The XG Firewall v18 Early Access Program (EAP) 3 firmware release is now available for download.

To get the latest release, go to the XG Firewall v18 EAP page. With EAP 3, we have moved to more secured firmware signing method, hence, you will see ".sig" extension for the firmware update files than the older ".gpg" extension.

Note: If you've already registered for the v18 EAP and upgraded your XG Firewall firmware, there's no need to re-register to gain access to the v18 EAP 3 release. You will see a notice in the firewall UI to upgrade through the Up2Date service.

We've updated the "Known Issues, Advice for Users, and Incomplete Features" document with new information.

Please remember, this is still an early build of the v18 release so there are some things we’d like to bring to your attention before you download the firmware and begin testing it.

We’ve attempted to make the build as bug-free as possible, however as is the nature of early access firmware we cannot guarantee it will be.

The firmware is continually being tuned for performance. Expect to see faster speeds in future builds.

As part of the EAP we’ll continue to add additional features into future builds. You can find the features in those later builds in the "What’s New in v18” document.

New Features and Highlights in SF v18 EAP 3

SD-WAN Application Routing and Synchronized SD-WAN

QuickHA mode and other High Availability (HA) Enhancements

Update HA configurations without breaking HA; includes downgrade firmware and modify Port monitoring list Deploy HA in single click using QuickHA mode - supports flexible order of configuring primary and auxiliary Keepalive request and attempts configurations to tune timeout for cross location HA Option to assign multiple IPs to Auxiliary unit Added cluster ID to eliminate VMAC conflict limitation Now supports option to use host/ hypervisor MAC to eliminate vSwitch Promiscuous mode limitation Now supports pre-emption/ Failback Eliminated downtime in case of upgrade using “Firmware Upgrade now and boot later” option HA synchronization now happens over SSH tunnel based secure communication

Flow Monitoring Improvements

Real time bandwidth on the Live connections screen; Analyze bw utilization for users, source IP and applications in a single view

Bridge Interface Enhancements

support ARP broadcasts, Spanning Tree Protocol (STP) traffic, and filter non-IP protocols by specifying the ethernet frame type

VLAN Filtering

DPI and SSL/TLS improvements (includes key issues addressed related to DPI and SSL/TLS) SSL/TLS rules can no longer include the ‘WAN’ zone as a source. We do not support the use case of decrypting inbound SSL/TLS connections from the Internet to an internal Web Server, which requires a different form of key/cert management. We removed this option to avoid confusion as there is rarely a need to do ‘outbound’ SSL/TLS decryption on connections originating outside the firewall. Fixed: Some log entries for blocked connections were taking up to 30 minutes to appear in the log Added a set of built-in FQDN host objects and groups for sites impacted by SafeSearch feature. SafeSearch enforcement by web policy only works in Proxy mode. These network can be used in firewall rules to direct Search Engine traffic through the Web Proxy while protecting other traffic with DPI mode. In the Control Center chart showing encrypted/decrypted connections, the ‘Decryption limit’ is no longer shown unless the actual traffic load is close to the limit. This fixes an issue where the scaling of the chart meant that it was not very informative for modest traffic loads. Revised the captions and layout of the Web options in Firewall Rule to help clarify how the various options relate. SSL/TLS log now shows the whole server cert fingerprint SSL/TLS rules list UI has filtering capability SSL/TLS rules can now use FQDN Host and Group objects (note that there is a known issue that prevents FQDN Host objects being added to a rule via the UI)

Improvements related to Sandstorm threat intelligence When Sandstorm is licensed and enabled, files that trigger virus detections will now be sent for static analysis Sandstorm Control Center widget displays a new set of counts to reflect the new functionality



Note: Route based VPN will be part of future EAP release.

Important Issues Resolved in SF v18 EAP 3

NC-53875 Fixed allocation issues resulting in IPS keeps getting restarted

NC-52853 Fixed garner core dump related to feedback channel in XG330

NC-52662 Fixed continuous receiving 'fw_fp_invalidate_microflows:459: Queueing invalidate work ffff8801ed1bb5c0' error in syslog.

NC-51952 WAF firewall rule update failed after migration from 17.5 MR8 to 18.0 EAP1

NC-50549 Drop packet does not show all the info for firewall rule ID 0 drop compare to v17.5

NC-53988 Kernel panic in XG450 appliance

key issues addressed related to DPI and SSL/TLS (detailed out in the section above)

Packet capture and connection list issues

Plus 200 issues and stability fixes are part of EAP 3

Getting Started

Once you’re ready to go, we’ve got some great resources to help you get started:

Things to Know Before Upgrading

Before upgrading to v18 EAP 3 from an earlier version, there are a few things to note:

You can upgrade to v18 EAP 3 from v17.5 MR6 or later MR versions of v17.5 including latest MR9; as well as from any earlier v18 EAP.

Rollback (firmware switch) is supported as usual. You can roll back to v17.5 MRx if you experience any issues during the v18 EAP. As an example, the active firmware on the firewall is v18, and the second firmware version is v17.5. Administrators can switch between these two and the configuration on each will stay as it is.

Backup and restore are supported as usual. SG Firewalls running SFOS, Cyberoam firewalls and XG Firewall backups can be restored on v18.

Due to a minimum memory requirement of 4GB of RAM, XG 85 and XG 105 models cannot upgrade to v18 and must remain on a 17.x version.

v18 firmware is not supported on Cyberoam models. However, Cyberoam firewall backups can be restored on an XG Firewall running v18.

Downgrading from v18 to older firmware - using v17.5 or earlier firmware file - is NOT supported. The Web console will the give appropriate message. v18 uses Grub boot loader. The changed bootloader cannot recognize v17 firmware. Administrators can still use the hardware ISO of v17.5 or an earlier version to get the firewall on an older firmware version and restore the downgraded firmware's backup.

Recommended upgrade process when you test multiple v18 early access releases:

This is applicable if you have upgraded to v18 from v17.5. When you further upgrade from v18-EAP(x) to v18-EAP(x+1), you can first switch to v17.5 and upgrade from v17.5 directly to v18-EAP(x+1). From there, you can then restore the backup of v18-EAP(x). This way you will always have v17.5 firmware in your second firmware slot, and leave an option open to roll back to v17.5 if needed.

Support

Please do not call the general Sophos Support Hotline for EAP issues.

Troubleshooting support for EAP versions is handled solely through the online Sophos Community EAP Forums.

Share Your Feedback

Communicating your experiences with the v18 EAP firmware is crucial to its success, so we want to hear from you! Please share your feedback via the Sophos Community or through your XG Firewall’s feedback mechanism in the user interface.

Thank you for taking the time to test the v18 EAP release. We’re excited about all the new features this release will bring to Sophos XG users and we appreciate your help making it happen!

Sincerely,

Your Sophos XG Firewall Product Team