A new "Zero-Day Protection" menu item is now part of the "Monitor and Analyze" section that contains two tabs that were previously under the “Advanced threat” menu. The first tab provides a record of all files that have been analyzed by Threat Intelligence and Sandboxing in the SophosLabs Intelix Cloud. The second tab provides settings for this analysis.
  • A new "Sophos Central" menu item is part of the “System" section that contains the settings for connecting the firewall to Sophos Central for Synchronized Security features and for Sophos Central Management and Reporting (including the new Central VPN Orchestration capability).
  • Other minor changes include the renaming of the “Advanced threat” menu item to “Advanced Protection” to better reflect its function.

More info available here: v18.5 MR1 release notes

Issues Resolved:

  • NC-69584 [Authentication, SSLVPN] The user information displayed for remote users under Monitor & Analyze -> Current activities on Web Admin is not displayed properly.
  • NC-73734 [Date/Time Zone] Reports showing wrong time zone because /etc/timezone is not updated during restore
  • NC-72625 [Email] Fixes multiple vulnerabilities (AKA 21Nails) in Exim with upgraded version v4.94.2
  • NC-73542 [Email] DKIM signing broken in Exim 4.94
  • NC-73665 [Email] Email exception list is empty for source/host if you save and re-open the exception
  • NC-58370 [Firewall] User logout event clears firewall fields in conntrack of connection going through network based rules, results in packet drop
  • NC-66067 [Firewall] Firewall filter for 'unused' rules does not work.
  • NC-69495 [Firewall] XG 210 frequently rebooting [skb->sk corruption]
  • NC-69558 [Firewall] XG750 18.0.3.457 crash: tcp_v4_rcv+0xb14/0xbb0
  • NC-70461 [Firewall] IPv6 Host group doesn't match when a network type host is added in host group
  • NC-71473 [Firewall] PortB4 (not existing) still shows up in custom SNAT on CLI
  • NC-71922 [Firewall] XGS6500 auto rebooted
  • NC-72153 [Firewall] VLAN on bridge with fastpath enabled does not pass traffic
  • NC-72494 [Firewall] When multiple packets are sent from the same origin to the same destination at the same time, the first packets always get dropped
  • NC-71033 [Firmware Management] VM - Sometimes mandatory firmware applied successfully but device did not reboot after it
  • NC-68595 [HA] Unable to establish HA with Quick Mode
  • NC-72076 [HA] HA sync dir failure resulted in empty directory
  • NC-69937 [Hotspot] Hotspot option device per voucher is inconsistent
  • NC-72311 [Hotspot] Hotspot user logged in when the arp resolution was in incomplete state
  • NC-71126 [Interface Management] XGS 116w EAP3 - IF alias UI timeout error
  • NC-71151 [QoS] Unable to edit/add users when traffic shaping policy exist with name "None"
  • NC-71333 [SDWAN Routing] Incoming VPN traffic doesn't follow SDWAN policy
  • NC-71996 [SNMP] SNMPD memory usage keeps increasing
  • NC-73687 [SSLVPN] SSLVPN remote access: push_reply does not include updated permitted lan networks
  • NC-71443 [WAF] WAF license warning even if WAF is subscribed
  • NC-76446 [WAF] SSLVPN DEAD on 18.5 MR1 Build318 upgrade if WAF and SSLVPN uses the same port

Upgrade as soon as possible

While we always encourage you to keep your firewalls up to date with the latest firmware, over the next few months we are recommending you rapidly apply maintenance releases to ensure you have all the important security, performance, and feature enhancements applied as soon as possible.

Also ensure you have automatic pattern updates enabled so that you can be assured you have the latest protection updates.

XG Firewall v18.5 MR1 is an easy and fully supported upgrade from XG Firewall v17.5 MR14 and later, XG Firewall v18 MR3 and later and all previous versions of v18.5. Please refer to the Upgrade information tab in the release notes for more details.

How to get it

As usual, this firmware update is no charge for all licensed Sophos Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware anytime to do a manual update through the Licensing Portal.  Please refer to the documentation for more information on how to apply firmware updates.

Sincerely,

Sophos Firewall Product Team

  • Unfortunately upgrade for XG210 rev.3 (from 18.0.5) does not work, despite promise above, that the XG series hardware is now also supported - we have error message: invalid for this appliance model.

  • Which file did you download? The file should be called: HW-18.5.1_MR-1.SF300-326.sig 

    This one is the wrong one: HW-18.5.1_MR-1.SF310-326.sig (XGS)

  • FormerMember in reply to LuCar Toni

    ,

    As mentioned by , if you're having an issue with "HW-18.5.1_MR-1.SF300-326.sig " please create a support case for further investigation and send me the case number via personal message. 

    Thanks,

  • I see,

    there is different 18.5 update package for XG platforms and different for XGS :-)

    Good to know, thanks.

  • It's quite simple and mySophos should present you only the matching.

    SF300 is XG/SG

    SF310 is XGS. 

  • If you have 1 box, then it is simple. If you administrate hundreds of boxes, then it gets really complicated, because you really don't know when you need special installation files as this is not described somewhere and it's not really productive to download the same iso file again and again just to be sure.

    As far as I know there are 3 sets of installation files now for 17.5 (Sophos XGS, Sophos XG85+105, All other Sophos XGs), 1 set for 18.0 and 2 sets for 18.x (XG and XGS) - not counting the virtual and software appliances.

    Installation files for 17.5.x are no longer available from mysophos at all. I understand the technical reasons for having multiple installation sets and it is absolutely OK, as long as there will be possibility to download all of that from mysophos and all supported versions (like it was with UTM9) or at least couple of MRs back.

    For example today I wanted to assemble HA cluster, but I'm not able to because the new passive box has 17.5 MR-12 preinstalled and the production box uses 18.0 MR-4. ISO is only available for 18.0 MR-5 and upgrade to MR-5 is not possible, because of bug in Email Protection Exceptions. It is really annoying to raise a ticket for every such occasion especially, when I know how difficult this will be to explain and get the permissions to that. I can imagine how stressful this would be for normal customers or partners without dedicated TAM.
