Version 19.5 MR4 Build 718
Released on January 25, 2024
New features
This page describes the new features introduced. For details, see the Sophos Firewall help.
VPN enhancements
- Remote access SSL VPN: Sophos Firewall is now compatible with OpenVPN 3.0 clients. Users can download the compatible configuration file from the user portal.
- IPsec VPN: Phase-1 IKEv2 tunnels for IPsec VPN now support GCM and Suite B ciphers. Phase-2 IKEv2 tunnels already offered these ciphers, so the stronger encryption now applies to both phases.
ZTNA
- The ZTNA gateway in the firewall supports scaled deployments with up to 5000 concurrent connections. It now supports 2.5 times more connections than earlier.
Other enhancements
- Web: In the web proxy, we've refined the Pharming protection feature to address a potential weakness that arose when the destination IP address changed during proxy DNS resolution. With the updated behavior, the firewall re-evaluates the firewall policy using the IP address that Pharming protection resolved through DNS, rather than the address the client originally requested.
- Logging: You can customize the delimiter in syslog event messages, offering flexibility in managing log data.
- New SSD firmware: A firmware upgrade is available for specific SSD drives in some XGS Series appliance models. For more details, see KB-000045830.
- Reporting: The storage threshold for on-box reporting has been lowered from 90 to 80 percent to prevent the /var partition from filling up.
Version 19.5 MR3 Build 652
Released on August 02, 2023
New features
Important enhancements
- Fixed issues: This release resolves 65+ important performance, reliability, and stability issues, and provides security fixes.
- ZTNA Gateway: Sophos Firewall supports the upcoming release of Sophos ZTNA Gateway integration into the firewall. This greatly simplifies ZTNA deployment. ZTNA is an easy and secure way for remote workers to access systems or applications behind the firewall. With the integrated ZTNA gateway in Sophos Firewall, you don't need to deploy any additional applications on your network to support ZTNA secure access.
The new ZTNA gateway capability will be enabled for early access as part of Sophos ZTNA in Sophos Central in September 2023.
- New SSD firmware: Updated SSD firmware is available for select SSD models within the following 1U appliances: XGS 2100, 2300, 3100, 3300, and 4300.
The new firmware optimizes performance and reliability.
Other enhancements
- Akamai SIA integration: With the Akamai Secure Internet Access (SIA) integration you can on-ramp traffic from Sophos Firewall to Akamai SIA SSE (Security Service Edge) using redundant and resilient SD-WAN over route-based IPsec VPN tunnels. For configuration details, go to Connect Akamai SIA and Sophos Firewall.
- Cloudflare Magic WAN integration: You can on-ramp traffic from Sophos Firewall to Cloudflare Magic WAN using redundant and resilient SD-WAN over route-based IPsec VPN or GRE tunnels. For configuration details, go to Connect Cloudflare Magic WAN and Sophos Firewall.
Version 19.5 MR2 Build 624
Released on May 09, 2023
New features
Important security and hardening enhancements
The release implements two security enhancements that help harden your firewall and follow the industry best practices to protect your firewall from attacks.
These changes impact access to the web admin console and user portal from the WAN zone.
Web admin console access from specific WAN IP addresses:
- We strongly recommend turning off web admin console access from all WAN sources (the entire internet) to reduce the potential for a brute force or reconnaissance attack.
- For remote management of your firewalls, we recommend using Sophos Central. It's free for customers.
- If you must provide access to the web admin console from WAN, go to Administration > Device access, add a local service ACL exception rule, allowing specific IP addresses and networks.
- Web admin console will no longer be available from all WAN sources. So, you won't be able to select WAN under HTTPS on Administration > Device access.
Note: Existing deployments aren't impacted. If you've already turned on web admin console access from all WAN sources, the functionality continues to work after you upgrade to SFOS 19.5 MR2.
Unused WAN access to web admin console and user portal:
- Web admin console and user portal access from all WAN sources will be turned off if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments.
- Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.
This has been done to prevent instances where the access was turned on but remains unused, leaving the firewall potentially exposed on the internet to brute force and reconnaissance attacks.
Note: If you've already turned it on before migration and are actively using it, the functionality will continue to work.
For details, see Best practices for securing your firewall.
IPsec how-to article list accessible from web admin console
Routing and NAT configurations for IPsec: A how-to article list is directly linked from Site-to-site VPN > IPsec to help with IPsec configurations that require routing and NAT. The list includes articles that address use cases, such as system-generated DHCP relay and authentication traffic and traffic to a host through an existing IPsec tunnel.
Other enhancements
The version offers the following enhancements:
Dynamic routing: The firewall now supports up to 4000 multicast groups, providing additional scalability in dynamic routing deployments. This eliminates issues where dynamic routes were unable to join multicast groups.
SD-RED: A new banner on the Wireless pages highlights the approaching End-of-Life (EOL) date for legacy RED 15, 15w, and RED 50 devices. EOL is on August 31, 2023.
You must upgrade your RED devices to the latest models, which offer higher performance and improved connectivity.
Version 19.5 MR1 Build 278
Released on February 15, 2023
New features
New XGS 7500 and XGS 8500 hardware appliances
The new XGS 7500 and XGS 8500 2U models are engineered from the core to provide the performance needed to target larger enterprise and campus edge deployments.
- Up to 47% higher throughput for all key protection versus the next highest model.
- Industry-leading ROI per Protected Mbps versus comparable competitive models.
- Enterprise-Grade Acceleration with high-performance Xstream Flow Processors and CPUs to meet the needs of the most demanding networks.
- High performance and high capacity with dual redundant Non-Volatile Memory Express (NVMe) SSDs, and a significant RAM increase over our other 2U models.
- High speed built-in connectivity with two QSFP28 ports on each model supporting port speeds of up to 40 Gbps on XGS 7500 and 100 Gbps on XGS 8500.
- Up to 2x better power efficiency in combination with IPsec VPN than the industry average for comparable models.
More enhancements
The version offers the following enhancements:
- 5G support: Supports Sierra EM9191 5G module for XGS 116(w), 126(w), and 136(w). Enables 5G cellular connectivity using the 5G sub-6 GHz bands supporting peak download rate up to 4.5 Gbps.
- Xstream SD-WAN: Enhancements to SD-WAN route management. You can clone SD-WAN routes above or below the existing route, move a route to any position on the list, and create a route at the top or bottom of the list.
- Firmware upgrade: A warning message will appear, alerting you to the risk of a factory reset if you try to upgrade to a firmware version that isn't supported for migration.
- Backup management: The firmware version is included in the backup file's name to help you identify the version.
Version 19.5 GA Build 197
Released on November 17, 2022
New features
Xstream architecture
- SD-WAN:
  - SD-WAN load balancing to maximize bandwidth use across multiple links. You can select load balancing as the routing strategy in SD-WAN profiles. You can use round-robin and session persistence based on source and destination IP addresses and connection criteria with gateway weights and SLAs. This ensures routing of application traffic across multiple links, including MPLS, WAN, VPN, and RED. See the help for Load balancing using SD-WAN profiles.
  - Real-time monitoring and logging with enhanced gateway performance diagnostics for SD-WAN profiles. Shows link performance with total connections and data transfer count. You can also reset the counts for troubleshooting. See the help for SD-WAN performance diagnostics.
- IPsec VPN: Increased the maximum supported concurrent tunnels from 4,650 to 10,000. See the knowledge base article Supported VPN tunnels on SFOS 18.5, 19, and 19.5.
High availability
- Cluster and device identification:
  - Added customizable node names to easily identify HA devices. The name is shown in the browser tab, drop-down widget, CLI, and notifications, allowing you to always identify the device.
  - Enhanced HA status panel with information about node names, licensing source, initial primary, current role and status, and status change time for troubleshooting.
  - Ability to set the HA cluster ID.
  - Clarifies which device is the primary and which is the auxiliary, and their license requirements.
  - Persistent banner on the auxiliary device to easily identify the device.
  - HA widget moved to the admin drop-down on the upper-right, making it always available for quick access. Shows the node names, a quick view of the cluster health, and the important cluster information.
  - Node name, device role, and enhanced HA information on the CLI. Shows the device role in the hash prompt for easy troubleshooting.
- Redundant HA links:
  - Support for up to four interfaces for the dedicated HA link. You can configure the redundant links in QuickHA and interactive modes.
  - Automatically creates a LAG interface for multiple dedicated HA links selected in QuickHA mode.
  - Supports LAG and VLAN interfaces for the dedicated HA link.
  - Supports unbound interfaces as monitored ports if you've configured VLAN on them.
  - Clearer selection for the preferred primary device.
See the video for Sophos Firewall 19.5: High availability enhancements.
Dynamic routing
- OSPFv3: Supports OSPFv3 protocol, enabling dynamic routing for IPv6 traffic.
- Better routing decisions: OSPF and OSPFv3 use the configured interface speed, selecting higher-speed interfaces for routing.
- BGP: Automatic router ID selection for BGP allows dynamic updates to the router ID.
- Logs: Provides logs related to adjacency information for BGP, OSPF, and OSPFv3. See the help for BGP and OSPF commands.
- Other enhancements are as follows:
  - Integrated a new dynamic routing engine for stable and future-ready capability.
  - Fully interoperable with other vendors.
Static routes
Allows you to configure administrative distance and metric for IPv4 static routes. See the help for Static route enhancements.
Important changes in routing behavior
We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. Changes from the earlier behavior are as follows:
- BGP, OSPF, RIP configurations, by default, prevent network and route distribution to the peer if the interface link status is down. To change this default for only BGP, run the following command on the BGP CLI console: no bgp network import-check
- BGP configurations, by default, prevent network and route distribution to the peer if SFOS and BGP network have a non-matching subnet. To change the default, run the following command on the BGP CLI console: no bgp network import-check
- Zebra advanced shell CLI is NOT available due to the new dynamic routing engine. Static route configuration through the Zebra advanced shell CLI is NOT possible in v19.5 GA. You can add the same configuration on the SFOS web admin console on Routing > Static routes.
If you're upgrading or restoring the backup from an earlier version, the changes in behavior may bring network disruption. So, in some cases, the firewall won't allow you to upgrade to SFOS 19.5 GA. See the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.
PKI acceleration for inspected TLS flows
The DPI engine offloads PKI processing for X.509 certificate re-signing for inspected TLS flows to the crypto hardware on the Xstream Flow Processor. PKI offloading delivers higher overall performance with SSL/TLS decryption in the following XGS Series appliances:
- 1UL (4300, 4500)
- 2U (5500, 6500)
See the help for information on Architecture for offloading.
Quality of life enhancements
The version offers the following enhancements:
- Azure AD SSO: Supports Azure AD SSO configuration for signing in to the web admin console. See the video for Sophos Firewall 19.5: Azure AD SSO.
- Interfaces:
  - Interface speed: Detects the recommended link settings automatically. Supports advanced port configurations for high-speed interfaces, including FEC (Forward Error Correction) for the high-speed 40G interface on XGS 5500 and 6500 appliances.
  - Interface breakout: Supports the breakout of 40G interfaces into 2 or 4 x 10G interfaces through DAC or fiber breakout cables.
- RED unlock code: The RED provisioning server sends the unlock code to the email address specified on System services > RED when you add a RED device or delete it from the firewall. See the knowledge base article Pop-up message and email for the RED unlock code.
- Search: Search capability by name, type, and value for the default and custom objects for Hosts and services. See the video for Sophos Firewall 19.5: Search enhancements.
- Log storage: Enhanced .log file storage for better troubleshooting with configurable rotation count and archiving, along with timestamp and size changes, for single or multiple log files.
Other changes
The "Always cache Sophos endpoint updates" setting on Web > General settings > Web content caching has been removed from the SFOS 19.5 GA release. Enhancements to the security and integrity of Endpoint update delivery have made this feature ineffective.
Resolved issues
Version 19.5 MR4 Build 718
Issue ID | Component | Description |
---|---|---|
NC-122760 | AppFilter Policy | Unable to update or push app filter policy from Sophos Central. |
NC-119049 | Authentication | Access server crashes due to missing nsgencode multi-thread support. |
NC-120582 | Authentication | Update event log message for brute force functionality. |
NC-120875 | Authentication | AD group import stops responding when usernames have special characters. |
NC-121619 | Authentication | Administrators' access to the web admin console is blocked after two wrong attempts when MFA is turned on for them. |
NC-124603 | Authentication | Primary user group ID greater than 9999 causes captive portal to disconnect within five to ten seconds after sign-in. |
NC-119334 | Backup-Restore | Backup download button is unresponsive. |
NC-119857 | CM | Web admin console doesn't respond after going to the Sophos Central menu. |
NC-125076 | Dynamic Routing (BGP), Dynamic Routing (OSPF) | Zebra restarts continuously when a broadcast IP address is set as the gateway IP address. |
NC-116220 | | Awarrensmtp was in failed status, and inbound email wasn't delivered. No NDR was sent to senders on February 13, 2023. |
NC-117638 | | Emails are quarantined even when the sender's address is added to exceptions. |
NC-117881 | | Anti-spam service is unresponsive. |
NC-120967 | | Inbound and outbound emails are delayed after firmware upgrade to 19.5.2. |
NC-122260 | | Email transport through smarthost is rejected with the user's two email addresses in the `Return-Path:` and `From:` headers after clicking Release and report in Quarantine digest. |
NC-124102 | | Unable to turn off legacy TLS protocols. |
NC-124414 | | SPX password exposure in plain text (CVE-2023-5552). |
NC-124453 | | Not able to see, release, or delete emails from SMTP quarantine. |
NC-125369 | | Exim: libspf2 vulnerability (CVE-2023-42118). |
NC-120016 | Firewall | Local ACL doesn't work when the name has a backslash ( `\` ). |
NC-119831 | Firmware Management | Factory reset of the primary device during an upgrade from 19.5.1 to 19.5.2. |
NC-120434 | Firmware Management | Discrepancy in HA roles when auxiliary device is reset. |
NC-120730 | HA | HA failover resulted in missing configuration. |
NC-124105 | HA | Configuration changes in the firewall show the following error: "The Operation will take time to complete. The status can be viewed from the 'Log viewer' page". |
NC-108238 | Import-Export Framework | Unable to export user configuration. |
NC-119395 | Interface Management | Discrepancy between upper and lower case in MAC address filtering. |
NC-119561 | IPS-DAQ | Inject buffer leak causes traffic outage. |
NC-124957 | IPS-DAQ | FIN and RESET packets leave WAN interface with LAN IP address information. |
NC-119321 | IPS-DAQ-NSE | Slow download speed with SSL/TLS inspection enabled even if TLS isn't being decrypted in the presence of large initial rxwin. |
NC-116002 | IPsec and SDWAN Routing | Branch office users unable to receive emails, receive emails later, or IPsec traffic slows. |
NC-121370 | IPsec | Memory usage increased after upgrade to SFOS 19.5.1 Build 278. |
NC-123233 | IPsec | IPsec SA establishment interrupted sporadically. |
NC-122131 | IPS Engine | IPS signature didn't block the detected SID. |
NC-115455 | IPS Policy | IPS policies aren't working as expected. |
NC-125251 | IPS Ruleset Management | Firewall rules using IPS count issue with read-only administrator profile. |
NC-116448 | L2TP | A checkbox isn't visible on the top line of L2TP members. |
NC-122180 | Licensing | Unable to access web admin console due to license sync issue. |
NC-117777 | Logging Framework | Network traffic report calculation shows different values at different times. |
NC-122033 | Logging Framework | WAN interface graph shows incorrect values for historical data when collected five minutes before or after the hour limit. |
NC-123602 | Logging Framework | /conf partition gradually rises. |
NC-123771 | Logging Framework (Central Reporting) | Central Report hub isn't showing the past 24-hour statistics from the firewall as SFOS is sending reports to Sophos Central at a very low rate. |
NC-122699 | nSXLd | Adding a trailing period at the end of the domain bypassed web policies. |
NC-117753 | PPPoE | Internet through PPPoE isn't working after HA failover. |
NC-119722 | RED | RED data path traffic fails when client has multiple WAN links and picks the bad one for traffic. |
NC-122511 | RED | Vulnerability detected on Port 3400. |
NC-123969 | RED | Primary device automatically restarts and fails over to the auxiliary device. |
NC-125221 | RED | Failure to establish site-to-site tunnels when RED server enforces TLS 1.2. |
NC-124588 | SecurityHeartbeat | Certain heartbeat opcodes are always called with debug enabled even though CSC is not in debug mode in SFOS 20.0 EAP0. |
NC-118923 | SSLVPN | Login security block only applies to administrators and not users. |
NC-119051 | SSLVPN | Route quotas reached for SSL VPN server. |
NC-120190 | SSLVPN | Site-to-site SSL VPN connections fail due to the absence of serveruser.conf file. |
NC-123237 | SSLVPN | Grammar error on the web admin console for route-based VPN connection. |
NC-123723 | SSLVPN | XG 86w doesn't reconnect SSL VPN after a restart. |
NC-124647 | SSLVPN | Unable to connect SSL VPN since firmware upgraded to 19.5.3. |
NC-126833 | SSLVPN | Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up. |
NC-120986 | Static Routing | After HA is disabled, the previous auxiliary device faces firmware update failure due to Zebra backend CLI routes. |
NC-119425 | Synchronized App Control | Garner log filled with "usercache_output: cannot resolve appcatid 0". |
NC-123712 | UI Framework | Web admin console freezes and becomes inaccessible. |
NC-119192 | VFP-Firewall | Slow speed using VirtIO NICs. |
NC-124909 | VFP-Firewall | Device seems to have restarted automatically. |
NC-119052 | WAF | WAF protection policy display issue on the web admin console. |
NC-121432 | WAF | /tmp doesn't remove files and runs out of space, causing AV scan failure. |
NC-124519 | WAF | Form-based authentication doesn't work after upgrade from 19.5.2 to 19.5.3. |
NC-121415 | Web | avd stops responding after pattern update because one thread doesn't release (even after the NC-114930 fix). |
NC-124040 | Web | Unable to get proper "web activity category" report under "Blocked Web attempts". |
NC-116339 | Wireless | Hostapd service dead after adding wireless network in the access point group. |
NC-118913 | Wireless | AP firmware isn't automatically updated after an AP pattern update. |
NC-119289 | Wireless | Hotspot voucher shows SSID WLAN password even after removing the SSID encryption from existing wireless network settings. |
NC-119829 | WWAN | Verizon MiFi 4G USB modem (U620L) doesn't work after upgrade to 19.5.2. |
NC-115457 | XGS BSP | Fiber interfaces are taking more time for negotiation in XGS than XG Series firewalls. |
Version 19.5 MR3 Build 652
Issue ID | Component | Description |
---|---|---|
NC-120519 | CM | Disabling Central Management doesn't work per the firewall's API document. |
NC-120138 | | Excessively strict validation for email message ID. |
NC-119898 | IPsec | XFRM tunnel remains disabled when both site-to-site and route-based VPN are simultaneously up on the same local remote gateway pair. |
NC-119825 | Certificates | Unable to download Default certificate from Web > General settings. Signs out the administrator when they click the download button. |
NC-119560 | Authentication | Wizard 19.5 MR2 mandatory firmware update causes the initial setup to start repeatedly. |
NC-119525 | Hotspot | Valid until time on Hotspot sign-in shows time in UTC instead of Local system time. |
NC-119374 | WAF | Error 404 on Authentication page after upgrading the firmware from 19.5.1 to 19.5.2. |
NC-119198 | CM | Unable to change administrator user account's password from Sophos Central Firewall Management. |
NC-119183 | Authentication | Transaction failure in eDirectory authentication server. |
NC-119047 | IPsec | SSL/TLS inspection isn't working for VPN users. |
NC-118749 | CM | Specific API call doesn't seem to be working. |
NC-118671 | SSLVPN | Android/iOS users aren't able to import the SSL VPN .ovpn file. |
NC-118601 | UI Framework | The file ".eslintignore" is accessible from the UI. |
NC-118204 | Firewall, SDWAN Routing | Static multicast packet changes reply destination when SD-WAN route is applied. |
NC-117786 | Reporting | Security Audit Report score data differs between what is seen on the firewall versus what is received through email. |
NC-117680 | SecurityHeartbeat | IPSET hb_green entry removed without cause. |
NC-117675 | Gateway Management | DGD service stopped after power failure and didn't restart. |
NC-117314 | Core Utils | SWAP memory usage is full. |
NC-117243 | RED | Need to disable DHE cipher support for RED. |
NC-117063 | Firewall | Allowed child connection is logged as dropped. |
NC-116939 | Firewall | Pktcapd bpf filter causing auxiliary to restart. |
NC-116899 | | Attachment goes through, although it should be blocked based on extension/MIME type. |
NC-116890 | Firewall | NAT rule isn't getting marked after the firewall restarts. |
NC-116881 | Authentication | Uploading certificate file to the web admin console, when signed in through Azure AD SSO, results in sign-out. |
NC-116880 | Authentication | SSH keys disappear when administrator has two-factor authentication enabled and added after sign-in using an administrator other than the default admin. |
NC-116845 | | Occasional UT error in mailpoller. |
NC-116602 | Authentication | Log viewer doesn't show source IP address for SSL VPN users with authentication failure. |
NC-116531 | SecurityHeartbeat | Can't access resources for some time when heartbeat is configured. |
NC-116527 | Firewall | Entities.xml shows additional firewall rule that isn't visible on the web admin console. |
NC-116314 | Interface Management | Unable to delete or make changes to bridge interface. |
NC-116312 | CM | Garner thread stuck in Central Management plugin. |
NC-115982 | CM | Alert in Sophos Central: "Firewall has not checked in with Sophos Central for the past 5 minutes". |
NC-115360 | nSXLd | Policy deleted from Sophos Central continues to appear in the firewall. |
NC-114950 | Authentication | Unable to view usage with username "do'reilly" and web admin console stops responding. |
NC-114930 | Web | AVD stops responding after pattern update because one thread doesn't release. |
NC-114872 | IPS-DAQ | Certificate-based authentication failing to server with small RX win. |
NC-114652 | Logging Framework (Central Reporting) | After 7200 files, sending files to Sophos Central stops with an error. |
NC-114292 | Static Routing | Static routes stopped working after upgrading to 19.5 GA due to Netlink error. |
NC-113458 | | MIME type recognition issues when Zero-day protection is turned on. |
NC-113038 | | Mail communication stopped working after upgrading to 19.5 GA. |
NC-113034 | Hardware | Lost device access to XGS appliances and logs aren't available. |
NC-112136 | Firewall | RED connection interruption when firewall acceleration is turned on in XG 310. |
NC-111476 | FQDN | Subdomain learning isn't working when non-SFOS DNS server is set for the client. |
NC-111441 | SSLVPN | Remote access SSL VPN isn't working after upgrading to 19.0 MR1. |
NC-111110 | SDWAN Routing | Import-export doesn't reflect changes in SD-WAN profiles. |
NC-110927 | Authentication | Missing MFA enable-disable event logs. |
NC-109626 | HA | Standalone HA device restarts. Too many open files. |
NC-109625 | | Inbound emails from specific domains are quarantined because of DKIM verification failure. |
NC-109623 | Dynamic Routing (BGP) | BGP - FRR doesn't advertise the configured networks if they aren't available in the routing table. |
NC-109201 | Firewall | Device goes into failsafe mode after firmware upgrade to 19.0.1. Unable to apply firewall framework. |
NC-108562 | Core Utils | Public key authentication for administrator can't be managed through Sophos Central. |
NC-108450 | | Inbound emails with attachments aren't delivered because of malware scan failure. |
NC-108378 | Clientless Access | Clientless access doesn't work if the name contains an umlaut character. |
NC-108003 | NFP-Firewall | Memory utilization increases until the firewall stops responding. |
NC-107975 | Logging Framework | Logging stopped on the device with the error database disk image is malformed. |
NC-107708 | Firewall | Firewall restarts automatically. RIP: 0010:muser_match+0x747 |
NC-107481 | Authentication | Log viewer doesn't show source IP address for authenticated SSL VPN users. |
NC-107329 | IPS-DAQ | Snort shows high CPU usage. Low bandwidth experienced. |
NC-107325 | VFP-Firewall | Firewall becomes inaccessible. |
NC-107178 | SecurityHeartbeat | Clarification required for license enforcement message in 19.0 MR1 and later. |
NC-107042 | IPsec | IPsec VPN path MTU-related connection issues with IPsec acceleration. |
NC-106738 | Hotspot | Sort functionality doesn't work properly in the user portal for hotspot vouchers. |
NC-102256 | Clientless Access | Clientless VPN bookmark for RDP stops intermittently. Signs out the user. |
NC-101163 | Wireless | After an update, separate zone SSID "ageing_time" parameter is reset to 0. |
NC-94533 | Certificates | Attribute challenge password prevents issuing a certificate with No-IP. |
NC-85114 | Firmware Management | "kworker" process taking high CPU continuously on XG 450. |
Version 19.5 MR2 Build 624
Issue ID | Component | Description |
---|---|---|
NC-115369 | Dynamic Routing (OSPF) | OSPF repeatedly flaps when running a continuous scan with ICMP echo in 19.5. |
NC-115199 | Web | Couldn't turn on OTP for the administrator's account. |
NC-115019 | IPS-DAQ-NSE | Primary device in HA becomes unresponsive. |
NC-114627 | Clientless Access | Unable to connect to RDP over Clientless access SSL VPN when username includes a space. |
NC-114586 | WAF | Unable to restore backup taken from Sophos Central. |
NC-114411 | IPS Engine | IPS policy behavior issue when configured through Sophos Central management. |
NC-114163 | SSLVPN | Connections from LAN to static SSL VPN IP address are routed through WAN on the XGS device. |
NC-114104 | AppFilter Policy | Application filter policy set to block all applications doesn't set the risk level when configured through Sophos Central management. |
NC-114092 | Wireless | Wireless APX stopped working with no traffic for Wi-Fi Clients after 19.5 GA upgrade. |
NC-114075 | SDWAN Routing | Connectivity issue when using IPsec route-based VPN with SD-WAN routes and profiles. |
NC-114057 | Authentication | Match known users option in firewall rule drops traffic because user identity isn't being marked. |
NC-113902 | WAF | WAF isn't working after upgrading to 19.5 GA. |
NC-113866 | Static Routing | 19.0 and 18.5 migration to 19.5 GA and MR1 blocked when routes are configured from the web admin console using PPPoE interface. |
NC-113547 | | Invalid IP address causes an error for notification emails. |
NC-113532 | Authentication | Unable to remove authorizers from data anonymization setting. |
NC-113102 | DHCP | Unable to add static MAC address to a specific DHCP pool. |
NC-113005 | RED | RED tunnels restarted due to a SIGPIPE issue. |
NC-113004 | Logging Framework | Garner crashed at init_cache_tree during sync cache. |
NC-112722 | SDWAN Routing | Garner failure logs for usercache output. |
NC-112621 | RED | Unable to edit some RED interfaces. |
NC-112528 | VFP-Firewall | Unable to upgrade HA pair to 19.5 GA. |
NC-112492 | Dynamic Routing (PIM) | PIMD service shows DEAD status. |
NC-112363 | IPsec | GUI inaccessible over IPsec RBVPN with traffic selectors in use. |
NC-112117 | RED | Editing the details of a RED in XG Firewall caused the firewall to become unresponsive. |
NC-112065 | SSLVPN | When Azure AD is selected as the authentication method, Services page becomes unresponsive. |
NC-112058 | RED | Some reports aren't loading for RED tunnel on XG Firewall. |
NC-111151 | Clientless Access | Clientless VPN bookmark for RDP becomes intermittently unresponsive. |
NC-110897 | | Getting error logs when Antivirus mode is set to Sophos in WAF protection policy. |
NC-110678 | Logging Framework | Live logs not appearing in log viewer. |
NC-109689 | FQDN | Adding a new FQDN host object to the firewall causes the resolver to restart or become unresponsive and causes DNS resolution to fail during the time. |
NC-109627 | Wireless | AP and APX devices go offline. |
NC-107504 | Logging Framework | Unable to update the pattern file at AirGap sites. |
NC-107388 | DDNS | DDNS logs appear every 5 minutes. |
NC-106284 | UI Framework | Couldn't see the settings under Administration > Device access with read-only profile sign-in. |
NC-103578 | Web | Web policy set to Warn with filetype policy and default action set to Block results in page block. |
NC-102265 | VFP-Firewall | Kernel crash (_test_firewall+0x171). CPU is unresponsive. |
NC-101846 | Firewall | Connections fail due to high number of sockets in FIN_WAIT status. |
NC-100702 | UI Framework | Package.json URL works on the SSL VPN portal. |
NC-95429 | WWAN | Sierra Wireless MC7430 Qualcomm® Snapdragon™ X7 LTE-A doesn't connect. |
Version 19.5 MR1 Build 278
Issue ID | Component | Description |
---|---|---|
NC-112906 | Dynamic Routing (OSPF) | OSPF doesn't redistribute the remote side network of L2TP tunnel. |
NC-112211 | SSLVPN | /conf/certificate/openvpn directory is missing. |
NC-112128 | | Release link settings can't be saved in Quarantine digest. |
NC-111790 | DHCP | Unable to configure or edit interfaces. |
NC-111476 | FQDN | Subdomain learning isn't working if a DNS server other than SFOS is set for the client. |
NC-111441 | SSLVPN | Remote access SSL VPN isn't working after upgrading to 19.0 MR1. |
NC-111423 | FQDN | FQDNs resolving with low TTL (2-5 seconds) are creating issues with wildcard FQDN host. |
NC-111110 | SDWAN Routing | Import-export doesn't reflect changes in SD-WAN profiles. |
NC-111023 | | Legacy email mode is crashing frequently. |
NC-110927 | Authentication | MFA enable and disable event logs are missing. |
NC-110203 | Dynamic Routing (OSPF) | 19.5 OSPF link detection behavior change from Quagga to FRR. |
NC-109626 | HA | Standalone device rebooted (msync). Log shows "Too many open files". |
NC-109623 | Dynamic Routing (BGP) | FRR doesn't advertise the configured networks if they aren't available in the RIB. |
NC-109562 | WAF | Unable to update the WAF protection policy after selecting it for WAF rule. |
NC-109245 | WAF | Can't skip CRS rules in application attacks group with exceptions. |
NC-109201 | Firewall | Device goes into Failsafe mode after upgrading firmware to 19.0.1. Unable to apply Firewall Framework. |
NC-108562 | Core Utils | Public key authentication for admin can't be managed through Sophos Central. |
NC-108536 | Firewall | Firewall rules stopped working after backup-restore due to failure in XML API while creating firewall rule. |
NC-108378 | Clientless Access | Clientless access doesn't work if the name contains an umlaut character. |
NC-108318 | | Unable to click a few settings under Email > General settings after firmware update to version 19. |
NC-108237 | | Spam emails are allowed with the error "spam scanning failed". |
NC-108003 | NFP-Firewall | Memory utilization increases until the firewall stops responding. |
NC-107975 | Logging Framework | Logging stopped on device with the error database disk image is malformed. |
NC-107708 | Firewall | Firewall restarts automatically. |
NC-107481 | Authentication | Logviewer isn't showing source IP address for authenticated SSL VPN users. |
NC-107325 | VFP-Firewall | Firewall becomes inaccessible. |
NC-107283 | | Awarrensmtp service isn't responding. |
NC-107042 | IPsec | IPsec VPN path MTU-related connection issues with IPsec acceleration. |
NC-106783 | | Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain. |
NC-106738 | Hotspot | Sort functionality doesn't work properly in the user portal for hotspot vouchers. |
NC-101163 | Wireless | After an update, separate zone SSID's aging_time parameter is reset to 0. |
NC-100418 | nSXLd | Internet down with the error nSXLd: Connection time-out while connecting to SXL server. |
NC-95603 | | Legacy email mode stops responding every two minutes. |
NC-94533 | Certificates | Attribute challenge password prevents issuing a certificate with No-IP. |
NC-85114 | Firmware Management | "kworker" process is taking high CPU continuously on XG 450. |
Version 19.5 GA Build 197
Issue ID | Component | Description |
---|---|---|
NC-106424 | API Framework, UI Framework | A code injection vulnerability allowing remote code execution was discovered in the user portal and web admin console. We released the hotfixes for this issue. See Resolved RCE in Sophos Firewall (CVE-2022-3236). |
NC-101326 | SSL VPN | OS command injection through SSL VPN configuration upload (CVE-2022-3226). |
NC-108213 | UI Framework | Post-auth code injection (CVE-2022-3696). |
NC-99962 | Wireless | Adjacent code injection in Wi-Fi controller (CVE-2022-3713). |
NC-93847 | Authentication | Stored XSS in import group wizard (CVE-2022-3709). |
NC-94664 | Hotspot | Post-auth read-only SQLi in user portal (CVE-2022-3711). |
NC-102257 | Firewall | Post-auth read-only SQLi through API controller (CVE-2022-3710). |
NC-89091 | API Framework | Resolved multiple post-auth SQLi vulnerabilities in the web admin console (CVE-2022-1807). |
NC-97743 | AppFilter Policy | Unable to export application filter policy. |
NC-74235 | AppFilter Policy | DOM-based XSS in AppFilterPolicyDetailEdit.js. |
NC-107176 | Authentication | Web admin console SSO prevents language choice. |
NC-79468 | Authentication | Outdated users not removed from the live user list. |
NC-84910 | Authentication | STAS authentication stops working after the appliance restarts, and doesn't recover until the access server is restarted, when AD is reached through a static route. |
NC-84924 | Authentication | Memory utilization increases to 90 percent and above in XGS 3100 due to the appcached service. |
NC-85151 | Authentication | When the firewall is moved to a group on Sophos Central, it's added to the group but changes to "Error needs attention". |
NC-85961 | Authentication | Guest user is created on secondary appliance but not on primary appliance sometimes. |
NC-90151 | Authentication | Unable to authenticate with PUSH with Azure MFA. |
NC-101852 | Authentication | Unable to add users with the same email address (Azure AD). |
NC-102771 | Authentication, XFOS Migration | Users unable to authenticate through CAA. |
NC-102979 | Backup-Restore | Unable to restore backup from XG 310 to XG 230. |
NC-85547 | Captive Portal | Sign-in message and sign-out option not appearing with custom captive portal. |
NC-95926 | CDB-CFR, Reporting | Unable to generate reports. |
NC-101703 | CDB-CFR, CM | Unable to open the firewall's web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall from Sophos Central. |
NC-80305 | Certificates | CA upload opcode is called even though the .pfx file doesn't contain a CA. |
NC-103406 | Certificates | Migration from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365 fails. |
NC-81219 | CM | Expected downtime for a firewall upgrade with HA on Sophos Central. |
NC-81430 | CM, UI Framework | User portal host injection reported. |
NC-89079 | CM | fwcm-eventd agent isn't listening to the IP address up event for SD-WAN connection group. |
NC-83405 | Core Utils | Inconsistency with Security Audit Reports (SAR). |
NC-84231 | Core Utils | Receiving a duplicate copy of the same executive schedule reports. |
NC-98712 | Core Utils | Ten-second factory reset doesn't work on XGS Series appliances (containment fix for a production issue). |
NC-89218 | Core Utils | Resolved post-auth shell injection in web admin console through OpenSSL (CVE-2022-1292). |
NC-82972 | CSC | HA appliance stops responding. |
NC-101021 | Date/Time Zone | Time zone change allowed in Sophos Central on HA appliances. |
NC-80660 | DHCP | DHCP IP lease issue. |
NC-92745 | DNS | kdump: stack guard page was hit, and appliance restarts repeatedly. |
NC-101271 | Dynamic Routing (BGP) | BGP networks on the web admin console show ASCII characters instead of expected networks for config-type Cisco. |
NC-106811 | | Unable to start anti-spam service. |
NC-74248 | | Stored potential XSS in MailScanRuleManage.js. |
NC-83419 | | Inbound emails aren't delivered when SMTP scanning is turned on in the firewall rule. |
NC-85346 | | Smarthost authentication didn't work due to a password decryption failure. |
NC-87240 | | Avira engine error with axpx files. |
NC-90702 | | SASI detection problems when too many hits are returned. |
NC-92840 | | RCA for email not received with the error "smtp_check_forward_reply: response arrived without any command". |
NC-93380 | | Anti-spam not working after upgrade to SFOS 18.5.3. |
NC-94362 | | SPX stops working after an unspecified period. |
NC-95543 | | Mail logs page stuck in loading status. |
NC-98296 | | Attachments getting corrupted while using SPX. |
NC-98300 | | High CPU utilization due to Exim. |
NC-99421 | | Email loop with AV scan failure. |
NC-101300 | | Unable to send emails after upgrading to 18.5.4 due to malware scan failure. |
NC-73975 | Firewall | FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2). |
NC-77804 | Firewall | netlink: 153776 bytes leftover after parsing attributes in the following process: ipsetelite. |
NC-81939 | Firewall | Not reflecting daylight savings time correctly. |
NC-82215 | Firewall | Device freeze issue (0010:queued_spin_lock_slowpath+0x14b/0x170). |
NC-82332 | Firewall | Kernel panic. Unable to handle kernel NULL pointer "ip_route_me_harder". |
NC-82566 | Firewall | Kernel crash after update to 18.5 MR2. RIP:0010:_raw_read_lock_bh+0x14/0x30. |
NC-83470 | Firewall, VFP-Firewall | Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG 750 during Connection rate test. |
NC-83734 | Firewall | Inbound emails dropped at times with SMTP scanning turned on in HA load balancing. |
NC-86093 | Firewall | Duplicate firewall rule group. |
NC-89076 | Firewall, VFP-Firewall | Unable to access `www.radix.ad.jp` on the environment tagged VLAN with DPI configured. |
NC-89162 | Firewall | Appliance restarts automatically. 0010:queued_spin_lock_slowpath+0x148/0x170. |
NC-90024 | Firewall | Backup restore and migration fails when multiple local ACL rules are configured. |
NC-91295 | Firewall | Zones tab showing blank after deleting zone created on second page. |
NC-95861 | Firewall | Country blocking through firewall rule isn't working. |
NC-97883 | Firewall | Unable to upgrade firmware or restore backup from 17.5.15 to 19.0 GA. Duplicate key value violates unique constraint "tblfirewallrule_unique_name". |
NC-98089 | Firewall | Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA. |
NC-100084 | Firewall | DNAT issue when multiple hosts are added. |
NC-102308 | Firewall | Disabled load balancing NAT rules still sending out alerts for the rules. |
NC-102436 | Firewall | Appliance access was lost, and local ACL rules stopped working after restoring backup. |
NC-102614 | Firewall | Traffic not working with FastPath for bridge with logical members after migrating to 19.0 GA. Traffic shouldn't get offloaded. |
NC-86819 | Firmware Management, Licensing | AWS instance stuck when starting it. |
NC-88207 | Firmware Management | Firmware update fails when space is used in file name. |
NC-94291 | Firmware Management | Small var partition created for VM image using aux disk. |
NC-100716 | FQDN | ipset sporadically not created for wildcard FQDN host. |
NC-100250 | Gateway Management | RCA: Unable to change DGD settings for a specific WAN port. |
NC-82225 | HA | Unable to establish HA correctly on fiber ports. |
NC-92282 | HA | System services page doesn't load. |
NC-95351 | HA | HA failover isn't working due to automatic restart of the auxiliary device. |
NC-100623 | Hotspot | Hotspot voucher creation fails. |
NC-99801 | Interface Management | Unable to delete a LAG interface. |
NC-101046 | IPS-DAQ | Website doesn't work due to OCSP must-staple in Firefox browser. |
NC-86451 | IPS-DAQ-NSE | Unable to access web server through XG Firewall with SSL/TLS inspection error "Dropped due to TLS internal error". |
NC-92131 | IPS-DAQ-NSE | Unable to upload a large file with SSL/TLS inspection turned on in do-not-decrypt mode. |
NC-106834 | IPS-DAQ-NSE | Connection untrusted when browsing some sites. |
NC-100699 | IPsec | SMB file transfer stops and doesn't recover with IPsec acceleration and policy-based VPN. |
NC-106608 | IPsec | Duplicate SAs created. |
NC-79128 | IPsec | Memory usage increased to 90 percent over 20-25 days. |
NC-81207 | IPsec | Web admin console shows error when updating any VPN tunnel configuration. |
NC-81944 | IPsec | WWAN doesn't connect after random disconnect event if xfrm interface is created on WWAN. |
NC-83065 | IPsec | System generated traffic getting impacted when route precedence is set to VPN and remote subnet to Any. |
NC-83445 | IPsec | Constant IPsec VPN flapping. Pushed through Central SD-WAN Orchestration. |
NC-84750 | IPsec | Auxiliary device sporadically receives IPsec packets. |
NC-85383 | IPsec | Unable to connect IPsec remote access due to invalid .scx file. |
NC-88404 | IPsec | IPsec tunnel didn't come up automatically after the restart of a HA appliance. |
NC-90247 | IPsec | IPsec VPN failback isn't working. |
NC-94734 | IPsec | PPPoE isn't connecting after random disconnect event if xfrm interface is created on PPPoE. |
NC-95239 | IPsec | Different gateway entry in IPsec configurations when using DDNS. |
NC-95633 | IPsec | Unable to connect IPsec remote access due to invalid .scx file. |
NC-100707 | IPsec | Wrong source IP address in IPsec routes. |
NC-101355 | IPsec | Migration from 19.0 GA to 19.0 MR1 fails. |
NC-103733 | IPsec | Amazon VPC connection issue since BGP service keeps restarting. |
NC-97753 | IPS Engine, IPS Policy | Unable to upgrade to 19.0 GA from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table. |
NC-100681 | IPS Engine | Increase in snort memory usage with ATP pattern updates. |
NC-107999 | IPS Ruleset Management | HA cluster configuration fails when there's no Network Protection license. |
NC-83177 | IPS Ruleset Management | Unable to toggle IPS switch in 18.5 MR2. |
NC-98576 | IPS Ruleset Management | IPS pattern not updating. |
NC-99152 | Logging Framework | Central reporting: Couldn't initiate the mmap case when queue limit reached with no central connectivity. |
NC-101713 | Logging Framework | PG trigger entry not present for sign-in events if on-appliance reporting is turned off. |
NC-94418 | Logging Framework (Central Reporting) | Central reporting feature is stuck at write_data2_file. |
NC-101716 | NFP-Firewall | Packet drop and slow file transfer with IPsec (IPsec acceleration) and NAT-T. |
NC-97058 | NFP-Firewall | VPN traffic for specific tunnel periodically stops when IPsec acceleration is enabled. |
NC-94128 | NFP-Firewall | Firewall stopped responding on specific port. |
NC-90566 | NFP-Firewall | Traffic not traversing XGS Firewall for a specific configuration. |
NC-98094 | nSXLd | Unable to categorize URLs and IP addresses using external URL database. |
NC-85412 | PPPoE | PPPoE password issue. |
NC-95197 | RED | Appliance auto-restarts frequently in a day or two. |
NC-90839 | RED | Red interface disappears when changing the DHCP server configuration. |
NC-88628 | RED | RED UDP packets are forwarded to the auxiliary device after HA switchover. |
NC-76071 | RED | XGS-2100 - Interface doesn't have any IP address when same firmware is restored on the same hardware. |
NC-94337 | Reporting | Migration failure to 19.0 GA - MaxNoTables24hr_tls exists. |
NC-81131 | Reporting | Last access time isn't generated when there are users with username having XSS payload. |
NC-86690 | SDWAN Routing | SD-WAN FTP proxy traffic not working with transparent proxy. |
NC-86652 | SDWAN Routing | TFTP traffic doesn't follow SD-WAN routing. |
NC-83366 | SDWAN Routing | Turning off captcha on VPN zone isn't working for route-based VPN with SD-WAN routing. |
NC-93720 | SecurityHeartbeat | delay-missing-heartbeat-detection not synchronized on the auxiliary device. |
NC-85423 | SNMP | Kernel fails on XG 125 with SNMP high memory consumption. |
NC-74120 | Spoofing | Traffic through a bridge is blocked as IP_Spoof if spoof protection is turned on for the involved zone. |
NC-102737 | SSLVPN | SSL VPN service stuck in busy status. Site-to-site and remote access SSL VPN affected. |
NC-99247 | SSLVPN | Unable to download SSL VPN site-to-site server configuration. |
NC-98574 | SSLVPN | Traffic isn't passing through site-to-site SSL VPN tunnel though tunnel is up. |
NC-94661 | SSLVPN | Android and iOS users aren't able to import SSL VPN ovpn file. |
NC-93919 | SSLVPN | SecurityHeartbeat_over_VPN object removed from SSL VPN policy after an SSL VPN global configuration change. |
NC-88483 | SSLVPN | OpenVPN deferred authentication vulnerability (CVE-2022-0547). |
NC-87596 | SSLVPN | Site-to-site and remote access SSL VPN not working. |
NC-83469 | SSLVPN | Dashboard doesn't reflect the remote user's details. |
NC-101075 | Static routing | Static route to RED disappears when XGS in HA 19.5 is restarted. |
NC-93689 | Up2Date Client | Cosmetic issue with SASI pattern after firmware downgrade. |
NC-100334 | WAF | Virtual host not removed if firewall rule is turned off. |
NC-84146 | WAF | Warning about subject alternate not being part of domain. |
NC-102093 | Web | Upgrading from 19.0 GA to 19.5 EAP0 can leave nasm directory in a bad status. |
NC-100265 | Web | Expired certificates in certcache are being used rather than generating new ones. |
NC-83584 | WebInSnort | IPS segfault in libnsg_tcphold_preproc. |
NC-81956 | WebInSnort | HTTPS traffic to internal server on 8080 is dropped by ips tcphold. |
NC-94019 | Wireless | Wrong Mac-aging time for bridge interface Guest AP. |
NC-90684 | Wireless | Multiple APX 320s not registering with XG Firewall. Not showing up in pending list. |
NC-87659 | Wireless | Legacy AP roaming key decryption is failing when fast transition is turned on. |
NC-85549 | Wireless | SFOS goes in bad status after a restart if time-based SSID is configured. |
NC-84604 | Wireless | Unable to restore backup from SG 230 to XGS 2300 due to access point database issue. |
NC-107453 | WAF | WAF rules not working on auxiliary appliance. |
Known issues
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
Upgrading firmware and restoring backups
Upgrading firmware
Information about 19.5.x is as follows:
- The version is available on all form factors.
- The version isn't FIPS-compliant. See Firmware upgrades from FIPS-compliant versions.
Important change to consider if you're migrating from 18.5 to 19.5.x
Remote access SSL VPN IP lease range: After you upgrade from 18.5 versions to 19.5.x, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.5.x.
Note: The above requirement does not apply if you're migrating from 19.0 or later firmware to 19.5.x.
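The following is an added example, not Sophos code or an official tool, of how to pre-screen an exported firewall configuration for rules affected by this lease-range change. The XML layout it parses (FirewallRule with Name, NetworkPolicy, SourceZones/Zone and SourceNetworks/Network) is an assumption about the export format, so adjust the element paths to match your own export; the sample document is constructed, not a real export.

```python
"""Added example: flag VPN-sourced firewall rules whose source networks are custom hosts rather
than the system hosts ##ALL_SSLVPN_RW / ##ALL_SSLVPN_RW6, the condition the 18.5 -> 19.5.x
migration note warns about. The element paths are an ASSUMPTION about the Sophos XML export."""
import xml.etree.ElementTree as ET

# System hosts the release notes tell you to select for the remote access SSL VPN lease range.
SYSTEM_SSLVPN_HOSTS = {"##ALL_SSLVPN_RW", "##ALL_SSLVPN_RW6"}

# Constructed sample export (not real firewall output). Rule 1 uses a custom lease-range
# object, rule 2 already uses the system hosts, rule 3 isn't sourced from the VPN zone.
SAMPLE_EXPORT = """<Configuration>
  <FirewallRule>
    <Name>SSLVPN users to LAN</Name>
    <NetworkPolicy>
      <SourceZones><Zone>VPN</Zone></SourceZones>
      <SourceNetworks><Network>SSLVPN_Lease_Range</Network></SourceNetworks>
      <DestinationZones><Zone>LAN</Zone></DestinationZones>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule>
    <Name>SSLVPN users to DMZ</Name>
    <NetworkPolicy>
      <SourceZones><Zone>VPN</Zone></SourceZones>
      <SourceNetworks>
        <Network>##ALL_SSLVPN_RW</Network>
        <Network>##ALL_SSLVPN_RW6</Network>
      </SourceNetworks>
      <DestinationZones><Zone>DMZ</Zone></DestinationZones>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule>
    <Name>LAN to WAN</Name>
    <NetworkPolicy>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <SourceNetworks><Network>LAN_Clients</Network></SourceNetworks>
      <DestinationZones><Zone>WAN</Zone></DestinationZones>
    </NetworkPolicy>
  </FirewallRule>
</Configuration>
"""


def rules_needing_update(xml_text):
    """Return [(rule name, [source hosts])] for rules sourced from the VPN zone that restrict
    the source to named hosts and include neither system SSL VPN host. Rules with no source
    network (Any) pass. Rules for other VPN types in the VPN zone are flagged too, so treat the
    result as a review list rather than something to change blindly."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("FirewallRule"):
        name = rule.findtext("Name", default="<unnamed>")
        zones = {z.text.strip() for z in rule.findall("NetworkPolicy/SourceZones/Zone") if z.text}
        if "VPN" not in zones:
            continue
        nets = [n.text.strip() for n in rule.findall("NetworkPolicy/SourceNetworks/Network") if n.text]
        if not nets or SYSTEM_SSLVPN_HOSTS & set(nets):
            continue
        findings.append((name, nets))
    return findings


if __name__ == "__main__":
    for name, hosts in rules_needing_update(SAMPLE_EXPORT):
        print(f"Rule {name!r}: replace {hosts} with ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required)")
```

Run it against a real export before the upgrade and fix each flagged rule in the web admin console as described above; the script only reports, it never modifies the configuration.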
Versions you can upgrade from
We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
See how to upgrade.
Upgrade to 19.5 (all form factors):

Upgrade from | MR4 Build 718 | MR3 Build 652 | MR2 Build 624 | MR1 Build 278 | GA Build 197 |
---|---|---|---|---|---|
19.5 MR3 Build 652 | | | | | |
19.5 MR2 Build 624 | | | | | |
19.5 MR1 Build 278 | | | | | |
19.5 GA Build 197 | | | | | |
19.0 MR3 | | | | | |
19.0 MR2 | | | | | |
Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.
Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 19.5.x only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.5.x doesn't support appliance certificates with this algorithm.)
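The following is an added example, not Sophos code, of how to check an appliance certificate's signature algorithm before attempting the upgrade. It assumes you have downloaded the appliance certificate as a PEM or DER file; it walks the DER structure with the standard library only, so it needs no third-party module. The OID table is a small set of common algorithms chosen for this illustration, and the sample certificate it builds is a constructed, certificate-shaped blob (not a real signed certificate) so the block runs offline.

```python
"""Added example: report the signature algorithm of an X.509 certificate (PEM or DER) and flag
MD5 or SHA-1, so an appliance certificate inherited from a Cyberoam backup can be checked
before upgrading to 19.5.x. Standard library only; hand-rolled DER walker."""
import base64
import re

# Common signature-algorithm OIDs (an assumed, illustrative subset).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}  # MD5 and SHA-1

def _read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value, position after the element)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _to_der(blob):
    """Accept PEM or DER bytes and return DER."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", blob))
    return blob

def signature_algorithm_oid(cert_bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the dotted OID from the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = _read_tlv(_to_der(cert_bytes), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)

def check_certificate(cert_bytes):
    """Return the OID, a readable name, and whether 19.5.x would reject it as weak."""
    oid = signature_algorithm_oid(cert_bytes)
    return {"oid": oid, "name": SIG_ALG_NAMES.get(oid, "unknown"), "weak": oid in WEAK_SIG_ALGS}

# --- constructed test input: a certificate-shaped DER blob, not a valid signed certificate ---
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def make_sample_cert(sig_oid):
    """Minimal Certificate SEQUENCE whose signatureAlgorithm uses sig_oid; the signatureValue
    is padded past 255 bytes so two-byte long-form lengths are exercised."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg_id)                        # serial + signature alg
    sig_value = _tlv(0x03, b"\x00" + b"\xAA" * 256)
    return _tlv(0x30, tbs + alg_id + sig_value)

def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(check_certificate(to_pem(make_sample_cert(oid))))
```

Feed `check_certificate()` the bytes of your downloaded appliance certificate; a result with `"weak": True` means the certificate must be regenerated on SFOS before the upgrade is attempted. The same check is useful for any other certificate the firewall presents, since MD5 and SHA-1 signatures are rejected by modern clients regardless of the firmware version.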
Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. This is a change from the earlier behavior. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x. So, in some cases, the firewall won't allow you to upgrade to SFOS 19.5.x. For details, see the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.
Restoring backups
You can restore backups from any supported earlier version to 19.5.x.
To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.
Supported platforms
Version 19.5
Sophos Firewall OS versions 19.5.x are available on all form factors as follows:
- XGS Series firewalls
- XG Series firewalls
- SG Series firewalls
- Virtual and software appliances
- Cloud platforms
For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.
Minimum RAM
19.5.x versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:
- XG 85, XG 85w, XG 105, and XG 105w
- SG 105, SG 105w
Supported firmware versions
19.5.x versions support the following firmware versions:
- Wi-Fi firmware 11.0.021 and earlier
- RED firmware 3.0.009 and earlier
- Sophos Connect 2.3 MR-1 and earlier
Support
You can find technical support for Sophos products in the following ways:
- To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
- Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
- Visit Sophos Support.
Legal notices
Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.