Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

9.604 without problems?

Anybody has installed 9.604 already and being happy with it?

Best regards

Alex



This thread was automatically locked due to age.
Parents
  • I had no problems updating the SG135 in my lab to version 9.604 and the UTM seems to work fine until now.

    Kind regards, Holger

  • URGENT ALERT: Issue with RED 50 and 9.604 which fixes the TCP SACK PANIC vulnerability

    I just received an SMS alert from Sophos: Up2Date to 9.604 after powering off your RED 50(s)! Otherwise, there's a good chance a RED 50 will be bricked.  Then after the before powering the RED 50 on again, execute the following commands as root at the command line:

    cc set red use_unified_firmware 0
    cc get red use_unified_firmware

    If you're running in High Availability, I believe you must also execute these commands on the Slave - at least do the second one to confirm.  For that, you will need the loginuser and root passwords after doing the following as root at the command line:

    ha_utils ssh

    The relevant Sophos KnowledgeBase article is: https://community.sophos.com/kb/en-us/134398

    Sign up to receive SMS alerts yourself at https://sms.sophos.com

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I just received the following from Sophos Support:

    1. Are any other REDs in danger of being bricked, or is it just the RED 50?
    - So far we have only seen RED 50 but this doesn't rule out RED 15
    2. In High Availability, does use_unified_firmware need to be set to 0 on all nodes?
    - No it would replicate the command
    3. Instead of physically unplugging REDs, would it suffice to disable the RED server objects in WebAdmin before applying the Up2Date and then enable them after 9.604 has had use_unified_firmware set to 0?
    - In theory yes if you disable the service in the UTM or turn off the RED devices, then they won't be able to get the Firmware Update, so they won't be able to contact the server, and once you re-enable the services they will not search for a new firmware update

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I just received the following from Sophos Support:

    1. Are any other REDs in danger of being bricked, or is it just the RED 50?
    - So far we have only seen RED 50 but this doesn't rule out RED 15
    2. In High Availability, does use_unified_firmware need to be set to 0 on all nodes?
    - No it would replicate the command
    3. Instead of physically unplugging REDs, would it suffice to disable the RED server objects in WebAdmin before applying the Up2Date and then enable them after 9.604 has had use_unified_firmware set to 0?
    - In theory yes if you disable the service in the UTM or turn off the RED devices, then they won't be able to get the Firmware Update, so they won't be able to contact the server, and once you re-enable the services they will not search for a new firmware update

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • hi

     

    i had 2 dead  red 50's  back around the time we first upgraded to 9.6  , and had them replaced by sophos

    i remember at the time setting this  unified firmware to  0 

    currently running 9.603 and just checked the switch is set back to 1 

    so are we saying that every new 9.6 update resets the switch to 1 ? 

    so currently i have 9.603 with 2 red devices attached and everything is working , is there any comment from sophos , does it affect all red 50 devices , or only some revisions ? 

    if they know this is a problem- and i think they have as this happened to us a few months ago , would it not make sense to set the firmware to 0 , in the update file ? or have the change persist after updates