We've just released UTM 9.707. As usual, the release will be rolled out in phases:

  • In phase 1 you can download the update package from our download server.
  • During phase 2 we will make it available via our Up2Date servers in several stages.
  • In phase 3 we will make it available via our Up2Date servers to all remaining installations.

Up2date information


  • Maintenance release
  • Security release


  • System will be rebooted
  • Configuration will be upgraded

Issues resolved

  • NUTM-12550 [Access & Identity] Replace deprecated option in SSLVPN client config
  • NUTM-12310 [Email] SPF checks incorrectly occurring when multiple upstream hosts are configured in an availability group
  • NUTM-12672 [Logging] IPFIX does not switch source and destination ports between inbound and outbound side of flow
  • NUTM-12749 [Basesystem] Update bzip2 to address CVE-2019-12900
  • NUTM-12590 [Basesystem] Patch OpenSSL against CVE-2021-23840 & CVE-2021-23841
  • Please take a look at this KB article.

    Email Catchrate issue on UTM 9.706 (sophos.com)

    The issue seems to be limited to devices running on old hardware or on KVM/QEMU environments that are configured to suppress advanced processor features.

  • What is Sophos doing to address the massive screw-up in the latest updates? Up2date is downloading new patterns every 30 seconds and then not actually stopping any spam.

  • I know the Tunnelblick clients on Mac have been getting the warning for several months. But it works.

    Thanks a lot RichBaldry

  • No. There is no need to update the configuration of working clients.

    This change doesn't impact the VPN server, it only impacts the generation of the config download for Windows clients in the User Portal. It just means that for any user that does download the VPN client bundle or the VPN client configuration updater, the config file installed will use the new option.

    The Sophos VPN client that currently ships with the product can handle either option, but some third-party clients raise warnings about use of the deprecated tls-remote option if it's present.

  • Dear RichBaldry,

    If I have a client with the old option --tls-remote, is it strictly necessary to change each conf to --verify? Or is it possible to connect to the Sophos SSL firewall after the update with the old option? That's very important. I don't want to change 100 OpenVPN SSL clients.

    Greetings Peter
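
For the tls-remote discussion above (NUTM-12550), an added example that is not Sophos code and not part of the thread: a small Python audit that reports which OpenVPN client configs still carry the deprecated option. It assumes the replacement is OpenVPN's `verify-x509-name` option (the page does not name it), and the sample configs are constructed.

```python
import re

DEPRECATED = {"tls-remote"}       # option the thread calls deprecated
CURRENT = {"verify-x509-name"}    # assumed replacement (OpenVPN option, not named on the page)

def classify_config(text):
    """Classify one OpenVPN client config by its peer-name check.

    Returns (status, findings): status is 'deprecated', 'current', 'both'
    or 'none'; findings is a list of (line_number, option, arguments).
    """
    findings = []
    block = None  # name of an open inline block such as <ca> ... </ca>
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if block:                         # skip PEM/key material
            if line == f"</{block}>":
                block = None
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if opened:
            block = opened.group(1)
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        parts = line.split(None, 1)
        option = parts[0].lstrip("-")     # tolerate command-line style "--opt"
        if option in DEPRECATED | CURRENT:
            findings.append((lineno, option, parts[1] if len(parts) > 1 else ""))
    seen = {opt for _, opt, _ in findings}
    old, new = bool(seen & DEPRECATED), bool(seen & CURRENT)
    status = "both" if old and new else "deprecated" if old else "current" if new else "none"
    return status, findings

# Constructed sample configs (not taken from any real deployment).
SAMPLE_OLD = """\
client
dev tun
remote vpn.example.test 443
tls-remote "C=XX, O=Example, CN=utm.example.test"
<ca>
tls-remote text inside an inline block is ignored
</ca>
"""
SAMPLE_NEW = """\
client
# tls-remote "commented out, so not counted"
verify-x509-name "C=XX, O=Example, CN=utm.example.test"
"""

if __name__ == "__main__":
    for name, cfg in (("old.ovpn", SAMPLE_OLD), ("new.ovpn", SAMPLE_NEW)):
        print(name, *classify_config(cfg))
```

Run over the text of each exported client config, the `deprecated` and `both` results are the files that third-party clients would warn about.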