Version 18.5 MR5 Build 509
Released on December 08, 2022
New features
This page describes the new features introduced. For details, see the help.
Malware engine: Upgraded the malware scan engines and associated components to a full 64-bit operation to ensure optimum performance and future support.
- Avira: The vendor of the second malware scan engine, Avira, won't provide detection updates in the current 32-bit form after December 31, 2022.
- Avira has been upgraded to the latest 64-bit AVD engine on the firewall. We recommend that customers using dual scan mode or Avira as the primary engine upgrade to one of the following versions as soon as possible:
- 19.5.x
- 19.0 MR1 and later
- 18.5 MR5
- If you can't upgrade, we recommend switching to just the Sophos engine for email and web malware scanning.
- Avira has been upgraded to the latest 64-bit AVD engine on the firewall. We recommend that customers using dual scan mode or Avira as the primary engine upgrade to one of the following versions as soon as possible:
- Sophos engine: Customers using only the Sophos engine aren't affected.
- RED unlock code: The RED provisioning server sends the unlock code to the email address specified on System services > RED when you add a RED device or delete it from the firewall. See the knowledgebase article Pop-up message and email for the RED unlock code.
Version 18.5 MR4 Build 418
Released on June 15, 2022
New features
This page describes the new features introduced. For details, see the help.
- Multicast forwarding:
- Introduced support for controlling the time-to-live (TTL) value in static multicast route forwarding. This can prevent multicast traffic from getting dropped because of expired TTL value at the time of forwarding. You can use the following CLI command: set routing multicast-decrement-ttl
- Increased the default multicast group limit to 250 to support more OSPF neighbors. You can change the multicast group limit using the following CLI command: set routing multicast-group-limit
- Cellular WAN: Added QMI driver support for Cellular WAN.
- Logs: Improved log file handling and CSC logging for better troubleshooting.
- Zero-day protection: An additional data center location for cloud-based machine learning file analysis is now available in the Asia-Pacific region in Sydney, Australia.
- Introduced several important security, performance, and reliability enhancements.
End-of-life
SSL VPN client: The legacy SSL VPN client reached end-of-life on January 31, 2022. It doesn't appear for download on the user portal any longer. Users can download the Sophos Connect client instead. See End-of-Life for Sophos SSL VPN client.
Version 18.5 MR3 Build 408
Released on March 24, 2022
New features
This page describes the new features introduced. For details, see the help.
DHCP options
You can configure DHCP IPv4 options and the boot server on the web admin console. This is in addition to the existing ability to configure it on the CLI.
When you configure Sophos Firewall as the DHCP server, you can also add DHCP and boot options to provide configuration parameters to DHCP clients. You can add custom and predefined DHCP options.
Enhancements
The version includes the following enhancements:
- Anti-spam engine: For anti-spam scanning, Email protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
- Kernel dump: The firewall generates kernel dump reporting when there's a kernel crash, enabling improved root cause analysis and troubleshooting.
Version 18.5 MR2 Build 380
Released on November 29, 2021
Important point to consider before you upgrade to v18.5 MR2
An upgrade to 18.5 MR2 refreshes the firewall certificate used by endpoints to send a heartbeat to the firewall. To make sure that endpoints can download the refreshed certificate from Sophos Central after the firewall is upgraded to 18.5 MR2, see Security Heartbeat connection issue with 18.5 MR2.
FIPS 140-2 certification
You can configure Sophos Firewall to use a cryptography library that is certified for the Federal Information Processing Standard 140-2 (FIPS 140-2) level 1 for the following appliances:
- XGS series hardware
- Virtual machines
IPsec VPN
- IPsec VPN: Introduced support for GCM and suite-B ciphers for IPsec VPN. AES-GCM for IPsec significantly improves IPsec VPN performance.
- Remote access IPsec: Increased the maximum idle time-out to 6 hours for IPsec remote access connections.
- Route-based VPN: For route-based VPN connections with source NAT rules, MASQ now carries the xfrm IP address on the inner IP header and the WAN IP address on the outer header.
Authentication
- MFA with Time-based OTP (TOTP):
- We added MFA support for the built-in "admin" account and alert notifications for all administrator accounts not using MFA.
- We added the token initialization process for signing in to the web admin console as well as for existing users signing in to the user portal.
- We streamlined the MFA experience with easy-to-find and configure MFA settings on the web admin console.
- We removed the ability to view existing OTP secrets and QR codes for token recovery. Lost tokens must be deleted and re-initialized through the sign-in process.
- Users: Enhanced view of multiple group membership for Active Directory users. The web admin console now shows all the groups a user belongs to.
Certificates
- Removed the ability to download private keys for CSRs and uploaded certificates. So, you can't use CSRs and private keys generated on Sophos Firewall for external systems. You need to use other methods, such as tools built into operating systems.
- Shown useful information about the different types of certificate authorities.
- Made it easy to find locally-added certificates and certificates with private keys.
- Made it easy to copy or download a certificate's public key to check and confirm.
Consolidated Troubleshooting Report (CTR)
- Introduced the ability to capture the complete troubleshooting logs, including log file rotation in the CTR.
- Introduced the ability to generate the CTR from the backend.
- Eliminated time-out and console freeze during CTR generation.
Usability
- Sophos Assistant: Introduced Sophos Assistant, a new interactive help on the web admin console. The help flows guide you, making it easier to complete complex configurations.
- IPv6 web categorization for HTTPS requests: HTTPS requests that connect directly to an IPv6 address will now have the “IP address” web category instead of “Invalid URL”. This impacts both TLS policy selection and logging, and makes IPv6 connections consistent with how equivalent IPv4 connections are treated.
- Sophos Central: Introduced credential-free registration for Sophos Central.
- TLS exclusions: Added new domains to the TLS exclusion list: gotowebinar, ava.expertcity.com, cdn-apple, mzstatic, zoom.us, device.login.microsoftonline.com.
- ISO reimaging: Introduced visual indication of the status of ISO reimaging as follows:
- XGS Series desktop hardware: Status LEDs in the front.
- Other XGS Series hardware: On-device LCD screen.
- DDNS: Added support for Cloudflare DDNS provider.
- IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn on or turn off IPS protection. If you're currently using IPS, the switch is automatically set to On when you migrate to 18.5 MR2.
- Installation wizard: Provided a default option for a 2-port bridge rather than the previous single bridge configuration for all ports.
Enhancements
The enhancements introduced in 18.5 MR2 are as follows:
- Xstream Flow Processor driver update related to performance optimizations. The update is mandatory for XGS 4300, XGS 4500, XGS 5500, and XGS 6500 appliances.
- Upgraded JQuery to version 3.5.0.
- Introduced hardware reset on XGS 87 and XGS 107 appliances. Press and hold the hardware reset button to perform a factory reset to help recover from a bad configuration.
- The names of physical and virtual interfaces, wireless networks, and IP tunnels can't start with the system-reserved names, such as "port", "eth", and "ge" any longer.
Version 18.5 MR1-1 Build 365
Released on October 21, 2021
As part of the continual refinement of our hardware products, this release optimizes performance for the XGS 4300, XGS 4500, XGS 5500, and XGS 6500 models through an Xstream Flow Processor driver update.
This release doesn't include any other updates.
- The Xstream Flow Processor driver update related to performance optimization is mandatory for XGS 4300, XGS 4500, XGS 5500, and XGS 6500.
This release is available only to customers with these models. We recommend that all customers with these models apply this update as soon as possible.
18.5 MR1-1 is not available for other XGS Series models, XG Series models, or virtual and cloud deployments.
Version 18.5 MR1 Build 326
Released on August 10, 2021
Available on all form factors
Sophos Firewall OS 18.5 MR1 is available on all form factors as follows:
- XGS Series firewalls
- XG Series firewalls
- SG Series firewalls
- Virtual and software appliances
- Cloud platforms
18.5 MR1 supports the new Sophos Central Orchestration capabilities and many important security fixes and enhancements.
Central Orchestration subscription
The subscription is included in the new Xstream Protection license bundle and offers the following features:
- Central SD-WAN VPN Orchestration: Offers easy point-and-click site-to-site VPN orchestration from Sophos Central, automatically configuring the required tunnels and firewall access rules for the SD-WAN overlay network you want.
- Central Firewall Reporting Advanced: Offers 30-day data retention for full multiple firewall reporting in Sophos Central with access to all pre-packaged reports and flexible, custom report capabilities. You can save, schedule, and export your reports.
- Sophos MTR (Managed Threat Response) and XDR (Extended Detection and Response) connector: Allows us to use the Sophos Firewall intelligence and data as part of our Managed Threat Response 24/7 service. Alternatively, you can manage it as a cross-product, extended detection and response solution.
Other features and enhancements
- Upgrading through Sophos Central: You can schedule firmware upgrades from Sophos Central for XG Series firewalls 18.0 MR3 and later.
- DPI mode: Improved network performance for TLS traffic in DPI mode is now available for all form factors of Sophos Firewall.
- Resolved FragAttack vulnerabilities: We resolved these vulnerabilities recently discovered in the Wi-Fi specification for all internal and add-on Wi-Fi modules for XG series desktop series appliances. All other updates will follow as outlined in this advisory.
- Enhanced backup and restore: We've improved backup and restore operations across different models with accurate mapping of the management ports. Additionally, you can restore backups from 18.0 MR5 and earlier to 18.5 MR1. For more information, see the upgrade information section in this set of release notes.
- XGS Series reset button: You can press and hold the hardware reset button on XGS Series appliances (XGS 116 and higher models) to reset the firewall to factory configuration. You can use this for troubleshooting and to recover from a bad configuration.
- VPN tunnel logging: Improved logging for VPN tunnel flap events and IPsec IKEv2 rekeying.
- Sophos DDNS (myfirewall.co): We're discontinuing Sophos DDNS from January 31, 2022 and won't support new registrations for it from 18.5 MR1. For more information, see Discontinuing Sophos DDNS myfirewall.co.
Version 18.5 GA Build 289
Released on June 02, 2021
Launched new XGS Series hardware models
Sophos Firewall OS version 18.5 GA build 289 launches the XGS Series 1UL and 2U appliance models.
XGS Series models
- 1UL models: XGS 4300, XGS 4500
- 2U models: XGS 5500, XGS 6500
These models are in addition to the recently launched desktop and 1US models.
For the licensing, compatibility, and configuration details, see build 264 under previous versions.
For more information, see Compare models. Alternatively, contact your Sophos Partner.
Version 18.5 Build 264
Released on April 19, 2021
New features
This section contains the new features for 18.5 GA.
Flexibility and performance enhancements
- Version 18.0 delivered a data plane with a Virtual FastPath (VFP) to allow the offloading of trusted and previously security-verified traffic, using the same x86 CPU for the offloaded traffic. On the XGS Series, after inspecting the initial packets in a flow, the x86 CPU offloads trusted traffic to the Xstream FastPath, which runs on the Xstream Flow Processor and is specifically designed for FastPath operations.
- The Xstream Flow Processor delivers and retrieves packets directly to and from the DPI engine's main memory. These enhancements deliver a significant increase in the overall network performance with a 5x improvement in latency with the zero-copy operation and up to a 5x increase in SSL/TLS decryption performance versus the previous hardware models.
- The Xstream architecture saves cycles of the x86 clock by lowering memory bandwidth usage and allowing both processors to update the cache.
- Port density and diversity: XGS Series appliances offer an increased number of fixed ports and include some new port connectivity, such as Power over Ethernet (PoE), which is now built-in on some desktop models. They also offer a broad range of Flexi Port modules and add-on options to adapt and extend connectivity.
Licensing
- XGS Series standalone hardware purchases include the Base License.
- A new, simplified license scheme with two bundle options and à la carte license options are available for these devices. For more information, see Sophos Firewall.
XGS Series models
- Desktop models: XGS 87(w), XGS 107(w), XGS 116(w), XGS 126(w), XGS 136(w)
- 1US models: XGS 2100, XGS 2300, XGS 3100, XGS 3300
- 1UL models: These will be released shortly.
- 2U models: These will be released shortly.
For more information, see Compare models. Alternatively, contact your Sophos Partner.
Compatibility
The following accessories, software, and components are compatible with Sophos Firewall OS running on XGS Series hardware:
- SD-RED devices.
- RED 15, RED 15w, and RED 50.
- APX Series access points.
- Legacy access points: Both XGS and XG Series appliances support AP 100X.
- Clients, such as the Sophos Connect client, STAS.
- XGS 116w, XGS 126w, and XGS 136w models include a modular bay for an optional 3G/4G module.
- XGS 116w, XGS 126w, and XGS 136w support an optional second Wi-Fi 5 module.
- Wi-Fi models support Wi-Fi 5 and include a single radio for 2.4 or 5 GHz.
- The SFP VDSL2 module is compatible with all XGS and XG Series appliances with an SFP (small form-factor pluggable) port.
- A range of optional transceivers, including SFP and SFP+ is also available and is compatible with the XGS and XG Series models.
SFOS running on XGS Series hardware does not support the following accessories and components:
- APX 320X is currently not supported in SFOS on any platform. It is supported only in Sophos Central.
- Legacy access points: AP 15, AP 15C, AP 55, AP 55C, AP 100, AP 100C, AP 5, AP 10, AP 30, AP 50
- Flexi Port modules for XG Series hardware models.
- Desktop 3G/4G and Wi-Fi modules for XG Series hardware.
Backup and restore
- You can take configuration backups from the following versions and devices and restore them on XGS Series appliances:
- SFOS: Version 17.5 MR15 and earlier and version 18.0 MR4 and earlier.
- Cyberoam devices (running CROS and SFOS).
- SG devices (running SFOS).
- The shipped firmware version of SFOS on XGS Series appliances is a pre-production release of version 18.5 and does not allow you to restore configuration backups from the latest SFOS versions (17.5 MR15 and 18.0 MR4). You must first update the firmware to SFOS 18.5 GA before attempting to restore a configuration backup from one of these versions. The setup wizard will take you through the mandatory firmware upgrade to 18.5 GA. If the mandatory firmware upgrade in the wizard is skipped for some reason, when you sign in to the web admin console, a popup message appears asking you to upgrade to 18.5 GA. After the upgrade, you can restore backups from Backup and firmware > Backup and restore.
- You can restore backups from earlier versions of SFOS (17.5 MR14 and earlier, 18.0 MR3 and earlier) to the shipped firmware on the device through the setup wizard. However, we recommend upgrading the appliance to the GA release of 18.5 as part of the setup.
- To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.
Firmware and configuration
- SFLoader: The option to load firmware using SFLoader isn't available for the XGS Series appliances.
- High availability: You can't configure an HA pair using a combination of XGS and XG Series appliances. An HA pair requires the same firmware and hardware revision on both devices.
- Sandstorm protection has been renamed Zero-Day Protection to better reflect the features and benefits in the new licensing scheme launching with the XGS Series.
Product name change for XG Firewall
- The product formerly known as Sophos XG Firewall has been renamed Sophos Firewall. Sophos Firewall is the new overarching name for our core firewall product.
- The OS continues to be named Sophos Firewall OS (SFOS).
- Both XG Series and XGS Series appliances will be available for purchase with Sophos Firewall OS.
- Version 18.5 for XG Series hardware, virtual, software, and cloud deployments is expected to be available shortly.
Resolved issues
Version 18.5 MR5 Build 509
Issue ID | Component | Description |
---|---|---|
NC-108213 | API Framework, UI Framework | Post-auth code injection (CVE-2022-3696). |
NC-107999 | IPS Ruleset Management | HA cluster configuration fails, and the auxiliary device isn't ready when Network License isn't present. |
NC-107453 | WAF | WAF rules not working after HA failover. |
NC-107327 | WAF | Upgrade ModSecurity and OWASP CRS to the latest version. |
NC-106811 | Anti-spam service fails. Unable to start anti-spam service. | |
NC-106608 | IPsec | Duplicate SAs being created. |
NC-106424 | API Framework, UI Framework | A code injection vulnerability allowing remote code execution was discovered in the user portal and web admin console. We released the hotfixes for this issue. See Resolved RCE in Sophos Firewall (CVE-2022-3236). |
NC-103037 | XGS BSP | Failsafe issue due to NPU failure. |
NC-102979 | Backup-Restore | Backup restore fails from XG 310 to XG 230. |
NC-102919 | Static Routing | Static routes lost at the backend on the primary device in QuickHA. |
NC-102771 | Authentication XFOS Migration | Users unable to authenticate through CAA. |
NC-102737 | SSLVPN | Site-to-site and remote access SSL VPN not working since SSL VPN service is stuck in busy status. |
NC-101713 | Logging Framework | PG trigger entry not present for sign-in events when on-box reporting is off. |
NC-101703 | CDB-CFR, CM | Unable to open the firewall web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall. |
NC-101326 | SSLVPN | OS command injection through SSL VPN configuration upload (CVE-2022-3226). |
NC-101046 | IPS-DAQ | A specific website doesn't open in Firefox browser when SSL/TLS inspection is on due to the OCSP Must Staple extension. |
NC-101021 | Date/Time Zone | Time zone change allowed in Sophos Central on HA devices. |
NC-100716 | FQDN | Ipset sporadically not created for wildcard FQDN host. |
NC-100707 | IPsec | Wrong source IP address in IPsec routes. |
NC-100334 | WAF | Virtual host not removed if WAF rule is turned off. |
NC-100325 | WAF | Update API JSON fields for encrypted WAF secrets. |
NC-99962 | Wireless | Adjacent code injection in Wi-Fi controller (CVE-2022-3713). |
NC-99247 | SSLVPN | Unable to download SSL VPN site-to-site server configuration. |
NC-99152 | Logging Framework | Central reporting failed to initiate the mmap case when queue limit reached with no central connectivity. |
NC-98576 | IPS Ruleset Management | IPS pattern fails to update. Error shows get_ips_switch_status: Unable to get network license status. |
NC-97753 | IPS Engine, IPS Policy | Unable to Upgrade to 19 from 18.0.4. Duplicate configuration disable_decode_alerts in tblconfiguration table. |
NC-95353 | Static Routing | Static route to RED disappears in XGS (HA) with a restart. |
NC-95197 | RED | Appliance auto-restarts frequently in a day or two. |
NC-94734 | IPsec | PPPoE isn't connecting after random disconnect event if xfrm interface is created on PPPoE. |
NC-94603 | IPsec | IPsec tunnels flapping continuously. |
NC-94418 | Logging Framework (Central Reporting) | Reporting and logging to Sophos Central stops randomly. |
NC-94019 | Wireless | Wrong MAC-aging time for bridge interface Guest AP. |
NC-93847 | Authentication | Stored XSS in import group wizard (CVE-2022-3709). |
NC-92131 | IPS-DAQ-NSE | Unable to upload a large file with SSL/TLS inspection turned on in do-not-decrypt mode. |
NC-90247 | IPsec | IPsec VPN failback isn't working. |
NC-88628 | RED | RED UDP packets are forwarded to auxiliary device after HA switchover. |
NC-86937 | VFP-Firewall | Memory utilization increases continuously. |
NC-86819 | Firmware Management, Licensing | AWS instance stuck while starting it. |
NC-85961 | Authentication | Guest user is created on secondary appliance and not on primary appliance randomly. |
NC-84750 | IPsec | Auxiliary node sporadically receives IPsec packets. |
NC-84142 | Backup-Restore | Unable to delete VLAN interface. |
NC-81219 | CM | HA zero downtime upgrade isn't supported if firmware upgrade is scheduled on central management. |
NC-74241 | CaptivePortal | Stored XSS through captive portal customization (CVE-2022-4238). |
Version 18.5 MR4 Build 418
Issue ID | Component | Description |
---|---|---|
NC-91295 | Firewall | Zones' tab is empty after deleting a zone created on the second page. |
NC-90702 | SASI detection problems when too many hits are returned. | |
NC-90548 | SD-WAN routing | API call to ON/OFF SD-WAN route does the opposite in 18.0. |
NC-90024 | Firewall | Can't restore a backup or migrate when multiple local ACL rules are configured. |
NC-89996 | Logging | IPS policy redirection issue from Log viewer. |
NC-89401 | XGS BSP | Firmware upgrade from 18.5 MR.1 to 18.5. MR.2 or 18.5 MR.3 failed. |
NC-89218 | Core Utils | Resolved post-auth shell injection in the web admin console through OpenSSL (CVE-2022-1292). |
NC-89162 | Firewall | AutoReboot 0010:queued_spin_lock_slowpath+0x148/0x170. |
NC-89091 | API framework | Resolved multiple post-auth SQLi vulnerabilities in Webadmin (CVE-2022-1807). |
NC-89079 | CM | fwcm-eventd agent is not listening to the IP address UP event. |
NC-88404 | IPsec | Tunnel didn't come up automatically after an HA appliance was restarted. |
NC-88207 | Firmware Management | Firmware update fails when space is used in filename. |
NC-87665 | API framework, UI framework | Pre-auth RCE (CVE-2022-1040). |
NC-87659 | Wireless | Legacy AP roaming key decryption fails when fast transition is turned on. |
NC-87596 | SSLVPN | Site-to-site and remote access SSL VPN didn't work. |
NC-87240 | Avira engine error with axpx files. | |
NC-86690 | SD-WAN routing | SD-WAN FTP proxy traffic isn't working with transparent proxy. |
NC-86451 | IPS-DAQ-NSE | Unable to access web server through the firewall. SSL/TLS inspection error shown: "Dropped due to TLS internal error"." |
NC-86249 | IPsec | The "ANY" object in Strongswan doesn't equate to any IP address. |
NC-86093 | Firewall | Duplicate firewall rule group for the same set of firewall rules. |
NC-85547 | CaptivePortal | Sign-in message and sign-out option aren't showing up with custom captive portal. |
NC-85423 | SNMP | Kernel crash on XG125 with SNMP high memory consumption. |
NC-85412 | PPPoE | PPPoE issue on 18.5 MR2. |
NC-85383 | IPsec | Unable to connect using IPsec remote access due to invalid .scx file. |
NC-85346 | Smarthost authentication failed. Password decryption issue. | |
NC-85151 | Authentication | Firewall moved to a group on Sophos Central is added to the group, but complete synchronization fails with the message "Failed because of Invalid Parameters". |
NC-84951 | Network Utils | Route lookup on Diagnostics doesn't give results to any routes on the web admin console. |
NC-84604 | Wireless | Unable to restore backup from SG230 to XGS2300 due to access point database issue. |
NC-84231 | Core Utils | Receiving a duplicate copy of the same executive schedule reports. |
NC-84218 | Web | Can't turn on OTP for admin user that isn't user ID 3. |
NC-83662 | Web | Alert message on Users page for administrator accounts unprotected by multi-factor authentication shows a number that needs explanation. |
NC-83584 | WebInSnort | IPS segfault in libnsg_tcphold_preproc. |
NC-83581 | Gateway Management | Spelling correction is needed for the command session persistence. |
NC-83470 | Firewall, VFP-Firewall | Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test. |
NC-83469 | SSL VPN | Dashboard doesn't reflect remote users’ details. |
NC-83445 | IPsec | Constant IPsec flapping for VPNs pushed through Sophos Central SD-WAN orchestration. |
NC-83392 | CM (Join to Cloud) | Backup isn't generated with [] brackets. |
NC-83366 | SD-WAN routing | Turning off captcha on VPN zone isn't for RBVPN with SD-WAN routing. |
NC-83347 | Email, FQDN | Not able to add lx63.hoststar.hosting to email server under notification settings. |
NC-83177 | IPS ruleset management | Unable to toggle IPS switch in 18.5 MR2. |
NC-83065 | IPsec | System-generated traffic is impacted when route precedence is set to VPN and remote subnet to "Any". |
NC-82972 | CSC | HA active-active appliance stopped responding. |
NC-82566 | Firewall | Kernel crash after update to 18.5 MR2 - RIP:0010:_raw_read_lock_bh+0x14/0x30. |
NC-82332 | Firewall | Kernel panic - unable to handle kernel NULL pointer "ip_route_me_harder". |
NC-82225 | HA | Unable to establish HA correctly on fiber ports. |
NC-82215 | Firewall | Device freeze issue (0010:queued_spin_lock_slowpath+0x14b/0x170). |
NC-81956 | WebInSnort | HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold. |
NC-81944 | IPsec | WWAN doesn't connect after a random disconnect event if XFRM interface is created on WWAN. |
NC-81768 | Backup-Restore | Backup couldn't be restored because of a duplicate key. |
NC-81517 | Firewall | Policy test for firewall isn't showing the correct results. |
NC-81492 | Interface management | Networkd service is dead, causing network outage. |
NC-81430 | CM, UI framework | User portal host injection. |
NC-81298 | Authentication | User authentication issue with captive portal. |
NC-81234 | Logging framework | Incorrect unit in live connections. |
NC-81207 | IPsec | Error while updating any VPN tunnel configuration. |
NC-81155 | SNMP | Duplicate entry in MIB file. |
NC-81131 | Reporting | Last access time isn't generated when a user's username has XSS payload. |
NC-81069 | Import fails for the entity "MtaBlockedSenders". | |
NC-80660 | DHCP | DHCP IP lease issue. |
NC-80178 | Error related to UTF-8 characters. | |
NC-80114 | IPsec | Exported configuration with VPN connection shows no encryption component. |
NC-80042 | RED | Unable to update system-host for RED tunnels. |
NC-79667 | SPX encrypted email body information is missing. | |
NC-79468 | Authentication | Outdated users stuck in Live Users. |
NC-79417 | Web | SSL/TLS rules can't be seen on the web admin console. |
NC-79361 | Backup-Restore | Unable to import backup due to tblconfiguration issue. |
NC-79354 | Web | skein segfault in connect_to_server. |
NC-79128 | IPsec | Memory increase to 90 percent over 20-25 days. |
NC-78646 | Backup-Restore | Firmware upgrade fails due to unique index. |
NC-78563 | WAF | WAF doesn't redirect the page to the proper domain when multiple domains are listed in the WAF rule. |
NC-78406 | IPsec | XFRM interface is shown as turned off even when the corresponding route-based VPN tunnel is connected and established. |
NC-78356 | IPsec | Clientless Bookmark to SSH server doesn't connect over site-to-site IPsec connection. |
NC-78292 | Web | Users aren't authenticated with Kerberos if they're members of a large number of groups. |
NC-77175 | Email attachment stripped when SPX is applied. | |
NC-76960 | IPS-DAQ | IPS service didn't start due to DAQ. |
NC-76758 | IPS-DAQ-NSE | Some TLS flows are delayed through a specific service provider. |
NC-76046 | Authentication | Maximum length for RADIUS server's shared secret. |
NC-74847 | Web | Snort crashes with segfault due to a blank conf file. |
NC-74228 | Can't display quarantine due to \x1E? in the subject. | |
NC-73975 | Firewall | FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2). |
NC-73873 | SNMP | SNMPD crash in netsnmp_add_varbind_to_cache. |
NC-73682 | SD-WAN routing | ping: sendto: Operation not permitted when the network is part of a policy route. |
NC-72341 | Backup-Restore | Unable to restore backup from CR50iNG to XG230. |
NC-71761 | Security | Resolved multiple XSS vulnerabilities (CVE-2021-25267). |
NC-71484 | Authentication | Password change places the user outside the group under SSL VPN profile. |
NC-71379 | MTA doesn't provide the full certificate chain. | |
NC-69997 | Notification test email has the wrong encoded subject when the web admin console language is set to Traditional Chinese or Simplified Chinese. | |
NC-66163 | Report received with garbled characters. | |
NC-62696 | Logging framework | Sentry reported a crash. |
NC-55945 | Authentication | Value of average live user in the users' graph of Diagnostics shouldn't be a floating point. |
NC-51929 | DDNS | DDNS doesn't apply to some new gTLD. |
NRF-517 | RED | SD-RED60: LAN switch VLAN configuration is lost after some time. |
NRF-509 | Firmware | AP not registering through RED15w tunnel. |
Version 18.5 MR3 Build 408
Issue ID | Component | Description |
---|---|---|
NC-89162 | Firewall | Appliance restarts automatically. |
NC-87165 | Core Utils | Fixed OpenSSL DoS vulnerability (CVE-2022-0778). |
NC-85549 | Wireless | SFOS becomes unresponsive after a restart if time-based SSID is configured. |
NC-85339 | Security | Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268). |
NC-84281 | Authentication | Status column isn't shown on Authentication > Users. |
NC-84158 | Web | Sophos Central signs out XG Series Firewall administrator when the Add button for Users is clicked. |
NC-83584 | WebInSnort | IPS fault causing users to disconnect at peak users. |
NC-83430 | RED | RED causing massive network traffic after upgrading to 18.5 MR2. |
NC-83159 | CM | Serial number visibility. |
NC-82340 | NFP-Firewall | XGS 4500 kernel crash. |
NC-82042 | IPS-DAQ-NSE | Veeam agent unable to connect with the Veeam server when SSL TLS inspection is on. |
NC-81974 | IPS-DAQ | Snort soft lockup and device restart. |
NC-81492 | Interface management | Networkd service is down causing network outage. |
NC-80669 | Reporting | Deadlocks on report databases due to large amount of data, causing system instability. |
NC-80660 | DHCP | DHCP IP lease issue. |
NC-80027 | Reporting | Configuration doesn't migrate during upgrade due to duplicate table entry. |
NC-79695 | SSL VPN | SSL VPN site-to-site server connection file doesn't download. |
NC-79417 | Web | SSL/TLS rules can't be seen on the web admin console. |
NC-79178/NC-82999 | VFP-Firewall | XGS 4500 restarting due to hard drive issue. |
NC-79128 | IPsec | Memory usage increases to 90 percent over 20-25 days. |
NC-78294 | Authentication | CAA client repeatedly sends "Administrator disconnected you" message to users. |
NC-78127 | Certificates | Unable to upload CA certificate. |
NC-74847 | Web | Snort crashing with a segfault due to a blank conf file. |
NAF-53 | Firmware | Mesh APX restarts randomly, creating internet outages. |
NRF-517 | RED | SD-RED 60: LAN switch VLAN configuration is lost after some time. |
NRF-509 | Firmware | AP not registering through RED 15w tunnel. |
Version 18.5 MR2 Build 380
Issue ID | Component | Description |
---|---|---|
NC-80101 | Central management | Garner service remained in busy status. |
NC-79943 | IPS engine | IPS service was down. |
NC-79452 | XGS BSP | Slow upload speed for XGS 2100 over 1G interfaces with 100 Mbps speed. |
NC-79404 | Reporting | Log viewer wasn't returning results from /var/eventlogs/. |
NC-79386 | IPS ruleset management | Incorrect signature date shown on the IPS policy screen after migration. |
NC-79335 | IPS ruleset management | Incorrect placement of icon for loading IPS signatures. |
NC-79110 | Firewall | Couldn't restore backup from 17.5 MR16 to 18.0 MR6. |
NC-79029 | IPS engine | IPS was restarting with core dump. |
NC-78572 | Firewall | Constant restart of XG 750 HA pair. |
NC-78512 | RED | Split networks weren't reachable from the RED network for one RED device. |
NC-77938 | IPsec | Unable to deactivate the failover group. |
NC-77771 | VFP-Firewall | Kernel panic: Unable to handle kernel paging request at ffff88036e000000. |
NC-77729 | IPsec | IPsec tunnel not reconnecting after PPPoE reconnects. |
NC-77289 | Security, Web | db testpass wasn't always encrypted correctly. |
NC-77026 | Security Heartbeat | Heartbeat authenticated users get disconnected. |
NC-76742 | Firewall | XG Series appliance goes into failsafe mode after backup is uploaded. |
NC-76521 | Firewall | Firewall ID doesn't appear in the ID column. |
NC-76400 | IPsec | Apple iOS IPsec VPN client configuration issue. |
NC-76041 | Web | XGS 6500: AVD thread count anomaly. |
NC-75990 | IPsec | IPsec tunnel not coming up until service restarts. |
NC-75870 | HA | QuickHA page stops responding. The administrator isn't able to close it. |
NC-75844 | HA | Traffic issues in HA active-active mode. |
NC-75783 | Authentication | LDAP authentication with anonymous sign-in wasn't working. |
NC-75543 | IPsec | Tunnel wasn't established because traffic was passing through an incorrect interface. |
NC-75269 | Backup and restore | Firmware didn't upgrade from 18.0 MR4 to 18.0 MR5 in HA pair. |
NC-75175 | RED | RED service didn't restart because of corrupt entry in tblreddevice. |
NC-75159 | IPsec | IPsec failover wasn't working and required deactivating and then reactivating the failover group to bring the tunnel up. |
NC-75030 | IPsec | Charon crash in adopt_children_job.c execute. |
NC-74891 | IPsec | Email notifications received for auxiliary device in HA active-passive mode. |
NC-74864 | IPsec | Unable to download VPN iOS profile from the user portal when authentication type is certificate for the Sophos Connect client. |
NC-74791 | Quarantine digest sends email 6 minutes earlier than the configured time. | |
NC-74735 | HA | The auxiliary device restarts during HA failover. |
NC-74603 | Firewall | Log for denied attempt to sign in to the web admin console shows the destination port as custom port. |
NC-74593 | Logging framework (Central reporting) | Reports for the last one hour didn't load in the report generator. |
NC-74101 | Email delivery issue due to a Brazilian character. | |
NC-73926 | HA | Unable to access websites sometimes with HA active-active load balancing. |
NC-73800 | WebInSnort | Websites blocked when custom application control policy was applied. |
NC-73703 | IPsec | Unable to connect to the Sophos Connect client because of incorrect preshared key in KVM HA setup. |
NC-73617 | Static routing | Mandatory setting requirement when deleting static route through API. |
NC-73089 | VFP-Firewall | Ports not added to LAG. |
NC-73004 | SSLVPN | CVE-2020-15078 patch for OpenVPN 2.3.6. |
NC-72955 | Logging framework | Log viewer stopped working when active.db was damaged. |
NC-72949 | IPS-DAQ | Print jobs weren't working with the DPI engine. |
NC-72934 | IPsec | Child SA disconnected when the idle setting was turned on in the Sophos Connect client. |
NC-72920 | IPsec | xfrm packet loss on route-based IPsec VPN. |
NC-72851 | Application filter policy | Importing application filter policy changed the rules and their list of applications when any of the rules had selected Cloud application under Characteristics. |
NC-72694 | Web | SSL/TLS inspection didn't work for SMTP. |
NC-72664 | Authentication | XG Series appliance wasn't initiating a request to AD server on port 6677 after the appliance was restarted. |
NC-72545 | Support access | Duplicate support access ID was created during backup-restore. |
NC-72492 | Authentication | Guest users who had received a password once were later unable to get the password through SMS. |
NC-71595 | Firewall | DNAT rule wasn't working after migration from CROS to SFOS 17.5 MR15. |
NC-71555 | Getting certificate-related error when accessing the Outlook client with POP3 scanning rule configured on XG Series appliance. | |
NC-71216 | WebInSnort | Unable to access Microsoft TFS (Team Foundation Server) hosted on LAN network through SSL VPN. |
NC-70909 | HA | Service monitor failure results in an alert since the HA auxiliary device was shut down. |
NC-70877 | Authentication | Expired guest users received an SMS with a blank password. |
NC-70863 | Unable to delete quarantined email. | |
NC-70783 | RED | Web admin console access to the primary HA device was lost when a RED interface was saved. |
NC-70733 | WWAN | USB Dongle Huawei E8372 wasn't reconnecting after a power cycle. |
NC-70568 | Firmware management | Executive reports for the auxiliary device weren't received over email in time. |
NC-70320 | IPsec | Unable to make changes when Organizational Units (OU) are present. |
NC-70251 | IPS engine | IPS service was down after enabling HA active-passive mode. |
NC-70243 | Reporting | Report generation stopped after January 1, 2021. |
NC-70067 | Central management (Join to Cloud) | Central registration alert didn't disappear after registration. |
NC-70057 | Network Utilities | Intermittent WAN connectivity issue for firewall running on Azure. |
NC-70041 | SSL VPN | Incorrect count for remote users and connected users. |
NC-70030 | WebInSnort | Unable to show username using the custom block Page with the DPI engine. |
NC-69993 | IPsec | All IPsec tunnels were down, dead gateway detection stopped, and gateway was missing after 30 minutes. |
NC-69945 | Web | Awarrenhttp was down. |
NC-69456 | Firewall | The firewall went into failsafe mode after restoring a backup. |
NC-69335 | IPsec | Unable to delete an IPsec connection on the second page of the connection list. |
NC-69314 | IPS-DAQ-NSE | Connection dropped due to TLS engine error. |
NC-69303 | IPsec | IPsec connection configured with certificate doesn't connect. |
NC-69286 | VFP-Firewall | ICMP times out when firewall acceleration is turned on. |
NC-69111 | Authentication | Unable to export remote users from XG Series appliance. |
NC-68979 | Korean language is broken in the body of email that's encrypted with SPX. | |
NC-68839 | SSL VPN | All users aren't able to download the Sophos connect client from the user portal. |
NC-68614 | RED | SD-RED UI doesn't show LTE support. |
NC-68531 | IPsec | Showing an error when configuring remote access IPsec VPN. |
NC-68461 | IPsec | Kernel panic issue. |
NC-68324 | SD-WAN routing | FTP data connection issue with SD-WAN policy route. |
NC-68277 | RED | RED site-to-site tunnel failover doesn't always work. |
NC-68263 | UI framework | Unable to access the web admin console at times. |
NC-68228 | Configuration migration framework | High disk utilization. |
NC-68226 | WebInSnort | Google website not opening with DPI engine and application control. |
NC-68194 | Web | Unable to reset web quota. |
NC-68187 | DDNS | Unknown error while generating DynDNS IP address. |
NC-68176 | Not possible to use special characters in the password for an external email notification server. | |
NC-67997 | Authentication | csd service is in stopped status. |
NC-67952 | IPsec | ESP sequence number mismatch. |
NC-67803 | Logging framework | Live connection page wasn't loading. |
NC-67761 | CSC | System start fails when a large number of users are included in a single firewall rule. |
NC-67675 | HA | The firewall goes into failsafe mode if an interface is added in discover mode when HA is enabled. |
NC-67606 | Unable to update certificate in SMTP TLS settings using API. | |
NC-67340 | RED | All the RED 50s disconnect. |
NC-66980 | VFP-Firewall | The firewall restarts because of kernel panic. |
NC-66966 | Web | Unable to sign in to cPanel server with direct proxy. |
NC-66194 | High CPU utilization by mail scanner. | |
NC-66087 | Authentication | Active Directory group import failed in XG series appliance using 18.0. |
NC-66068 | DKIM signing not taking place for out-of-office, non-delivery reports, and bounced emails. | |
NC-65831 | The same email is shown for a different filter in the mail log. | |
NC-65567 | RED | Split networks aren't reachable if settings are changed in transparent/split mode. |
NC-65533 | Misleading message in notification settings for external mail server. | |
NC-65200 | Clientless access | No key recognition after pressing the Windows key in clientless access. |
NC-65198 | False positive for CCL with the term "credit card" in the body. | |
NC-64973 | CSC | Split networks weren't reachable if the definition name contained special characters. |
NC-63872 | DKIM verification was applied to outbound emails, and emails were getting quarantined. | |
NC-63177 | IPS-DAQ-NSE | DPI causing issue with SSL 2.0 client hello. |
NC-62880 | Logging framework | Sentry reported coredump in crformatter_free_data. |
NC-62245 | Authentication | OTP settings can't add groups as Organizational Units (OUs). |
NC-62169 | Wireless | Wireless APs aren't able to lease IP addresses in separate zone. |
NC-62120 | Interface management | Couldn't restore backup to a different appliance. |
NC-61909 | API framework | Mapping issue for i18n configuration and actual configuration name. |
NC-60855 | Web | Unable to restore backup from CROS 10.6.6 MR5 to 17.5 MR12. |
NC-54523 | Yahoo email account configured in email client wasn't working with IMAPS scanning. | |
NC-54308 | HSTS not offered on port 8094. | |
NC-50232 | Wireless | Built-in wireless stops broadcasting for LocalWiFi. |
NAF-53 | Firmware | Mesh APX device restarts at times, stopping internet access. |
NRF-517 | RED | SD-RED 60 loses VLAN configuration after RED pattern update to 3.0.006. |
NRF-509 | Firmware | AP isn't registering through the RED 15w tunnel. |
Version 18.5 MR1 Build 326
Issue ID | Component | Description |
---|---|---|
NC-69584 | Authentication, SSL VPN | Missing remote user details on Monitor and Analyze > Current activities. |
NC-76446 | WAF | SSL VPN doesn't work if it uses the port as WAF. |
NC-73734 | Date and time zone | Incorrect time zone in reports because /etc/timezone isn't updated after restoring a backup configuration. |
NC-73699 | SSL VPN | User configuration file isn't updated when user reconnects after an update to the permitted LAN networks. |
NC-73665 | Empty source/host field for email exceptions if you save and reopen the exception. | |
NC-73542 | DKIM signing broken in Exim 4.94. | |
NC-72494 | Firewall | When multiple packets are sent from the same origin to the same destination at the same time, the first packets are dropped. |
NC-72153 | Firewall | When FastPath is turned on, VLAN on bridge doesn't allow traffic. |
NC-71922 | Firewall | XGS 6500 restarts automatically. |
NC-71473 | Firewall | CLI shows the non-existent PortB4 in custom SNAT rule. |
NC-71033 | Firmware Management | For VM, applied the mandatory firmware, but the device didn't restart. |
NC-70461 | Firewall rule | IPv6 host group doesn't show an IPv6 address match when a network host is added to the host group. |
NC-69558 | Firewall | Unexpected restart of the primary device in an active-passive cluster. |
NC-69495 | Firewall | Frequent restart of an XG 210 device. |
NC-66067 | Firewall rule | Firewall rule filter for Unused status doesn't work. |
NC-58370 | Firewall | When users sign out, the event clears the firewall rule fields in conntrack for connections using network-based rules and packets drop. |
NC-72076 | HA | HA synchronization failure resulted in empty directory. |
NC-68595 | HA | Unable to establish HA using QuickHA mode. |
NC-72311 | Hotspot | Hotspot user is signed in with the previous password of the day. |
NC-69937 | Hotspot | Inconsistent hotspot voucher support for number of devices per voucher. |
NC-71126 | Interface management | Unable to add an alias to DMZ and LAN interfaces. Shows time-out error. |
NC-73379 | Policy routing | RTP stream forwarded to WAN instead of VPN. |
NC-71333 | Policy routing | Incoming VPN traffic doesn't follow SD-WAN policy route. |
NC-71151 | QoS | Unable to add or edit users when there's a traffic shaping policy with the name None. |
NC-71996 | SNMP | SNMPD memory usage increases until it fails. |
NC-73687 | SSL VPN | For remote access SSL VPN, push_reply packet doesn't include permitted LAN networks that have been updated. |
NC-71198 | Synchronized Application Control | Web admin console stops responding because of Synchronized Security application. |
NC-71443 | WAF | WAF license warning even when WAF subscription exists. |
NRF-486 | RED | 3G/4G module not working on RED 20 (Verizon). |
NRF-431 | RED | RED tunnel is up, but traffic isn't passing through SD-RED 60. |
NAF-53 | Firmware | Mesh APX restarts, stopping internet access for users. |
Version 18.5 GA Build 289
Issue ID | Component | Description |
---|---|---|
NC-69344 | IPS-DAQ-NSE | Bandwidth loss for TLS connections in DPI mode. |
NC-70718 | Authentication | Power cycle alert message required clarification. |
NC-69951 | Core Utilities | XG Series firewall on Azure: Couldn't upgrade from 17.5 MR12 to 18.0 MR4 because of failure in applying virtual license. |
NC-69302 | Date and time zone | Changing the NTP settings slowed XGS Series firewall. |
NC-71796 | Interface Management | Backup restore from XG450 to XGS4500 went to failsafe mode. |
NC-71610 | IPS-DAQ | Slow internet speed when FastPath is turned on. |
NC-71551 | NFP-Firewall | XGS6500: LAN zone to user zone traffic dropped intermittently. |
NC-71767 | UI framework | Browser tab header for the installation wizard showed XG Firewall. |
NC-71419 | UI framework | Frequent UI messages that the firewall is restarting. |
NRF-445 | Firmware | RED unable to connect to XG Firewall when an invalid FQDN is entered as the UTM hostname. |
NRF-447 | RED | RED 20 devices were unable to connect to XG Firewall. |
NRF-429 | RED | Slow speed through SD-RED 60. |
NRF-486 | RED | 3G/4G module not working on RED 20 (Verizon). |
NRF-431 | RED | SD-RED 60: Tunnel is up, but traffic doesn't flow. |
NRF-53 | Firmware | Mesh APX reboots randomly causing internet outage. |
Known issues
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
Upgrading firmware and restoring backups
Upgrading firmware
The upgrade details are as follows:
- Form factors:
- 18.5 MR5 to MR1 (excluding MR1-1): All form factors can upgrade to these versions.
- 18.5 MR1-1: Only some XGS Series firewalls can upgrade to this version.
- 18.5 GA: XG Series firewalls can't upgrade to this version.
- FIPS: Versions 18.5 MR2 to MR5 are FIPS-compliant.
Warning We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
Upgrade from | Upgrade to 18.5 | |||||||
---|---|---|---|---|---|---|---|---|
MR5 Build 509 (all form factors) | MR4 Build 418 (all form factors) | MR3 Build 408 (all form factors) | MR2 Build 380 (all form factors) | MR1-1 Build 365 (some XGS Series firewalls)* | MR1 Build 326 (all form factors) | GA Build 289 (Only XGS Series) | GA Build 264 (Only XGS Series) | |
18.5 MR4 Build 418 | ||||||||
18.5 MR3 Build 408 | ||||||||
18.5 MR2 Build 380 | ||||||||
18.5 MR1-1 Build 365 | ||||||||
18.5 MR1 Build 326 | ||||||||
18.5 GA Build 289 | ||||||||
18.5 GA Build 264 | ||||||||
18.0 MR6 Build 655 | ||||||||
18.0 MR5 | ||||||||
18.0 MR4 | ||||||||
18.0 MR3 | ||||||||
17.5 MR17 | ||||||||
17.5 MR16 | ||||||||
17.5 MR15 | ||||||||
17.5 MR14 |
* You can only migrate some XGS Series firewalls to 18.5 MR1-1. For details of the supported firewalls, see Supported platforms.
– You can downgrade only to compatible versions.
- Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls that are already using the following versions:
- 18.5.x
- 18.0 MR3 and later
- Rollback: You can roll back to the previous version if you want. The configuration won't change.
- Downgrade: You can downgrade from 18.5.x to 18.0.x. However, you can't downgrade from 18.5.x to 17.5 or earlier firmware versions. The web admin console will show an alert. All 18.5.x and 18.0.x versions use the Grub boot loader. The changed bootloader can't recognize 17.x firmware. However, you can install the hardware ISO of 17.5 or earlier if you want and restore the downgraded firmware's backup.
Security Heartbeat for upgrades to 18.5 MR2 and later
An upgrade to 18.5 MR2 and later versions refreshes the firewall certificate used by endpoints to send a heartbeat to the firewall. Endpoints must download the refreshed certificate from Sophos Central after the firewall is upgraded to one of these versions.
Make sure the endpoints have network connectivity. They can then fetch the new certificate from Sophos Central. If the endpoints are blocked from resolving sophos.com through the DNS to download the new certificate, the heartbeat will fail. Example: If you've selected "Block clients with no heartbeat" in the firewall rule, it prevents endpoints from connecting to (internal or external) DNS servers for resolution. For details, see Security Heartbeat connection issue with 18.5 MR2.
Restoring backups
To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.
You can restore backups as follows:
Backup from | Restore to 18.5* | ||||||
---|---|---|---|---|---|---|---|
MR5 Build 509 | MR4 Build 418 | MR3 Build 408 | MR2 Build 380 | MR1-1 and MR1** | GA Build 289 | GA Build 264 | |
18.5 MR4 | |||||||
18.5 MR3 | |||||||
18.5 MR2 | |||||||
18.5 MR1 and MR1-1 | |||||||
18.5 GA Build 289 | |||||||
18.5 GA Build 264 | |||||||
18.0 MR6 | |||||||
18.0 MR5 | |||||||
18.0 MR4 | |||||||
18.0 MR3 | |||||||
18.0 MR2 | |||||||
18.0 MR1 | |||||||
18.0 GA | |||||||
17.5 MR17 | |||||||
17.5 MR16 | |||||||
17.5 MR15 | |||||||
17.5 MR14 and earlier | |||||||
17.1 and earlier |
* You can restore backups with or without FIPS turned on to a compatible Sophos Firewall version. See details.
** You can restore a backup from 18.5 MR1 to 18.5 MR1-1 for some XGS series firewalls. For details of the supported firewalls, see Supported platforms.
Supported platforms
Versions 18.5 MR5 to MR1
Sophos Firewall OS versions 18.5 MR5 to MR1 are available on all form factors as follows:
- XGS Series firewalls
- XG Series firewalls
- SG Series firewalls
- Virtual and software appliances
- Cloud platforms
Version 18.5 MR1-1
Sophos Firewall OS 18.5 MR1-1 is only available on the following XGS Series firewalls:
- XGS 4300, XGS 4500, XGS 5500, and XGS 6500
Version 18.5 GA
18.5 GA is only available on the XGS Series hardware deployments.
For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.
Minimum RAM
18.5 and later versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to 18.5 and later:
- XG 85, XG 85w, XG 105, and XG 105w
- SG 105, SG 105w
Supported firmware versions
- Wi-Fi firmware 11.0.021 and earlier: 18.5.x versions support this Wi-Fi version.
- RED firmware 3.0.009 and earlier: 18.5.4 and later versions support this RED version.
Support
You can find technical support for Sophos products in the following ways:
- Visit the Sophos Community and search for other users who are experiencing the same problem.
- Visit Sophos Support.
- Find how-to, configuration, and troubleshooting videos in Sophos Techvids.
Legal notices
Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.