The XG Firewall v18 Early Access Program (EAP) 2 firmware release is now available for download. To get the latest release, go to the XG Firewall v18 EAP page.

Note: if you've already registered for the v18 EAP and upgraded your XG Firewall firmware, there's no need to re-register to gain access to the v18 EAP 2 release. You will see a notice in the firewall UI to upgrade through the Up2Date service.

We've updated the "Known Issues, Advice for Users, and Incomplete Features" document with new information.

Please remember, this is still an early build of the v18 release so there are some things we’d like to bring to your attention before you download the firmware and begin testing it.

Upgrade to EAP 2 may take more than usual time depending on the number of TLS session cache files on the disk The cleanup of TLS session cache files could take between 3 and 20 minutes on top of the normal upgrade process, but this could take longer if there are more of these cached files on the disk. It is therefore recommended (example - time critical deployment) to cleanup the cache files manually during off hours. The instruction for manual clean up can be found in “Advice for users” under known issues list

If you are upgrading HA cluster, both devices in the cluster will reboot simultaneously once, as we are moving to SSH tunnel based secure communication between devices in the cluster. Admin will also get appropriate alert on UI before he can proceed.

We’ve attempted to make the build as bug-free as possible, however as is the nature of early access firmware we cannot guarantee it will be.

The firmware is continually being tuned for performance. Expect to see faster speeds in future builds.

As part of the EAP we’ll continue to add additional features into future builds. You can find the features in those later builds in the "What’s New in v18” document.

Important Issues Resolved in SF v18 EAP 2

NC-50214 [DHCP] DHCP server dead with specific configuration

NC-48712 [Email] Antivirus service in stopped state, cannot recover it

NC-51717 [DDNS, Email] DDNS uses wrong IP when interface is configured with PPPoE + Alias

NC-37775 [Firewall] Configuring over 20 time schedulers on the various firewall rules is causing CSC freeze

NC-50712 [Firewall] NAT Rules UI error

NC-47482 [Firmware Management] Firmware mismatch issue - both firmware slots showing same firmware

NC-52441 [Firmware Management] Some time firmware 'install' opcode getting timeout and installation failed

NC-51568 [IPS-DAQ] Coredump in snort

NC-52085 [IPS-DAQ] Wget not working for IPv6 sites in bridge mode - SSL decrypt not working

NC-49919 [IPsec] Dgd service stopped and unable to start

NC-51956 [Web] Slow browsing with DPI Mode - System with 4gb RAM

NC-52710 Gateway status was showing down after upgrading to EAP1 Refresh

NC-52642 "Last 24 hours Memory" Usage Report Bubble show wrong figure

NC-52684 /tmp full : Appliance storing backup frequently at /tmp/backup

Plus 200+ issues and stability fixes are part of EAP 2

New Features and Highlights in SF v18 EAP 2

User based uplink selection in the SDWAN policy routes

Sandstorm threat intelligence detailed report is now available

VLAN members in bridge

Improved Firewall and NAT rule management Advanced filter now has exclusion, proxy, HTTP scanning options Firewall exclusion config is now seen on the manage page Move firewall rule to <nth> position (across the pages) Retain filter on firewall page (session wise) Add / Detach multiple rule to a Group Policy test tool error correction Linked NAT Added Hide linked rule option on NAT manage page Linked NAT rules can be filtered from NAT type filter Auto-populated linked NAT details Added Override SNAT config icon with the tool tip on NAT rule manage page Added Health Check interval (on UI) on NAT Policy page

A part of HA enhancement (other improvements have been planned in EAP 3) Added cluster ID to eliminate VMAC conflict limitation Now supports option to use host/ hypervisor MAC to eliminate vSwitch Promiscuous mode limitation Now supports pre-emption/ Failback Eliminated downtime in case of upgrade using “Firmware Upgrade now and boot later” option HA synchronization now happens over SSH tunnel based secure communication

CLI option to enable-disable policy route trigger on reply traffic and system generated traffic

Port agnostic protocol identification for HTTP and SMTP in Snort

Getting Started

Once you’re ready to go, we’ve got some great resources to help you get started:

Things to Know Before Upgrading

Before upgrading to v18 EAP 2 from an earlier version, there are a few things to note:

Upgrade to EAP 2 may take more than usual time depending on the number of TLS session cache files on the disk The cleanup of TLS session cache files could take between 3 and 20 minutes on top of the normal upgrade process, but this could take longer if there are more of these cached files on the disk. It is therefore recommended (example - time critical deployment) to cleanup the cache files manually during off hours. The instruction for manual clean up can be found in “Advice for users” under known issues list

If you are upgrading HA cluster, both devices in the cluster will reboot simultaneously once, as we are moving to SSH tunnel based secure communication between devices in the cluster. Admin will also get appropriate alert on UI before he can proceed.

You can upgrade to v18 EAP 2 from v17.5 MR6 or later MR versions of v17.5 including latest MR9; as well as from any earlier v18 EAP.

Rollback (firmware switch) is supported as usual. You can roll back to v17.5 MRx if you experience any issues during the v18 EAP. As an example, the active firmware on the firewall is v18, and the second firmware version is v17.5. Administrators can switch between these two and the configuration on each will stay as it is.

Backup and restore are supported as usual. SG Firewalls running SFOS, Cyberoam firewalls and XG Firewall backups can be restored on v18.

Due to a minimum memory requirement of 4GB of RAM, XG 85 and XG 105 models cannot upgrade to v18 and must remain on a 17.x version.

v18 firmware is not supported on Cyberoam models. However, Cyberoam firewall backups can be restored on an XG Firewall running v18.

Downgrading from v18 to older firmware - using v17.5 or earlier firmware file - is NOT supported. The Web console will the give appropriate message. v18 uses Grub boot loader. The changed bootloader cannot recognize v17 firmware. Administrators can still use the hardware ISO of v17.5 or an earlier version to get the firewall on an older firmware version and restore the downgraded firmware's backup.

Recommended upgrade process when you test multiple v18 early access releases:

This is applicable if you have upgraded to v18 from v17.5. When you further upgrade from v18-EAP(x) to v18-EAP(x+1), you can first switch to v17.5 and upgrade from v17.5 directly to v18-EAP(x+1). From there, you can then restore the backup of v18-EAP(x). This way you will always have v17.5 firmware in your second firmware slot, and leave an option open to roll back to v17.5 if needed.

Support

Please do not call the general Sophos Support Hotline for EAP issues.

Troubleshooting support for EAP versions is handled solely through the online Sophos Community EAP Forums.

Share Your Feedback

Communicating your experiences with the v18 EAP firmware is crucial to its success, so we want to hear from you! Please share your feedback via the Sophos Community or through your XG Firewall’s feedback mechanism in the user interface.

Thank you for taking the time to test the v18 EAP release. We’re excited about all the new features this release will bring to Sophos XG users and we appreciate your help making it happen!

Sincerely,

Your Sophos XG Firewall Product Team