Sophos Firewall OS v19 MR1 re-release (Build 365) is Now Available


Sophos Firewall OS v19 was released just a few months ago in April, and has already been adopted by a huge number of partners and customers who have upgraded to take advantage of the many Xstream SD-WAN and VPN enhancements.

This latest update, v19 MR1 Build 365, brings a number of additional enhancements and fixes to what is already one of our best firewall updates ever:

What’s New in SFOS v19 MR1 Build 365:

VPN and SD-WAN Enhancements:

  • SSLVPN Remote Access - Static IP lease support to enable mapping of remote users with static IP addresses to improve user traceability, monitoring and visibility. This also includes static IP leases with an external Radius server.
  • IPsec VPN Enhancements - Adds default IPsec site-to-site IKEv2 policies for improved head office to branch office tunnels, eliminating manual fine-tuning of re-key interval, dead peer detection (DPD) action and key negotiation. Defaults were also updated to prevent flapping of UDP connections (VoIP, Skype, RDP, Zoom, etc.). In addition, "vpn conn-remove-tunnel-up" is disabled and "vpn conn-remove-on-failover" is enabled for new configurations (existing deployments are not affected).
  • SD-RED - Now supports multiple DHCP servers for RED interfaces
  • SD-WAN Profiles - The Rule-ID and index column are added on the SD-WAN profile management page for easier troubleshooting

Other Enhancements:

  • Anti-Malware Engine - Anti-malware engines and associated components were upgraded to full 64-bit operation to provide optimal performance and future support. Note that the secondary malware scan engine, Avira, will no longer provide detection updates for the 32-bit version after December 31, 2022.  Anyone using Avira will need to upgrade to v19 MR1 or v18.5 MR5 (to be released soon) before the end of the year or switch to just using the Sophos engine. 
  • Synchronized Security - Improved Sophos Central Firewall Management resilience in environments with thousands of endpoint certificates being used for Synchronized Security Heartbeat.
  • Email - Added an option to report a spam email as a False Positive from the quarantine release screen
  • Sophos Assistant - Added an option to opt-out of the Sophos Assistant
  • Additional Fixes - 50+ additional performance, stability and security fixes and enhancements are also included

Issues fixed in the re-release of v19 MR1:

  • NC-100681 [IPS Engine] Increase in snort memory with ATP pattern updates
  • NC-94019/NC-100737 [Wireless] Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0, and outbound traffic may experience slowness
  • NC-100971 [IPsec] Migration fails from v19.0 GA to v19.0 MR1 Build 350
  • NC-81131 [Reporting] Last access time is not generated when there is user present with username that has xss payload
  • NC-100679 [CDB-CFR, Reporting] "INSERT INTO available_login_eventv6%" error in postgres.log causing conf partition to rise

Check out the v19 MR1 Build 365 release notes for full details.

Important Licensing Change for Future Firmware Updates:

As covered in the recent community blog post, SFOS v19 MR1 introduces a support requirement for firmware upgrades which will come into effect for customers without a valid support subscription after they've used an initial free upgrade allocation.

To summarize:

  • No change for customers with a valid support subscription (about 80% of customers)
  • Future action will be required by the remaining 20% who do not have a support subscription, but also no immediate change

Full Details and FAQs

How to Get it:

The release of v19 MR1 Build 365 follows our regular firmware release process so you can download it now from MySophos or wait until it appears in your console over the next few weeks.

Sophos Firewall OS v19 MR1 Build 365 is a fully supported upgrade from v19 GA and v19 MR1 Build 350, all previous versions of v18.5 including the latest v18.5 MR4 and v18 MR3 and later. Please refer to the Upgrade information tab in the release notes for more details.

Parents
  • After upgrading to v19, I noticed a site2site VPN issue.

    VPN server has static IP, VPN clients have dynamic that update every 24 hours or so.

    After clients get their new WAN IP, the tunnel reconnects but no traffic can cross the tunnel, even though the tunnel shows as being up.
    Solution is to login to firewall acting as server, turning the tunnel off and back on for each client.

  • Hello Rick. I've got the same issue for several clients which use SSL site to site VPN connection with their branches. What I end up doing is leaving the Head Office firewalls on version SFOS 18.5.3 MR-3-Build408 and the branches on V19. Had opened a ticket with support but they struggled to even identify the issue. Now I will test this new Firmware release in our LAB and see if the issue has been fixed.

Children
  • Hi Zaheer, I am not able to DM you, can you provide me a way to reach out to you for further discussion?

    Also if you can provide support case ID will have at info available.

  • Zaheer, I have looked into your problem statement and Support case (#05343128) tagged to your name.

    I can see it's a similar type of issue triaged and fixed in upcoming v19MR2 (NC-98574); the fix is also available and you can reach out to support.

    Basically it's observed in case the SSLVPN S2S tunnel gets torn down due to any link flap which does not trigger any event on the server side, and the old tunnel teardown happens after the new tunnel comes up in any scenario.

    I assume same problem for Ricky's case as well on WAN IP changes for client end.