Sophos UTM 9.407-3 released


Up2Date 9.407003 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade
Connected Wifi APs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-4079]: [AWS] DNS Resolver too slow for ELBs
Fix [NUTM-3885]: [Access & Identity] [RED] RED50 reconnecting every 30 minutes
Fix [NUTM-4502]: [Access & Identity] [RED] reactivating RED management causes problem with provisioning server
Fix [NUTM-4749]: [Access & Identity] [RED] interface default routes are not written
Fix [NUTM-4832]: [Access & Identity] 9.404 SSL site-to-site VPN client is not compatible with older UTM versions
Fix [NUTM-4870]: [Access & Identity] STAS: Packetfilter rule is written too late when enabling the feature
Fix [NUTM-4875]: [Access & Identity] 9.404 SSL site-to-site VPN doesn't work with static IP setting
Fix [NUTM-4881]: [Access & Identity] IPsec remote access xauth fails with "could not find cache entry"
Fix [NUTM-4918]: [Access & Identity] HTML5 VPN: Portuguese (Brazil) keyboard doesn't appear to support special characters
Fix [NUTM-4974]: [Access & Identity] UTM unable to connect to support tunnel
Fix [NUTM-4981]: [Access & Identity] [RED] RED management can't be reactivated after a Backup / Restore
Fix [NUTM-4987]: [Access & Identity] 9.404 SSL site-to-site VPN client compatibility to older openvpn versions
Fix [NUTM-5004]: [Access & Identity] [RED] misleading peer status send
Fix [NUTM-4941]: [Basesystem] NTP Vulnerability
Fix [NUTM-5132]: [Basesystem] Disable weak ciphers for webadmin
Fix [NUTM-3180]: [Confd] IP Address change was not applied properly to the interface
Fix [NUTM-4346]: [Documentation] Enhance documentation regarding unencrypted SSO AD password in printable configuration
Fix [NUTM-3225]: [Email] JSON error when accessing Data Loss Prevention Tab and SMTP Profiles
Fix [NUTM-3483]: [Email] Missing/incomplete logging for sandstorm in SMTP proxy
Fix [NUTM-3505]: [Email] MIME type blacklist can be bypassed if another file is whitelisted
Fix [NUTM-3666]: [Email] Mail log in user portal is case-sensitive
Fix [NUTM-3667]: [Email] RAR and XLSX files causing Scanner timeout or deadlock - moving to error queue
Fix [NUTM-4331]: [Email] Implement more error handling in QMGR for error cases
Fix [NUTM-4874]: [Email] SMTP proxy can't be disabled when upgrading from 9.31x
Fix [NUTM-5228]: [Email] change LogLevel in httpd-spx-reply.conf to warn
Fix [NUTM-5355]: [Email] Increase AV Scanner timeout to 60 seconds
Fix [NUTM-2768]: [HA/Cluster] 36307: Postgres can't be started on Slave / rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.4]
Fix [NUTM-4894]: [Logging] Fallback log on slave node is filling up the partition
Fix [NUTM-1954]: [Network] 35457: Amazon vpc gets imported but quagga doesn't start
Fix [NUTM-3092]: [Network] snmp does not work: because 10G modules query of link status timeout if no GBIC is plugged
Fix [NUTM-3115]: [Network] AFC misclassifying HTTPS connections as 'OpenVPN'
Fix [NUTM-3157]: [Network] [INFO-152] Network Monitor not running - restarted
Fix [NUTM-3229]: [Network] IPv6 over transparent proxy
Fix [NUTM-3247]: [Network] Spam Filter cannot query database servers from Slave if a block all AFC rule exists
Fix [NUTM-4037]: [Network] Update kernel to 3.12.58
Fix [NUTM-4992]: [Network] Unitymedia / KabelBW customer getting always the MTU 576
Fix [NUTM-4885]: [Reporting] SSL VPN reporting shows no user with a "#" sign in the username
Fix [NUTM-4593]: [Sandboxd] Constant error when inserting record into sandstorm transactionlog table
Fix [NUTM-5128]: [Virtualization] Incorrect interface order on HyperV
Fix [NUTM-4868]: [WAF] WAF service restart issue (segmentation fault in mod_avscan)
Fix [NUTM-5266]: [WAF] Form auth default template login not possible with chrome and FF
Fix [NUTM-4916]: [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN
Fix [NUTM-2447]: [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working
Fix [NUTM-4525]: [Web] Handle ha zeroconf for sandbox_reportd
Fix [NUTM-4806]: [Web] postgres[xxxxx]: [x-x] STATEMENT: INSERT INTO TransactionLog
Fix [NUTM-4877]: [Web] segfault after installing ep-httpproxy-9.40-319.g32fa996.i686.rpm
Fix [NUTM-4127]: [WiFi] MAC filter whitelist does not work after editing the MAC Address List
Fix [NUTM-4451]: [WiFi] Mesh AP doesn't connect after deleting the AP from webadmin
Fix [NUTM-4913]: [WiFi] Hotspot voucher QR code pointing to IP address instead of configured host name
Fix [NUTM-5032]: [WiFi] 'STA WPA Failure' messages not appearing in wireless log

RPM packages contained:
firmwares-bamboo-9400-0.239798409.gadeedea.rb1.i586.rpm
freerdp-1.0.2-5.g9ab7846.rb6.i686.rpm
modavscan-9.40-88.g4be0a1f.rb3.i686.rpm
perf-tools-3.12.58-0.238097715.g942ca6f.rb5.i686.rpm
red-firmware2-5033-0.237486050.g1d6fa2f.rb1.noarch.rpm
red15-firmware-5033-0.237486204.g88604a9.rb4.noarch.rpm
uma-9.40-9.g4114428.rb3.i686.rpm
ep-reporting-9.40-28.g366bbbd.rb8.i686.rpm
ep-reporting-c-9.40-29.gdbdd0e5.rb7.i686.rpm
ep-reporting-resources-9.40-28.g366bbbd.rb8.i686.rpm
ep-aua-9.40-29.g044c154.rb4.i686.rpm
ep-branding-ASG-afg-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-ang-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-asg-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-atg-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-branding-ASG-aug-9.40-45.ga7a71f4.rb4.noarch.rpm
ep-confd-9.40-758.g4ba8297.i686.rpm
ep-confd-tools-9.40-699.g3e73a8d.rb11.i686.rpm
ep-endpoint-0.5-0.238842559.g74c0041.rb3.i686.rpm
ep-ha-aws-9.40-193.gbbbdb1f.rb1.noarch.rpm
ep-libs-9.40-18.g98311c6.rb4.i686.rpm
ep-mdw-9.40-473.gbb2acca.rb1.i686.rpm
ep-migration-agent-9.40-0.238246977.g97d8100.rb2.i686.rpm
ep-repctl-0.1-0.236091535.g244907c.rb4.i686.rpm
ep-screenmgr-9.40-1.g05ac056.rb11.i686.rpm
ep-utm-watchdog-9.40-9.gb87dc68.rb5.i686.rpm
ep-webadmin-9.40-649.gcf9df68.rb15.i686.rpm
ep-webadmin-contentmanager-9.40-48.g2579cc5.rb7.i686.rpm
ep-chroot-dhcpc-9.40-7.g5875cb6.rb4.noarch.rpm
ep-chroot-httpd-9.40-13.g05599fc.rb4.noarch.rpm
ep-chroot-smtp-9.40-108.g7e71836.rb1.i686.rpm
chroot-ntp-4.2.8p8-0.g2398560.rb7.i686.rpm
chroot-openvpn-9.40-26.g733afa5.rb6.i686.rpm
chroot-reverseproxy-2.4.10-242.g832ffb5.rb3.i686.rpm
ep-httpproxy-9.40-351.gd42c00a.rb8.i686.rpm
kernel-smp-3.12.58-0.238097715.g942ca6f.rb6.i686.rpm
kernel-smp64-3.12.58-0.238097715.g942ca6f.rb6.x86_64.rpm
ep-release-9.407-3.noarch.rpm



  • Dlabun said:

    That really doesn't help people who remotely administer UTMs... Right now I don't have a stable enough connection to my branch location to get in and make that change. Now my only choice is to drive out to this location, a 3 hour drive. The default should be to ignore the MTU from DHCP as it always had in the past so it doesn't affect the ability to administer these boxes.

    I agree with you, mtu_auto_discovery should be 0 (disabled) as default.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Cannot see where this has changed:

    Fix [NUTM-4916]: [WebAdmin] User portal: add Windows 10 to list of supported OSs for SSL VPN

    Maybe it's only in the UK version ? :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Is this a new feature also?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • entire RED 50 remote site down after Update:

    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED10rev1 version set to 14
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED10rev2 version set to 2005R2
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED10rev2 local version set to 5033R2
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED15 fw version set to 5033
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED15w fw version set to 5033
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED50 fw version set to 2005
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: RED50 local fw version set to 5033
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: IO::Socket::SSL Version: 1.953
    2016:09:29-23:03:45 utm-2 red_server[8067]: SELF: Startup - waiting 15 seconds ...
    2016:09:29-23:03:46 utm-2 red2ctl[8076]: Starting REDv2 control daemon
    2016:09:29-23:04:00 utm-2 red_server[8067]: SELF: Overlay-fw has been updated ...
    2016:09:29-23:04:00 utm-2 red_server[8814]: UPLOAD: Uploader process starting
    2016:09:29-23:04:01 utm-2 red_server[8067]: SELF: (Re-)loading device configurations
    2016:09:29-23:04:01 utm-2 red_server[8067]: OUR_RED_ID: New device
    2016:09:29-23:04:01 utm-2 red_server[8067]: OUR_RED_ID: Staging config for upload
    2016:09:29-23:04:04 utm-2 red_server[8814]: [OUR_RED_ID] Uploaded config to registry service
    2016:09:29-23:05:03 utm-2 red_server[9018]: SELF: New connection from OUR_EXTERNAL_IP with ID OUR_RED_ID (cipher AES256-GCM-SHA384), rev1
    2016:09:29-23:05:03 utm-2 red_server[9018]: OUR_RED_ID: connected OK, pushing config
    2016:09:29-23:05:04 utm-2 red_server[8067]: SELF: (Re-)loading device configurations
    2016:09:29-23:05:34 utm-2 red_server[9018]: OUR_RED_ID: No ping for 30 seconds, exiting.
    2016:09:29-23:05:34 utm-2 red_server[9018]: id="4202" severity="info" sys="System" sub="RED" name="RED Tunnel Down" red_id=" OUR_RED_ID " forced="0"
    2016:09:29-23:05:34 utm-2 red_server[9018]: OUR_RED_ID is disconnected.

    good job ! 

  • Have you checked the RED display? The REDs perform a firmware upgrade and therefore disconnect; it will respond in 3-4 minutes again.

    I have upgraded 11 UTMs yesterday, there are several RED10, 15 and 50s in the environment, all came up :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Why are there still no IPv6 fixes, and why are all users with these problems still being ignored? Such behavior is not acceptable and unprofessional. Are ISPs with Dual Stack-lite (ONLY IPv6) NOT supported by UTM in future, or is there a chance of a fix? Anyhow, this setup worked for months until it crashed, maybe caused by a UTM update in July 2016.

  • No but the RED came up 1 hour after the Update.

    Seems like this takes a while to upgrade the Firmware, especially with the provisioning cloud service of Sophos in between.

    Kind Regards,

    AOS-IT

  • This is not configurable in webadmin? If not, this is the most stupid fix I have seen in a long time. Why would they fix it for two ISPs only? All I can say is WOW!!! It seems like such a simple concept to allow a user to enable or disable it in the webadmin instead of forcing this down our throats and making us go to a command line interface to fix it.

  • You have it all wrong... Somebody at Sophos clearly thought it'd be funny if they turned this bug fix into an easter egg customers have to find and activate. I have to drive out to one of my locations now to fix the problem, completely flushing my weekend down the drain.

  • I need a little help with twister5800's reply. I previously had the 576 MTU problem, and had applied VegardOestengen's suggestion from another thread, which fixed the problem. The fix continued to work after the upgrade to 9.406-3. Last night, however, I upgraded my home (software-based) UTM to 9.407-3, and it's been a disaster. Although the web interface tells me that the internet-facing interface is still using a MTU of 1500, I'm not believing it. Most websites are unreachable. Pings and traceroutes work, but not much else. I've had some experience with MTU problems before, and this pretty clearly seems to be an MTU problem. I've tried changing the MTU in the web interface to 1492, and then back to 1500, but it didn't help.

    So I want to try twister5800's suggestion, but I'm lost. I know how to ssh into the UTM, but I'm not sure what to do after that. "cc", "RAW", "lock_override", etc., don't appear to be shell commands. So what's going on? Have I missed a step?