Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9.408-4 released

Up2Date 9.408004 package description:

System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade

Maintenance Release

Fix [NUTM-5349]: [AWS] Restore fails if UTM is created with backup file in user data
Fix [NUTM-5466]: [AWS] ssh disabled - No connection to stack instances
Fix [NUTM-5546]: [AWS] UTM Cloud Update does not work in GovCloud
Fix [NUTM-5654]: [AWS] Conversion should not be visible for HA and AS
Fix [NUTM-3203]: [Access & Identity] [RED] If creation of RED device fails, certificates are not deleted
Fix [NUTM-4948]: [Access & Identity] [RED] Enabling wireless on RED15w causes 'link down'
Fix [NUTM-5068]: [Access & Identity] [RED] TCP Vulnerability (CVE-2016-5696)
Fix [NUTM-5173]: [Basesystem] Memory (swap) leak in RAID monitor
Fix [NUTM-5407]: [Basesystem] OpenSSL security update (1.0.1u)
Fix [NUTM-5461]: [Basesystem] BIND Security update (CVE-2016-2776)
Fix [NUTM-5714]: [Basesystem] CVE-2016-5195 - Linux Kernel - Dirty Cow
Fix [NUTM-3042]: [Configuration Management] Advanced Threat Protection page error when login as Network Protection Auditor
Fix [NUTM-4215]: [Documentation, Email] POP3 Proxy reporting source IP of
Fix [NUTM-4840]: [Email] Email is automatically released after timeout from Sandstorm
Fix [NUTM-5285]: [Email] SMTP file extension filter is case sensitive
Fix [NUTM-5599]: [Email] Mails with the same recipient set twice lead to corrupt mail queue
Fix [NUTM-4938]: [Endpoint] Customers who expand their EP license do not get EP Protection enabled
Fix [NUTM-5049]: [Endpoint] Liveconnect Connectivity Issue
Fix [NUTM-4400]: [HA/Cluster] pg_ctl: PID file "/var/storage/pgsql92/data/" does not exist
Fix [NUTM-3158]: [Kernel] Kernel freeze when running Web Proxy in full transparent mode
Fix [NUTM-3490]: [Network] Ethernet Bridge with dynamic IP looses connectivity after IP renewal
Fix [NUTM-4592]: [Network] OSPF: SSL VPN route injection still not working in 9.404
Fix [NUTM-5147]: [Network] Kernel panic on several SG135 - Kernel Fixes
Fix [NUTM-5542]: [SUM] Availability Group is unresolved after it was re-deployed without a real change
Fix [NUTM-5207]: [Sandboxd] Sandbox error when downloading a file with an umlaut in file name
Fix [NUTM-5209]: [Sandboxd] sandboxd is unable to open database file due to wrong ownership
Fix [NUTM-4816]: [Up2Date] Up2Date downloader logs errors in uplink balancing setups
Fix [NUTM-488]: [Virtualization] Fix unstable NIC ordering on VMWare
Fix [NUTM-5334]: [WebAdmin] Authenticated users might gain access to stored passwords (CVE-2016-7397, CVE-2016-7442)
Fix [NUTM-4167]: [Web] Web Protection Reporting filtered by departments doesn't provide all data
Fix [NUTM-4806]: [Web] sandboxd is unable to insert into TransactionLog on HA setup
Fix [NUTM-4876]: [Web] URL request to parent proxy seems to be send as http request instead of https
Fix [NUTM-5136]: [Web] Web proxy in transparent mode removes authentication header
Fix [NUTM-5082]: [WiFi] IPSec traffic is not routed properly if the client is connected over Hotspot
Fix [NUTM-5303]: [WiFi] Characters in Hotspot terms of use not encoded correctly

RPM packages contained:

This thread was automatically locked due to age.
  • Sophos cannot control what your ISP is delivering in the DHCP options.  I every case I have helped on, the ISP was sending the DHCP option to  set MTU to 576.  The UTM was simply honoring that setting rather than overriding it.  If the ISP was not sending it (it is a default setting, they should disable it), it would not need a workaround.  I agree, though, it would be nice if you could just set it in the GUI and not have to SSH into the box to address the issue.

  • My VM did the update, and I had problems. Not normal ones. Box was up but ethernet was not working. Restarted, got errors on eth3 (HA link interface) during boot. Took a long time to boot due to ethernet errors. Once booted still couldn't ping it from my workstation. HA backup system had been offline for a few days so I powered it up. It's working fine. Not going to update it yet.

    Have the same setup at my home. Updated to 9.408 just fine just now.

    Follow up:

    With sometime to investigate, I turned off all the connections in ESXi to the interfaces and let the system come up. Logged into the console, checked the ethernet interfaces, 3 out of 4 ethernet interfaces got relabeled.

    eth0 -> eth0

    eth1 -> rename3

    eth2 - > eth1

    eth3 -> eth2

    I'm guessing "NUTM-488 [Virtualization] Fix unstable NIC ordering on VMWare" broke my VM.

    Follow up:

    It appears the update made it so the VM interface order matched the ethX order? (Atleast that's what happened here, and it now works as you would think it should.)

    I modified the /etc/udev/rules.d/70-persistent-net.rules to add the missing 4th interface and modified the VM network interface map to match.

    My main VM is back online.

  • No one is disputing that the ISP should not be sending the MTU option, however I would say that this firewall never had issues for years going back to Astaro days until someone thought it was needed to start honoring the MTU option from the DHCP servers. I can understand that there may have been a driver to do this but really would it have killed them to add an option to disable it if needed through the GUI? It can't be that hard. These ISP's have tones of devices on there network that are not having these issues. The issue is that no ISP is going to turn it off just because Sophos started using it and all there other customers are not and not having issues. They should just add an option in the GUI to enable or disable so there is no need to go to the console of SSH into the firewall and run some commands to change the object.

    I did upgrade to this latest version and DID NOT have to re due the MTUI setting so it would seem that upgrade does not over write that setting in the object.

  • @MarkMurphy - Isn't that a rather long worded reply that could have simply been summed up as "we agree"?  I am not sure what you read into my response, but we basically said the same thing.  Nothing I said was disputed in your post.  Nothing I said contradicts anything you said in your post.  Amirite?  :)

  • No we agree. Sorry if I miss read..

  • Seems stable on my home install after almost a day.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see for Sophos related posts.

  • We have two SG330 in HA cluster. After upgrade to 9.408-4 in Email protection -> Mail manager we noticed new SMTP Corrupt tab. What it is and when messages would appear in it?

  • like the name of the tab.. when smtp messages are identified corrupt for utm system.

    since install have never one mail in it so i dont know which exact conditions a corrupt mail have...




    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • RichardRoderick said:
    With sometime to investigate, I turned off all the connections in ESXi to the interfaces and let the system come up. Logged into the console, checked the ethernet interfaces, 3 out of 4 ethernet interfaces got relabeled.

    Same problem here, but no matter what I do, I can't get the missing interface back up.

    I've synced my VM interface MAC's with the contents of the rules file, restarted, but the UTM still doesn't see it. Do I have to do anything extra?

  • I had to do:

    ifconfig eth5 up

    before it was recognized. After this I could re-enable the interface, swap nodes, change the rules file there as well, then cycle the HA cluster to get everything back up again.

    This has taught me not to update too soon, lesson learned here... :-(