Issue ID | Component | Description | Workaround
NC-87676 | WAF | WAF may stop working after a backup is restored on firewalls that first started with a version earlier than 18.0 GA and are currently running a version later than 18.0 GA. | If WAF doesn't start and reverseproxy.log shows the following message, contact Sophos Support: Invalid encrypted key |
NC-85454 | PPPoE | When more than one PPPoE link is configured on SFOS and you upgrade the firmware to 18.5.MR2 build #380, the passwords of all but one PPPoE link are lost. So, only one PPPoE link remains functional after migration. The other links don't connect because of authentication failure. | Edit the PPPoE interface configuration, update the password, and save the configuration. |
NC-85343 | Network utils | Unable to update interface name using the following terms: "port", "eth", or "ge". | The names of physical and virtual interfaces, wireless networks, and IP tunnels can't start with system-reserved names, such as port, eth, ge, and xfrm, except when the Name is the same as the Hardware name. |
NC-85313 | API framework | No status code in API response. | You must use one of the tags <Set>, <Get>, or <Remove>, after the <Login> tag. |
NC-85063 | WAF | WAF does not permit file uploads larger than 1 MB in OWA. | Contact Sophos Support. |
NC-84972 | Web | When you use the web proxy, files that undergo anti-virus scanning are stored in /tmp. If web caching is turned on (Web > General settings > Enable web content cache), the /tmp directory may run out of space. To determine whether the issue affects the firewall, run df -h /tmp and check the available space. If it shows 0 MB, run du -c /tmp/0x1* to see what occupies the partition. Non-zero-length files can take up a significant portion of the partition; large numbers of zero-length files don't cause the issue. | Do one of the following: 1. Go to Web > General settings and clear the "Enable web content cache" check box. This option is turned off by default. 2. Restart the firewall. |
NC-84550 | Reporting | Local reports on Sophos Firewall differ from CFR reports. If the number of bytes transferred exceeds 32 bits, log viewer shows the truncated value. | Will be resolved shortly. |
NC-84517 | Firewall | Firewall rule isn't applied to terminal server traffic from Server Protection SATC. | The firewall must join the EAP for New Server Protection features and confirm the machine is added to EAP. See details. |
NC-84171 | L2TP | Multiple clients behind NATed device cause traffic issues. When these try to connect to Sophos Firewall, tunnels are established. However, ping from the first client drops after a few seconds. There's no ping from a client when the other client's ping works. | Will be resolved shortly. |
NC-84054 | Security Heartbeat | Configuration migration fails due to an invalid byte sequence. The backup isn't restored if there's an error with the database table tblappstoeps, since it may contain an invalid byte sequence for encoding "UTF8". | Contact Sophos Support. |
NC-83527 | Security Heartbeat | Unable to register the firewall with a Sophos Central account because the Amazon certificate isn't present in /conf/. | To check whether an Amazon certificate is present, enter the following command: openssl crl2pkcs7 -nocrl -certfile /conf/certificate/internalcas/cloud-ca.crt | openssl pkcs7 -print_certs -text -noout | grep Issuer If the Amazon CA isn't present, enter the following commands in order: 1. mount -o rw,remount / 2. cp "/conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt.org" 3. cp "/_conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt" 4. mount -o remount,ro / These steps don't require downtime. |
NC-83108 | Config Migration Framework | Upgrading from 18.0.MR6 to 18.5.MR1 results in a factory reset. | Downgrade to the previous firmware and then upgrade to 18.5.MR2. Alternatively, you can upgrade to 18.5.GA and then to 18.5.MR1. |
NC-82331 | Security Heartbeat | From 18.5 MR2, Sophos Firewall encrypts certificate keys. So, when you upgrade to this version, the firewall refreshes the certificate used by synchronized endpoints to send a Security Heartbeat. If DNS resolution to sophos.com fails, the endpoints may not get the new certificate from Sophos Central, and the heartbeat fails. | Do as follows: 1. Make sure the endpoints have network connectivity during the upgrade. They can then fetch the new certificate from Sophos Central. 2. If the endpoints are blocked from getting DNS resolution for sophos.com to download the new certificate, go to the corresponding firewall rule and temporarily clear the checkbox "Block clients with no heartbeat". |
NC-81520 | Hotspot | Password isn't printed on the hotspot voucher for bridge to AP LAN and bridge to AP VLAN. | Use a wireless network with Client traffic set to Separate zone instead. Do as follows: 1. Go to Wireless > Wireless networks. 2. Select the network you want and set Client traffic to Separate zone. 3. Go to Hotspots and select the hotspot you want. 4. Set Interfaces to this wireless network. |
NC-81039 | Licensing | SFOS gets stuck after a restart. On the hardware, hyperthreading was turned on, which stops the kernel from starting. It only happens when the SFOS RAM/CPU are lower than those purchased in the license and hyperthreading is enabled on Dell hardware. | Turn off hyperthreading on the server. |
NC-73295 | IPsec | Child SA (Security Association) disconnects when the idle setting is turned on in IPsec remote access. | Under Idle settings, clear the checkbox for Disconnect when tunnel is idle. Create a network rule below the user-based firewall rule. If an active user signs out and the user-based rule no longer matches the traffic, the network rule matches, allowing traffic for active networks (child SAs). Then turn the idle setting back on. |
NC-73174 | Logging framework | Log viewer shows the DDNS events for success and failure twice. | Known behavior |
NC-71401 | Central Management | Unable to register XG Series firewalls with Central Manager using email addresses with more than 50 characters. | Enter an email address with fewer than 50 characters. |
NC-70369 | Dynamic routing (OSPF) | Auto-interface cost calculation doesn't work for OSPF. | Go to Routing > OSPF > Override interface configuration. Click Select interface, clear the check box for Interface Cost and enter the cost. |
NC-69633 | Email | Wildcard SMTP exceptions for FQDN hosts appear on the exceptions list. However, when editing the exception, they aren't visible. | Will be resolved shortly. |
NC-69491 | Authentication | Unable to access the web admin console after an auto-restart. When a high number of RADIUS SSO users sign in simultaneously and the firewall restarts, sometimes the web admin console isn't available after the restart. However, LAN users can connect, and you can access the firewall through SSH. | Known behavior |
NC-69439 | Web | For the internet scheme web policy in devices migrating from CROS to SFOS, Policy tester doesn't show the web filter ID. | Known behavior |
NC-69088 | | Unable to create Secure Storage Master Key on HA devices. On HA devices migrated to 18.0 MR3 or MR4, administrators are unable to create the Secure Storage Master Key. | If you have a configuration backup, reset the firewall to factory configuration, upgrade to 18.0 MR4 or a later version, restore the backup, and rejoin HA. If you don't want to reset to factory configuration, enter the following advanced shell commands in order: 1. /bin/nsgenc reset -f 2. /bin/nsgenc init 3. reboot 4. /bin/nsgenc status; echo $? If the result is 1, restore the backup, upgrade to 18.0 MR4 or a later version, and rejoin HA. If the result is 0, contact Sophos Support. |
NC-68908 | RED | On the web admin console, SD-RED doesn't show LTE support. | SD-RED supports LTE, but incorrectly shows 3G/UMTS failover on the web admin console. Will be resolved shortly. |
NC-68438 | Web | Web policy rule doesn't support users with the character "/" in the name. | Known behavior |
NC-67790 | DHCP | DHCP doesn't assign multiple IP addresses to the same MAC address. Example: For the captive portal to work over a bridged interface with a VLAN, the access point creates a virtual interface and needs an IP address from the VLAN. When the captive portal asks for an IP address over VLAN, the discover request comes with the interface's MAC address. If one scope is set to static and the other to dynamic, the IP assignment doesn't work. | Set both the DHCP scopes to dynamic or static. |
NC-67688 | HA | For 18.0 MR1, when the backup contained redundant information, it increased the backup size. If a larger backup is taken and restored, /conf may be larger than expected. | Run the following commands on the advanced shell: 1. rm -rf /conf/httpclient/httpclient 2. rm -rf /conf/iview_images/iview_images/ Then take a backup again. |
NC-65961 | Web | Log viewer for Firewall and Web filter shows Allowed for all port 80/443 traffic from WAN to WAN and LAN zones, although users initiating traffic from the WAN zone are shown a block page. | Known behavior |
NC-65625 | SSL VPN | OpenSSL limits the CN (Common Name) to 64 characters. OpenVPN limits the CN to 63 + 1 (null character). This limits the <username>@<domain name> length to 51 characters, since a 12-character random string is added to the CN. | Only use up to 51 characters for <username>@<domain name>. |
NC-63913 | IPS policy | When an XG Series firewall is in FETCH mode in SFM and users change the Advanced threat setting using the template, the SFM event log shows a failure message. | Known behavior |
NC-63535 | Email | Modifications aren't allowed to the block email senders list. On Email > General setting > Block senders, when users add a domain or email address, the error "Request could not be completed" appears and the domain or email address isn't added. | Remove any of the domains or email addresses from the block senders list and add them again. |
NC-62786 | VFP-Firewall | Turning firewall-acceleration on or off bounces the ports. | Will be resolved shortly. |
NC-60401 | Central Management | When you downgrade the firmware or reset a firewall registered with Sophos Central (with services accepted on Sophos Central), the firewall loses its central registration information. When it's registered again and Central management is turned on, endpoints already known to Sophos Central and the Central Management API consider this a bad request, since Central services have already been approved. | Deregister the firewall. For HA devices, deregister both firewalls from Sophos Central. Sign in to Sophos Central, go to Firewall management, and click Remove from Central for the firewall. Alternatively, run the following command on the advanced shell: /bin/central-register --register -u <email_of_central_account> -p <password_of_central_account> -s <serialnumber_of_firewall> Once the registration passes, you can deregister the firewall from the Sophos Central console. |
NC-60381 | Firewall | When heartbeat is set to block endpoints with a red status in the firewall rule configured for a bridge interface, and the firewall blocks the MAC address, it also blocks DHCP requests from the endpoints. | Create a firewall rule with Rule position set to Top and Services set to DHCP. Don't specify the Synchronized Security Heartbeat settings. |
NC-60294 | Authentication | Users aren't removed immediately from the Live user list when they sign out using the Sophos Network Agent (iOS or Android), although the app disconnects immediately. | Enter the following commands through the advanced shell: 1. echo 0 > /content/caaios 2. echo 0 > /content/caaand 3. Restart access_server. |
NC-59839 | Firewall | Email logs for bounced emails may show IP addresses that aren't configured as the source address. Log entries are generated for connection table entries rather than from routing. For conntrack creation, the firewall uses any gateway IP address as the original source address (example: Port4: 10.24.255.254). When routing is done on layer 3, the decision may be to route that connection through Port2, but the original source isn't changed. | Known behavior |
NC-59800 | Firewall | Creating new firewall rules above the automatic SMTP rule (Email MTA mode) may result in a mail queue on the firewall. The firewall then accepts SMTP traffic but can't deliver the emails to the next hop. Mail queue and time-out errors appear in /log/smtpd_main.log. This can happen with manually configured firewall rules that include the SMTP service and with automatically created firewall rules (example: with VPN connections). | Place manually created firewall rules for SMTP and automatically created rules below the automatic MTA rule. If mails are already in the queue on the firewall, before you reposition the firewall rules, contact Sophos Support for help in using the following script to correct the issue: /scripts/mail/replace_firewall_id.pl |
NC-58684 | Firmware management | Upgrade from 17.5.x to 18.0 and later takes about 50 minutes. This is due to the additional checks for file system correction, which take longer based on the hard disk size and status. | Known behavior |
NC-56884 | Wireless | Built-in wireless stops broadcasting the SSID on 2.4 GHz and 5 GHz intermittently, and users can't see the SSID on their endpoints. | Go to Wireless > Access points, and clear the check box for Dyn Chan. This turns off DCS (Dynamic channel selection) on 5 GHz. |
NC-55423 | Network services (deprecated) | Difference in data transfer traffic usage between WAN link manager and WAN zone report. | For more information, see Difference between WAN link manager and WAN zone report. |
NC-54697 | IPS Policy | The show ips-settings command shows only eight firewall rules even when more are configured. The related database entry contains all the firewall rules. | Will be resolved shortly. |
NC-54667 | Authentication | Sophos Firewall supports up to 3042 simultaneous Corporate Authentication Agent (CAA) connections. When the number of users exceeds the limit, the message "Failed to establish connection! Too many open files" appears in the access server log file. The limit applies only to users using CAA. The live user count for other authentication mechanisms isn't part of this limit. | Known behavior |
NC-53094 | RED | WAN gateway becomes active, causing RED site-to-site tunnels to flap. When you configure multiple WAN gateways, actions that result in the backup gateway or the unused gateway for the RED tunnel to reconnect, cause all RED tunnels to reconnect. | Known behavior |
NC-52129 | Email | Avira is unable to scan encrypted split files. | Use the Sophos antivirus engine. |
NC-51322 | Email | Chinese characters in the mail subject don't appear correctly within the quarantine digest email. | Change the encoding used in the end user's mail client to UTF-8. |
NC-48871 | L2TP | Username with the special character "\" isn't authenticated when signing in with the domain through L2TP. | Will be resolved shortly. |
NC-47523 | Reporting | Auxiliary HA device sends reports about its own scheduled report. | Known behavior |
NC-47092 | Firewall | SSH session to a target behind an SFOS firewall appears with delay in the log viewer. | Known behavior |
NC-46108 | DHCP | DHCP relay configured on an interface with a DHCP server configuration doesn't function. | Expected behavior |
NC-44003 | SNMP | SNMP query for supportSubStatus and appExpiryDate returns unexpected values. | Known behavior |
NC-43682 | Email | Mail queue is delayed or fails after update to 17.5. A manual change to disable_offline_relate is lost during a firmware upgrade. Before the upgrade, if you've changed the /static/proxy/smtp/scanner.conf file to set the disable_offline_relate setting to No, the change is lost during a firmware update. | After the firmware upgrade is complete, edit the /static/proxy/smtp/scanner.conf file, and update disable_offline_relate. |
NC-42570 | WAF, Web | When LAN users want to access a web server deployed in the LAN zone and protected by a WAF rule, these requests don't work. Requests from the LAN zone reach the web server directly without passing the firewall. | WAF rules control traffic for sites hosted on the WAN interface. For internal servers, configure the DNS server to resolve the domain to the backend server directly. Alternatively, to host the site in the LAN zone through WAF, you need a second WAF rule that listens on the internal interface with a different, internal-only domain. |
NC-42364 | Networking (deprecated) | IPsec route precedence isn't applied. When system route_precedence is configured to give VPN routes higher priority than static routes, the firewall doesn't send the traffic through the IPsec tunnel. Instead, it routes the traffic through a matching static route. This occurs if a static or local route exists directing the traffic to a non-WAN zone. The route precedence command only applies to traffic destined for the WAN zone. | Manually create an IPsec route for the remote subnet. Example: console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname <tunnelname> Then press Tab twice to see the list of available tunnels. |
NC-42227 | Authentication clients | Currently, Sophos Firewall devices don't support SATC (Sophos Authentication for Thin Client) with Edge browser. | Known behavior |
NC-42226 | SSL VPN | Locally-signed certificates aren't supported as server certificates in SSL VPN. | Only certificates signed by the local CA are supported. Example: ApplianceCertificate. |
NC-38227 | RED | Can't turn on RED functionality with DHCP from Network > DHCP. | Go to Interfaces > RED for the RED device. Under RED network settings, turn on DHCP. |
NC-35231 | ATP framework | Limit of 128 characters to add a threat exception. | Known behavior |
NC-35230 | Wireless | Can assign only 8 SSIDs or networks to an access point. | Known behavior |
NC-33997 | Authentication | SSO client installation doesn't work with RDP sessions. | Known behavior |
NC-33500 | Web | Unable to get the file scanned by Sandstorm. The captive portal shows a cannot reach page. This happens when there's an Any to Any firewall rule with Action set to Drop. | Select a LAN or WAN zone instead of Any zone for the firewall rule with Action set to Drop. |
NC-30324 | Firewall | Internal hosts can't ping remote access SSL VPN. | Give priority to static routes because SSL VPN routes are static routes. VPN routes represent IPsec routes. |
NC-29938 | Networking (deprecated) | Static routes won't apply to the system for connected networks, such as RED tunnels. So, you can't use them for route failover for these networks. | Use SD-WAN routes for route failover. |
NC-29517 | Date and time zone | Time zone is different on the web admin and CLI consoles. | Copy the content from /etc/zoneinfo/<timezone> to /conf/TZ. Then restart the firewall. |
NC-27906 | Email | In legacy mode, when you turn on greylisting on the server, emails are rejected because legacy mode doesn't support retrying of emails. Failed emails are rejected with the following log message: 451 Temporary local problem, please try again! | For more information, see How to work around the issue when legacy mode doesn't support email retry. |
NC-27452 | WAF | No support for Microsoft RDG protocol suite. | WAF only supports RPC_IN_DATA and RPC_OUT_DATA. These are the only types supported when Pass Outlook Anywhere is turned on. |
NC-26865 | Wireless | The Link/Activity LED glows on Port3 and Port4 even when the ports are disabled in XG 85(w), XG 125(w), and XG 135(w). | Known behavior |
NC-25733 | IPsec | Can't see custom IPsec profiles that use a preshared key with aggressive mode after upgrading to 17.0 MR1 although the profile is in use in an IPsec connection. | The firewall doesn't support preshared keys in aggressive mode. It only supports aggressive mode with RSA key and digital certificate. |
NC-22697 | Web | Citrix-based web application isn't working with Allow all web policy. In transparent mode, Citrix clients aren't aware that there's an HTTP or HTTPS proxy in the middle. So, they start using a proprietary protocol (not HTTP or HTTPS) using the HTTP and HTTPS ports. The proxy doesn't understand this and waits for a client request while the Citrix client waits for the server to respond. So, launching a .ica file with Citrix web or application fails. | You need to punch a hole in the firewall. Do as follows: For traffic from the LAN zone to the destination IP addresses of your URL in the WAN zone to launch the .ica file, create a LAN to WAN firewall rule with web policy set to None. Then create a firewall rule with web policy set to Allow all from LAN to WAN. |
NC-22372 | Email | Missing prefix subject with IMAP and many email clients. With IMAP, some mail clients download only the root headers from the server. They download the complete email only when users click the email subject. Sophos Firewall doesn't scan headers for spam since headers don't have enough information to detect spam. The IMAP proxy scans emails for spam only when the mail client downloads the complete email. The firewall then scans and adds a prefix to the subject for spam. So, the spam prefix doesn't appear in the email client's folder view. | Known behavior |
NC-22206 | Clientless access (HTTP and HTTPS) | Bookmarks of websites that require NTLM authentication don't work with clientless authentication. | Sophos Firewall doesn't support NTLM authentication with clientless web access. |
NC-19628 | Authentication | Sophos Firewall doesn't support browsing on IE11 in protective mode with SATC authentication. | Known behavior |
NC-19479 | Clientless access (HTTP and HTTPS) | Can't access websites that require the destination domain in the URL host through clientless access. Example: CNN.com. | Known behavior |
NC-19478 | Clientless access (HTTP and HTTPS) | Can't access websites with UTF-16 characters in the URL using bookmarks. Clientless access needs HTML links to be rewritten within the response document to ensure that links work for users outside the proxy. The firewall doesn't rewrite URLs with UTF-16 encoded special characters. So, these sites won't open through clientless access. Example: http:\u002f\u002fportal.example.com | Known behavior |
NC-19476 | Clientless access (HTTP and HTTPS) | Can't access web servers containing JavaScript-based dynamically generated URLs through HTTP and HTTPS bookmarks. | Known behavior |
NC-18385 | WAF | After successful form-based authentication, users are redirected to the defined path in the corresponding site path routing profile rather than to the original requested path. | Known behavior |
NC-17808 | Email | Wrong decoding if a policy with Change prefix subject is configured with umlaut characters. | Known behavior |
NC-17457 | Networking (deprecated) | Username for PPPoE interfaces is limited to 50 characters. | Insert a dummy username of fewer than 50 characters on the web admin console for the PPPoE interface. Go to the advanced shell and enter the following: psql -U nobody -d corporate In the corporate DB, enter the following (the semicolon is required for psql to run the statement): corporate> update tblpppoeconf set "user"='john.doe@example.com'; Then disconnect the PPPoE connection and reconnect to bring the change into effect. |
NC-16462 | Reporting | When generating a custom report, only the results appearing on the current page are exported to HTML, PDF, and CSV formats. The full list isn't exported. | Known behavior |
NC-14880 | Web | Safe search is enforced on all the policies without exception. | Known behavior |
NC-13946 | Authentication | STAS users with special characters (',/") in the name don't appear. | Sophos Firewall doesn't support usernames with these special characters. |
NC-13934 | Reporting | Auxiliary device sends only a few configured scheduled reports. | If reports don't contain data in auxiliary devices, report notifications aren't sent. |
NC-13659 | Security Heartbeat | Host information for blocked sources is shown on ATP flipside but isn't updated. | Manually reopen the flipside to see the change in host status. Example: Green, red, missing |
NC-13639 | Captive portal | Local users with names containing umlaut characters (example: ööööööö) can't sign in. They can sign in through AD and STAS. Unable to create local users with special characters (UTF-8). Existing AD users with such names can't sign in. | Known behavior |
NC-13637 | Routing (deprecated) | Route precedence isn't followed for policy-based routing in RED site-to-site tunnels. | Known behavior |
NC-13636 | VPN (deprecated) | Can't create L2TP connection with preshared key for mobile phones. | Known behavior |
NC-13632 | RED | Unable to do offline provisioning of RED 50 device using USB device. | Do online provisioning centrally. REDs are then upgraded to the latest firmware. You can then perform offline provisioning. |
NC-13618 | Clientless access (HTTP and HTTPS) | Unable to access the web admin console of a firewall by using bookmarks from the same firewall. | Known behavior |
NC-13598 | Firewall | 10G SFP+ network cards on software appliances aren't recognized. | Known behavior |
NC-9641 | WAF | Outlook Anywhere doesn't work when Common threat filter is turned on in the web server protection policy. | RPC (Remote Procedure Call) doesn't work when Common threat filter is on. CTF checks the validity of HTTP requests and responses and their compliance with HTTP standards and common practices. MS_RPC, the protocol underlying part of MS Outlook's Anywhere feature, doesn't meet all these rules and common practices. Turn off Common threat filter in the web server protection policy. |
NC-9132 | WAF | Websockets aren't supported for WAF. | Known behavior |
NC-9124 | Firewall | STAS isn't working when AD servers are only reachable on WAN. | Known behavior |
NC-9106 | Framework part of base (deprecated) | Mail notification isn't working with Microsoft Office 365. | Sophos Firewall supports STARTTLS and SSL/TLS to encrypt emails. However, for SMTP, it only supports PLAIN authentication, which Office 365 doesn't support. Configure an intermediate relay to work around this behavior. |
NC-9102 | Hotspot | Custom logo doesn't appear on the hotspot sign-in page if the hotspot name contains whitespace. | Don't use white spaces in hotspot names. |
NC-9063 | Firewall | Unable to create a hotspot through SFM with an HTML filename that has a space. | Don't use spaces in filenames. |
NC-8891 | VPN | CHAP and CHAPV2 in L2TP and PPTP VPN with AD configuration isn't working. | Use PAP as authentication method. |
NC-8888 | VPN (deprecated) | IPsec (site-to-site) between SFOS and SonicWall isn't working in aggressive mode. | Use main mode. |
NC-43145 | Hardware | HA pair becomes unstable if you use the shared port as the dedicated link on XG 106. | Don't use the shared port (Port 4) for the HA dedicated link. |
NC-43721 | Hardware | Half-duplex isn't working on the upper four ports of XG 125 and XG 135 Rev.3. | Use ports 5, 6, 7, or 8 with half-duplex. |
NC-76186 | Hardware-XG Series | 4X10G Flexiport module with the Intel 700 series NVM data and driver isn't recognized. | Known behavior |
NC-55068 | Hardware | XG 115 Rev.3 models show no HDMI output unless a monitor is connected before the device starts. | Known behavior |
NC-53886 | Hardware-SG and XG Series | 40Gbit QSFP+ Flexiport module isn't recognized on SG/XG 430/450 firewalls. | Known behavior |