SOPHOS XG: XG Firewall v18 MR-3 released

Sophos has released the longly awaited MR-3 with many good fixes in the package, read all here:

RELEASE NOTES from Sophos:

Enhancements in v18 MR-3

Security enhancements:

Several security and hardening enhancements – including SSMK (secure storage master key) for the encryption of sensitive data. Refer KB-000040174 for more details.
Granular option to enable/ disable captcha authentication from CLI

VPN Remote Access enhancements:

Increase in SSL VPN connection capacity across entire firewall line up; 6x increase for 2U HW. KB-000039345 is being updated with enhanced capacity.
Group support for Sophos Connect VPN client

Cloud – AWS/ Azure/ Nutanix enhancements:

Support for newer AWS instances – C5/ M5 and T3 (#)
Support for CloudFormation Templates removing the need to run installation wizard in some cases (#)
Virtual WAN Zone on custom gateway for post deployment single arm usage
- On single arm – single interface in AWS or Azure – admin can create multiple custom gateway and attached different zones to those gateways. This allows admin to create access and security rules for traffic going in to those zones.
XG Firewall is now Nutanix AHV and Nutanix Flow Ready. XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure.
Optimize cloud costs and improve security across multi-cloud environments with Cloud Optix. Automatic identification and risk-profiling of security and compliance risks across AWS, Azure and Google Cloud enables teams to fix security gaps and insecure deployments before they are compromised. Learn more.

(# available after a few days of release on community, once v18 MR-3 is available in the AWS marketplace)

Central management enhancements:

XG running in an HA configuration (either A-A or A-P) can now be managed by Sophos Central. Each firewall must be separately joined to the same Sophos Central account, and if grouped, both HA devices must be added to the same group.
Audit trail went live under the task queue

Central Firewall Reporting enhancements:

Earlier this month, we have released Save, schedule, export & download reports. Refer community post here.

Issues Resolved:

34 field reported issues including RED & HA cluster issues (list below)

Note: Upgrading from v17.5 MR13/ MR14/ MR14-1 to v18 MR-3 is now supported.

More on XG Firewall v18

Check out our recent blog and video series on how to make the most of the many great new capabilities in XG Firewall v18 such as the Xstream Architecture, TLS Inspection, FastPath acceleration, Zero-day threat protection, NAT, and much more.

We also have a new Sophos Techvids site for XG Firewall v18.

Get it now!

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled-out automatically to all systems over the coming weeks but you can access the firmware anytime to do a manual update through Licensing Portal. You can refer this article for more information on How to upgrade the firmware.

For fresh installations, the download links will be updated right here very soon.

Things to know before upgrading

You can upgrade from SFOS 17.5 (MR6 to MR14-1) to v18 MR-3. Check out the relevant sections of the XG v18 release notes for details on:

Issues Resolved in v18 MR-3

NC-58229 [Authentication] Sophos AV and Avira AV Pattern updates failing
NC-51876 [Core Utils] Weak SSHv2 key exchange algorithms
NC-58144 [DNS] XG self reporting its own lookups in ATP causing flood of events
NC-54542 [Email] Email banner is added to incoming emails
NC-59396 [Email] Blocked senders are able to send the mails
NC-58159 [Firewall] Unable to ping the external IPs from auxiliary appliance console
NC-58356 [Firewall] Direct proxy traffic doesn’t work when RBVPN is configured.
NC-58402 [Firewall] Firewall reboots randomly.
NC-59399 [Firewall] ERROR(0x03): Failed to migrate config. Loading default.
NC-60713 [Firewall] Userportal hotspot voucher config gets timeout
NC-60848 [Firewall] HA cluster both nodes rebooting unexpectedly
NC-59063 [Firmware Management] Remove expired CAs from SFOS
NC-44455 [HA] System originated traffic is not flow from AUX when SNAT policy configured for system originated traffic
NC-62850 [HA] Filesystem oddity in /conf
NC-58295 [IPsec] Dropped due to TLS engine error: STREAM_INTERFACE_ERROR
NC-58416 [IPsec] IKE SA Re keying won’t be re-initiate itself after re-transmission time out of 5 attempts
NC-58499 [IPsec] Sophos Connect Client ”IP is supposed to be added in the “##ALL_IPSEC_RW “
NC-58687 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
NC-58075 [Netflow/IPFIX] Netflow data not sending interface ID
NC-55698 [nSXLd] Not able to add new domain in custom category
NC-62029 [PPPoE] PPPoE link does not reconnect after disconnecting
NC-57819 [RED] XG Site to Site RED Tunnel disconnects randomly also with MR10 and v18
NC-60240 [RED] Interfaces page is blank after adding SD-RED60 with PoE selected
NC-61509 [RED] RCA s2s red tunnel static routes disappear on FW update
NC-62161 [RED] RED connection with device becomes unstable after upgrading to v18.0 MR1 from v17.5 MR12
NC-59204 [SFM-SCFM] Task queue pending but never apply with XG86W appliance
NC-60599 [SFM-SCFM] Task queue pending but never apply due to no proper encoding
NC-62304 [SFM-SCFM] The notification e-mail sent from the XG displays the wrong Central Administrator
NC-61956 [UI Framework] WebAdmin Console and User Portal not accessible because space in certificate name
NC-62218 [UI Framework] Post-auth command injection via User Portal 1/2 (CVE-2020-17352)
NC-62222 [UI Framework] Post-auth command injection via User Portal 2/2 (CVE-2020-17352)
NC-58960 [Up2Date Client] HA: IPS service observed DEAD
NC-59064 [Web] Appliance goes unresponsive : Awarrenhttp high memory consumption
NC-60719 [WebInSnort] DPI engine causing website to intermittently load slowly

Here are some direct links to helpful resources:

Source: https://community.sophos.com/xg-firewall/b/blog/posts/xg-firewall-v18-mr3