Sophos Firewall release notes (2024)

Version 19.5 MR4 Build 718

Released on January 25, 2024

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

VPN enhancements

  • Remote access SSL VPN: Sophos Firewall is now compatible with OpenVPN 3.0 clients. Users can download the compatible configuration file from the user portal.
  • IPsec VPN: Phase-1 IKEv2 tunnels for IPsec VPN support GCM and Suite-B ciphers. Phase-2 IKEv2 tunnels already offer these ciphers, so the stronger encryption is available in both phases.

ZTNA

  • The ZTNA gateway in the firewall supports scaled deployments with up to 5000 concurrent connections. It now supports 2.5 times more connections than earlier.

Other enhancements

  • Web: In the web proxy, we've refined the Pharming protection feature to address a potential vulnerability arising from modifications to the destination IP address during proxy DNS resolution. With the updated behavior, the firewall policy will now undergo re-evaluation using the DNS-resolved IP address from Pharming protection.
  • Logging: You can customize the delimiter in syslog event messages, offering flexibility in managing log data.
  • New SSD firmware: A firmware upgrade is available for specific SSD drives in some XGS Series appliance models. For more details, see KB-000045830.
  • Reporting: Storage threshold for on-box reporting has been lowered from 90 to 80 percent to prevent the /var partition from filling up.
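
A simplified model of the Pharming protection change listed under Web above, added here as an illustration and not Sophos code: the rule set, addresses, and function names are assumptions. It shows why a policy decision made on the client's original destination must be repeated once the proxy's own DNS lookup changes the destination.

```python
"""Model of firewall policy re-evaluation after proxy DNS resolution.

Constructed for illustration. Rule names, addresses and the decision flow
are assumptions, not Sophos Firewall internals.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    destination: str  # CIDR the rule applies to
    action: str       # "allow" or "drop"


# Constructed first-match rule set using documentation address ranges.
RULES = [
    Rule("block-restricted-net", "198.51.100.0/24", "drop"),
    Rule("allow-web", "0.0.0.0/0", "allow"),
]


def match_rule(dst_ip, rules=RULES):
    """Return the first rule whose destination network contains dst_ip."""
    addr = ip_address(dst_ip)
    for rule in rules:
        if addr in ip_network(rule.destination):
            return rule
    return Rule("default-drop", "0.0.0.0/0", "drop")


@dataclass(frozen=True)
class Decision:
    connect_to: str    # address the proxy will actually contact
    rule: str          # rule that produced the verdict
    action: str
    reevaluated: bool  # True when the verdict used the resolved address


def proxy_decision(packet_dst, resolved_dst, reevaluate=True):
    """Decide what happens to a proxied request.

    packet_dst   -- destination IP of the client's original connection
    resolved_dst -- IP the proxy obtained by resolving the requested host
    reevaluate   -- True models the updated behaviour, False the earlier one
    """
    rule = match_rule(packet_dst)
    changed = ip_address(packet_dst) != ip_address(resolved_dst)
    if changed and reevaluate:
        # The destination is no longer the one the first verdict covered,
        # so the policy lookup is repeated against the resolved address.
        rule = match_rule(resolved_dst)
        return Decision(resolved_dst, rule.name, rule.action, True)
    return Decision(resolved_dst, rule.name, rule.action, False)


def policy_gap(packet_dst, resolved_dst):
    """True when skipping re-evaluation would change the verdict."""
    old = proxy_decision(packet_dst, resolved_dst, reevaluate=False)
    new = proxy_decision(packet_dst, resolved_dst, reevaluate=True)
    return old.action != new.action


if __name__ == "__main__":
    # Constructed samples: (original destination, proxy-resolved destination)
    samples = [
        ("203.0.113.10", "203.0.113.10"),  # resolution agrees with the packet
        ("203.0.113.10", "198.51.100.7"),  # resolution lands in a dropped net
    ]
    for packet_dst, resolved_dst in samples:
        old = proxy_decision(packet_dst, resolved_dst, reevaluate=False)
        new = proxy_decision(packet_dst, resolved_dst, reevaluate=True)
        print(f"{packet_dst} -> {resolved_dst}: "
              f"without re-evaluation={old.action} ({old.rule}), "
              f"with re-evaluation={new.action} ({new.rule})")
```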

Version 19.5 MR3 Build 652

Released on August 02, 2023

New features

Important enhancements

  • Fixed issues: This release resolves 65+ important performance, reliability, and stability issues, and provides security fixes.
  • ZTNA Gateway: Sophos Firewall supports the upcoming release of Sophos ZTNA Gateway integration into the firewall. This greatly simplifies ZTNA deployment. ZTNA is an easy and secure way for remote workers to access systems or applications behind the firewall. With the integrated ZTNA gateway in Sophos Firewall, you don't need to deploy any additional applications on your network to support ZTNA secure access.

    The new ZTNA gateway capability will be enabled for early access as part of Sophos ZTNA in Sophos Central in September 2023.

  • New SSD firmware: Updated SSD firmware is available for select SSD models within the following 1U appliances: XGS 2100, 2300, 3100, 3300, and 4300.

    The new firmware optimizes performance and reliability.

Other enhancements

  • Akamai SIA integration: With the Akamai Secure Internet Access (SIA) integration you can on-ramp traffic from Sophos Firewall to Akamai SIA SSE (Security Service Edge) using redundant and resilient SD-WAN over route-based IPsec VPN tunnels. For configuration details, go to Connect Akamai SIA and Sophos Firewall.
  • Cloudflare Magic WAN integration: You can on-ramp traffic from Sophos Firewall to Cloudflare Magic WAN using redundant and resilient SD-WAN over route-based IPsec VPN or GRE tunnels. For configuration details, go to Connect Cloudflare Magic WAN and Sophos Firewall.

Version 19.5 MR2 Build 624

Released on May 09, 2023

New features

Important security and hardening enhancements

The release implements two security enhancements that help harden your firewall and follow the industry best practices to protect your firewall from attacks.

These changes impact access to the web admin console and user portal from the WAN zone.

Web admin console access from specific WAN IP addresses:

  • We strongly recommend turning off web admin console access from all WAN sources (the entire internet) to reduce the potential for a brute force or reconnaissance attack.
  • For remote management of your firewalls, we recommend using Sophos Central. It's free for customers.
  • If you must provide access to the web admin console from WAN, go to Administration > Device access, add a local service ACL exception rule, allowing specific IP addresses and networks.
  • Web admin console will no longer be available from all WAN sources. So, you won't be able to select WAN under HTTPS on Administration > Device access.

Note: Existing deployments aren't impacted. If you've already turned on web admin console access from all WAN sources, the functionality continues to work after you upgrade to SFOS 19.5 MR2.

Unused WAN access to web admin console and user portal:

  • Web admin console and user portal access from all WAN sources will be turned off if there aren't any successful sign-ins from the WAN zone for 90 consecutive days. This applies to all deployments.
  • Access given to specific WAN IP addresses and networks through a Local service ACL exception rule isn't impacted. These sources will continue to have access even if there are no sign-ins.

This has been done to prevent instances where the access was turned on but remains unused, leaving the firewall potentially exposed on the internet to brute force and reconnaissance attacks.

Note: If you've already turned it on before migration and are actively using it, the functionality will continue to work.

For details, see Best practices for securing your firewall.

IPsec how-to article list accessible from web admin console

Routing and NAT configurations for IPsec: A how-to article list is directly linked from Site-to-site VPN > IPsec to help with IPsec configurations that require routing and NAT. The list includes articles that address use cases, such as system-generated DHCP relay and authentication traffic and traffic to a host through an existing IPsec tunnel.

Other enhancements

The version offers the following enhancements:

Dynamic routing: The firewall now supports up to 4000 multicast groups providing additional scalability in dynamic routing deployments. This eliminates issues related to dynamic routes being unable to join multicast groups.

SD-RED: A new banner on the Wireless pages highlights the approaching End-of-Life (EOL) date for legacy RED 15, 15w, and RED 50 devices. EOL is on August 31, 2023.

You must upgrade your RED devices to the latest models, which offer higher performance and improved connectivity.

Version 19.5 MR1 Build 278

Released on February 15, 2023

New features

New XGS 7500 and XGS 8500 Hardware appliances

The new XGS 7500 and XGS 8500 2U models are engineered from the core to provide the performance needed to target larger enterprise and campus edge deployments.

  • Up to 47% higher throughput for all key protection versus the next highest model.
  • Industry-leading ROI per Protected Mbps versus comparable competitive models.
  • Enterprise-Grade Acceleration with high-performance Xstream Flow Processors and CPUs to meet the needs of the most demanding networks.
  • High performance, high capacity with dual redundant Non-Volatile Memory express (NVMe) SSDs, and a significant RAM increase over our other 2U models.
  • High speed built-in connectivity with two QSFP28 ports on each model supporting port speeds of up to 40 Gbps on XGS 7500 and 100 Gbps on XGS 8500.
  • Up to 2x better power efficiency in combination with IPsec VPN than the industry average for comparable models.

More enhancements

The version offers the following enhancements:

  • 5G support: Supports Sierra EM9191 5G module for XGS 116(w), 126(w), and 136(w). Enables 5G cellular connectivity using the 5G sub-6 GHz bands supporting peak download rate up to 4.5 Gbps.
  • Xstream SD-WAN: Enhancements to SD-WAN route management. You can clone SD-WAN routes above or below the existing route, move a route to any position on the list, and create a route at the top or bottom of the list.
  • Firmware upgrade: A warning message will appear, alerting you to the risk of a factory reset if you try to upgrade to a firmware version that isn't supported for migration.
  • Backup management: The firmware version is included in the backup file's name to help you identify the version.

Version 19.5 GA Build 197

Released on November 17, 2022

New features

Xstream architecture

  • SD-WAN:
    • SD-WAN load-balancing to maximize bandwidth use across multiple links. You can select load balancing as the routing strategy in SD-WAN profiles. You can use round-robin and session persistence based on source and destination IP addresses and connection criteria with gateway weights and SLAs. Ensures routing of application traffic across multiple links, including MPLS, WAN, VPN, and RED. See the help for Load balancing using SD-WAN profiles.
    • Real-time monitoring and logging with enhanced gateway performance diagnostics for SD-WAN profiles. Shows link performance with total connections and data transfer count. You can also reset the counts for troubleshooting. See the help for SD-WAN performance diagnostics.
  • IPsec VPN: Increased the maximum supported concurrent tunnels from 4,650 to 10,000. See the knowledge base article Supported VPN tunnels on SFOS 18.5, 19, and 19.5.

High availability

  • Cluster and device identification:
    • Added customizable node names to easily identify HA devices. The name is shown in the browser tab, drop-down widget, CLI, and notifications, allowing you to always identify the device.
    • Enhanced HA status panel with information about node names, licensing source, initial primary, current role and status, and status change time for troubleshooting.
    • Ability to set the HA cluster ID.
    • Clarifies which device is the primary and which is the auxiliary, along with their license requirements.
    • Persistent banner on the auxiliary device to easily identify the device.
    • HA widget moved to the admin drop-down on the upper-right making it always available for quick access. Shows the node names, a quick view of the cluster health, and the important cluster information.
    • Node name, device role, and enhanced HA information on the CLI. Shows the device role in the hash prompt for easy troubleshooting.
  • Redundant HA links:
    • Support for up to four interfaces for the dedicated HA link. You can configure the redundant links in QuickHA and interactive modes.
    • Automatically creates a LAG interface for multiple dedicated HA links selected in QuickHA mode.
    • Supports LAG and VLAN interfaces for the dedicated HA link.
  • Supports unbound interfaces as monitored ports if you've configured VLAN on them.
  • Clearer selection for the preferred primary device.

See the video for Sophos Firewall 19.5: High availability enhancements.

Dynamic routing

  • OSPFv3: Supports OSPFv3 protocol, enabling dynamic routing for IPv6 traffic.
  • Better routing decisions: OSPF and OSPFv3 use the configured interface speed, selecting higher-speed interfaces for routing.
  • BGP: Automatic router ID selection for BGP allows dynamic updates to the router ID.
  • Logs: Provides logs related to adjacency information for BGP, OSPF, and OSPFv3. See the help for BGP and OSPF commands.
  • Other enhancements are as follows:
    • Integrated a new dynamic routing engine for stable and future-ready capability.
    • Fully interoperable with other vendors.

Static routes

Allows you to configure administrative distance and metric for IPv4 static routes. See the help for Static route enhancements.

Important changes in routing behavior

We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. Changes from the earlier behavior are as follows:

  • BGP, OSPF, and RIP configurations, by default, prevent network and route distribution to the peer if the interface link status is down. To change this default for only BGP, run the following command on the BGP CLI console: `no bgp network import-check`
  • BGP configurations, by default, prevent network and route distribution to the peer if SFOS and BGP network have a non-matching subnet. To change the default, run the following command on the BGP CLI console: `no bgp network import-check`
  • Zebra advanced shell CLI is NOT available due to the new dynamic routing engine. Static route configuration through the Zebra advanced shell CLI is NOT possible in v19.5 GA. You can add the same configuration on the SFOS web admin console on Routing > Static routes.

If you're upgrading or restoring the backup from an earlier version, the changes in behavior may bring network disruption. So, in some cases, the firewall won't allow you to upgrade to SFOS 19.5 GA. See the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.

PKI acceleration for inspected TLS flows

The DPI engine offloads PKI processing for X.509 certificate re-signing for inspected TLS flows to the crypto hardware on the Xstream Flow Processor. PKI offloading delivers higher overall performance with SSL/TLS decryption in the following XGS Series appliances:

  • 1UL (4300, 4500)
  • 2U (5500, 6500)

See the help for information on Architecture for offloading.

Quality of life enhancements

The version offers the following enhancements:

  • Azure AD SSO: Supports Azure AD SSO configuration for signing in to the web admin console. See the video for Sophos Firewall 19.5: Azure AD SSO.
  • Interfaces:
    • Interface speed: Detects the recommended link settings automatically. Supports advanced port configurations for high-speed interfaces, including FEC (Forward Error Correction) for high-speed 40G interface on XGS 5500 and 6500 appliances.
    • Interface breakout: Supports the breakout of 40G interfaces into 2 or 4 x 10G interfaces through DAC or fiber breakout cables.
  • RED unlock code: The RED provisioning server sends the unlock code to the email address specified on System services > RED when you add a RED device or delete it from the firewall. See the knowledge base article Pop-up message and email for the RED unlock code.
  • Search: Search capability by name, type, and value for the default and custom objects for Hosts and services. See the video for Sophos Firewall 19.5: Search enhancements.
  • Log storage: Enhanced .log file storage for better troubleshooting with configurable rotation count and archiving, along with timestamp and size changes, for single or multiple log files.

Other changes

The "Always cache Sophos endpoint updates" setting on Web > General settings > Web content caching has been removed from the SFOS 19.5 GA release. Enhancements to the security and integrity of Endpoint update delivery have made this feature ineffective.

Resolved issues

Version 19.5 MR4 Build 718

Fixed issues listed by ID, component, and description.
Issue ID Component Description
NC-122760 AppFilter Policy Unable to update or push app filter policy from Sophos Central.
NC-119049 Authentication Access server crashes due to missing nsgencode multi-thread support.
NC-120582 Authentication Update event log message for brute force functionality.
NC-120875 Authentication AD group import stops responding when usernames have special characters.
NC-121619 Authentication Administrators' access to the web admin console is blocked after two wrong attempts when MFA is turned on for them.
NC-124603 Authentication Primary user group ID greater than 9999 causes captive portal to disconnect within five to ten seconds after sign-in.
NC-119334 Backup-Restore Backup download button is unresponsive.
NC-119857 CM Web admin console doesn't respond after going to the Sophos Central menu.
NC-125076 Dynamic Routing (BGP), Dynamic Routing (OSPF) Zebra restarts continuously when a broadcast IP address is set as the gateway IP address.
NC-116220 Email Awarrensmtp was in failed status, and inbound email wasn't delivered. No NDR was sent to senders on February 13, 2023.
NC-117638 Email Emails are quarantined even when sender's address is added to exceptions.
NC-117881 Email Anti-spam service is unresponsive.
NC-120967 Email Inbound and outbound emails are delayed after firmware upgrade to 19.5.2.
NC-122260 Email Email transport through smarthost is rejected with the user's two email addresses in `Return-Path:` and `From:` header after clicking Release and report in Quarantine digest.
NC-124102 Email Unable to turn off legacy TLS protocols.
NC-124414 Email SPX password exposure in plain text (CVE-2023-5552).
NC-124453 Email Not able to see, release, or delete emails from SMTP quarantine.
NC-125369 Email Exim: libspf2 vulnerability (CVE-2023-42118).
NC-120016 Firewall Local ACL doesn't work when the name has a backslash ( `\` ).
NC-119831 Firmware Management Factory reset of the primary device during an upgrade from 19.5.1 to 19.5.2.
NC-120434 Firmware Management Discrepancy in HA roles when auxiliary device is reset.
NC-120730 HA HA failover resulted in missing configuration.
NC-124105 HA Configuration changes in firewall show the following error: "The Operation will take time to complete. The status can be viewed from the 'Log viewer' page".
NC-108238 Import-Export Framework Unable to export user configuration.
NC-119395 Interface Management Discrepancy between upper and lower case in MAC address filtering.
NC-119561 IPS-DAQ Inject buffer leak causes traffic outage.
NC-124957 IPS-DAQ FIN and RESET packets leave WAN interface with LAN IP address information.
NC-119321 IPS-DAQ-NSE Slow download speed with SSL/TLS inspection enabled even if TLS isn't being decrypted in the presence of large initial rxwin.
NC-116002 IPsec and SDWAN Routing Branch office users unable to receive emails, receive emails later, or IPsec traffic slows.
NC-121370 IPsec Memory usage increased after upgrade to SFOS 19.5.1 Build 278.
NC-123233 IPsec IPsec SA establishment interrupted sporadically.
NC-122131 IPS Engine IPS signature didn't block the detected SID.
NC-115455 IPS Policy IPS policies aren't working as expected.
NC-125251 IPS Ruleset Management Firewall rules using IPS count issue with read-only administrator profile.
NC-116448 L2TP A checkbox isn't visible on the top line of L2TP members.
NC-122180 Licensing Unable to access web admin console due to license sync issue.
NC-117777 Logging Framework Network traffic report calculation shows different values at different times.
NC-122033 Logging Framework WAN interface graph shows incorrect values for historical data when collected five minutes before or after the hour limit.
NC-123602 Logging Framework /conf partition gradually rises.
NC-123771 Logging Framework (Central Reporting) Central Report hub isn't showing the past 24-hour statistics from the firewall as SFOS is sending reports to Sophos Central at a very low rate.
NC-122699 nSXLd Adding a trailing period at the end of the domain bypassed web policies.
NC-117753 PPPoE Internet through PPPoE isn't working after HA failover.
NC-119722 RED RED data path traffic fails when client has multiple WAN links and picks the bad one for traffic.
NC-122511 RED Vulnerability detected on Port 3400.
NC-123969 RED Primary device automatically restarts and fails over to the auxiliary device.
NC-125221 RED Failure to establish site-to-site tunnels when RED server enforces TLS 1.2.
NC-124588 SecurityHeartbeat Certain heartbeat opcodes are always called with debug enabled even though CSC is not in debug mode in SFOS 20.0 EAP0.
NC-118923 SSLVPN Login security block only applies to administrators and not users.
NC-119051 SSLVPN Route quotas reached for SSL VPN server.
NC-120190 SSLVPN Site-to-site SSL VPN connections fail due to the absence of serveruser.conf file.
NC-123237 SSLVPN Grammar error on the web admin console for route-based VPN connection.
NC-123723 SSLVPN XG 86w doesn't reconnect SSL VPN after a restart.
NC-124647 SSLVPN Unable to connect SSL VPN since firmware upgraded to 19.5.3.
NC-126833 SSLVPN Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up.
NC-120986 Static Routing After HA is disabled, the previous auxiliary device faces firmware update failure due to Zebra backend CLI routes.
NC-119425 Synchronized App Control Garner log filled with "usercache_output: cannot resolve appcatid 0".
NC-123712 UI Framework Web admin console freezes and becomes inaccessible.
NC-119192 VFP-Firewall Slow speed using VirtIO NICs.
NC-124909 VFP-Firewall Device seems to have restarted automatically.
NC-119052 WAF WAF protection policy display issue on the web admin console.
NC-121432 WAF /tmp doesn't remove files and runs out of space, causing AV scan failure.
NC-124519 WAF Form-based authentication doesn't work after upgrade from 19.5.2 to 19.5.3.
NC-121415 Web avd stops responding after pattern update because one thread doesn't release (even after the NC-114930 fix).
NC-124040 Web Unable to get proper "web activity category" report under "Blocked Web attempts".
NC-116339 Wireless Hostapd service dead after adding wireless network in the access point group.
NC-118913 Wireless AP firmware isn't automatically updated after an AP pattern update.
NC-119289 Wireless Hotspot voucher shows SSID WLAN password even after removing the SSID encryption from existing wireless network settings.
NC-119829 WWAN Verizon MiFi 4G USB modem (U620L) doesn't work after upgrade to 19.5.2.
NC-115457 XGS BSP Fiber interfaces are taking more time for negotiation in XGS than XG Series firewalls.

Version 19.5 MR3 Build 652

Fixed issues listed by ID, component, and description.
Issue ID Component Description
NC-120519 CM Disabling Central Management doesn't work per the firewall's API document.
NC-120138 Email Excessively strict validation for email message ID.
NC-119898 IPsec XFRM tunnel remains disabled when both site-to-site and route-based VPN are simultaneously up on the same local remote gateway pair.
NC-119825 Certificates Unable to download Default certificate from Web > General settings. Signs out the administrator when they click the download button.
NC-119560 Authentication Wizard 19.5 MR2 mandatory firmware update causes the initial setup to start repeatedly.
NC-119525 Hotspot Valid until time on Hotspot sign-in shows time in UTC instead of Local system time.
NC-119374 WAF Error 404 on Authentication page after upgrading the firmware from 19.5.1 to 19.5.2.
NC-119198 CM Unable to change administrator user account's password from Sophos Central Firewall Management.
NC-119183 Authentication Transaction failure in eDirectory authentication server.
NC-119047 IPsec SSL/TLS inspection isn't working for VPN users.
NC-118749 CM Specific API call doesn't seem to be working.
NC-118671 SSLVPN Android/IOS users aren't able to import SSL VPN ovpn file.
NC-118601 UI Framework The file ".eslintignore" is accessible from the UI.
NC-118204 Firewall, SDWAN Routing Static multicast packet changes reply destination when SD-WAN route is applied.
NC-117786 Reporting Security Audit Report score data differs between what is seen on the firewall versus what is received through email.
NC-117680 SecurityHeartbeat IPSET hb_green entry removed without cause.
NC-117675 Gateway Management DGD service stopped after power failure and didn't restart.
NC-117314 Core Utils SWAP memory usage is full.
NC-117243 RED Need to disable DHE cipher support for RED.
NC-117063 Firewall Allowed child connection is logged as dropped.
NC-116939 Firewall Pktcapd bpf filter causing auxiliary to restart.
NC-116899 Email Attachment going through, although it should be blocked based on extension/MIME.
NC-116890 Firewall NAT rule isn't getting marked after the firewall restarts.
NC-116881 Authentication Uploading certificate file to the web admin console, when signed in through Azure AD SSO, results in sign-out.
NC-116880 Authentication SSH keys disappear when administrator has two-factor authentication enabled and added after sign-in using an administrator other than the default admin.
NC-116845 Email Occasional UT error in mailpoller.
NC-116602 Authentication Log viewer doesn't show source IP address for SSL VPN users with authentication failure.
NC-116531 SecurityHeartbeat Can't access resources for some time when heartbeat is configured.
NC-116527 Firewall Entities.xml shows additional firewall rule that isn't visible on the web admin console.
NC-116314 Interface Management Unable to delete or make changes to bridge interface.
NC-116312 CM Garner thread stuck in Central Management plugin.
NC-115982 CM Alert in Sophos Central: "Firewall has not checked in with Sophos Central for the past 5 minutes".
NC-115360 nSXLd Policy deleted from Sophos Central continues to appear in the firewall.
NC-114950 Authentication Unable to view usage with username "do'reilly" and web admin console stops responding.
NC-114930 Web AVD stops responding after pattern update because one thread doesn't release.
NC-114872 IPS-DAQ Certificate-based authentication failing to server with small RX win.
NC-114652 Logging Framework (Central Reporting) After 7200 files, sending files to Sophos Central stops with an error.
NC-114292 Static Routing Static routes stopped working after upgrading to 19.5 GA due to Netlink error.
NC-113458 Email MIME type recognition issues when Zero-day protection is turned on.
NC-113038 Email Mail communication stopped working after upgrading to 19.5 GA.
NC-113034 Hardware Lost device access to XGS appliances and logs aren't available.
NC-112136 Firewall RED connection interruption when firewall acceleration is turned on in XG 310.
NC-111476 FQDN Subdomain learning isn't working when non-SFOS DNS server is set for the client.
NC-111441 SSLVPN Remote access SSL VPN isn't working after upgrading to 19.0 MR1.
NC-111110 SDWAN Routing Import-export doesn't reflect changes in SD-WAN profiles.
NC-110927 Authentication Missing MFA enable-disable event logs.
NC-109626 HA Standalone HA device restarts. Too many open files.
NC-109625 Email Inbound emails from specific domains are quarantined because of DKIM verification failure.
NC-109623 Dynamic Routing (BGP) BGP - FRR doesn't advertise the configured networks if they aren't available in the routing table.
NC-109201 Firewall Device goes into failsafe mode after firmware upgrade to 19.0.1. Unable to apply firewall framework.
NC-108562 Core Utils Public key authentication for administrator can't be managed through Sophos Central.
NC-108450 Email Inbound emails with attachments aren't delivered because of malware scan failure.
NC-108378 Clientless Access Clientless access doesn't work if the name contains an umlaut character.
NC-108003 NFP-Firewall Memory utilization increases until the firewall stops responding.
NC-107975 Logging Framework Logging stopped on the device with the error database disk image is malformed.
NC-107708 Firewall Firewall restarts automatically. RIP: 0010:muser_match+0x747
NC-107481 Authentication Log viewer doesn't show source IP address for authenticated SSL VPN users.
NC-107329 IPS-DAQ Snort shows high CPU usage. Low bandwidth experienced.
NC-107325 VFP-Firewall Firewall becomes inaccessible.
NC-107178 SecurityHeartbeat Clarification required for license enforcement message in 19.0 MR1 and later.
NC-107042 IPsec IPsec VPN path MTU-related connection issues with IPsec acceleration.
NC-106738 Hotspot Sort functionality doesn't work properly in the user portal for hotspot vouchers.
NC-102256 Clientless Access Clientless VPN bookmark for RDP stops intermittently. Signs out the user.
NC-101163 Wireless After an update, separate zone SSID "ageing_time" parameter is reset to 0.
NC-94533 Certificates Attribute challenge password prevents issuing a certificate with No-IP.
NC-85114 Firmware Management "kworker" process taking high CPU continuously on XG 450.

Version 19.5 MR2 Build 624

Fixed issues listed by ID, component, and description.
Issue ID Component Description
NC-115369 Dynamic Routing (OSPF) OSPF repeatedly flaps when running a continuous scan with ICMP echo in 19.5.
NC-115199 Web Couldn't turn on OTP for the administrator's account.
NC-115019 IPS-DAQ-NSE Primary device in HA becomes unresponsive.
NC-114627 Clientless Access Unable to connect to RDP over Clientless access SSL VPN when username includes a space.
NC-114586 WAF Unable to restore backup taken from Sophos Central.
NC-114411 IPS Engine IPS policy behavior issue when configured through Sophos Central management.
NC-114163 SSLVPN Connections from LAN to static SSL VPN IP address are routed through WAN on the XGS device.
NC-114104 AppFilter Policy Application filter policy set to block all applications doesn't set the risk level when configured through Sophos Central management.
NC-114092 Wireless Wireless APX stopped working with no traffic for Wi-Fi Clients after 19.5 GA upgrade.
NC-114075 SDWAN Routing Connectivity issue when using IPsec route-based VPN with SD-WAN routes and profiles.
NC-114057 Authentication Match known users option in firewall rule drops traffic because user identity isn't being marked.
NC-113902 WAF WAF isn't working after upgrading to 19.5 GA.
NC-113866 Static Routing 19.0 and 18.5 migration to 19.5 GA and MR1 blocked when routes are configured from the web admin console using PPPoE interface.
NC-113547 Email Invalid IP address causes an error for notification emails.
NC-113532 Authentication Unable to remove authorizers from data anonymization setting.
NC-113102 DHCP Unable to add static MAC address to a specific DHCP pool.
NC-113005 RED RED tunnels restarted due to a SIGPIPE issue.
NC-113004 Logging Framework Garner crashed at init_cache_tree during sync cache.
NC-112722 SDWAN Routing Garner failure logs for usercache output.
NC-112621 RED Unable to edit some RED interfaces.
NC-112528 VFP-Firewall Unable to upgrade HA pair to 19.5 GA.
NC-112492 Dynamic Routing (PIM) PIMD service shows DEAD status.
NC-112363 IPsec GUI inaccessible over IPsec RBVPN with traffic selectors in use.
NC-112117 RED Editing the details of a RED in XG Firewall caused the firewall to become unresponsive.
NC-112065 SSLVPN When Azure AD is selected as the authentication method, Services page becomes unresponsive.
NC-112058 RED Some reports aren't loading for RED tunnel on XG Firewall.
NC-111151 Clientless Access Clientless VPN bookmark for RDP becomes intermittently unresponsive.
NC-110897 Email Getting error logs when Antivirus mode is set to Sophos in WAF protection policy.
NC-110678 Logging Framework Live logs not appearing in log viewer.
NC-109689 FQDN Adding a new FQDN host object to the firewall causes the resolver to restart or become unresponsive and causes DNS resolution to fail during the time.
NC-109627 Wireless AP and APX devices go offline.
NC-107504 Logging Framework Unable to update the pattern file at AirGap sites.
NC-107388 DDNS DDNS logs appear every 5 minutes.
NC-106284 UI Framework Couldn't see the settings under Administration > Device access with read-only profile sign-in.
NC-103578 Web Web policy set to Warn with filetype policy and default action set to Block results in page block.
NC-102265 VFP-Firewall Kernel crash (_test_firewall+0x171). CPU is unresponsive.
NC-101846 Firewall Connections fail due to high number of sockets in FIN_WAIT status.
NC-100702 UI Framework Package.json URL works on the SSL VPN portal.
NC-95429 WWAN Sierra Wireless MC7430 Qualcomm® Snapdragon™ X7 LTE-A doesn't connect.

Version 19.5 MR1 Build 278

Fixed issues listed by ID, component, and description.
Issue ID Component Description
NC-112906 Dynamic Routing (OSPF) OSPF doesn't redistribute the remote side network of L2TP tunnel.
NC-112211 SSLVPN /conf/certificate/openvpn directory is missing.
NC-112128 Email Release link settings can't be saved in Quarantine digest.
NC-111790 DHCP Unable to configure or edit interfaces.
NC-111476 FQDN Subdomain learning isn't working if a DNS server other than SFOS is set for the client.
NC-111441 SSLVPN Remote access SSL VPN isn't working after upgrading to 19.0 MR1.
NC-111423 FQDN FQDNs resolving with low TTL (2-5 seconds) are creating issues with wildcard FQDN host.
NC-111110 SDWAN Routing Import-export doesn't reflect changes in SD-WAN profiles.
NC-111023 Email Legacy email mode is crashing frequently.
NC-110927 Authentication MFA enable and disable event logs are missing.
NC-110203 Dynamic Routing (OSPF) 19.5 OSPF link detection behavior change from Quagga to FRR.
NC-109626 HA Standalone device rebooted-msync. Log shows "Too many open files".
NC-109623 Dynamic Routing (BGP) FRR doesn't advertise the configured networks if they aren't available in the RIB.
NC-109562 WAF Unable to update the WAF protection policy after selecting it for WAF rule.
NC-109245 WAF Can't skip CRS rules in application attacks group with exceptions.
NC-109201 Firewall Device goes into Failsafe mode after upgrading firmware to 19.0.1. Unable to apply Firewall Framework.
NC-108562 Core Utils Public key authentication for admin can't be managed through Sophos Central.
NC-108536 Firewall Firewall rules stopped working after backup-restore due to failure in XML API while creating firewall rule.
NC-108378 Clientless Access Clientless access doesn't work if the name contains an umlaut character.
NC-108318 Email Unable to click a few settings under Email > General settings after firmware update to version 19.
NC-108237 Email Spam emails are allowed with the error "spam scanning failed".
NC-108003 NFP-Firewall Memory utilization increases until the firewall stops responding.
NC-107975 Logging Framework Logging stopped on device with the error database disk image is malformed.
NC-107708 Firewall Firewall restarts automatically.
NC-107481 Authentication Logviewer isn't showing source IP address for authenticated SSL VPN users.
NC-107325 VFP-Firewall Firewall becomes inaccessible.
NC-107283 Email Awarrensmtp service isn't responding.
NC-107042 IPsec IPsec VPN path MTU-related connection issues with IPsec acceleration.
NC-106783 Email Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain.
NC-106738 Hotspot Sort functionality doesn't work properly in the user portal for hotspot vouchers.
NC-101163 Wireless After an update, separate zone SSID's aging_time parameter is reset to 0.
NC-100418 nSXLd Internet down with the error nSXLd: Connection time-out while connecting to SXL server.
NC-95603 Email Legacy email mode stops responding every two minutes.
NC-94533 Certificates Attribute challenge password prevents issuing a certificate with No-IP.
NC-85114 Firmware Management "kworker" process is taking high CPU continuously on XG 450.

Version 19.5 GA Build 197

Fixed issues, listed by ID, description, explanation, and workaround.
Issue ID Component Description
NC-106424 API Framework, UI Framework A code injection vulnerability allowing remote code execution was discovered in the user portal and web admin console. We released the hotfixes for this issue. See Resolved RCE in Sophos Firewall (CVE-2022-3236).
NC-101326 SSL VPN OS command injection through SSL VPN configuration upload (CVE-2022-3226).
NC-108213 UI Framework Post-auth code injection (CVE-2022-3696).
NC-99962 Wireless Adjacent code injection in Wi-Fi controller (CVE-2022-3713).
NC-93847 Authentication Stored XSS in import group wizard (CVE-2022-3709).
NC-94664 Hotspot Post-auth read-only SQLi in user portal (CVE-2022-3711).
NC-102257 Firewall Post-auth read-only SQLi through API controller (CVE-2022-3710).
NC-89091 API Framework Resolved multiple post-auth SQLi vulnerabilities in the web admin console (CVE-2022-1807).
NC-97743 AppFilter Policy Unable to export application filter policy.
NC-74235 AppFilter Policy DOM-based XSS in AppFilterPolicyDetailEdit.js.
NC-107176 Authentication Web admin console SSO prevents language choice.
NC-79468 Authentication Outdated users not removed from the live user list.
NC-84910 Authentication STAS authentication stops working when the appliance restarts until the access server's restarted if AD is accessed through a static route.
NC-84924 Authentication Memory utilization increases to 90 percent and above in XGS 3100 due to the appcached service.
NC-85151 Authentication When the firewall is moved to a group on Sophos Central, it's added to the group but changes to "Error needs attention".
NC-85961 Authentication Guest user is created on secondary appliance but not on primary appliance sometimes.
NC-90151 Authentication Unable to authenticate with PUSH with Azure MFA.
NC-101852 Authentication Unable to add users with the same email address (Azure AD).
NC-102771 Authentication XFOS Migration Users unable to authenticate through CAA.
NC-102979 Backup-Restore Unable to restore backup from XG 310 to XG 230.
NC-85547 Captive Portal Sign-in message and sign-out option not appearing with custom captive portal.
NC-95926 CDB-CFR, Reporting Unable to generate reports.
NC-101703 CDB-CFR, CM Unable to open the firewall's web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall from Sophos Central.
NC-80305 Certificates Though CA isn't available on the pfx file, CA upload opcode gets called.
NC-103406 Certificates Migration from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365 fails.
NC-81219 CM Expected downtime for a firewall upgrade with HA on Sophos Central.
NC-81430 CM, UI Framework User portal host injection reported.
NC-89079 CM fwcm-eventd agent isn't listening to the IP address up event for SD-WAN connection group.
NC-83405 Core Utils Inconsistency with Security Audit Reports (SAR).
NC-84231 Core Utils Receiving a duplicate copy of the same executive schedule reports.
NC-98712 Core Utils Containment plan to handle production issue causing ten-second factory reset feature to not work on XGS Series appliances.
NC-89218 Core Utils Resolved post-auth shell injection in web admin console through OpenSSL (CVE-2022-1292).
NC-82972 CSC HA appliance stops responding.
NC-101021 Date/Time Zone Time zone change allowed in Sophos Central on HA appliances.
NC-80660 DHCP DHCP IP lease issue.
NC-92745 DNS kdump: stack guard page was hit, and appliance restarts repeatedly.
NC-101271 Dynamic Routing (BGP) BGP networks on the web admin console show ASCII characters instead of expected networks for config-type Cisco.
NC-106811 Email Unable to start anti-spam service.
NC-74248 Email Stored potential XSS in MailScanRuleManage.js.
NC-83419 Email Inbound emails aren't delivered when SMTP scanning is turned on in the firewall rule.
NC-85346 Email Smarthost authentication didn't work. Related to password decryption failure.
NC-87240 Email Avira engine error with axpx files.
NC-90702 Email SASI detection problems when too many hits are returned.
NC-92840 Email RCA for email not received with an error "smtp_check_forward_reply: response arrived without any command".
NC-93380 Email Anti-spam not working after upgrade to SFOS 18.5.3.
NC-94362 Email SPX stops working after an unspecified period.
NC-95543 Email Mail logs page stuck in loading status.
NC-98296 Email Attachments getting corrupted while using SPX.
NC-98300 Email High CPU utilization due to Exim.
NC-99421 Email Email loop with AV scan failure.
NC-101300 Email Unable to send emails after upgrading to 18.5.4 due to malware scan failure.
NC-73975 Firewall FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2).
NC-77804 Firewall netlink: 153776 bytes leftover after parsing attributes in the following process: ipsetelite.
NC-81939 Firewall Not reflecting daylight savings time correctly.
NC-82215 Firewall Device freeze issue (0010:queued_spin_lock_slowpath+0x14b/0x170).
NC-82332 Firewall Kernel panic. Unable to handle kernel NULL pointer "ip_route_me_harder".
NC-82566 Firewall Kernel crash after update to 18.5 MR2. RIP:0010:_raw_read_lock_bh+0x14/0x30.
NC-83470 Firewall, VFP-Firewall Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG 750 during Connection rate test.
NC-83734 Firewall Inbound emails dropped at times with SMTP scanning turned on in HA load balancing.
NC-86093 Firewall Duplicate firewall rule group.
NC-89076 Firewall, VFP-Firewall Unable to access `www.radix.ad.jp` on the environment tagged VLAN with DPI configured.
NC-89162 Firewall Appliance restarts automatically. 0010:queued_spin_lock_slowpath+0x148/0x170.
NC-90024 Firewall Backup restore and migration fails when multiple local ACL rules are configured.
NC-91295 Firewall Zones tab showing blank after deleting zone created on second page.
NC-95861 Firewall Country blocking through firewall rule isn't working.
NC-97883 Firewall Unable to upgrade firmware or restore backup from 17.5.15 to 19.0 GA. Duplicate key value violates unique constraint "tblfirewallrule_unique_name".
NC-98089 Firewall Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA.
NC-100084 Firewall DNAT issue when multiple hosts are added.
NC-102308 Firewall Disabled load balancing NAT rules still sending out alerts for the rules.
NC-102436 Firewall Appliance access was lost, and local ACL rules stopped working after restoring backup.
NC-102614 Firewall Traffic not working with FastPath for bridge with logical members after migrating to 19.0 GA. Traffic shouldn't get offloaded.
NC-86819 Firmware Management, Licensing AWS instance stuck when starting it.
NC-88207 Firmware Management Firmware update fails when space is used in file name.
NC-94291 Firmware Management Small var partition created for VM image using aux disk.
NC-100716 FQDN ipset sporadically not created for wildcard FQDN host.
NC-100250 Gateway Management RCA: Unable to change DGD settings for a specific WAN port.
NC-82225 HA Unable to establish HA correctly on fiber ports.
NC-92282 HA System services page doesn't load.
NC-95351 HA HA failover isn't working due to automatic restart of the auxiliary device.
NC-100623 Hotspot Hotspot voucher creation fails.
NC-99801 Interface Management Unable to delete a LAG interface.
NC-101046 IPS-DAQ Website doesn't work due to OCSP must-staple in Firefox browser.
NC-86451 IPS-DAQ-NSE Unable to access web server through XG Firewall with SSL/TLS inspection error "Dropped due to TLS internal error".
NC-92131 IPS-DAQ-NSE Unable to upload a large file with SSL/TLS inspection turned on in do-not-decrypt mode.
NC-106834 IPS-DAQ-NSE Connection untrusted when browsing some sites.
NC-100699 IPsec SMB file transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.
NC-106608 IPsec Duplicate SAs created.
NC-79128 IPsec Memory usage increased to 90 percent over 20-25 days.
NC-81207 IPsec Web admin console shows error when updating any VPN tunnel configuration.
NC-81944 IPsec WWAN doesn't connect after random disconnect event if xfrm interface is created on WWAN.
NC-83065 IPsec System generated traffic getting impacted when route precedence is set to VPN and remote subnet to Any.
NC-83445 IPsec Constant IPsec VPN flapping. Pushed through Central SD-WAN Orchestration.
NC-84750 IPsec Auxiliary device sporadically receives IPsec packets.
NC-85383 IPsec Unable to connect IPsec remote access due to invalid .scx file.
NC-88404 IPsec IPsec tunnel didn't come up automatically after the restart of a HA appliance.
NC-90247 IPsec IPsec VPN failback isn't working.
NC-94734 IPsec PPPoE isn't connecting after random disconnect event if xfrm interface is created on PPPoE.
NC-95239 IPsec Different gateway entry in IPsec configurations when using DDNS.
NC-95633 IPsec Unable to connect IPsec remote access due to invalid .scx file.
NC-100707 IPsec Wrong source IP address in IPsec routes.
NC-101355 IPsec Migration from 19.0 GA to 19.0 MR1 fails.
NC-103733 IPsec Amazon VPC connection issue since BGP service keeps restarting.
NC-97753 IPS Engine, IPS Policy Unable to upgrade to 19.0 GA from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table.
NC-100681 IPS Engine Increase in snort memory usage with ATP pattern updates.
NC-107999 IPS Ruleset Management HA cluster configuration fails when there's no Network Protection license.
NC-83177 IPS Ruleset Management Unable to toggle IPS switch in 18.5 MR2.
NC-98576 IPS Ruleset Management IPS pattern not updating.
NC-99152 Logging Framework Central reporting: Couldn't initiate the mmap case when queue limit reached with no central connectivity.
NC-101713 Logging Framework PG trigger entry not present for sign-in events if on-appliance reporting is turned off.
NC-94418 Logging Framework (Central Reporting) Central reporting feature is stuck at write_data2_file.
NC-101716 NFP-Firewall Packet drop and slow file transfer with IPsec (IPsec acceleration) and NAT-T.
NC-97058 NFP-Firewall VPN traffic for specific tunnel periodically stops when IPsec acceleration is enabled.
NC-94128 NFP-Firewall Firewall stopped responding on specific port.
NC-90566 NFP-Firewall Traffic not traversing XGS Firewall for a specific configuration.
NC-98094 nSXLd Unable to categorize URLs and IP addresses using external URL database.
NC-85412 PPPoE PPPoE password issue.
NC-95197 RED Appliance auto-restarts frequently in a day or two.
NC-90839 RED Red interface disappears when changing the DHCP server configuration.
NC-88628 RED RED UDP packets are forwarded to the auxiliary device after HA switchover.
NC-76071 RED XGS-2100 - Interface doesn't have any IP address when same firmware is restored on the same hardware.
NC-94337 Reporting Migration failure to 19.0 GA - MaxNoTables24hr_tls exists.
NC-81131 Reporting Last access time isn't generated when there are users with username having XSS payload.
NC-86690 SDWAN Routing SD-WAN FTP proxy traffic not working with transparent proxy.
NC-86652 SDWAN Routing TFTP traffic doesn't follow SD-WAN routing.
NC-83366 SDWAN Routing Turning off captcha on VPN zone isn't working for route-based VPN with SD-WAN routing.
NC-93720 SecurityHeartbeat delay-missing-heartbeat-detection not synchronized on the auxiliary device.
NC-85423 SNMP Kernel fails on XG 125 with SNMP high memory consumption.
NC-74120 Spoofing Traffic through bridge will be blocked as IP_Spoof if spoof protection is turned on for the involved zone.
NC-102737 SSLVPN SSL VPN service stuck in busy status. Site-to-site and remote access SSL VPN affected.
NC-99247 SSLVPN Unable to download SSL VPN site-to-site server configuration.
NC-98574 SSLVPN Traffic isn't passing through site-to-site SSL VPN tunnel though tunnel is up.
NC-94661 SSLVPN Android and iOS users aren't able to import SSL VPN ovpn file.
NC-93919 SSLVPN SecurityHeartbeat_over_VPN object removed from SSL VPN policy after an SSL VPN global configuration change.
NC-88483 SSLVPN CVE-2022-0547: OpenVPN deferred auth vulnerability.
NC-87596 SSLVPN Site-to-site and remote access SSL VPN not working.
NC-83469 SSLVPN Dashboard doesn't reflect the remote user's details.
NC-101075 Static routing Static route to RED disappears when XGS in HA 19.5 is restarted.
NC-93689 Up2Date Client Cosmetic issue with SASI pattern after firmware downgrade.
NC-100334 WAF Virtual host not removed if firewall rule is turned off.
NC-84146 WAF Warning about subject alternate not being part of domain.
NC-102093 Web Upgrading from 19.0 GA to 19.5 EAP0 can leave nasm directory in a bad status.
NC-100265 Web Expired certificates in certcache are being used rather than generating new ones.
NC-83584 WebInSnort IPS segfault in libnsg_tcphold_preproc.
NC-81956 WebInSnort HTTPS traffic to internal server on 8080 is dropped by ips tcphold.
NC-94019 Wireless Wrong Mac-aging time for bridge interface Guest AP.
NC-90684 Wireless Multiple APX 320s not Registering with XG Firewall. Not showing up in pending list.
NC-87659 Wireless Legacy AP roaming key decryption is failing when fast transition is turned on.
NC-85549 Wireless SFOS goes in bad status after a restart if time-based SSID is configured.
NC-84604 Wireless Unable to restore backup from SG 230 to XGS 2300 due to access point database issue.
NC-107453 WAF WAF rules not working on auxiliary appliance.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set "Choose your product" to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Information about 19.5.x is as follows:

  • The version is available on all form factors.
  • The version isn't FIPS-compliant. See Firmware upgrades from FIPS-compliant versions.

Important change to consider if you're migrating from 18.5 to 19.5.x

Remote access SSL VPN IP lease range: After you upgrade from 18.5 versions to 19.5.x, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.

Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.5.x.

Note: The above requirement does not apply if you're migrating from 19.0 or later firmware to 19.5.x.

Versions you can upgrade from

We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

See how to upgrade.

Upgrading firmware
Upgrade to 19.5 (all form factors): MR4 Build 718 | MR3 Build 652 | MR2 Build 624 | MR1 Build 278 | GA Build 197

Upgrade from:
19.5 MR3 Build 652
19.5 MR2 Build 624
19.5 MR1 Build 278
19.5 GA Build 197
19.0 MR3
19.0 MR2

Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.

Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 19.5.x only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.5.x doesn't support appliance certificates with this algorithm.)

Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. This is a change from the earlier behavior. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x. So, in some cases, the firewall won't allow you to upgrade to SFOS 19.5.x. For details, see the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.

Restoring backups

You can restore backups from any supported earlier version to 19.5.x.

To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.

Supported platforms

Version 19.5

Sophos Firewall OS versions 19.5.x are available on all form factors as follows:

  • XGS Series firewalls
  • XG Series firewalls
  • SG Series firewalls
  • Virtual and software appliances
  • Cloud platforms

For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.

Minimum RAM

19.5.x versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:

  • XG 85, XG 85w, XG 105, and XG 105w
  • SG 105, SG 105w

Supported firmware versions

19.5.x versions support the following firmware versions:

  • Wi-Fi firmware 11.0.021 and earlier
  • RED firmware 3.0.009 and earlier
  • Sophos Connect 2.3 MR-1 and earlier

Support

You can find technical support for Sophos products in the following ways:

  • To ask or answer questions, subscribe to blogs, and see recommended reads, visit Sophos Community.
  • Find how-to, configuration, and troubleshooting videos at Sophos Techvids video hub.
  • Visit Sophos Support.

Legal notices

Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Author: Merrill Bechtelar CPA
