Sophos Firewall release notes (2024)

Version 19.0 MR3 Build 517

Released on June 29, 2023

This maintenance release resolves some issues. To see these, go to Resolved issues.

For other details, see the Sophos Firewall help.

Version 19.0 MR2 Build 472

Released on January 23, 2023

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

  • Bulk mail in MTA mode: Enhanced the spam catch rate with SASI. The firewall now offers bulk mail settings in MTA mode.
  • Xstream SD-WAN enhancements:
    • You can configure 4 times the existing number of SD-WAN profiles, supporting scaled deployments.
    • Improved gateway management. You can filter gateways based on their status, IP address, interface, and health check.
    • Search SD-WAN profiles by their names on Diagnostics > SD-WAN performance.
  • RED unlock code: The RED provisioning server sends the unlock code to the email address specified on System services > RED when you add a RED device or delete it from the firewall. See the knowledgebase article Pop-up message and email for the RED unlock code.
  • Zero-day protection: Intelix can now request submission of samples above the previous built-in limit of 10 MB.
  • IPsec VPN:
    • Improved security heartbeat selection in remote access IPsec VPN.
    • Support for turning off anti-replay protection in IPsec VPN for specific cases.

Version 19.0 MR1 Build 365

Released on August 16, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

VPN

SSL VPN: Introduced static IP address lease for remote access SSL VPN users on the firewall and from an external RADIUS server. Sophos Firewall now maps remote access SSL VPN users to static IP addresses, improving user monitoring and visibility and making it easier to trace users.

IPsec VPN:

  • IKEv2 profiles: Added default IKEv2 profiles (Head office (IKEv2) and Branch office (IKEv2)) for site-to-site IPsec connections to deliver improved tunnels between the head office and branch offices. This eliminates the manual fine-tuning required for the existing default head office and branch office profiles, such as rekey interval, dead peer detection (DPD) selection, and key negotiation retries. This helps in eliminating rekey collisions and DPD-related issues.
  • Tunnel flapping: Changed the defaults to prevent non-TCP connections (for example, VoIP, RDP, Skype, Zoom, UDP) from flapping when the IPsec tunnel is established or goes down. The new default settings are as follows:
    • vpn conn-remove-tunnel-up: Disabled
    • vpn conn-remove-on-failover: Enabled
    The change only applies to new configurations and doesn't impact existing configurations after a firmware upgrade or migration.

RED

Supports multiple DHCP servers for RED interfaces.

Licensing

Sophos Firewall offers three free firmware upgrades. A valid support subscription is mandatory for firmware upgrades after the three free upgrades. Free upgrades don't include trial licenses, home use licenses, and firmware upgrades from the installation wizard. See the Sophos Firewall help.

SD-WAN

Added rule ID and index columns to the SD-WAN profile list for easier troubleshooting.

Enhancements

The version includes the following enhancements:

Malware engine: Upgraded the malware scan engines and associated components to full 64-bit operation to ensure optimum performance and future support.

  • Avira: The vendor of the second malware scan engine, Avira, won't provide detection updates in the current 32-bit form after December 31, 2022.
    • We recommend that customers using dual scan mode or Avira as the primary engine upgrade to 19.0 MR1 or 18.5 MR5 (future release) as soon as possible. Avira has been upgraded to the latest 64-bit AVD engine on the firewall.
    • If you can't upgrade, we recommend switching to just the Sophos engine for email and web malware scanning.
  • Sophos engine: Customers using only the Sophos engine aren't affected.

Sophos Assistant: Added the option to opt out of Sophos Assistant on the web admin console.

Email: Added the capability to report spam emails as false positives on the quarantine release page.

Version 19.0 GA Build 317

Released on April 21, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

SD-WAN profiles

VPN-orchestrated SD-WAN networking is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.

We now offer Xstream SD-WAN on the firewall:

  • Xstream SD-WAN profiles support routing strategies for multiple WAN links, including VDSL, DSL, cable, LTE/cellular, and MPLS. You can configure more than two gateways and specify a routing strategy based on the first available link or performance criteria.
  • Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss. SLAs can be based on best performance or custom SLA values. You can use multiple probe targets to perform a health check.
  • Zero-impact rerouting maintains application sessions when link performance falls below the thresholds and transitions sessions to a better performing WAN link.
  • SD-WAN monitoring graphs on Diagnostics > SD-WAN performance provide real-time insights into latency, jitter, and packet loss for all WAN links. You can select the time. You can also click the status on SD-WAN profiles to go to diagnostics.
  • Logs contain SD-WAN routing information. A new SD-WAN log module allows you to focus on log entries specific to SD-WAN routing and health. Log entries include SD-WAN rule ID and name for route request and reply directions.

Xstream FastPath acceleration

IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor's hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.

Xstream FastPath Acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, BlowFish, MD5) aren't offloaded. See FastPath acceleration.

Web

  • Per-connection authentication: In explicit proxy mode, web authentication can now handle multiple different users coming from the same source address. This is useful in authentication for terminal services, Windows remote desktop, or direct access systems.
  • Tenant Restrictions: The Tenant Restriction feature of O365, which restricts the domains a user can sign in to by adding headers to outbound HTTPS requests, is available in web policies. This enables Microsoft Azure AD to enforce restrictions, typically used to restrict personal accounts from accessing O365 from Sophos Firewall protected networks.
  • X-Forwarded-For header: When configured in web policies, this header allows the source IP address to be passed upstream to load balancers or proxies.

VPN

User experience

The VPN menu and user interface have been reorganized to make them more intuitive:

  • Remote access and site-to-site VPN are individual left menu items.
  • IPsec, SSL, and L2TP are top menu items with links on the pages to IPsec profiles, client download, and logs for easy access to the corresponding settings.
  • IPsec policies have been renamed IPsec profiles. They're now under System > Profiles.
  • The new assistant for remote access SSL VPN streamlines configuration.
  • Clientless policies, bookmarks, and bookmark groups have been consolidated under Clientless SSL VPN policy.
  • Amazon VPC is available on site-to-site VPN for the easy setup of Amazon Web Services VPC tunnels with the option to import the VPC configuration file or AWS security credentials.

Feature enhancements

Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:

  • Added the ability to configure custom rekey time to prevent MFA prompts every four hours.
  • Added the option to increase idle time-out from 10 minutes to 6 hours.

Route-Based VPN (RBVPN)

  • Added support for static multicast routes.
  • You can specify traffic selectors for route-based VPNs with automatic configuration of the XFRM interface and route management for the selected hosts. Only traffic matching the configured pairs of local and remote addresses enters the tunnel.

GCM and Suite-B cipher suite support for IPsec

  • AES-GCM for IPsec significantly improves IPsec VPN performance.

SSL VPN

  • Upgraded OpenVPN and OpenSSL.
  • Default TLS 1.3 support on SSL VPN tunnels.
  • AES-NI path-enabled.
  • GCM encryption support.
  • Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.

    This results in a behavior change that enforces only the default SSL VPN lease ranges for remote access SSL VPN connections. If you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule to allow remote access SSL VPN connections, traffic may not flow through the connections after you migrate to version 19.0.

    Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.

  • The legacy SSL VPN client reached end-of-life on January 31, 2022. It doesn't appear for download on the user portal any longer. Users can download the Sophos Connect client instead. See End-of-Life for Sophos SSL VPN client.

VPN logging

VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.

AWS VPC

The new feature enables you to connect your on-premise firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.

Other enhancements

  • DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.
  • Global IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn IPS on or off. The switch is automatically set when you migrate to 19.0 based on your previous configuration. For example, if you've been using IPS, it's set to On.
  • Multi-factor authentication: Added the option to require MFA with a one-time password to sign in to the web admin console for the default admin account. This improves security, workflow, and usability.
  • Authentication: Improved authentication performance that eases high-load situations with thousands of users.
  • Synchronized Security: An update to Lateral Movement Protection to guard against the use of spoofed MAC addresses that disrupt legitimate traffic.
  • Zero-day protection: An additional data center location for cloud-based machine learning file analysis is available for the Asia-Pacific region in Sydney, Australia. This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
  • Anti-spam engine: For anti-spam scanning, Email Protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
  • Log suppression: Repetitive firewall logs within a module are shown in a single event with a count of the repetition. This improves troubleshooting and optimizes logging scalability and storage efficiency.

User experience

  • Device and management identity: The device hostname is now shown in the browser tab and the active user ID in the upper right corner of the web admin console. This makes managing multiple firewalls and administrator accounts easier.
  • Search functionality:
    • Global search: A new intelligent search box with auto-completion shows up above the main menu and allows you to find any page or feature in the firewall.
    • Object search: You can search for a network object or service for inclusion in rules and policies. It includes a free-text search option that allows you to search by label or value, enhancing the user experience.
  • Flow monitor: Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.

Resolved issues

Version 19.0 MR3 Build 517

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID Component Description
NC-116519 DDNS DDNS logs appear every five minutes.
NC-116312 CM Garner thread stuck in Central Management plugin.
NC-114652 Logging Framework Files not sent to Sophos Central.
NC-114586 WAF Unable to restore backup taken in Sophos Central.
NC-114092 Wireless Wireless APX stopped working. No traffic flow for Wi-Fi clients after 19.5 GA upgrade.
NC-109201 Firewall Device goes into failsafe mode after upgrading firmware to 19.0.1. Unable to apply firewall framework.
NC-107708 Firewall Firewall automatically restarts.
NC-102979 Backup-Restore Backup-restore doesn't take place from XG 310 to XG 230.

Version 19.0 MR2 Build 472

Issue ID Component Description
NC-112368 Core Utils IPsec cacert is missing in .scx file.
NC-111476 FQDN Subdomain learning isn't working in case of non-SFOS DNS server set for client.
NC-111110 SDWAN Routing Import-export doesn't reflect changes in SD-WAN PBR profiles.
NC-111023 Email Legacy email mode is crashing very frequently.
NC-110927 Authentication Missing MFA enable and disable event logs.
NC-110026 XGS-BSP HA cluster fails even after hardware replacement.
NC-109626 HA Standalone device restarts. msync: too many open files.
NC-109562 WAF Unable to modify or update the WAF protection policy after selecting it for WAF rule.
NC-109245 WAF Can't skip CRS rules in application attacks group with exceptions.
NC-108562 Core Utils Public key authentication for admin can't be managed through Sophos Central.
NC-108536 Firewall Firewall rules stopped working after backup-restore due to failure in XML API while creating firewall rule.
NC-108533 API Framework, UI Framework Need to hook frontend validations for multipart requests.
NC-108354 Wireless LocalWiFi mac80211 vulnerabilities.
NC-108318 Email Unable to click a few settings under Email > General settings after updating firmware to version 19.
NC-108237 Email Spam emails are let through with the error "spam scanning failed".
NC-108213 API Framework, UI Framework Post-auth code injection (CVE-2022-3696).
NC-108211 Interface Management Multiple post-auth read-only SQLi vulnerabilities in InterfaceHelper.java (objStr).
NC-108115 Web Custom category name stored XSS in URL category lookup.
NC-108003 NFP-Firewall Memory utilization increases until the firewall stops responding.
NC-107999 IPS Ruleset Management HA cluster configuration fails.
NC-107982 Authentication Exposing password in setup wizard.
NC-107975 Logging Framework Logging stopped on the device with an error showing that the database disk image is malformed.
NC-107945 Wireless APX 530 becomes inactive after HA failover.
NC-107943 Firewall XG 135 crashed and needed RCA to prevent the issue in future.
NC-107603 SDWAN Routing Stored XSS in SD-WAN performance graphs.
NC-107481 Authentication Log viewer isn't showing source IP field information for authenticated SSL VPN users.
NC-107453 WAF WAF rules not working.
NC-107327 WAF Upgrade ModSecurity and OWASP CRS to the latest version.
NC-107325 VFP-Firewall Firewall becomes inaccessible.
NC-107283 Email AwarrenSMTP service dead.
NC-107239 L2TP Unable to connect to L2TP after upgrade.
NC-107145 Hotspot For hotspot vouchers in the user portal, under Manage, the delete icon isn't intuitive.
NC-106907 Hotspot WLAN voucher not showing correctly.
NC-106834 IPS-DAQ-NSE Connection untrusted when browsing some sites.
NC-106811 Email Unable to start anti-spam service.
NC-106783 Email Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain.
NC-106738 Hotspot Sort functionality doesn't work properly in the user portal for hotspot vouchers.
NC-106608 IPsec Duplicate SAs being created.
NC-106424 API Framework, UI Framework Pre-auth code injection (CVE-2022-3236).
NC-104844 Web Zero-day protection report shows license warning incorrectly.
NC-103733 IPsec BGP service keeps restarting, affecting the Amazon VPC connection.
NC-103406 Certificates Migration fails from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365.
NC-103037 XGS BSP Failsafe issue due to NPU failure.
NC-102919 Static Routing Static routes lost at the backend after enabling QuickHA.
NC-102771 Authentication XFOS Migration Users unable to authenticate through CAA.
NC-102737 SSLVPN SSL VPN not working as sslvpn service is stuck in busy status. Site-to-site and remote access are affected.
NC-102614 Firewall Bridge: Traffic not working with Fastpath for bridge with logical members after migrating to version 19. Traffic shouldn't get offloaded to Fastpath.
NC-102558 IPsec The issue in NC-84750 still occurring on one site after installing the patch.
NC-102436 Firewall Appliance access lost on backup-restore. Local ACL rules stopped working on backup-restore.
NC-102308 Firewall Disabled load balancing NAT rules still sending out alerts for disabled NAT rule.
NC-102257 Firewall Post-auth read-only SQLi through APIController (CVE-2022-3710).
NC-101720 XGS-BSP Random SFP+ port flap.
NC-101713 Logging Framework PG trigger entry should be present for login events even when on-box reporting is off.
NC-101703 CDB-CFR CM Unable to open the web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall.
NC-101326 SSLVPN OS command injection through SSL VPN configuration upload (CVE-2022-3226).
NC-101300 Email Unable to send emails after upgrading to 18.5.4 due to failed malware scan.
NC-101271 Dynamic Routing (BGP) BGP networks in SFOS web admin console show ASCII characters instead of expected networks for config-type cisco.
NC-101046 IPS-DAQ Website doesn't work due to OCSP must-staple in Firefox browser.
NC-101021 Date/Time Zone Time zone change allowed in Sophos Central on all HA devices.
NC-100725 XGS-BSP NPU in failsafe mode after upgrading from 19.0 GA to 19.0 MR1.
NC-100716 FQDN IPset sporadically not created for wildcard FQDN host.
NC-100707 IPsec Wrong source IP address in IPsec routes.
NC-100699 IPsec SMB transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.
NC-100623 Hotspot Hotspot voucher creation failed.
NC-100418 nSXLd Internet down with error "nSXLd: Connection timeout while connecting to SXL server".
NC-100334 WAF Virtual host not removed if firewall rule is turned off.
NC-100325 WAF Update API JSON fields for encrypted WAF secrets.
NC-100265 Web Expired certificates in certcache are used rather than generating new ones.
NC-100250 Gateway Management RCA: Unable to change DGD settings for a specific WAN port.
NC-100084 Firewall DNAT issue when multiple hosts are added.
NC-99965 Interface Management SQL injections found in application.
NC-99962 Wireless Adjacent code injection in Wi-Fi controller (CVE-2022-3713).
NC-99801 Interface Management Unable to delete a LAG interface.
NC-99604 Email SQLi in getSmtpQuarantineMailRecord.
NC-99421 Email Mail issues on XG 430 (split from CPU 100%).
NC-99247 SSLVPN Unable to download SSL VPN site-to-site server configuration.
NC-99232 Web Changes to web proxy settings can't be saved when signed in with German language.
NC-99152 Logging Framework Central reporting: Failed to initiate the mmap case when queue limit is reached with no Sophos Central connectivity.
NC-98712 Core Utils XGS DT-2 r1: Containment plan to handle production issue causing 10+ sec factory reset feature doesn't work on these units.
NC-98576 IPS Ruleset Management IPS pattern doesn't update.
NC-98574 SSLVPN Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up.
NC-98573 Firewall Country group stored XSS in DNAT rule in version 19 GA.
NC-98300 Email High CPU utilization due to Exim.
NC-98296 Email Attachments getting corrupted while using SPX.
NC-98094 nSXLd Unable to categorize URLs and IP addresses using external URL database.
NC-98089 Firewall Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA.
NC-97883 Firewall Unable to upgrade firmware or perform backup-restore from 17.5.15 to 19.0 GA: Duplicate key value violates unique constraint "tblfirewallrule_unique_name".
NC-97753 IPS Engine IPS Policy Unable to Upgrade to version 19 from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table.
NC-97743 AppFilter Policy Unable to export application filter policy.
NC-97711 NFP-Firewall nfnetmap_queue backing up, appliance may fail.
NC-95926 CDB-CFR Reporting Reports aren't being generated.
NC-95861 Firewall Country blocking through firewall rule isn't working.
NC-95633 IPsec Unable to connect IPsec remote access due to invalid .scx file.
NC-95603 Email Legacy email mode is crashing every 2 minutes.
NC-95543 Email Mail logs page stuck in loading status.
NC-95353 Static Routing Static route to RED disappears in XGS (HA) after a restart.
NC-95351 HA HA failover isn't working due to auto-restart of auxiliary device.
NC-95239 IPsec Different gateway entry in the IPsec configurations when using DDNS.
NC-95197 RED Appliance auto-restarts frequently in a day or two.
NC-94734 IPsec PPPoE isn't connecting after random disconnect event if XFRM interface is created on PPPoE.
NC-94664 Hotspot Post-auth read-only SQLi in user portal (CVE-2022-3711).
NC-94661 SSLVPN Android and iOS users can't import SSL VPN ovpn file.
NC-94418 Logging Framework (Central Reporting) Reporting and logging to Sophos Central stops randomly.
NC-94362 Email SPX stops working after unspecified period.
NC-94128 NFP-Firewall Firewall stopped responding on specific port.
NC-93847 WAF Stored XSS in WAF exception through IP host.
NC-92598 Authentication Stored XSS in import group wizard (CVE-2022-3709).
NC-92282 HA System services page gets stuck in loading.
NC-90794 Authentication Unable to import groups containing an apostrophe in their name.
NC-90247 IPsec IPsec VPN failback isn't working.
NC-90151 Authentication Unable to authenticate with PUSH with Azure MFA.
NC-88628 RED RED UDP packets are forwarded to the auxiliary device after HA switchover.
NC-86937 VFP-Firewall Memory utilization increasing gradually.
NC-85961 Authentication Guest user is created on secondary appliance but not on primary appliance sometimes.
NC-85114 Firmware Management 'kworker' process continuously takes high CPU on XG 450.
NC-84924 Core Utils Memory utilization increases to 90 percent or above in XGS 3100 due to appcached service.
NC-84910 Authentication Authentication with STAS stopped working when the appliance restarted until the access_server restarted if AD is reachable through a static route.
NC-84750 IPsec Auxiliary node sporadically receives IPsec packets.
NC-81219 CM HA zero downtime upgrade isn't supported if the firmware upgrade is scheduled on Sophos Central.
NC-79378 Web Uploading user-defined logo in user notification settings gives error.
NC-77804 Firewall Netlink: 153776 bytes leftover after parsing attributes in process `ipsetelite'.
NC-75655 Email Arbitrary file write creates a DoS and possibly RCE vector.
NC-75654 Email Logical error in a global SQL escape function might enable injections.
NC-74241 CaptivePortal Stored XSS through captive portal customization (CVE-2022-4238).
NC-74120 Spoofing Traffic through bridge will be blocked as IP_Spoof if spoof protection is enabled for the involved zone.

Version 19.0 MR1 Build 365

Issue ID Component Description
NC-100971 IPsec Migration from 19.0 GA to 19.0 MR1 fails.
NC-100737, NC-94019 Wireless Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0, and outbound traffic may experience slowness.
NC-100681 IPS Engine Increase in snort memory with ATP pattern updates.
NC-100679 CDB-CFR, Reporting Conf partition usage increases for the primary HA device.
NC-81131 Reporting Last access time isn't generated if a user's username has an XSS payload.
NC-94337 Reporting Migration failure to 19.0 GA when SSL/TLS inspection's log retention period isn't set to the default value.
NC-94291 Firmware Management Small var partition created for VM image using an auxiliary disk.
NC-94253 Licensing Can't upload airgap license file. Error message: "Certification verification failed. Invalid license file."
NC-93919 SSL VPN SecurityHeartbeat_over_VPN is removed from SSL VPN policy after updating SSL VPN global settings.
NC-93720 SecurityHeartbeat Auxiliary device isn't synchronized with the primary HA device for delay-missing-heartbeat-detection.
NC-93689 Up2Date Client Cosmetic issue with SASI pattern after firmware downgrade.
NC-93380 Email Anti-spam doesn't work after an upgrade to SFOS 18.5 MR3.
NC-92840 Email Email isn't received and shows the error message: smtp_check_forward_reply: response arrived without any command.
NC-92745 DNS Appliance restarts with kdump: stack guard page was hit.
NC-92131 IPS-DAQ-NSE Unable to upload a large file with SSL/TLS inspection enabled in do-not-decrypt mode.
NC-91300 XGS BSP npu_version (among other things) missing from telemeter. Large number of missing entries.
NC-91295 Firewall Zones tab shows up blank after deleting a zone listed on the second page.
NC-90839 RED RED interface disappears during a change to the DHCP server configuration.
NC-90702 Email SASI detection problems when too many hits are returned.
NC-90684 Wireless Multiple APX 320s don't register with XG Firewall. They don't appear on the pending list.
NC-90566 NFP-Firewall Traffic doesn't traverse XGS firewall under a specific configuration.
NC-90203 SD-WAN Routing SD-WAN route policy update fails.
NC-90024 Firewall Backup restore and firmware migration fails when multiple local ACL rules are configured.
NC-89996 Logging Issue with redirection to IPS policy from log viewer.
NC-89162 Firewall Auto restart 0010:queued_spin_lock_slowpath+0x148/0x170.
NC-89076 Firewall, VFP-Firewall Unable to access the website www.radix.ad.jp on the environment tagged VLAN + DPI configured.
NC-88903 Localization German menu is broken.
NC-88483 SSL VPN CVE-2022-0547: OpenVPN deferred auth vulnerability.
NC-88404 IPsec Tunnel doesn't come up automatically after a restart of a HA appliance.
NC-88207 Firmware Management Firmware update fails when space is used in filename.
NC-87659 Wireless Legacy AP roaming key decryption fails when fast transition is enabled.
NC-87596 SSL VPN Site-to-site and remote access SSL VPN isn't working after backup is restored.
NC-87240 Email Avira engine error with axpx files.
NC-86819 Firmware Management, Licensing AWS instance stuck while starting it.
NC-86690 SD-WAN Routing SD-WAN FTP proxy traffic isn't working with transparent proxy.
NC-86652 SD-WAN Routing TFTP traffic doesn't follow SD-WAN routing.
NC-86451 IPS-DAQ-NSE Unable to access web server through XG Firewall. SSL/TLS inspection error: Dropped due to TLS internal error.
NC-86093 Firewall Duplicate firewall rule group.
NC-85547 CaptivePortal Sign-in message and sign-out option don't appear with custom captive portal.
NC-85423 SNMP Kernel crash on XG 125 with SNMP high memory consumption.
NC-85383 IPsec Unable to connect remote access IPsec due to invalid .scx file.
NC-85346 Email Smarthost authentication failed in server_plain authenticator: nsgenc decryption failed.
NC-85151 Authentication Firewall moved to a group on Sophos Central gets added to the group but changes to "Error needs attention".
NC-84604 Wireless Unable to restore backup from SG 230 to XGS 2300 due to access point database issue.
NC-84231 Core Utils Receiving a duplicate copy of the same executive schedule reports.
NC-84146 WAF Warning about Subject Alternative Name (SAN) not being part of the domain.
NC-84142 Backup-Restore Unable to delete VLAN interface.
NC-83734 Firewall Inbound emails are dropped randomly in HA load balancing with SMTP scanning enabled.
NC-83469 SSL VPN Dashboard doesn't show the remote users.
NC-83445 IPsec Constant IPsec VPN flapping. Pushed through Central SD-WAN orchestration.
NC-83419 Email Inbound emails aren't delivered when SMTP scanning is enabled.
NC-83405 Core Utils Inconsistency with Security Audit Reports (SAR).
NC-83114 Authentication Web authentication doesn't work in HA mode when the auxiliary node is restarting.
NC-82972 CSC Appliance in active-active HA mode stopped responding.
NC-82225 HA Unable to establish HA correctly on fiber ports.
NC-81944 IPsec WWAN isn't connecting after a random disconnect event if XFRM interface is created on WWAN.
NC-81939 Firewall The firewall isn't reflecting daylight savings time correctly.
NC-81430 CM and UI Framework User portal host injection reported.
NC-81207 IPsec Web admin console shows an error while updating the configuration of any VPN tunnel.
NC-81131 Reporting Last access time isn't generated when a user exists with the username having XSS payload.
NC-80305 Certificates Though CA isn't available on the pfx file, CA upload opcode is called.
NC-79359 IPsec Using AES256GMAC can show invalid configuration in IPsec profiles.
NC-79319 IPsec Clarification required on the web admin console for remote access IPsec.
NC-79128 IPsec Memory increase to 90 percent over 20-25 days.
NC-76071 RED XGS-2100: Interface doesn't have any IP address when backup is restored.
NRF-517 RED SD-RED 60: LAN switch VLAN configuration is lost after some time.
NRF-509 Firmware AP doesn't register through the RED 15w tunnel.

Version 19.0 GA Build 317

Issue ID Component Description
NC-89079 CM fwcm-eventd agent isn't listening to the IP address availability event.
NC-87798 WAF Upgraded Apache to 2.4.53+.
NC-87665 API Framework, UI Framework Fixed pre-auth RCE (CVE-2022-1040).
NC-87165 Core Utils Fixed OpenSSL DoS vulnerability (CVE-2022-0778).
NC-85549 Wireless SFOS becomes unresponsive after a restart if time-based SSID is configured.
NC-85412 PPPoE Two PPPoE links with different passwords in 18.5 MR2.
NC-85339 Security Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268).
NC-84951 Network Utils Fixed Diagnostics > Tools > Route lookup.
NC-84281 Authentication Status column isn't visible on Authentication > Users.
NC-84218 Web Can't turn on OTP for admin user whose user ID isn't 3.
NC-84158 Web Sophos Central signing admin out of the firewall console when they click Add user.
NC-84101 UI Framework Corrected a typo in Spanish on the Control center.
NC-83662 Web Updated the number of administrator accounts unprotected by MFA shown in the alert on Authentication > Users.
NC-83584 WebInSnort IPS segfault in libnsg_tcphold_preproc disconnecting live users after a limit.
NC-83581 Gateway Management Corrected the typo in CLI command to session-persistence.
NC-83470 Firewall, VFP-Firewall Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test.
NC-83430 RED RED causing massive network traffic after upgrading to SF 18.0 MR6 or SF 18.5 MR2.
NC-83392 CM (Join to Cloud) Backup isn't generated when the backup name contains [].
NC-83366 SDWAN Routing Unable to turn off captcha for VPN zone for route-based VPN with SD-WAN routing.
NC-83347 Email, FQDN Unable to add lx63.hoststar.hosting to email server under notification settings.
NC-83177 IPS Ruleset Management Unable to turn IPS switch on or off in 18.5 MR2.
NC-83065 IPsec Ping: sendto: operation not permitted when upgraded from 18.0 MR3 to later firmware on directly connected network.
NC-82566 Firewall Kernel crash after update to 18.5 MR2.
NC-82332 Firewall Kernel panic because kernel NULL pointer ip_route_me_harder wasn't handled.
NC-82215 Firewall Device freeze issue.
NC-81974 IPS-DAQ Snort soft lockup and device restart.
NC-81956 WebInSnort HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold.
NC-81768 Backup-Restore Couldn't restore backup because of duplicated key.
NC-81517 Firewall Policy test for firewall not showing correct results.
NC-81069 Email Import fails for the entity MtaBlockedSenders.
NC-80660 DHCP DHCP IP lease issue.
NC-79468 Authentication Outdated users shown in Live Users.
NC-79417 Web SSL/TLS rules can't be seen on the web admin console.
NC-78563 WAF WAF not redirecting page to proper domain when there are multiple domains listed in the WAF rule.
NC-74847 Web Snort crashing with a segfault due to a blank conf file.
NC-74228 Email Can't show quarantine due to \x1E? in the subject.
NC-73975 Firewall FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2.
NC-71761 Security Resolved multiple XSS vulnerabilities (CVE-2021-25267).
NC-71379 Email MTA doesn't provide the full certificate chain.
NC-69997 Email Notification test mail has wrong encoded subject when web admin console's language is set to Traditional Chinese or Simplified Chinese.
NC-66163 Email Report received with garbled characters.
NC-51929 DDNS DDNS doesn't apply to some generic top-level domains.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set Choose your product to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Information about 19.0.x is as follows:

  • The versions are available on all form factors.
  • The versions aren't FIPS-compliant.

Important changes to consider before you migrate to 19.0.x

Remote access SSL VPN IP lease range: After you upgrade from 18.5 and earlier to 19.0 and later versions, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.

Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.

Versions you can upgrade from

We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

See how to upgrade.

Firewalls on 19.0 MR1 build 350 can migrate to 19.0 MR1 build 365.

Upgrade to 19.0 (all form factors): MR3 Build 517, MR2 Build 472, MR1 Build 365, GA Build 317
Upgrade from:
19.0 MR2 Build 472
19.0 MR1 Build 350 and 365
19.0 GA
18.5 MR5
18.5 MR4
18.5 GA to MR3
18.0 MR3 and later
17.5 MR14 and later

You can downgrade only to compatible versions. You can't downgrade from 19.0 and later to 17.5 and earlier. However, you can roll back to any previous version.

Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.

Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to 19.0.x versions only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.0 doesn't support appliance certificates with this algorithm.)

Restoring backups

You can restore backups from any earlier version to 19.0 GA and later versions.

To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.

Supported platforms

Version 19.0

Sophos Firewall OS 19.0.x versions are available on all form factors as follows:

  • XGS Series firewalls
  • XG Series firewalls
  • SG Series firewalls
  • Virtual and software appliances
  • Cloud platforms

For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.

Minimum RAM

19.0.x versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:

  • XG 85, XG 85w, XG 105, and XG 105w
  • SG 105, SG 105w

Supported firmware versions

19.0.x versions support the following firmware versions:

  • Wi-Fi firmware 11.0.021 and earlier
  • RED firmware 3.0.009 and earlier
  • Sophos Connect 2.3 MR-1 and earlier

Support

You can find technical support for Sophos products in the following ways:

  • To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
  • Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
  • Visit Sophos Support.

Legal notices

Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Article information

Author: Terence Hammes MD
