SOPHOS XG: SFOS 17.0.5 MR5 Released

Martin 01/02/2018

Sophos released MR5 today. MR4 was “skipped” because its only use was for the factory to support new hardware.

It’s a big maintenance release, as you can see. For my use case, I have a lot of IPsec issues that I look forward to seeing fixed here 🙂

Release notes (From community: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-5-mr5-released):

Note: There are a few edge cases where some customers may still experience issues using multiple subnets with a single IPSec connection.  The team is working on those and all the last known issues should be addressed in MR6 which is expected to follow very soon.

Issues Resolved

  • NC-23258 [API] System debug logs should not contain sensitive information
  • NC-21429 [Authentication] Users don’t show the correct properties from their group after auto-creation
  • NC-21820 [Authentication] Make Access Server port (6060) use IP_PKTINFO
  • NC-22770 [Authentication] User role cannot change to Administrator for AD Users
  • NC-22935 [Authentication] Users are unable to login with CAA
  • NC-27199 [Authentication] Access Server crashes with eDirectory
  • NC-20765 [Base System] If several SNMP communities exist with same name in XG, all are deleted if you delete one
  • NC-22276 [Base System] SNMP Walk delivering inconsistent information
  • NC-22323 [Base System] Garner fails to log when multiple threads call gr_io simultaneously
  • NC-23073 [Base System] iView v3 doesn’t display any email usage data
  • NC-26730 [API, Base System] Unable to change admin password through API
  • NC-25793 [Clientless Access] File browser does not load if directory contains a hardlink
  • NC-25852 [Clientless Access] UI dialog doesn’t reset after closing and reopen
  • NC-21823 [Authentication, Firewall] Live users only displaying 8192 users
  • NC-22738 [Firewall, Performance] Firewall page load time increases after adding firewall groups
  • NC-22878 [Firewall] Allow user to edit rule while double clicking on the rule
  • NC-23254 [Firewall] In TAP mode, management interface doesn’t respond when same traffic is seen on TAP and MGMT
  • NC-25628 [Firewall] Appliance inaccessible after restoring backup file from 16.5 MR8 to 17 MR1
  • NC-25724 [Firewall] Special character “|” allowed in firewall rule name but then does not allow moving firewall rule within the group
  • NC-25965 [Firewall] Unable to delete a proxy-arp entry
  • NC-25970 [Framework(UI)] Change React.js to production mode in SFOS release builds
  • NC-23212 [HA] Wrong Dedicated Link value is displayed after saving HA Auxiliary configuration
  • NC-23077 [Hotspot] Changing hotspot customization type from Full to Basic or Basic to full, removes default voucher template
  • NC-26137 [Hotspot] Interfaces not listed correctly for hotspot configuration
  • NC-22572 [IPS] “Status” value is empty for IPS logs in log viewer
  • NC-26882 [IPS] User can not add IPS Policy Rules to SF with ‘Smart Filter’ option enabled in any IPS policy using SFM
  • NC-27230 [IPS] IPS service is in dead state
  • NC-23016 [IPsec] RSA connection not working without remote ID and remote gateway ‘*’
  • NC-26152 [IPsec] IKEv2 initiator does not try forever if rekeying tries = 0
  • NC-26338 [IPsec] VPN failover timeout takes too long
  • NC-26339 [IPsec] Remote access with IPsec/PSK can’t be established
  • NC-26354 [IPsec] IPsec UP notifications are being sent even though the tunnel is UP for IKEv2
  • NC-26582 [IPsec] IPSec tunnel not reinitiated after PPPoE reconnect
  • NC-26634 [IPsec] Add validation message for PSK connections with remote ‘*’
  • NC-26888 [IPsec] UI – Hostname beginning with a number for VPN remote gateway address is not accepted
  • NC-26988 [IPsec] VPN connection can’t be established if the PSK is very long
  • NC-26998 [IPsec] Webadmin is very slow after update to SF v17 MR3
  • NC-27030 [IPsec] System unresponsive after enabling non-establishing IPsec connections
  • NC-27255 [IPsec] 64 characters PSK gets truncated to 57 characters
  • NC-26100 [Logging] Typo in “Missing Heartbeat” in log viewer
  • NC-19417 [Mail Proxy] Emails have the banner as an attachment instead of inline in the message
  • NC-22816 [Mail Proxy] Unable to release quarantined emails – ‘Bad Request’ received
  • NC-23049 [Mail Proxy] “Release” link in quarantine digest not obeying configuration settings when SF in HA (A-A)
  • NC-25705 [Mail Proxy] Antivirus fails to start after downgrade from v17.0 MR2 to v16
  • NC-25808 [Mail Proxy] AwarrenMTA: few mails appear on queue after delivery (DB query fails due to special character)
  • NC-26061 [Mail Proxy] IP reputation check is skipped when clubbed with ‘recipient verification’ policy
  • NC-26750 [Mail Proxy] RBL scan should be skipped if IP address is in Allowed IP address list
  • NC-26773 [Mail Proxy] Incorrect values shown for disk utilization for SMTP quarantine
  • NC-21877 [Networking] Remove limit for static IP-MAC mapping in DHCP
  • NC-22792 [Networking] Full import export is failing due to specific invalid dhcp config
  • NC-25395 [Networking] Wrong port OUT marked while using of primary and secondary gateway
  • NC-23178 [nSXLd] URL categorization look up fails
  • NC-23206 [nSXLd] Unable to save domain info in customized web categories
  • NC-26080 [Reporting] “Internal Server Error” while accessing Web Admin
  • NC-25589 [SSLVPN] Username with ‘@’ is not displayed correctly in SSL VPN Client
  • NC-22961 [Synchronized App Control] Add customized apps to the “categorized” widget in control center
  • NC-25309 [Synchronized App Control] Timestamps for last occurrence should not show seconds
  • NC-25950 [Synchronized App Control] Endpoint name is shown wrong after upgrade to MR-2
  • NC-25953 [Synchronized App Control] Normalized path is shown instead of filename after upgrade to MR-2
  • NC-22750 [UI] Control Center – text wrapped and appears on two lines in Japanese language
  • NC-26242 [UI] Web Server Protection >> General Settings tab is not displayed in some languages
  • NC-26340 [Up2date Client] Message “New firmware available for AP” shown on dashboard although version is already installed
  • NC-21760 [WAF] Ruleid is not set in case of HTTPS host mismatch
  • NC-25461 [WAF] Additional cookie from WAF is added without HttpOnly detail
  • NC-25633 [WAF] Unable to edit/save WAF rule
  • NC-18732 [IPS, Web] Load average is going high on CR300iNG with SFOS v16.5 & v17.0 GA
  • NC-22030 [Web] Policy tester does not allow multicast addresses in the URL
  • NC-22752 [Web] Range requests cannot download files larger than 2GB
  • NC-22993 [Web] TeamViewer not working after upgrading to 16.5 MR7
  • NC-23061 [Web] Content Filter details are not displayed with languages other than English
  • NC-23082 [Web] Garner segfault occurred in feedback channel plug-in
  • NC-25356 [Web] High memory utilization increasing daily on XG430
  • NC-25370 [Web] Web Proxy does not work correctly when application filter is set to “Synchronized App Control”
  • NC-25397 [Web] Logout option disappears from Captive Portal page
  • NC-25582 [Web] Range header in requests should not be validated when AV scanning is not required
  • NC-25771 [Web] Gmail: Email attachment upload failed with HTTPS scanning
  • NC-26352 [Web] Outlook cert error in explicit mode on dns failures
  • NC-25687 [Wireless] Built-in AP is not broadcasting unless it is configured in a separate zone
  • NC-26380 [Wireless] Wrong wireless AP status displayed in Control Center
