Hi XG Community!

We've finished SFOS v17.5.0 GA. This release is available in stages. In first stage it will be available at MySophos. We then start with a small amount of slots and will increase those over time. Later it will be available to all other installations as well.

Please see the following link for further information regarding upgrade - KBA 123285 Sophos Firewall: How to upgrade the firmware.

What's New in XG Firewall v17.5

Here's a quick overview of the key new features in v17.5. For a more detailed description please refer to: Sophos-XG-firewall-v17.5-whats-new.pdf

Lateral Movement Protection

Lateral Movement Protection extends our Security Heartbeat automated threat isolation to prevent any threat from moving laterally or spreading across the network, even on the same subnet. The firewall instructs all healthy endpoints to completely isolate any unhealthy endpoints.

Synchronized User ID

Synchronized User ID utilizes Security Heartbeat™ to greatly streamline authentication for user-based policy enforcement and reporting in any Active Domain network by eliminating the need for any kind of server or client agent.

Education Features

Education Features such as per-user policy-based control over SafeSearch and YouTube restrictions, teacher enabled block-page overrides, and Chromebook authentication support.

Email Features

Sender Policy Framework (SPF) anti-spoofing protection and a new MTA based on Exim which closes a couple of top requested feature differences with SG Firewall is added.

IPS Protection

IPS is enhanced with greatly expanded categories enabling you to better optimize your performance and protection.

Management Enhancements

Management including enhanced firewall rule grouping with automatic group assignment, a custom column selection for the log viewer and revamped online help with learning content approach.

VPN and SD-WAN Failover and Failback

New IPSec failover and failback controls and SD-WAN link failback options.

Client Authentication

Client Authentication gets a major update with a variety of new enhancements such as per-machine deployment, a logout option, support for wake from sleep, and MAC address sharing.

Sophos Connect

Sophos Connect is our new IPSec VPN Client that’s free for all XG Firewall customers that makes remote VPN easy for users and supports Synchronized Security.

Additionally

Coming in a following Maintenance Release we have:

Wireless APX Access Point Support provides support for the new Wave 2 access points providing faster connectivity and added scalability.

Airgap Support for deployments where XG Firewall can’t get updates automatically via an internet connection (due to an “airgap” or physical isolation) – Patterns and Licenses can now be updated manually.

Sophos Central Management of XG Firewall With v17.5, XG Firewall is also joining Sophos Central. The Early Access Program for Sophos Central Management of XG Firewall is expected to start soon. You will be able to manage XG Firewall from within Sophos Central along with all your other Sophos Central products. And there’s a few great new features coming along with Sophos Central Management of XG Firewall: Secure access and management with single-sign-on through Sophos Central from anywhere Backup management and storage for your regularly scheduled firewall backups Firmware update management to make multiple firewall updates easy Light-touch deployment to enable easy remote setup of a new Firewall



Notes

Enforcement of search engine Safe Search and additional image filters is now configurable per-web policy and is no longer a global option. The settings have been moved from Web >> General Settings into the additional options that are available when editing a web policy. In addition, configuration for YouTube restrictions have been broken out into a separate option.

Product behaviour will be preserved on upgrade by automatically migrating the existing global settings to all existing web policies.The exceptions to this are the following built-in, uneditable policies: Allow All, Deny All and ClPA-Compliance. KBA 123589

Product behaviour will be preserved on upgrade by automatically migrating the existing global settings to all existing web policies.The exceptions to this are the following built-in, uneditable policies: Allow All, Deny All and ClPA-Compliance. KBA 123589 IPS now with Cisco Talos IPS library and more granular IPS categories KBA 133197

XG Firewall v17.5 has incorporated new Avira virus scan engine v4.x. When v17.5 will boot for the first time, it will download full (not incremental) Avira patterns approx. ~90 MB and reload virus scan engine. This may take a few seconds or minutes based on the bandwidth. In this duration, web and email traffic will be blocked. Blocked emails will stay in email spool and it shows reason as malware scan failed. However, these emails will be delivered once the engine is up after reload. KBA 133165

Issues Resolved

NC-39029 [Authentication] Show proper error message in UI if you enter an used port in Chromebook SSO configuration

NC-39212 [Authentication] CSD: make sure the userSessions map is not overwritten

NC-39532 [Authentication] Migration from 17.1 fails if host definition for "*.gstatic.com" exists

NC-39677 [Authentication] Success message shown in ui even though deleting a user fails

NC-37683 [Base System] cURL (libcurl) NTLM Authentication Code Buffer Overrun Vulnerability (CVE-2018-14618)

NC-39192 [CM-Join-to-cloud] Appropriate status should update on SF and Sophos Central once FW is remove from Central and register again

NC-36497 [Email] POP3 mails reach the proxy empty

NC-38052 [Email] Subject not displayed properly in mail log with sender generated password method

NC-38282 [Email] mail_sender opcode stuck in CSC

NC-38470 [Email] Some reason filters on mail log page are not working as expected

NC-38571 [Email] Port validation not working when adding new port in SMTP via CLI

NC-39233 [Email] Email delivery failed for some recipients when email containing 512 recipients

NC-39280 [Email] Error message 'Relay not permitted' when sending an inbound mail to email address base profile

NC-39379 [Email] Bad (malformed syntax) mails should be displayed separately from network failed emails on UI

NC-39454 [Email] Mail doesn't get formatted properly when file filter protection applied

NC-39513 [Email] Network type IP host should not allowed to add in exception policy

NC-39668 [Email] RDNS check should be applied to inbound emails only

NC-39737 [Email] Mail from header changed when wrong "Return-Path" used in smart host deployment

NC-39953 [Email] Email attachments get corrupted with BDAT

NC-40387 [Email] Avira update might fail on HA systems after upgrade to v17.5

NC-38505 [IPS] IPS policy backup is not created while applying signature upgrade

NC-39687 [IPS] IPS log filling up with entries and causing problems for legitimate traffic

NC-39083 [IPsec] IPsec: charon starts parsing fragmented messages before they are reassembled

NC-38832 [Network Services] Issue with wildcard FQDN based rule

NC-37817 [UI Framework] SAC tab not loaded because of OutOfMemory error

NC-39310 [UI Framework] Control Center: Icons for VPN and Connections have been switched

NC-38184 [Web] Check settings functionality is not working from device level of firewall manager(SFM)

NC-38844 [Web] Web Policy Override not working in HA(A-A) mode if traffic served from Aux appliance

NC-39039 [Web] When "Drop connection" feature is enabled, blocked/warned events are not logged correctly

Issues Resolved in EAP1

NC-32763 [Authentication] Importing users with .csv file having usernames with Thai characters creates junk character

NC-34340 [Authentication] Users not getting authenticated via Radius SSO

NC-37091 [Authentication] Show error when Chromebook SSO is not configured correctly

NC-37300 [Authentication] Create FQDN Hosts and Groups for Chromebook

NC-38381 [Authentication] "Record does not exist" error when trying to open created LDAP server

NC-36185 [Azure] Upgrade Linux VM Agent

NC-38176 [Base System] garner memory corruption affecting RED

NC-38471 [Base System] EULA not shown on GUI on Azure

NC-38473 [Base System] Reading of /proc/timer_list file leads to NMI watchdog soft lockups

NC-31499 [Email] Unable to send .eml attachments to specific domain

NC-32682 [Email] SPX generates password for same email recipient in different case

NC-32690 [Email] SPX encryption corrupting attachments by adding line breaks

NC-32754 [Email] XG not able to insert spool query

NC-33360 [Email] Add missing header fields in notification emails

NC-33391 [Email] Quarantine digest and released emails not sent

NC-33977 [Email] Unable to release unscannable quarantined emails

NC-34450 [Email] Fail to send email notifications

NC-35494 [Email] UI hangs when user selects specific date on SMTP quarantine page

NC-36612 [Email] Cross version import/export not working for exception policy

NC-37849 [Email] Console command 'subsystem-info' shows awarrensmtp and smtpd service with same name

NC-37945 [Email] Scanner crash on low end devices due to high number of forwarders

NC-38005 [Email] Improper IP reputation reject status message in mail log

NC-38013 [Email] Typo in Authentication Relay drop message

NC-38015 [Email] Emails moved to error queue when header part is big

NC-38021 [Email] Return-Path/Reply-To header ignored while sending failure notifications

NC-38252 [Email] Add support of email based routing and RBL scanning

NC-38257 [Email] No reason logged in mail logs for mails dropped due to file filter

NC-38297 [Email] Improper label in exception policy at device level from SFM

NC-38312 [Email] SFM pushes exception policy to firewalls even in legacy mode

NC-38391 [Email] Core dump in mail scanner

NC-38392 [Email] Notifications are logged with '0 bytes' in MailLogs

NC-38501 [Email] SPX fails to encrypt on hardware appliances when SPX reply portal is enabled template

NC-39024 [Email] Do not allow multi use for port 587

NC-32530 [Firewall] Post-Authentication SQL injection in Firewall User Interface

NC-34612 [Firewall] Appliance frequently rebooting when having IPv6 permitted networks for remote access SSLVPN

NC-34675 [Firewall] Live connections page not showing connection list

NC-35656 [Firewall] Internet access being lost, SFOS consuming all memory.

NC-35660 [Firewall] MAC address missing in export of MAC list having only one list member

NC-37274 [Firewall] SMTP MTA mode does not support TCP port 587

NC-37760 [Firewall] Misleading message when adding rule using automatic grouping and group has already 200 rules

NC-37992 [Firewall] Transferred data not shown in firewall rules when reaching tera bytes

NC-36318 [IPS, SFM-SCFM] Application filter policy rule not containing any application being pushed from SFM is not applied on SF

NC-36565 [IPS] Category replacement not working on export/import

NC-38347 [IPS] Category based IPS policy import not mapping to Talos categories

NC-30016 [IPsec] Merged IKE gets deleted when one connection is disabled in UI

NC-32269 [IPsec] GRE traffic forwarded through WAN interface after HA failover event

NC-34131 [IPsec] L2TP still connects after user was disabled

NC-38310 [IPsec] IPsec site-to-site tunnel not established with Cisco ASA and gateway type "Initiate the connection"

NC-39059 [Localization] Using "state" causes mistranslations

NC-36455 [Networking] WWAN is not connected automatically at boot time if the primary WAN link is disconnected/down

NC-36720 [Networking] Traffic might flow via backup gateway even hard gateway failback configured

NC-34149 [nSXLd] Keywords are not deleted when custom web category is deleted

NC-37809 [nSXLd] Proxy authentication is not cleared after config reload

NC-38125 [SSLVPN] Unable to edit SSLVPN (remote access) page

NC-35500 [UI Framework] Apache service start fails if webadmin certificate passphrase having single quote character

NC-35682 [WAF] Unable to edit and load business app rule for WAF

NC-37178 [Web] Name should not be pre-filled while creating new overrides

NC-37179 [Web] Improve UI for adding website domains to an Application Override

Issues Resolved in EAP0

NC-29648 [Base System] If Default CA is not configured, Generate CSR option should be disabled

NC-29906 [Base System] Unable to edit NTP server when 10 servers are configured

NC-30497 [Base System] [VMware] SFOS Guest OS detail shows wrong/missing

NC-30635 [Base System] Missing focus after closing dialog when editing default certificate

NC-31010 [Base System] Configuration import running into timeout on SG/XG 100 series appliances

NC-31100 [Base System] Upgrade notification pop-up does not work in some cases

NC-35536 [Base System] OpenSSL - Denial of service during forward secrecy setup (CVE-2018-0732)

NC-34154 [Clientless Access] Unable to connect RDP type bookmark with NLA

NC-34803 [Email] Possible denial-of-service due to secure client-initiated renegotiation

NC-35175 [Email] Sophos XG is not adding received-by header as per RFC 5321

NC-35256 [Email] Invalid XML is generated for Email -> General Settings -> Blocked Senders

NC-35915 [Email] "POP-IMAP Scanning" policy generated XML does not contain information of filter criteria "Source IP/Network Address"

NC-26440 [Firewall] Firewall rule dropping traffic when there is no user identity attached to the rule

NC-30989 [Firewall] CVE-2018-8897: Don't use IST entry for #BP stack

NC-31282 [Firewall] Firewall rule group entity name not sent to SFM upon insert/update/delete

NC-22889 [Hardware] XG85: poweroff command reboots the device instead of shutting it down

NC-21909 [IPsec] Do not show empty-value-warning on page entry

NC-30319 [IPsec] Backup fails import when containing IPv6 remotes

NC-30462 [IPsec] Site-to-Site connection not initiated after DHCPv6 interface update

NC-30618 [IPsec] New virtual IP on every Phase 1 rekey even though client requests same IP

NC-30794 [IPsec] NAT checkbox is always enabled in IE11

NC-30796 [IPsec] Local gateway selection shows invalid interface in IE11

NC-33410 [IPsec] VPN Connection Status shows 'Any' on both sides even when configured only on one side

NC-22604 [Logging] GUI alignment issue when sender name or subject is longer

NC-25714 [Logging] Firewall rule ID in log viewer not linking to actual rule anymore

NC-29974 [Network Services] Disconnect PPPoE interface doesn't update corresponding interface based DNS static entry

NC-30753 [Network Services] DGD service in stopped state and segmentation fault

NC-33876 [Network Services] IPset command shows wrong information for wildcard and FQDN Host

NC-30483 [Networking] Port and IP address may show "undefined" in WAN Link Manager "Failover Rules"

NC-30493 [Networking] Link status not updated in WAN Link Manager when RA client has no IP address

NC-30544 [Networking] Full and selective configuration import fails when bridge innterface configured in WAN zone

NC-31399 [Networking] Full backup import fails when bridge member interface is LAG

NC-33628 [Networking] LAG mode related configuration missing on configuration export

NC-34573 [Networking] Configuration changes of CFM not propagated to XG

NC-20785 [Reporting] PDF export of reports taking much time or failing completely

NC-26459 [Reporting, UI Framework] Reports for "Traffic Insight" not shown on dashboard

NC-29573 [Reporting] Sending of scheduled reports does not consider changes of daylight saving time

NC-31243 [Reporting] Table headers in reports span two lines and cannot be seen

NC-32490 [Reporting] Unable to click "PDF", "CSV", "Bookmark" or "Schedule" under "Report > Applicazioni & Web" when WebAdmin language is Italian

NC-28206 [SecurityHeartbeat] Heartbeat deamon does not handle all allowed MAC address formats correctly

NC-32459 [SecurityHeartbeat] Endpoint name in StoneWall message

NC-32580 [SecurityHeartbeat] Extend StoneWall protocols/messages

NC-34169 [SSLVPN] Fail to access SSLVPN (site-to-site) page after any tunnel modification

NC-30984 [Synchronized App Control] [SAC] improve usability

NC-30987 [Synchronized App Control] [SAC] no action "acknowledge" for acknowledged apps

NC-30988 [Synchronized App Control] [SAC] filter with deleted apps should be last in the dropdown field

NC-28064 [WAF] Form hardening sets block-reason only in case of GET requests

NC-25805 [Web] Handle non-compliant HTTP status code 999

NC-27519 [Web] Proxy continues to download files in batch mode even if client closes connection

NC-28851 [Web] Default Web policies contain duplicate rules

NC-29305 [Web] "Expect" header not handled correctly

NC-31837 [Web] Add "alert.hitmanpro.com" to proxy bypass list

NC-33650 [Web] Enabling web content cache for Sophos Updates blocks further updates

Download

To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285.