Version 19.0 MR3 Build 517
Released on June 29, 2023
This maintenance release resolves some issues. To see these, click the Resolved issues tab.
For other details, see the Sophos Firewall help.
Version 19.0 MR2 Build 472
Released on January 23, 2023
New features
This page describes the new features introduced. For details, see the Sophos Firewall help.
- Bulk mail in MTA mode: Enhanced the spam catch rate with SASI. The firewall now offers bulk mail settings in MTA mode.
- Xstream SD-WAN enhancements:
  - You can configure 4 times the existing number of SD-WAN profiles, supporting scaled deployments.
  - Improved gateway management. You can filter gateways based on their status, IP address, interface, and health check.
  - Search SD-WAN profiles by their names on Diagnostics > SD-WAN performance.
- RED unlock code: The RED provisioning server sends the unlock code to the email address specified on System services > RED when you add a RED device or delete it from the firewall. See the knowledgebase article Pop-up message and email for the RED unlock code.
- Zero-day protection: Intelix can now request submission of samples above the previous built-in limit of 10 MB.
- IPsec VPN:
  - Improved security heartbeat selection in remote access IPsec VPN.
  - Support for turning off anti-replay protection in IPsec VPN for specific cases.
Version 19.0 MR1 Build 365
Released on August 16, 2022
New features
This page describes the new features introduced. For details, see the Sophos Firewall help.
VPN
SSL VPN: Introduced static IP address lease for remote access SSL VPN users on the firewall and from an external RADIUS server. Sophos Firewall now maps remote access SSL VPN users to static IP addresses, enhancing user monitoring, visibility, and traceability.
IPsec VPN:
- IKEv2 profiles: Added default IKEv2 profiles (Head office (IKEv2) and Branch office (IKEv2)) for site-to-site IPsec connections to deliver improved tunnels between the head office and branch offices. This eliminates the manual fine-tuning required for the existing default head office and branch office profiles, such as rekey interval, dead peer detection (DPD) selection, and key negotiation retries. This helps in eliminating rekey collisions and DPD-related issues.
- Tunnel flapping: Changed the defaults to prevent non-TCP (example: VoIP, RDP, Skype, Zoom, UDP) connections from flapping when the IPsec tunnel is established or goes down. The new default settings are as follows:
  - vpn conn-remove-tunnel-up: Disabled
  - vpn conn-remove-on-failover: Enabled
RED
Supports multiple DHCP servers for RED interfaces.
Licensing
Sophos Firewall offers three free firmware upgrades. A valid support subscription is mandatory for firmware upgrades after the three free upgrades. Free upgrades don't include trial licenses, home use licenses, and firmware upgrades from the installation wizard. See the Sophos Firewall help.
SD-WAN
Added rule-ID and index column to the SD-WAN profile list for easier troubleshooting.
Synchronized Security
Improved firewall management experience from Sophos Central in environments with thousands of endpoint certificates, which are used for Synchronized Security Heartbeat. You can download a maximum of 10,000 certificates at a time. The limit also applies to endpoint certificate download during registration.
Enhancements
The version includes the following enhancements:
Malware engine: Upgrade of malware scan engines and associated components to a full 64-bit operation to ensure optimum performance and future support.
- Avira: The vendor of the second malware scan engine, Avira, won't provide detection updates in the current 32-bit form after December 31, 2022.
- We recommend that customers using dual scan mode or Avira as the primary engine upgrade to 19.0 MR1 or 18.5 MR5 (future release) at the earliest. Avira has been upgraded to the latest 64-bit AVD engine on the firewall.
- If you can't upgrade, we recommend switching to just the Sophos engine for email and web malware scanning.
- Sophos engine: Customers using only the Sophos engine aren't affected.
Sophos Assistant: Added the option to opt out of Sophos Assistant on the web admin console.
Email: Added the capability to report spam emails as false positives on the quarantine release page.
Version 19.0 GA Build 317
Released on April 21, 2022
New features
This page describes the new features introduced. For details, see the Sophos Firewall help.
SD-WAN profiles
VPN orchestrated SD-WAN network is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.
We now offer Xstream SD-WAN on the firewall:
- Xstream SD-WAN profiles support routing strategies for multiple WAN links, including VDSL, DSL, cable, LTE/cellular, and MPLS. You can configure more than two gateways and specify a routing strategy based on the first available link or performance criteria.
- Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss. SLAs can be based on best performance or custom SLA values. You can use multiple probe targets to perform a health check.
- Zero-impact rerouting maintains application sessions when link performance falls below the thresholds and transitions sessions to a better performing WAN link.
- SD-WAN monitoring graphs on Diagnostics > SD-WAN performance provide real-time insights into latency, jitter, and packet loss for all WAN links. You can select the time. You can also click the status on SD-WAN profiles to go to diagnostics.
- Logs contain SD-WAN routing information. A new SD-WAN log module allows you to focus on log entries specific to SD-WAN routing and health. Log entries include SD-WAN rule ID and name for route request and reply directions.
Xstream FastPath acceleration
IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor's hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.
Xstream FastPath acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, Blowfish, MD5) aren't offloaded. See FastPath acceleration.
Web
- Per-connection authentication: In explicit proxy mode, web authentication can now handle multiple different users coming from the same source address. This is useful in authentication for terminal services, Windows remote desktop, or direct access systems.
- Tenant Restrictions: The O365 Tenant Restriction feature, which restricts the domains a user can sign in to by adding headers to outbound HTTPS requests, is available in web policies. This enables Microsoft Azure AD to enforce the restrictions, typically used to prevent personal accounts from accessing O365 from networks protected by Sophos Firewall.
- X-Forwarded-For header: When configured in web policies, it allows the source IP address to be passed upstream to load balancers or proxies.
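As an illustration of the header-injection mechanism the Tenant Restrictions bullet describes, here is an added example that is not Sophos Firewall code. The header names and sign-in hosts come from Microsoft's tenant restrictions documentation; the tenant names and directory ID used in the comments and test are constructed placeholders.

```python
"""Proxy-side tenant restrictions: inject the Microsoft headers on sign-in traffic.

Added example, not Sophos Firewall code. Header names and sign-in hosts are
Microsoft's documented values; tenant names and the directory ID are
constructed placeholders.
"""
from typing import Dict, Iterable, Tuple

# Azure AD sign-in endpoints on which the tenant-restriction headers are evaluated.
SIGNIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
})

TENANTS_HEADER = "Restrict-Access-To-Tenants"   # comma-separated tenant list
CONTEXT_HEADER = "Restrict-Access-Context"      # directory (tenant) ID of the restricting org


def is_signin_host(host: str) -> bool:
    """True when the request is for an Azure AD sign-in endpoint."""
    return host.strip().lower().rstrip(".") in SIGNIN_HOSTS


def apply_tenant_restrictions(
    host: str,
    headers: Dict[str, str],
    allowed_tenants: Iterable[str],
    context_tenant_id: str,
) -> Tuple[Dict[str, str], bool]:
    """Return (outbound headers, injected) for one proxied HTTPS request.

    Any client-supplied copy of the two headers is dropped first, because a
    proxy that only added them when absent would let a user pre-set the
    tenant list to a tenant of their choosing. The restriction headers are
    then set only on sign-in hosts; other traffic passes through unchanged.
    """
    # HTTP header names are case-insensitive, so compare lower-cased names.
    reserved = {TENANTS_HEADER.lower(), CONTEXT_HEADER.lower()}
    out = {k: v for k, v in headers.items() if k.lower() not in reserved}

    if not is_signin_host(host):
        return out, False

    tenants = sorted({t.strip().lower() for t in allowed_tenants if t.strip()})
    if not tenants:
        raise ValueError("at least one allowed tenant is required")
    if not context_tenant_id.strip():
        raise ValueError("a context directory ID is required")

    out[TENANTS_HEADER] = ",".join(tenants)
    out[CONTEXT_HEADER] = context_tenant_id.strip()
    return out, True


if __name__ == "__main__":
    # Constructed request: the client tries to pre-set the tenant header itself.
    client_headers = {
        "Host": "login.microsoftonline.com",
        "restrict-access-to-tenants": "personal.onmicrosoft.com",
    }
    hdrs, injected = apply_tenant_restrictions(
        "login.microsoftonline.com", client_headers,
        ["contoso.com", "Contoso.onmicrosoft.com"],
        "11111111-2222-3333-4444-555555555555",  # constructed directory ID
    )
    print(injected, hdrs)
```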
VPN
User experience
The VPN menu and user interface have been reorganized to make it more intuitive:
- Remote access and site-to-site VPN are individual left menu items.
- IPsec, SSL, and L2TP are top menu items with links on the pages to IPsec profiles, client download, and logs for easy access to the corresponding settings.
- IPsec policies have been renamed IPsec profiles. They're now under System > Profiles.
- The new assistant for remote access SSL VPN streamlines and enables easy configuration.
- Clientless policies, bookmarks, and bookmark groups have been consolidated under Clientless SSL VPN policy.
- Amazon VPC is available on site-to-site VPN for the easy setup of Amazon Web Services VPC tunnels with the option to import the VPC configuration file or AWS security credentials.
Feature enhancements
Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:
- Added the ability to configure custom rekey time to prevent MFA prompts every four hours.
- Added the option to increase idle time-out from 10 minutes to 6 hours.
Route-Based VPN (RBVPN)
- Added support for static multicast routes.
- You can specify traffic selectors for route-based VPNs with automatic configuration of the XFRM interface and route management for the selected hosts. Only traffic matching the configured pairs of local and remote addresses enters the tunnel.
GCM and Suite-B cipher suite support for IPsec
- AES-GCM for IPsec significantly improves IPsec VPN performance.
SSL VPN
- Upgraded OpenVPN and OpenSSL.
- Default TLS 1.3 support on SSL VPN tunnels.
- AES-NI path-enabled.
- GCM encryption support.
Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.
This results in a behavior change that enforces only the default SSL VPN lease ranges for remote access SSL VPN connections. If you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule to allow remote access SSL VPN connections, traffic may not flow through the connections after you migrate to version 19.0.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.
- The legacy SSL VPN client reached end-of-life on January 31, 2022. It doesn't appear for download on the user portal any longer. Users can download the Sophos Connect client instead. See End-of-Life for Sophos SSL VPN client.
VPN logging
VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.
AWS VPC
The new feature enables you to connect your on-premises firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.
Other enhancements
- DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.
- Global IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn IPS on or off. The switch is automatically set when you migrate to 19.0 based on your previous configuration. For example, if you've been using IPS, it's set to On.
- Multi-factor authentication: Added the option to require MFA with a one-time password to sign in to the web admin console for the default admin account. This improves security, workflow, and usability.
- Authentication: Improved authentication performance that eases high-load situations with thousands of users.
- Synchronized Security: An update to Lateral Movement Protection to guard against the use of spoofed MAC addresses that disrupt legitimate traffic.
- Zero-day protection: An additional data center location for cloud-based machine learning file analysis is available for the Asia-Pacific region in Sydney, Australia. This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
- Anti-spam engine: For anti-spam scanning, Email Protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
- Log suppression: Repetitive firewall logs within a module are shown in a single event with a count of the repetition. This improves troubleshooting and optimizes logging scalability and storage efficiency.
User experience
- Device and management identity: The device hostname is now shown in the browser tab and the active user ID in the upper right corner of the web admin console. This makes managing multiple firewalls and administrator accounts easier.
- Search functionality:
  - Global search: A new intelligent search box with auto-completion shows up above the main menu and allows you to find any page or feature in the firewall.
  - Object search: You can search for a network object or service for inclusion in rules and policies. It includes a free-text search option that allows you to search by label or value, enhancing the user experience.
- Flow monitor: Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.
Resolved issues
Version 19.0 MR3 Build 517
Issue ID | Component | Description |
---|---|---|
NC-116519 | DDNS | DDNS logs appear every five minutes. |
NC-116312 | CM | Garner thread stuck in Central Management plugin. |
NC-114652 | Logging Framework | Files not sent to Sophos Central. |
NC-114586 | WAF | Unable to restore backup taken in Sophos Central. |
NC-114092 | Wireless | Wireless APX stopped working. No traffic flow for Wi-Fi clients after 19.5 GA upgrade. |
NC-109201 | Firewall | Device goes into failsafe mode after upgrading firmware to 19.0.1. Unable to apply firewall framework. |
NC-107708 | Firewall | Firewall automatically restarts. |
NC-102979 | Backup-Restore | Backup-restore doesn't take place from XG 310 to XG 230. |
Version 19.0 MR2 Build 472
Issue ID | Component | Description |
---|---|---|
NC-112368 | Core Utils IPsec | cacert is missing in .scx file. |
NC-111476 | FQDN | Subdomain learning isn't working in case of non-SFOS DNS server set for client. |
NC-111110 | SDWAN Routing | Import-export doesn't reflect changes in SD-WAN PBR profiles. |
NC-111023 | | Legacy email mode is crashing very frequently. |
NC-110927 | Authentication | Missing MFA enable and disable event logs. |
NC-110026 | XGS-BSP | HA cluster fails even after hardware replacement. |
NC-109626 | HA | Standalone device restarts. msync: too many open files. |
NC-109562 | WAF | Unable to modify or update the WAF protection policy after selecting it for WAF rule. |
NC-109245 | WAF | Can't skip CRS rules in application attacks group with exceptions. |
NC-108562 | Core Utils | Public key authentication for admin can't be managed through Sophos Central. |
NC-108536 | Firewall | Firewall rules stopped working after backup-restore due to failure in XML API while creating firewall rule. |
NC-108533 | API Framework, UI Framework | Need to hook frontend validations for multipart requests. |
NC-108354 | Wireless | LocalWiFi mac80211 vulnerabilities. |
NC-108318 | | Unable to click a few settings under Email > General settings after updating firmware to version 19. |
NC-108237 | | Spam emails are let through with the error "spam scanning failed". |
NC-108213 | API Framework, UI Framework | Post-auth code injection (CVE-2022-3696). |
NC-108211 | Interface Management | Multiple post-auth read-only SQLi vulnerabilities in InterfaceHelper.java (objStr). |
NC-108115 | Web | Custom category name stored XSS in URL category lookup. |
NC-108003 | NFP-Firewall | Memory utilization increases until the firewall stops responding. |
NC-107999 | IPS Ruleset Management | HA cluster configuration fails. |
NC-107982 | Authentication | Exposing password in setup wizard. |
NC-107975 | Logging Framework | Logging stopped on the device with an error showing that the database disk image is malformed. |
NC-107945 | Wireless | APX 530 becomes inactive after HA failover. |
NC-107943 | Firewall | XG 135 crashed and needed RCA to prevent the issue in future. |
NC-107603 | SDWAN Routing | Stored XSS in SD-WAN performance graphs. |
NC-107481 | Authentication | Log viewer isn't showing source IP field information for authenticated SSL VPN users. |
NC-107453 | WAF | WAF rules not working. |
NC-107327 | WAF | Upgrade ModSecurity and OWASP CRS to the latest version. |
NC-107325 | VFP-Firewall | Firewall becomes inaccessible. |
NC-107283 | | AwarrenSMTP service dead. |
NC-107239 | L2TP | Unable to connect to L2TP after upgrade. |
NC-107145 | Hotspot | For hotspot vouchers in the user portal, under Manage, the delete icon isn't intuitive. |
NC-106907 | Hotspot | WLAN voucher not showing correctly. |
NC-106834 | IPS-DAQ-NSE | Connection untrusted when browsing some sites. |
NC-106811 | | Unable to start anti-spam service. |
NC-106783 | | Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain. |
NC-106738 | Hotspot | Sort functionality doesn't work properly in the user portal for hotspot vouchers. |
NC-106608 | IPsec | Duplicate SAs being created. |
NC-106424 | API Framework, UI Framework | Pre-auth code injection (CVE-2022-3236). |
NC-104844 | Web | Zero-day protection report shows license warning incorrectly. |
NC-103733 | IPsec | BGP service keeps restarting, affecting the Amazon VPC connection. |
NC-103406 | Certificates | Migration fails from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365. |
NC-103037 | XGS BSP | Failsafe issue due to NPU failure. |
NC-102919 | Static Routing | Static routes lost at the backend after enabling QuickHA. |
NC-102771 | Authentication XFOS Migration | Users unable to authenticate through CAA. |
NC-102737 | SSLVPN | SSL VPN not working as sslvpn service is stuck in busy status. Site-to-site and remote access are affected. |
NC-102614 | Firewall | Bridge: Traffic not working with Fastpath for bridge with logical members after migrating to version 19. Traffic shouldn't get offloaded to Fastpath. |
NC-102558 | IPsec | The issue in NC-84750 still occurring on one site after installing the patch. |
NC-102436 | Firewall | Appliance access lost on backup-restore. Local ACL rules stopped working on backup-restore. |
NC-102308 | Firewall | Disabled load balancing NAT rules still sending out alerts for disabled NAT rule. |
NC-102257 | Firewall | Post-auth read-only SQLi through APIController (CVE-2022-3710). |
NC-101720 | XGS-BSP | Random SFP+ port flap. |
NC-101713 | Logging Framework | PG trigger entry should be present for login events even when on-box reporting is off. |
NC-101703 | CDB-CFR CM | Unable to open the web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall. |
NC-101326 | SSLVPN | OS command injection through SSL VPN configuration upload (CVE-2022-3226). |
NC-101300 | | Unable to send emails after upgrading to 18.5.4 due to failed malware scan. |
NC-101271 | Dynamic Routing (BGP) | BGP networks in SFOS web admin console show ASCII characters instead of expected networks for config-type cisco. |
NC-101046 | IPS-DAQ | Website doesn't work due to OCSP must-staple in Firefox browser. |
NC-101021 | Date/Time Zone | Time zone change allowed in Sophos Central on all HA devices. |
NC-100725 | XGS-BSP | NPU in failsafe mode after upgrading from 19.0 GA to 19.0 MR1. |
NC-100716 | FQDN | IPset sporadically not created for wildcard FQDN host. |
NC-100707 | IPsec | Wrong source IP address in IPsec routes. |
NC-100699 | IPsec | SMB transfer stops and doesn't recover with IPsec acceleration and policy-based VPN. |
NC-100623 | Hotspot | Hotspot voucher creation failed. |
NC-100418 | nSXLd | Internet down with error "nSXLd: Connection timeout while connecting to SXL server". |
NC-100334 | WAF | Virtual host not removed if firewall rule is turned off. |
NC-100325 | WAF | Update API JSON fields for encrypted WAF secrets. |
NC-100265 | Web | Expired certificates in certcache are used rather than generating new ones. |
NC-100250 | Gateway Management | RCA: Unable to change DGD settings for a specific WAN port. |
NC-100084 | Firewall | DNAT issue when multiple hosts are added. |
NC-99965 | Interface Management | SQL injections found in application. |
NC-99962 | Wireless | Adjacent code injection in Wi-Fi controller (CVE-2022-3713). |
NC-99801 | Interface Management | Unable to delete a LAG interface. |
NC-99604 | | SQLi in getSmtpQuarantineMailRecord. |
NC-99421 | | Mail issues on XG 430 (split from CPU 100%). |
NC-99247 | SSLVPN | Unable to download SSL VPN site-to-site server configuration. |
NC-99232 | Web | Changes to web proxy settings can't be saved when signed in with German language. |
NC-99152 | Logging Framework | Central reporting: Failed to initiate the mmap case when queue limit is reached with no Sophos Central connectivity. |
NC-98712 | Core Utils | XGS DT-2 r1: Containment plan to handle a production issue that causes the 10+ sec factory reset feature not to work on these units. |
NC-98576 | IPS Ruleset Management | IPS pattern doesn't update. |
NC-98574 | SSLVPN | Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up. |
NC-98573 | Firewall | Country group stored XSS in DNAT rule in version 19 GA. |
NC-98300 | | High CPU utilization due to Exim. |
NC-98296 | | Attachments getting corrupted while using SPX. |
NC-98094 | nSXLd | Unable to categorize URLs and IP addresses using external URL database. |
NC-98089 | Firewall | Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA. |
NC-97883 | Firewall | Unable to upgrade firmware or perform backup-restore from 17.5.15 to 19.0 GA: Duplicate key value violates unique constraint "tblfirewallrule_unique_name". |
NC-97753 | IPS Engine IPS Policy | Unable to Upgrade to version 19 from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table. |
NC-97743 | AppFilter Policy | Unable to export application filter policy. |
NC-97711 | NFP-Firewall | nfnetmap_queue backing up, appliance may fail. |
NC-95926 | CDB-CFR Reporting | Reports aren't being generated. |
NC-95861 | Firewall | Country blocking through firewall rule isn't working. |
NC-95633 | IPsec | Unable to connect IPsec remote access due to invalid .scx file. |
NC-95603 | | Legacy email mode is crashing every 2 minutes. |
NC-95543 | | Mail logs page stuck in loading status. |
NC-95353 | Static Routing | Static route to RED disappears in XGS (HA) after a restart. |
NC-95351 | HA | HA failover isn't working due to auto-restart of auxiliary device. |
NC-95239 | IPsec | Different gateway entry in the IPsec configurations when using DDNS. |
NC-95197 | RED | Appliance auto-restarts frequently in a day or two. |
NC-94734 | IPsec | PPPoE isn't connecting after random disconnect event if XFRM interface is created on PPPoE. |
NC-94664 | Hotspot | Post-auth read-only SQLi in user portal (CVE-2022-3711). |
NC-94661 | SSLVPN | Android and iOS users can't import SSL VPN ovpn file. |
NC-94418 | Logging Framework (Central Reporting) | Reporting and logging to Sophos Central stops randomly. |
NC-94362 | | SPX stops working after unspecified period. |
NC-94128 | NFP-Firewall | Firewall stopped responding on specific port. |
NC-93847 | WAF | Stored XSS in WAF exception through IP host. |
NC-92598 | Authentication | Stored XSS in import group wizard (CVE-2022-3709). |
NC-92282 | HA | System services page gets stuck in loading. |
NC-90794 | Authentication | Unable to import groups containing an apostrophe in their name. |
NC-90247 | IPsec | IPsec VPN failback isn't working. |
NC-90151 | Authentication | Unable to authenticate with PUSH with Azure MFA. |
NC-88628 | RED | RED UDP packets are forwarded to the auxiliary device after HA switchover. |
NC-86937 | VFP-Firewall | Memory utilization increasing gradually. |
NC-85961 | Authentication | Guest user is created on secondary appliance but not on primary appliance sometimes. |
NC-85114 | Firmware Management | 'kworker' process continuously takes high CPU on XG 450. |
NC-84924 | Core Utils | Memory utilization increases to 90 percent or above in XGS 3100 due to appcached service. |
NC-84910 | Authentication | Authentication with STAS stopped working when the appliance restarted until the access_server restarted if AD is reachable through a static route. |
NC-84750 | IPsec | Auxiliary node sporadically receives IPsec packets. |
NC-81219 | CM | HA zero downtime upgrade isn't supported if the firmware upgrade is scheduled on Sophos Central. |
NC-79378 | Web | Uploading user-defined logo in user notification settings gives error. |
NC-77804 | Firewall | Netlink: 153776 bytes leftover after parsing attributes in process `ipsetelite'. |
NC-75655 | | Arbitrary file write creates a DoS and possibly RCE vector. |
NC-75654 | | Logical error in a global SQL escape function might enable injections. |
NC-74241 | CaptivePortal | Stored XSS through captive portal customization (CVE-2022-4238). |
NC-74120 | Spoofing | Traffic through bridge will be blocked as IP_Spoof if spoof protection is enabled for the involved zone. |
Version 19.0 MR1 Build 365
Issue ID | Component | Description |
---|---|---|
NC-100971 | IPsec | Migration from 19.0 GA to 19.0 MR1 fails. |
NC-100737, NC-94019 | Wireless | Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0, and outbound traffic may experience slowness. |
NC-100681 | IPS Engine | Increase in snort memory with ATP pattern updates. |
NC-100679 | CDB-CFR, Reporting | Conf partition usage increases for the primary HA device. |
NC-81131 | Reporting | Last access time isn't generated if a user's username has an XSS payload. |
NC-94337 | Reporting | Migration failure to 19.0 GA when SSL/TLS inspection's log retention period isn't set to the default value. |
NC-94291 | Firmware Management | Small var partition created for VM image using an auxiliary disk. |
NC-94253 | Licensing | Can't upload airgap license file. Error message: "Certification verification failed. Invalid license file." |
NC-93919 | SSL VPN | SecurityHeartbeat_over_VPN is removed from SSL VPN policy after updating SSL VPN global settings. |
NC-93720 | SecurityHeartbeat | Auxiliary device isn't synchronized with the primary HA device for delay-missing-heartbeat-detection. |
NC-93689 | Up2Date Client | Cosmetic issue with SASI pattern after firmware downgrade. |
NC-93380 | | Anti-spam doesn't work after an upgrade to SFOS 18.5 MR3. |
NC-92840 | | Email isn't received and shows the error message: smtp_check_forward_reply: response arrived without any command. |
NC-92745 | DNS | Appliance restarts with kdump: stack guard page was hit. |
NC-92131 | IPS-DAQ-NSE | Unable to upload a large file with SSL/TLS inspection enabled in do-not-decrypt mode. |
NC-91300 | XGS BSP | npu_version (among other things) missing from telemeter. Large number of missing entries. |
NC-91295 | Firewall | Zones tab shows up blank after deleting a zone listed on the second page. |
NC-90839 | RED | RED interface disappears during a change to the DHCP server configuration. |
NC-90702 | | SASI detection problems when too many hits are returned. |
NC-90684 | Wireless | Multiple APX 320s don't register with XG Firewall. They don't appear on the pending list. |
NC-90566 | NFP-Firewall | Traffic doesn't traverse XGS firewall under a specific configuration. |
NC-90203 | SD-WAN Routing | SD-WAN route policy update fails. |
NC-90024 | Firewall | Backup restore and firmware migration fails when multiple local ACL rules are configured. |
NC-89996 | Logging | Issue with redirection to IPS policy from log viewer. |
NC-89162 | Firewall | Auto restart 0010:queued_spin_lock_slowpath+0x148/0x170. |
NC-89076 | Firewall, VFP-Firewall | Unable to access the website www.radix.ad.jp on the environment tagged VLAN + DPI configured. |
NC-88903 | Localization | German menu is broken. |
NC-88483 | SSL VPN | OpenVPN deferred auth vulnerability (CVE-2022-0547). |
NC-88404 | IPsec | Tunnel doesn't come up automatically after a restart of a HA appliance. |
NC-88207 | Firmware Management | Firmware update fails when space is used in filename. |
NC-87659 | Wireless | Legacy AP roaming key decryption fails when fast transition is enabled. |
NC-87596 | SSL VPN | Site-to-site and remote access SSL VPN isn't working after backup is restored. |
NC-87240 | | Avira engine error with axpx files. |
NC-86819 | Firmware Management, Licensing | AWS instance stuck while starting it. |
NC-86690 | SD-WAN Routing | SD-WAN FTP proxy traffic isn't working with transparent proxy. |
NC-86652 | SD-WAN Routing | TFTP traffic doesn't follow SD-WAN routing. |
NC-86451 | IPS-DAQ-NSE | Unable to access web server through XG Firewall. SSL/TLS inspection error: Dropped due to TLS internal error. |
NC-86093 | Firewall | Duplicate firewall rule group. |
NC-85547 | CaptivePortal | Sign-in message and sign-out option don't appear with custom captive portal. |
NC-85423 | SNMP | Kernel crash on XG 125 with SNMP high memory consumption. |
NC-85383 | IPsec | Unable to connect remote access IPsec due to invalid .scx file. |
NC-85346 | | Smarthost authentication failed in server_plain authenticator: nsgenc decryption failed. |
NC-85151 | Authentication | Firewall moved to a group on Sophos Central gets added to the group but changes to "Error needs attention". |
NC-84604 | Wireless | Unable to restore backup from SG 230 to XGS 2300 due to access point database issue. |
NC-84231 | Core Utils | Receiving a duplicate copy of the same executive schedule reports. |
NC-84146 | WAF | Warning about Subject Alternative Name (SAN) not being part of the domain. |
NC-84142 | Backup-Restore | Unable to delete VLAN interface. |
NC-83734 | Firewall | Inbound emails are dropped randomly in HA load balancing with SMTP scanning enabled. |
NC-83469 | SSL VPN | Dashboard doesn't show the remote users. |
NC-83445 | IPsec | Constant IPsec VPN flapping. Pushed through Central SD-WAN orchestration. |
NC-83419 | | Inbound emails aren't delivered when SMTP scanning is enabled. |
NC-83405 | Core Utils | Inconsistency with Security Audit Reports (SAR). |
NC-83114 | Authentication | Web authentication doesn't work in HA mode when the auxiliary node is restarting. |
NC-82972 | CSC | Appliance in active-active HA mode stopped responding. |
NC-82225 | HA | Unable to establish HA correctly on fiber ports. |
NC-81944 | IPsec | WWAN isn't connecting after a random disconnect event if XFRM interface is created on WWAN. |
NC-81939 | Firewall | The firewall isn't reflecting daylight savings time correctly. |
NC-81430 | CM and UI Framework | User portal host injection reported. |
NC-81207 | IPsec | Web admin console shows an error while updating the configuration of any VPN tunnel. |
NC-81131 | Reporting | Last access time isn't generated when a user exists with the username having XSS payload. |
NC-80305 | Certificates | Though CA isn't available on the pfx file, CA upload opcode is called. |
NC-79359 | IPsec | Using AES256GMAC can show invalid configuration in IPsec profiles. |
NC-79319 | IPsec | Clarification required on the web admin console for remote access IPsec. |
NC-79128 | IPsec | Memory increase to 90 percent over 20-25 days. |
NC-76071 | RED | XGS-2100: Interface doesn't have any IP address when backup is restored. |
NRF-517 | RED | SD-RED 60: LAN switch VLAN configuration is lost after some time. |
NRF-509 | Firmware | AP doesn't register through the RED 15w tunnel. |
Version 19.0 GA Build 317
Issue ID | Component | Description |
---|---|---|
NC-89079 | CM | fwcm-eventd agent isn't listening to the IP address availability event. |
NC-87798 | WAF | Upgraded Apache to 2.4.53+. |
NC-87665 | API Framework, UI Framework | Fixed pre-auth RCE (CVE-2022-1040). |
NC-87165 | Core Utils | Fixed OpenSSL DoS vulnerability (CVE-2022-0778). |
NC-85549 | Wireless | SFOS becomes unresponsive after a restart if time-based SSID is configured. |
NC-85412 | PPPoE | Two PPPoE links with different passwords in 18.5 MR2. |
NC-85339 | Security | Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268). |
NC-84951 | Network Utils | Fixed Diagnostics > Tools > Route lookup. |
NC-84281 | Authentication | Status column isn't visible on Authentication > Users. |
NC-84218 | Web | Can't turn on OTP for admin user whose user ID isn't 3. |
NC-84158 | Web | Sophos Central signing admin out of the firewall console when they click Add user. |
NC-84101 | UI Framework | Corrected a typo in Spanish on the Control center. |
NC-83662 | Web | Updated the number of administrator accounts unprotected by MFA shown in the alert on Authentication > Users. |
NC-83584 | WebInSnort | IPS segfault in libnsg_tcphold_preproc disconnecting live users after a limit. |
NC-83581 | Gateway Management | Corrected the typo in CLI command to session-persistence. |
NC-83470 | Firewall, VFP-Firewall | Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test. |
NC-83430 | RED | RED causing massive network traffic after upgrading to SF 18.0 MR6 or SF 18.5 MR2. |
NC-83392 | CM (Join to Cloud) | Backup isn't generated when the backup name contains []. |
NC-83366 | SDWAN Routing | Unable to turn off captcha for VPN zone for route-based VPN with SD-WAN routing. |
NC-83347 | Email, FQDN | Unable to add lx63.hoststar.hosting to email server under notification settings. |
NC-83177 | IPS Ruleset Management | Unable to turn IPS switch on or off in 18.5 MR2. |
NC-83065 | IPsec | Ping: sendto: operation not permitted when upgraded from 18.0 MR3 to later firmware on directly connected network. |
NC-82566 | Firewall | Kernel crash after update to 18.5 MR2. |
NC-82332 | Firewall | Kernel panic because kernel NULL pointer ip_route_me_harder wasn't handled. |
NC-82215 | Firewall | Device freeze issue. |
NC-81974 | IPS-DAQ | Snort soft lockup and device restart. |
NC-81956 | WebInSnort | HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold. |
NC-81768 | Backup-Restore | Couldn't restore backup because of duplicated key. |
NC-81517 | Firewall | Policy test for firewall not showing correct results. |
NC-81069 | | Import fails for the entity MtaBlockedSenders. |
NC-80660 | DHCP | DHCP IP lease issue. |
NC-79468 | Authentication | Outdated users shown in Live Users. |
NC-79417 | Web | SSL/TLS rules can't be seen on the web admin console. |
NC-78563 | WAF | WAF not redirecting page to proper domain when there are multiple domains listed in the WAF rule. |
NC-74847 | Web | Snort crashing with a segfault due to a blank conf file. |
NC-74228 | | Can't show quarantine due to \x1E? in the subject. |
NC-73975 | Firewall | FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2. |
NC-71761 | Security | Resolved multiple XSS vulnerabilities (CVE-2021-25267). |
NC-71379 | | MTA doesn't provide the full certificate chain. |
NC-69997 | | Notification test mail has wrong encoded subject when web admin console's language is set to Traditional Chinese or Simplified Chinese. |
NC-66163 | | Report received with garbled characters. |
NC-51929 | DDNS | DDNS doesn't apply to some generic top-level domains. |
Known issues
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
Upgrading firmware and restoring backups
Upgrading firmware
Information about 19.0.x is as follows:
- The versions are available on all form factors.
- The versions aren't FIPS-compliant.
Important changes to consider before you migrate to 19.0.x
Remote access SSL VPN IP lease range: After you upgrade from 18.5 and earlier to 19.0 and later versions, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.
Versions you can upgrade from
We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
See how to upgrade.
Firewalls on 19.0 MR1 build 350 can migrate to 19.0 MR1 build 365.
Upgrade to 19.0 (all form factors):
Upgrade from | MR3 Build 517 | MR2 Build 472 | MR1 Build 365 | GA Build 317 |
---|---|---|---|---|
19.0 MR2 Build 472 | | | | |
19.0 MR1 Build 350 and 365 | | | | |
19.0 GA | | | | |
18.5 MR5 | | | | |
18.5 MR4 | | | | |
18.5 GA to MR3 | | | | |
18.0 MR3 and later | | | | |
17.5 MR14 and later | | | | |
You can downgrade only to compatible versions. You can't downgrade from 19.0 and later to 17.5 and earlier. However, you can roll back to any previous version.
Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.
Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to 19.0.x versions only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.0 doesn't support appliance certificates with this algorithm.)
Restoring backups
You can restore backups from any earlier version to 19.0 GA and later versions.
To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.
Supported platforms
Version 19.0
Sophos Firewall OS 19.0.x versions are available on all form factors as follows:
- XGS Series firewalls
- XG Series firewalls
- SG Series firewalls
- Virtual and software appliances
- Cloud platforms
For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.
Minimum RAM
19.0.x versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:
- XG 85, XG 85w, XG 105, and XG 105w
- SG 105, SG 105w
Supported firmware versions
19.0.x versions support the following firmware versions:
- Wi-Fi firmware 11.0.021 and earlier
- RED firmware 3.0.009 and earlier
- Sophos Connect 2.3 MR-1 and earlier
Support
You can find technical support for Sophos products in the following ways:
- To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
- Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
- Visit Sophos Support.
Legal notices
Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.