Hi XG Community!

We now have SFOS v17.1.0 GA available. Here's everything you need to know.

Right now, the release is available as a manual upgrade to all SFOS versions via the MySophos portal.

Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285

The on-the-box upgrade (the new firmware available pop-up and Check for new Firmware) will be made available a little later. It will also be released in a staged manner, i.e. with the staged count increasing incrementally over time.

What's New

Check out all the enhancements in XG Firewall v17.1 including the new Cloud Application Visibility feature in our XG Firewall v17.1 demo video.

- Cloud App Visibility - brings the visibility pillar of CASB to XG Firewall, providing quick and easy Shadow IT discovery and visibility into data that may be at risk in cloud applications with great reporting on users and volume of data being uploaded and downloaded from cloud services.
- Synchronized App Control - gets further enhancements in managing newly discovered applications, including options to search, filter, and delete applications. You’ll also see the category assigned to the discovered app in the list for easy reference.
- Email Security - adds user management over individual SMTP block and allow lists via the User Portal. Domains or email addresses added to the Allow list will bypass policies (except for malware or sandboxing enforcement) and adding domains or addresses to the block list will automatically quarantine emails from those senders. In addition, more flexible SMTP policy exceptions are supported to provide parity with Sophos SG UTM.
- SSL VPN Port Option - one of the most requested features on XG Firewall is the option to customize the SSL VPN listening port.
- Firewall Enhancements - Enhancements have been made to the firewall and rule management to improve flexibility and streamline management even further. You can now double-click a firewall rule in the list to open it for editing. There's a new option to block Google QUIC's HTTPS over UDP forcing a fallback to TCP enabling full SSL inspection of the traffic. And there is now added flexibility in defining ACL exceptions to restrict access to services like the User Portal from a single alias, for example.
- Wireless Enhancements - XG Firewall v17.1 provides wireless networking enhancements including the option to set the channel width for wireless radios in the GUI as well as Radius Accounting.
- IPSec VPN IKEv2 Enhancements - XG Firewall v17 introduced new IKEv2 support for IPSec VPN connections and all stability and reliability enhancements, included in subsequent maintenance releases, are included with v17.1.
- New Hardware Support - Support for the latest XG Series desktop hardware connectivity and features, unveiled in an earlier maintenance release, is also included in XG Firewall v17.1.

You can find the PDF of what's new here: Sophos XG Firewall v17.1 Whats New.pdf.

Notes

In case you are managing your Firewalls using SFM/CFM, Firewalls running SFOS 17.1 GA won’t accept application filter rules when applied from a device group or template. You can manage application rules from the device-level view in SFM/CFM until this limitation is addressed in SFOS 17.1 MR-1.

Issues Resolved

NC-31554 [Base System] Missing color indication for ATP widget

NC-31662 [Base System] Change of the XG Firewall login screen

NC-31484 [Email] Emails are not removed from spool after update to SF 17.0 MR8

NC-31514 [Firewall] Editing IPv6 host is not possible

NC-31030 [SSLVPN] Remove misleading message "Port 443 is already in use by User Portal"

NC-31615 [Web] Remove file type data columns in cloud application dashboard

Issues Resolved in Beta3 build

NC-30212 [Base System] Device displays fail message for SFM/CFM heartbeat

NC-29075 [Email] Unable to update mail spool if mail address contains special character (')

NC-29757 [Email] CVE-2011-1473: POP/IMAP - Secure Client-Initiated Renegotiation vulnerability

NC-30160 [Email] Option "Skip mails (for malware scan) greater than" is not working for outbound traffic

NC-30183 [Email] Notification test email fails with authentication when mail send without saving configuration

NC-30303 [Email] Possible authenticated remote code execution in mail_sender

NC-30649 [Email] Permissions for Email protection are not exported correctly

NC-29216 [Firewall] Separate out filter and NAT table chains for IPsec in two different services

NC-29505 [Firewall] Traffic shaping rule for firewall has wrong default policy association

NC-29776 [Firewall] After migrating from CR to SF DNAT rules stop working after every reboot

NC-29990 [Firewall] Import/Export of destination local acl always set to "any" if any port is selected before

NC-30037 [Firewall] Validation missing if IPv4 is selected as IP version

NC-30197 [Firewall] Firewall rule filter is not working from second page onwards

NC-30588 [Firewall] Policy Tester ignores IP host groups in the firewall rule

NC-30766 [Firewall] Unauthenticated XSS in diagnostics component

NC-30871 [Firewall] Japanese column header not displayed in the right place in Protect -> Firewall

NC-19980 [Framework(UI)] Filter search containing backslash char will not find the match

NC-30575 [Framework(UI)] VPN FO Group selection widget doesn't display correctly in Chrome

NC-28826 [HA] HA migration does not complete if dedicated link goes down during migration process

NC-29572 [IPsec] GUI allows admin to select external certificate for Remote Certificate for IPsec Connection for Remote Access

NC-30830 [IPsec] CVE-2018-10811 & memleak: Import upstream strongswan patches

NC-30979 [IPsec] IPsec route can disappear if two connections use the same

NC-29889 [Network Services] Unable to lease the IP to some users

NC-31017 [RED] RED S2S client does not work with routed server address

NC-29733 [Reporting] Showing unknown character for Current HA status under reports with HA

NC-29846 [Reporting] Sort by Users/Byte is not working on Cloud Applications page

NC-30155 [Reporting] Wrong label displayed for widget of Cloud Application

NC-30190 [Reporting] Records are not displaying in HTML export for "Records Per Chart 25 and more" for some widget of Cloud application

NC-28789 [Sandstorm] ExcludeSandstormFileTypes is not available in SandboxSettings XMLAPI data

NC-27461 [SFM-SCFM] Compatibility v17: Firewall UI issues at device level

NC-28913 [SFM-SCFM] Compatibility v17: Appliance unsync when applying L2TP (Remote Access) or IPSEC configuration

NC-29907 [SSLVPN] Not able to edit SSL VPN (Remote Access) policy

NC-30847 [SSLVPN] Unable to set user portal port to SSL VPN port

NC-29278 [Synchronized App Control] Renaming an Endpoint does not update SAC table

NC-29820 [Synchronized App Control] No new logs since 2 days - /tmp is full on XG85

NC-31020 [Synchronized App Control] Synchronized Application Control page is taking too long to load

NC-31229 [Synchronized App Control] SAC data table not loaded after migration to v17.1 Beta1

NC-30054 [UI] Device Access page showing error on Auxiliary machine

NC-29602 [WAF] API Get for SecurityPolicy does not return Traffic Shaping settings for the policy

NC-29876 [WAF] Website hosted over WAF taking more time to load when Common Threat Filter enabled

NC-30448 [WAF] Rewrite HTML for site path with special characters leads to memory allocation failure

NC-28699 [Web] Cloud Applications Control center widget - spacing issue

NC-28762 [Web] After power failure, Android devices captive portal does not disappear after logging in

NC-29002 [Web] API Import for WebFilterPolicy with dependent entities failed

NC-29164 [Web] Proxy drops HTTP Response when 100 and 200 in same packet

NC-29166 [Web] AV files served from cache are not scanned if 'scan av' flag enabled after file was cached

NC-29385 [Web] Data mismatch for Control Center and reporting widget for Cloud Application

NC-29479 [Web] Usercache is not updated when classification set through AppClassificationBatchAssignment

NC-29504 [Web] Captive Portal customization Reset to Defaults does not work

NC-29601 [Web] Policy Test Tool not working

NC-29809 [Web] When cloud dash board page contains more than 10 apps, some apps will not show app-icon warning exclamation triangle mark when changing app classification

NC-29984 [Web] WebFilterURLGroup API Doc is misleading

NC-30606 [Web] Fail to change application classification when changing to other languages

NC-30682 [Web] Cloud Applications page loading failed in XG85 appliance

NC-31042 [Web] Cloud Applications dashboard column names have overlapping text in French

NC-27033 [Wireless] Pending text is wrapping to next line for Wireless APs counter

NC-27535 [Wireless] UI is not displaying WiFi client's IP when multiple clients are connected to AP

NC-28763 [Wireless] UI displays AP as inactive even if AP was active

NC-28765 [Wireless] AP goes in inactive mode when used "2.4 Ghz and 5 Ghz" Frequency band

NC-29419 [Wireless] Not able to configure channel 12 and channel 13 on Desktop refresh devices

NC-29988 [Wireless] Wireless network update is not reflecting when it is assigned to LocalWiFi1(OptionalWiFi)

Issues Resolved in Beta2 build

NC-29977 [WAF] Reverse authentication: Access possible for empty protection profile

Issues Resolved in Beta1 build

NC-28797 [Access] User Edit page doesn't load for some users who are part of multiple groups

NC-26797 [API] HA devices update from MR2 to MR3 result in primary unit being factory reset

NC-22530 [Authentication] Webfilter policy is not working for auto-created AD user

NC-28175 [Authentication] Customer from NC-21823 has updated and getting segfault for access_server

NC-16090 [Base System] Source port changes to random over IPSec VPN

NC-25783 [Base System] Import certificate option is missing for CSR

NC-26328 [Base System] Additional CPU cores not detected in v17 after license upgrade

NC-27022 [Base System] Import from configuration failed due to too long certificate name

NC-27076 [Base System] Ping utility not working

NC-27263 [Base System] Incorrect interface speed is shown via SNMP

NC-28033 [Base System] Packet capture and connection list issue

NC-28220 [Base System] Garner active.db file size is too big in /tmp/eventlogs due to LogViewer output plug-in

NC-28566 [Base System] Garner service restarts

NC-27087 [Certificates] Default CA regeneration fails

NC-27853 [DDNS] DynDNS update does not happen in the configured time range

NC-28177 [DNS] Unable to resolve DNS of services.vip.symantec.com when registering it in Services/FQDN Host

NC-22864 [Firewall] Quick QUIC block

NC-22878 [Firewall] Allow user to edit rule while double clicking on the rule

NC-22927 [Firewall] NATPolicy API export fails when it contains NAT profile created on network

NC-26433 [Firewall] Captive Portal access issue for Android devices

NC-26560 [Firewall] One time schedule in firewall rule for VPN traffic doesn't block traffic when schedule expires

NC-27004 [Firewall] Unable to send email due to Default Internet Scheme Policy

NC-27164 [Firewall, Performance] LAN interface become unresponsive

NC-28025 [Firewall] Policy Tester ignores service groups in the firewall rule

NC-28710 [Firewall] Display of firewall rule in Firewall Group overlaps with display of action

NC-28756 [Firewall] Appliance inaccessible after the backup restore

NC-28785 [Firewall] Packet capture log is empty when opened via hyperlink in log viewer for IPv6

NC-28791 [Firewall] Sometimes VPN is not working when bridge has WAN interface

NC-28800 [Firewall] Firewall Rule ID is shown with an incorrect ID

NC-29379 [Firewall] HA Aux appliance goes in failsafe mode when failed to load LBS module (occurs only in specific IPv6 condition)

NC-29243 [Framework(UI)] Subnet creation is broken for IE11

NC-25854 [HA] Disable HA fails on auxiliary appliance when LAG interface is used as peer admin port and a bridge interface is also configured in SFOS

NC-29040 [Hotspot] File name containing space is not working for images/stylesheets and logos of hotspots

NC-26514 [IPS] IPS core dumps with appliances in HA (A-A)

NC-27549 [IPS] ATP Exception is getting removed automatically

NC-28602 [IPS] Filter alignments in Application Filter Policy Rule are displayed incorrect

NC-29174 [IPS] IPS Policies are not being pushed out via SFM template

NC-25380 [IPsec] Add an option to auto create a Firewall rule

NC-22604 [Logging] GUI alignment issue when sender name or subject is longer

NC-26357 [Logging] Log viewer is not loading after adding any filter and read/write goes high after activity

NC-21745 [Mail Proxy] i18n file name is not displayed in log viewer and on sandstorm activity page for sandstorm module

NC-25746 [Mail Proxy] CVE-2012-4929: SSL/TLS CRIME Vulnerability on port 8094

NC-26472 [Mail Proxy] AwarrenMTA: few mails appear on queue after delivery (DB connect fail)

NC-26930 [Mail Proxy] XG not able to update spool due to special characters in failure reason

NC-27240 [Mail Proxy] Unable to send emails due to auto routing to rcpt DNS in case of greylisting reply for MX

NC-27365 [Mail Proxy] Display issues with german umlauts in SPX Template

NC-28081 [Mail Proxy] Unable to save the SMTP policy when some MIME types are selected

NC-28364 [Mail Proxy] Email should be quarantined if scanning fails due to unscannable file

NC-28819 [Mail Proxy] Quarantined emails are not visible on SMTP Quarantine

NC-29018 [Mail Proxy] XG is unable to block email attachments when sent via Powershell v5.1

NC-29103 [Mail Proxy] Unable to release quarantine mails with special characters from spam digest

NC-29315 [Mail Proxy] CTIPD service should be stopped if Email or WAF subscription is not activated

NC-29319 [Mail Proxy] Unable to release false positive outbound spam emails

NC-29339 [Mail Proxy] CVE-2013-0169: Multiple SSL/TLS vulnerabilities - POP/IMAP

NC-29437 [Mail Proxy] Multi-level subdomain getting 501 syntax error while “Reject invalid HELO or missing RDNS” enabled

NC-29671 [Mail Proxy] AwarrenMTA restarts when used with high CCLs on certain mails

NC-21993 [Network Services] Static MAC-IP binding issue

NC-28815 [Network Services] CVE-2018-5732 and CVE-2018-5733: DHCP vulnerabilities

NC-27874 [Networking] IP address in static DHCP leases is shown incompletely

NC-28029 [Networking] Firewall configured as DHCP relay agent is generating flood on internal DHCP server

NC-28564 [Networking] Backup-Restore failed for different interface name devices when VDSL interface is configured

NC-29721 [Networking] HA failover is taking 10 minutes in v17.0 MR5

NC-28320 [nSXLd] URL Category Lookup provides different results for UI and command line

NC-27556 [PPTP] PPTP Remote Access fails when user name is not in lower case

NC-27881 [Qos] Unit for bandwidth parameter is incorrect on the Dashboard

NC-27942 [RED] XG red to XG red not connecting over MPLS network

NC-22787 [Reporting] Dashboard uses incorrect design for ATP and UTQ widgets

NC-22829 [Reporting] Reports section in Control Center gets stucked when "None" is configured as Admin Profile for "Reports Access"

NC-25786 [Reporting] Logo is not displayed properly in SAR report

NC-27046 [Reporting] "Search Key" filter not working for Google Search Engine

NC-28918 [Reporting] Unable to view Objectionable websites in Control Center and Reports

NC-29465 [Reporting] Not able to send mail digest - due to PG connections full

NC-26575 [SecurityHeartbeat] Heartbeat DB opcode sync command gets stuck

NC-27258 [SecurityHeartbeat] Ipset opcode stucks in HA setup

NC-28065 [SSLVPN] Port 8443 should be useable at any time when not used somewhere else

NC-28219 [SSLVPN] Site-Site SSLVPN: Routes aren't added with IP HOST Group in remote network

NC-23106 [Synchronized App Control] [SAC] Extended Filter/Search function in app Lists

NC-22122 [UI] CVE-2007-6750: Apache Partial HTTP Request Denial of Service Vulnerability for port 8443, 443, 4444

NC-26436 [WAF] Common Threat Filter should be disabled in default Outlook Anywhere Web Protection Policy

NC-28405 [WAF] Content gets lost when using form-hardening

NC-28944 [WAF] HTTPS Certificate Error when editing a Business Application Rule

NC-29483 [WAF] Creating IP host object inline leads to hanging SlowHTTP UI

NC-29650 [WAF] CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request

NC-18038 [Web] Page redirections for authentication (and others) should use hostname not IP

NC-25617 [Web] Log virus name for unscannable content as "Unscannable" in the Web Virus report

NC-25745 [Web] CVE-2016-2183, CVE-2016-6329: SWEET32 SSL/TLS Vulnerability and Triple DES on port 8090

NC-26136 [Web] Change link of Guest User Registration on Captive Portal page into https

NC-27893 [Web] Unable to use apostrophe character in Captive Portal settings

NC-28457 [Web] No response when clicking on Captive Portal login button

NC-28601 [Web] Dynamic app filter rules which do not contain any applications is enforced for all applications

NC-28695 [Web] Block and warnpage previews use wrong template

NC-28759 [Web] Awarrenhttp segfaults when killed while scanning

NC-28792 [Web] IPS fails to close connections which are blocked by an app filter (causing proxy to timeout after 60 sec)

NC-28899 [Web] 'Block HTTP' option disappears if switching from a dynamic category to a non-dynamic one for an activity

NC-29124 [Web] Possible buffer overflow in Web Proxy's warn-proceed transformer

NC-5395 [Wireless] Wrong interface status shown on auxiliary appliance for wireless network

NC-19851 [Wireless] Support Radius Accounting on Remote APs & Local Wifi models

NC-26278 [Wireless] IP addresses not visible in Wireless Client List

NC-27261 [Wireless] Wizard is failing in XG85W(old model) after configuring SSID from wireless config page of wizard

Download

To manually install the upgrade, you can find the firmware for your appliance on the MySophos portal. Please see the following KBA - Sophos Firewall: How to upgrade the firmware: KBA 123285.

Please note that v17.1 is not yet available for XG 85(w) devices. We expect to have support for the XG 85(w) in the next release. Thank you for your patience.
