XG Firewall release notes (2024)

NC-87676 WAF: WAF may stop working after a backup is restored on firewalls that first started with a version earlier than 18.0 GA and are now running a version later than 18.0 GA. If WAF doesn't start and reverseproxy.log shows the following message, contact Sophos Support:

Invalid encrypted key

NC-85454 PPPoE: When more than one PPPoE link is configured on SFOS and you upgrade the firmware to 18.5 MR2 build #380, the passwords of all but one PPPoE link are lost, so only one link remains functional after migration. The other links don't connect because of authentication failure. Edit each affected PPPoE interface, re-enter the password, and save the configuration.

NC-85343 Network utils: Unable to rename an interface using the terms "port", "eth", or "ge". The names of physical and virtual interfaces, wireless networks, and IP tunnels can't start with system-reserved names such as port, eth, ge, and xfrm, except when the Name is the same as the Hardware name.

NC-85313 API framework: No status code in the API response. You must use one of the tags <Set>, <Get>, or <Remove> after the <Login> tag.

NC-85063 WAF: WAF doesn't permit file uploads larger than 1 MB in OWA. Contact Sophos Support.

NC-84972 Web:

When you use the web proxy, files that undergo anti-virus scanning are stored in /tmp. If web caching is turned on (Web > General settings > Enable web content cache), the /tmp directory may run out of space. To determine whether the issue affects the firewall, enter the following command:

df -h /tmp

If the Avail column shows 0, enter the following command:

du -c /tmp/0x1*

Non-zero-length files can take up a significant portion of the partition. Large numbers of zero-length files don't cause the issue.

Do one of the following:

  • Go to Web > General settings and clear the check box "Enable web content cache". This option is turned off by default.
  • Restart the firewall.
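The check above is easy to misread, because du -c also counts the harmless zero-length files and busybox du reports blocks rather than bytes. The following shell script is an added example, not part of the Sophos release notes: it separates the zero-length 0x1* scratch files from the non-zero ones, reports how many bytes the non-zero ones hold, and applies the note's decision rule (partition full and non-zero scratch files present). It assumes the scratch files live directly in the directory and are named 0x1*, as the note states, and that df -P is available, as it is in busybox.

```shell
#!/bin/sh
# Added example, not from the Sophos release notes: a checker for the
# web-proxy scratch files described in NC-84972. It separates the harmless
# zero-length 0x1* files from the non-zero ones that actually fill /tmp.
# Assumptions: scratch files live directly in DIR and are named 0x1*, and
# df -P (POSIX output) is available, as in busybox.

# scan_usage DIR -> prints "<nonzero_files> <zero_files> <nonzero_bytes>"
scan_usage() {
    dir=${1:-/tmp}
    nonzero=0; zero=0; bytes=0
    for f in "$dir"/0x1*; do
        [ -f "$f" ] || continue            # an unmatched glob leaves the literal
        size=$(( $(wc -c < "$f") ))        # arithmetic strips wc's padding
        if [ "$size" -gt 0 ]; then
            nonzero=$((nonzero + 1))
            bytes=$((bytes + size))
        else
            zero=$((zero + 1))
        fi
    done
    echo "$nonzero $zero $bytes"
}

# fs_avail_kb DIR -> available KiB on the filesystem holding DIR (df -P column 4)
fs_avail_kb() {
    df -P "$1" | awk 'NR == 2 { print $4 }'
}

# fs_is_full DIR -> 0 (true) when df reports no space left, 1 otherwise
fs_is_full() {
    [ "$(fs_avail_kb "$1")" -eq 0 ]
}

# report DIR -> human summary; the decision rule follows the release note:
# a full partition plus non-zero scratch files means the workaround applies.
report() {
    dir=${1:-/tmp}
    set -- $(scan_usage "$dir")
    echo "$dir: $1 non-zero 0x1* files ($3 bytes), $2 zero-length files, $(fs_avail_kb "$dir") KiB free"
    if fs_is_full "$dir" && [ "$1" -gt 0 ]; then
        echo "partition full and scratch files present: clear 'Enable web content cache' or restart the firewall"
    else
        echo "no action needed"
    fi
}

# Stand-alone use: sh tmp_scratch_check.sh /tmp
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it as `sh tmp_scratch_check.sh /tmp` from the advanced shell. The byte count comes only from files that are actually non-zero, so a large pile of zero-length files reports 0 bytes and "no action needed", matching the note's statement that such files don't cause the issue.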
NC-84550 Reporting: Local reports on Sophos Firewall differ from CFR reports. If the number of bytes transferred exceeds what fits in 32 bits, Log viewer shows a truncated value. Will be resolved shortly.

NC-84517 Firewall: Firewall rule isn't applied to terminal server traffic from Server Protection SATC. The firewall must join the EAP for new Server Protection features, and you must confirm the machine is added to the EAP. See details.

NC-84171 L2TP: Multiple clients behind a NATed device cause traffic issues. When these clients connect to Sophos Firewall, tunnels are established, but ping from the first client drops after a few seconds, and only one client's ping works at a time. Will be resolved shortly.

NC-84054 Security Heartbeat: Configuration migration fails because of an invalid byte sequence.

The backup isn't restored if there's an error with the database table tblappstoeps, since it may contain an invalid byte sequence for encoding "UTF8".

Contact Sophos Support.

NC-83527 Security Heartbeat: Unable to register the firewall with a Sophos Central account because the Amazon certificate isn't present in the CA bundle under /conf/.

To check whether an Amazon certificate is present, enter the following command:

openssl crl2pkcs7 -nocrl -certfile /conf/certificate/internalcas/cloud-ca.crt | openssl pkcs7 -print_certs -text -noout | grep Issuer

If the Amazon CA isn't listed among the issuers, copy the pristine bundle from /_conf over the one in /conf, keeping the original as cloud-ca.crt.org:

  1. mount -o rw,remount /
  2. cp "/conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt.org"
  3. cp "/_conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt"
  4. mount -o remount,ro /

These steps don't require downtime. Run the openssl command again afterwards to confirm that the Amazon CA now appears in the Issuer output.
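The following shell script is an added example, not from the Sophos release notes: it wraps the openssl issuer check above in a function you can run repeatedly, refuses to restore from a pristine bundle that doesn't itself carry the expected issuer, keeps a one-time .org copy exactly as the steps do, and verifies the result. The default paths are the ones the note names; the issuer pattern "Amazon" is an assumption about how the Amazon root CA names itself in the Issuer field, so pass another pattern if your bundle differs. The remount steps stay outside the script, since the filesystem state is yours to manage.

```shell
#!/bin/sh
# Added example, not from the Sophos release notes: a repeatable version of the
# NC-83527 check plus a guarded restore. Assumptions: the paths below are the
# ones the note names, and the Amazon root CA can be recognised by the string
# "Amazon" in its Issuer line (override PATTERN if your bundle differs).
# Remount / read-write before running --run and read-only afterwards, as in
# the note's steps 1 and 4.
BUNDLE=${BUNDLE:-/conf/certificate/internalcas/cloud-ca.crt}
PRISTINE=${PRISTINE:-/_conf/certificate/internalcas/cloud-ca.crt}
PATTERN=${PATTERN:-Amazon}

# bundle_cert_count FILE -> number of PEM certificates in FILE (0 if unreadable)
bundle_cert_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c exits 1 on a count of 0
    else
        echo 0
    fi
}

# bundle_has_issuer FILE PATTERN -> 0 when some certificate's Issuer line matches
# This is the note's openssl pipeline, with the grep made explicit.
bundle_has_issuer() {
    [ -r "$1" ] || return 2
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -text -noout 2>/dev/null \
        | grep -E '^[[:space:]]*Issuer:' \
        | grep -q -- "$2"
}

# restore_bundle SRC DST PATTERN -> copy SRC over DST, keeping DST.org once,
# but only if SRC actually carries the issuer; then verify DST.
restore_bundle() {
    src=$1; dst=$2; pat=$3
    if ! bundle_has_issuer "$src" "$pat"; then
        echo "refusing: $src has no certificate issued by '$pat'" >&2
        return 1
    fi
    [ -e "$dst.org" ] || cp "$dst" "$dst.org"
    cp "$src" "$dst"
    bundle_has_issuer "$dst" "$pat"
}

# check_and_repair -> 0 if the live bundle is fine or was repaired successfully
check_and_repair() {
    if bundle_has_issuer "$BUNDLE" "$PATTERN"; then
        echo "$BUNDLE: $(bundle_cert_count "$BUNDLE") certificates, issuer '$PATTERN' present"
        return 0
    fi
    echo "$BUNDLE: issuer '$PATTERN' missing, restoring from $PRISTINE" >&2
    restore_bundle "$PRISTINE" "$BUNDLE" "$PATTERN"
}

# Stand-alone use: mount -o rw,remount / && sh cloud_ca_check.sh --run; mount -o remount,ro /
if [ "${1-}" = "--run" ]; then
    check_and_repair
fi
```

Without --run the script only defines the functions, so you can source it and call bundle_has_issuer against any PEM bundle. Restoring only when the pristine copy itself passes the check avoids replacing a broken bundle with another broken one.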

NC-83108 Config Migration Framework: Upgrading from 18.0 MR6 to 18.5 MR1 results in a factory reset. Downgrade to the previous firmware and then upgrade to 18.5 MR2. Alternatively, upgrade to 18.5 GA and then to 18.5 MR1.

NC-82331 Security Heartbeat: From 18.5 MR2, Sophos Firewall encrypts certificate keys. So, when you upgrade to this version, the firewall refreshes the certificate that synchronized endpoints use to send a Security Heartbeat.

If DNS resolution to sophos.com fails, the endpoints may not get the new certificate from Sophos Central, and the heartbeat fails.

Do as follows:
  • Make sure the endpoints have network connectivity during the upgrade. They can then fetch the new certificate from Sophos Central.
  • If the endpoints are blocked from resolving sophos.com and so can't download the new certificate, go to the corresponding firewall rule and temporarily clear the check box "Block clients with no heartbeat". Turn it back on once the endpoints have the new certificate.
NC-81520 Hotspot: The password isn't printed on the hotspot voucher for the Bridge to AP LAN and Bridge to AP VLAN client traffic modes. Use a wireless network with Client traffic set to Separate zone instead. Do as follows:
  1. Go to Wireless > Wireless networks.
  2. Select the network you want and set Client traffic to Separate zone.
  3. Go to Hotspots and select the hotspot you want.
  4. Set Interfaces to this wireless network.
NC-81039 Licensing: SFOS gets stuck after a restart. On Dell hardware with hyperthreading turned on, the kernel doesn't start. This happens only when the RAM/CPU available to SFOS are lower than those purchased in the license and hyperthreading is turned on. Turn off hyperthreading on the server.

NC-73295 IPsec: The child SA (Security Association) disconnects when the idle setting is turned on in IPsec remote access. Under Idle settings, clear the check box Disconnect when tunnel is idle.

Then create a network rule below the user-based firewall rule. If an active user signs out and the user-based rule no longer matches the traffic, the network rule matches and allows traffic for the active networks (child SAs). After that, turn the idle setting back on.

NC-73174 Logging framework: Log viewer shows DDNS success and failure events twice. Known behavior.

NC-71401 Central Management: Unable to register XG Series firewalls with Central Management using email addresses of more than 50 characters. Enter an email address with fewer than 50 characters.

NC-70369 Dynamic routing (OSPF): Auto-interface cost calculation doesn't work for OSPF. Go to Routing > OSPF > Override interface configuration, click Select interface, clear the check box for Interface Cost, and enter the cost manually.

NC-69633 Email: Wildcard SMTP exceptions for FQDN hosts appear on the exceptions list, but they aren't visible when you edit the exception. Will be resolved shortly.

NC-69491 Authentication: Unable to access the web admin console after an auto-restart.

When a high number of RADIUS SSO users sign in simultaneously and the firewall restarts, sometimes the web admin console isn't available after the restart. However, LAN users can connect, and you can access the firewall through SSH.

Known behavior.

NC-69439 Web: For the internet scheme web policy on devices migrated from CROS to SFOS, Policy tester doesn't show the web filter ID. Known behavior.

NC-69088: Unable to create the Secure Storage Master Key on HA devices. On HA devices migrated to 18.0 MR3 or MR4, administrators can't create the Secure Storage Master Key.

If you have a configuration backup: reset the firewall to factory configuration, upgrade to 18.0 MR4 or later, restore the backup, and rejoin HA.

If you don't want to reset to factory configuration, enter the following advanced shell commands:

  1. /bin/nsgenc reset -f
  2. /bin/nsgenc init
  3. reboot
  4. /bin/nsgenc status; echo $?

If the result is 1, restore the backup, upgrade to 18.0 MR4 or later, and rejoin HA.

If the result is 0, contact Sophos Support.

NC-68908 RED: On the web admin console, SD-RED doesn't show LTE support. SD-RED supports LTE but incorrectly shows 3G/UMTS failover on the web admin console.

Will be resolved shortly.

NC-68438 Web: Web policy rules don't support users with the character "/" in the name. Known behavior.

NC-67790 DHCP: DHCP doesn't assign multiple IP addresses to the same MAC address.

Example: For the captive portal to work over a bridged interface with a VLAN, the access point creates a virtual interface and needs an IP address from the VLAN. When the captive portal asks for an IP address over VLAN, the discover request comes with the interface's MAC address. If one scope is set to static and the other to dynamic, the IP assignment doesn't work.

Set both DHCP scopes to dynamic, or both to static.

NC-67688 HA: In 18.0 MR1, backups that contained redundant information grew in size. If such a larger backup is taken and restored, /conf may be larger than expected. Run the following commands on the advanced shell:

rm -rf /conf/httpclient/httpclient

rm -rf /conf/iview_images/iview_images/

Take a backup again.

NC-65961 Web: Log viewer for Firewall and Web filter shows Allowed for all port 80/443 traffic from WAN to the WAN and LAN zones, although users initiating traffic from the WAN zone are shown a block page. Known behavior.

NC-65625 SSL VPN: OpenSSL limits the CN (Common Name) to 64 characters, and OpenVPN limits it to 63 + 1 (null character). Because a 12-character random string is appended to the CN, the <username>@<domain name> string is limited to 51 characters. Use at most 51 characters for <username>@<domain name>.

NC-63913 IPS policy: When an XG Series firewall is in FETCH mode in SFM and users change the Advanced threat setting using the template, the SFM event log shows a failure message. Known behavior.

NC-63535 Email: Modifications aren't allowed to the blocked email senders list. On Email > General settings > Block senders, when users add a domain or email address, the error "Request could not be completed" appears and the entry isn't added. Remove any of the domains or email addresses from the block senders list and add them again.

NC-62786 VFP-Firewall: Turning firewall acceleration on or off bounces the ports. Will be resolved shortly.

NC-60401 Central Management: When you downgrade the firmware or reset a firewall registered with Sophos Central (with services accepted on Sophos Central), the firewall loses its Central registration information.

When it's registered again and Central management is turned on, endpoints already known to Sophos Central and the Central Management API consider this a bad request since Central services have already been approved.

Deregister the firewall. For HA devices, deregister both firewalls from Sophos Central.

Sign in to Sophos Central, go to Firewall management, and click Remove from Central for the firewall.

Alternatively, re-register the firewall from the advanced shell so that it can then be removed from Sophos Central:

/bin/central-register --register -u <email_of_central_account> -p <password_of_central_account> -s <serialnumber_of_firewall>

Note that this puts the Sophos Central account password on the command line, where it's visible to anyone who can list processes on the firewall while the command runs; rotate the password afterwards if that matters in your environment.

Once the registration succeeds, deregister the firewall from the Sophos Central console.

NC-60381 Firewall: When Security Heartbeat is set to block endpoints with a red status in a firewall rule configured for a bridge interface and the firewall blocks the MAC address, it also blocks DHCP requests from those endpoints. Create a firewall rule with Rule position set to Top and Services set to DHCP, without any Synchronized Security Heartbeat settings.

NC-60294 Authentication: Users aren't removed immediately from the Live users list when they sign out using the Sophos Network Agent (iOS or Android), although the app disconnects immediately. Enter the following commands on the advanced shell:

echo 0 > /content/caaios

echo 0 > /content/caaand

restart access_server

NC-59839 Firewall: Email logs for bounced emails may show IP addresses that aren't configured as the source address.

Log entries are generated for connection table entries rather than from routing. For conntrack creation, the firewall uses any gateway IP address as the original source address (example: Port4: 10.24.255.254). When routing is done on layer 3, the decision may be to route that connection through Port2, but the original source isn't changed.

Known behavior.

NC-59800 Firewall: Creating new firewall rules above the automatic SMTP rule (Email MTA mode) may result in a mail queue on the firewall.

The firewall then accepts SMTP traffic but can't deliver the emails to the next hop. Mail queue and time-out errors appear in /log/smtpd_main.log.

This can happen with manually configured firewall rules that include SMTP service and automatically created firewall rules (example: with VPN connections).

Place manually created firewall rules for SMTP and automatically created rules below the automatic MTA rule.

If mails are already queued on the firewall before you reposition the firewall rules, contact Sophos Support for help with the script that corrects the queued entries: /scripts/mail/replace_firewall_id.pl.

NC-58684 Firmware management: Upgrading from 17.5.x to 18.0 or later takes about 50 minutes.

This is due to the additional checks for file system correction, which take longer based on the hard disk size and status.

Known behavior.

NC-56884 Wireless: Built-in wireless intermittently stops broadcasting the SSID on 2.4 GHz and 5 GHz, and users can't see the SSID on their endpoints. Go to Wireless > Access points and clear the check box for Dyn Chan. This turns off DCS (Dynamic channel selection) on 5 GHz.

NC-55423 Network services (deprecated): Data transfer usage differs between WAN link manager and the WAN zone report. For more information, see Difference between WAN link manager and WAN zone report.

NC-54697 IPS Policy: The show ips-settings command shows only eight firewall rules even when more are configured. The related database entry contains all the firewall rules. Will be resolved shortly.

NC-54667 Authentication: Sophos Firewall supports up to 3042 simultaneous Corporate Authentication Agent (CAA) connections. When the number of users exceeds the limit, the message "Failed to establish connection! Too many open files" appears in the access server log file.

The limit applies only to CAA users. Live users from other authentication mechanisms don't count toward it.

Known behavior.

NC-53094 RED: A WAN gateway becoming active causes RED site-to-site tunnels to flap.

When multiple WAN gateways are configured, any action that makes the backup gateway, or a gateway not used by the RED tunnel, reconnect causes all RED tunnels to reconnect.

Known behavior.

NC-52129 Email: Avira can't scan encrypted split files. Use the Sophos antivirus engine.

NC-51322 Email: Chinese characters in the mail subject don't appear correctly in the quarantine digest email. Change the encoding used in the end user's mail client to UTF-8.

NC-48871 L2TP: A username containing the special character "\" isn't authenticated when signing in with the domain through L2TP. Will be resolved shortly.

NC-47523 Reporting: The auxiliary HA device sends reports about its own scheduled report. Known behavior.

NC-47092 Firewall: An SSH session to a target behind an SFOS firewall appears with a delay in the log viewer. Known behavior.

NC-46108 DHCP: DHCP relay configured on an interface that also has a DHCP server configuration doesn't function. Expected behavior.

NC-44003 SNMP: SNMP queries for supportSubStatus and appExpiryDate return unexpected values. Known behavior.

NC-43682 Email: The mail queue is delayed or fails after the update to 17.5.

A manual change to disable_offline_relate is lost during a firmware upgrade. If you edited /static/proxy/smtp/scanner.conf before the upgrade to set disable_offline_relate to No, that change is lost during the update.

After the firmware upgrade is complete, edit /static/proxy/smtp/scanner.conf again and set disable_offline_relate.

NC-42570 WAF, Web: When LAN users access a web server deployed in the LAN zone and protected by a WAF rule, the requests don't work. Requests from the LAN zone reach the web server directly without passing through the firewall, and WAF rules control traffic only for sites hosted on the WAN interface. For internal servers, configure the DNS server to resolve the domain directly to the backend server.

Alternatively, to host the site in the LAN zone through WAF, you need a second WAF rule that listens on the internal interface with a different, internal-only domain.

NC-42364 Networking (deprecated): IPsec route precedence isn't applied.

When system route_precedence is configured to give VPN routes higher priority than static routes, the firewall doesn't send the traffic through the IPsec tunnel. Instead, it routes the traffic through a matching static route. This occurs if a static or local route exists directing the traffic to a non-WAN zone. The route precedence command only applies to traffic destined for the WAN zone.

Manually create an IPsec route for the remote subnet.

Example: console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname <tunnelname>

Press Tab twice after tunnelname to see the list of available tunnels.

NC-42227 Authentication clients: Sophos Firewall devices currently don't support SATC (Sophos Authentication for Thin Client) with the Edge browser. Known behavior.

NC-42226 SSL VPN: Locally-signed certificates aren't supported as server certificates in SSL VPN. Only certificates signed by the local CA are supported (example: ApplianceCertificate).

NC-38227 RED: Can't turn on DHCP for a RED from Network > DHCP. Go to Interfaces > RED for the RED device and, under RED network settings, turn on DHCP.

NC-35231 ATP framework: Threat exceptions are limited to 128 characters. Known behavior.

NC-35230 Wireless: Only 8 SSIDs or networks can be assigned to an access point. Known behavior.

NC-33997 Authentication: SSO client installation doesn't work in RDP sessions. Known behavior.

NC-33500 Web: Unable to get a file scanned by Sandstorm; the captive portal shows a "cannot reach" page. This happens when there's an Any-to-Any firewall rule with Action set to Drop. Select a LAN or WAN zone instead of Any for the firewall rule with Action set to Drop.

NC-30324 Firewall: Internal hosts can't ping remote access SSL VPN clients. Give priority to static routes, because SSL VPN routes are static routes (VPN routes refer to IPsec routes).

NC-29938 Networking (deprecated): Static routes don't apply to connected networks, such as RED tunnels, so you can't use them for route failover on these networks. Use SD-WAN routes for route failover.

NC-29517 Date and time zone: The time zone differs between the web admin console and the CLI console. Copy the content of /etc/zoneinfo/<timezone> to /conf/TZ, then restart the firewall.

NC-27906 Email: In legacy mode, when greylisting is turned on on the server, emails are rejected because legacy mode doesn't support retrying emails. Failed emails are rejected with the following log message: 451 Temporary local problem, please try again! For more information, see How to work around the issue when legacy mode doesn't support email retry.
NC-27452 WAF: No support for the Microsoft RDG (Remote Desktop Gateway) protocol suite. WAF supports only RPC_IN_DATA and RPC_OUT_DATA; these are the only types supported when Pass Outlook Anywhere is turned on.

NC-26865 Wireless: The Link/Activity LED glows on Port3 and Port4 even when the ports are disabled on XG 85(w), XG 125(w), and XG 135(w). Known behavior.

NC-25733 IPsec: Custom IPsec profiles that use a preshared key with aggressive mode aren't visible after upgrading to 17.0 MR1, although the profile is in use in an IPsec connection. The firewall doesn't support preshared keys in aggressive mode; it supports aggressive mode only with RSA keys and digital certificates.

NC-22697 Web: A Citrix-based web application doesn't work with the Allow all web policy.

In transparent mode, Citrix clients aren't aware that there's an HTTP or HTTPS proxy in the middle. So, they start using a proprietary protocol (not HTTP or HTTPS) using the HTTP and HTTPS ports. The proxy doesn't understand this and waits for a client request while the Citrix client waits for the server to respond. So, launching a .ica file with Citrix web or application fails.

You need to punch a hole in the firewall for this traffic. Do as follows:

For traffic from the LAN zone to the destination IP addresses of your Citrix URL in the WAN zone (used to launch the .ica file), create a LAN to WAN firewall rule with Web policy set to None.

Then create a LAN to WAN firewall rule with Web policy set to Allow all for the remaining traffic.

NC-22372 Email: Missing subject prefix with IMAP and many email clients.

With IMAP, some mail clients download only the root headers from the server. They download the complete email only when users click the email subject. Sophos Firewall doesn't scan headers for spam since headers don't have enough information to detect spam. The IMAP proxy scans emails for spam only when the mail client downloads the complete email. The firewall then scans and adds a prefix to the subject for spam. So, the spam prefix doesn't appear in the email client's folder view.

Known behavior.

NC-22206 Clientless access (HTTP and HTTPS): Bookmarks for websites that require NTLM authentication don't work with clientless access. Sophos Firewall doesn't support NTLM authentication with clientless web access.

NC-19628 Authentication: Sophos Firewall doesn't support browsing in IE11 Protected Mode with SATC authentication. Known behavior.

NC-19479 Clientless access (HTTP and HTTPS): Can't access websites that require the destination domain in the URL host through clientless access (example: CNN.com). Known behavior.

NC-19478 Clientless access (HTTP and HTTPS): Can't access websites with UTF-16 characters in the URL using bookmarks.

Clientless access needs HTML links to be rewritten within the response document to ensure that links work for users outside the proxy. The firewall doesn't rewrite URLs with UTF-16 encoded special characters. So, these sites won't open through clientless access. Example: http:\u002f\u002fportal.example.com

Known behavior.

NC-19476 Clientless access (HTTP and HTTPS): Can't access web servers that use JavaScript-generated dynamic URLs through HTTP and HTTPS bookmarks. Known behavior.

NC-18385 WAF: After successful form-based authentication, users are redirected to the path defined in the corresponding site path routing profile rather than to the originally requested path. Known behavior.

NC-17808 Email: Wrong decoding if a policy with Change prefix subject is configured with umlaut characters. Known behavior.

NC-17457 Networking (deprecated): The username for PPPoE interfaces is limited to 50 characters. Enter a dummy username of fewer than 50 characters on the web admin console for the PPPoE interface, then replace it in the database.

Go to the advanced shell and open the corporate database:

psql -U nobody -d corporate

At the corporate prompt, enter the following (psql needs the trailing semicolon to run the statement):

corporate> update tblpppoeconf set "user"='john.doe@example.com';

This statement has no WHERE clause, so it sets the username on every row of tblpppoeconf. If more than one PPPoE interface is configured, first run select * from tblpppoeconf; to identify the row for the interface you want, and restrict the update with a WHERE clause on that row.

Then disconnect the PPPoE connection and reconnect to bring the change into effect.

NC-16462 Reporting: When generating a custom report, only the results on the current page are exported to HTML, PDF, and CSV. The full list isn't exported. Known behavior.

NC-14880 Web: Safe search is enforced on all policies without exception. Known behavior.

NC-13946 Authentication: STAS users with the special characters ' , / " in the name don't appear. Sophos Firewall doesn't support usernames with these characters.

NC-13934 Reporting: The auxiliary device sends only some of the configured scheduled reports. If a report contains no data on the auxiliary device, no report notification is sent for it.

NC-13659 Security Heartbeat: Host information for blocked sources is shown on the ATP flipside but isn't updated. Manually reopen the flipside to see the change in host status (green, red, missing).

NC-13639 Captive portal: Local users with names containing umlaut characters (example: ööööööö) can't sign in. They can sign in through AD and STAS.

Unable to create local users with special characters (UTF-8). Existing AD users with such names can't sign in.

Known behavior.

NC-13637 Routing (deprecated): Route precedence isn't followed for policy-based routing in RED site-to-site tunnels. Known behavior.

NC-13636 VPN (deprecated): Can't create an L2TP connection with a preshared key for mobile phones. Known behavior.

NC-13632 RED: Unable to do offline provisioning of a RED 50 device using a USB device. Do online provisioning centrally; the REDs are then upgraded to the latest firmware, after which you can perform offline provisioning.

NC-13618 Clientless access (HTTP and HTTPS): Unable to access the web admin console of a firewall by using bookmarks from the same firewall. Known behavior.

NC-13598 Firewall: 10G SFP+ network cards on software appliances aren't recognized. Known behavior.

NC-9641 WAF: Outlook Anywhere doesn't work when Common threat filter is turned on in the web server protection policy. RPC (Remote Procedure Call) doesn't work when Common threat filter is on. CTF checks HTTP requests and responses for validity and compliance with HTTP standards and common practices. MS-RPC, the protocol underlying Outlook Anywhere, doesn't meet all these rules and common practices.

Turn off Common threat filter in the web server protection policy.

NC-9132 WAF: WebSockets aren't supported by WAF. Known behavior.

NC-9124 Firewall: STAS doesn't work when the AD servers are reachable only on the WAN. Known behavior.

NC-9106 Framework part of base (deprecated): Mail notification doesn't work with Microsoft Office 365. Sophos Firewall supports STARTTLS and SSL/TLS to encrypt emails, but for SMTP it supports only PLAIN authentication, which Office 365 doesn't support.

Configure an intermediate relay to work around this behavior.

NC-9102 Hotspot: The custom logo doesn't appear on the hotspot sign-in page if the hotspot name contains whitespace. Don't use white space in hotspot names.

NC-9063 Firewall: Unable to create a hotspot through SFM with an HTML filename that contains a space. Don't use spaces in filenames.

NC-8891 VPN: CHAP and CHAPv2 in L2TP and PPTP VPN with AD configuration don't work. Use PAP as the authentication method. Note that PAP sends the password in clear text inside the PPP session: with L2TP over IPsec the IPsec tunnel protects it, but PPTP derives its MPPE encryption keys from MS-CHAP, so PPTP with PAP carries both the password and the data unencrypted and shouldn't be used across untrusted networks.

NC-8888 VPN (deprecated): IPsec (site-to-site) between SFOS and SonicWall doesn't work in aggressive mode. Use main mode.

NC-43145 Hardware: The HA pair becomes unstable if you use the shared port as the dedicated link on XG 106. Don't use the shared port (Port 4) for the HA dedicated link.

NC-43721 Hardware: Half-duplex doesn't work on the upper four ports of XG 125 and XG 135 Rev.3. Use ports 5, 6, 7, or 8 for half-duplex.

NC-76186 Hardware-XG Series: The 4X10G Flexiport module with the Intel 700 series NVM data and driver isn't recognized. Known behavior.

NC-55068 Hardware: XG 115 Rev.3 models show no HDMI output unless a monitor is connected before the device starts. Known behavior.

NC-53886 Hardware-SG and XG Series: The 40Gbit QSFP+ Flexiport module isn't recognized on SG/XG 430/450 firewalls. Known behavior.