Software-update: Sophos XG Firewall 18.0 MR4 / 17.5 MR15

Sophos heeft nieuwe versies vrijgegeven van zijn XG Firewall met 18.0 MR4 en 17.5 MR15 als versienummers. Deze software wordt zowel op fysieke hardware als in een soft-appliance voor VMware, Hyper-V, Xen en KVM geleverd. Naast de betaalde varianten voor bedrijven biedt Sophos deze firewall voor thuisgebruik zonder kosten aan, zoals op deze pagina te lezen is. Voor de verschillende image- en updatebestanden kun je terecht op het MySophos-portaal. De lijsten met veranderingen van deze uitgaves zien er als volgt uit:

Enhancements in XG Firewall v18 MR4

High Availability

• Improved FastPath performance for Active-Passive pairs
• HA support in Amazon Web Services using the AWS Transit Gateway (coming soon to the AWS marketplace)
• Improved high availability setup and upgrades

VPN Enhancements

• New advanced options for IPSec remote access (replacing scadmin)
• Sophos Connect VPN client downloads now available from the user portal
• Enforcement of TLS 1.2 for SSL VPN on site-to-site and remote-access connections

Security and other Enhancements

• Stronger password hash – which will prompt you to change your password when upgrading to take full advantage of this important feature
• Password complexity have been enabled for all the passwords
• Web Filtering – Websites that are identified as containing child sexual abuse content by the Internet Watch Foundation (IWF) will be automatically blocked when any web filtering is enabled. See https://www.iwf.org.uk/ for more information on the IWF.
• Cloud Optix integration – Cloud Optix is now XG Firewall aware enabling the two solutions to work better together (full details).
• Synchronized Application Control – a new option will automatically clean up discovered apps that are over a month old
• Authentication – users can now be created for RADIUS using UPN format
• 70 field reported issues have been resolved (see the list below)

New Sophos Central Enhancements

• New Partner Dashboard enabling Sophos partners to do group policy management across their customer base – make a change once and have it automatically replicate across multiple firewalls
• New Group Policy Import enables one firewall to define the group policy during group setup making it easy to migrate from legacy CFM or SFM platforms
• Scheduled Firmware Updates enables MR4 to be the first firmware you schedule using this new option
• Full HA Support enabling easier management and improved fail-over support

Issues resolved in v18 MR4

• NC-59149 [API Framework] CSC hangs as all 16 workers remains busy
• NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
• NC-54576 [Authentication] Sophos Connect connections exhausting virtual IP pool
• NC-57273 [Authentication] Create users for RADIUS in UPN format
• NC-59129 [Authentication] Authentication Failed due to SSL VPN (MAC BINDING) - Logging does not carry any information for the cause.
• NC-61017 [AWS] AWS: TX-DRP increases constantly and affecting production traffic
• NC-59574 [Base System (deprecated)] Sometimes hotfix timer is deleted
• NC-58587 [Clientless Access] Clientless access service crashes
• NC-59411 [DNS] Unable to add "underscore" character in DNS host entry
• NC-54604 [Email] POPs/IMAPs (warren) dropping connection due to ssl cache error
• NC-59897 [Email] Specific inbound mail apparently not being scanned for malware
• NC-60858 [Email] PDF attachment in inbound email got stripped by XG firewall Email Protection
• NC-63870 [Email] XG creates infinite connection to self on Port 25
• NC-59406 [Firewall] Kernel crashed due to conntrack loop
• NC-59809 [Firewall] Loopback rule not hit when created using Server access assistance (DNAT) wizard and WAN interface configured with network rather then host
• NC-59929 [Firewall] Firewall Rules not visible on GUI, Page stuck on Loading
• NC-60078 [Firewall] WAF: Certificate can't be edit via API/XML import
• NC-61226 [Firewall] Different destination IP is shown in log viewer for Allow and Drop firewall rule when DNAT is enabled
• NC-61250 [Firewall] Memory leak (snort) on XG 430 rev. 2 running SFOS v18
• NC-61282 [Firewall, HA] Failed to enable HA when a New XG is replaced in place of another XG.
• NC-62001 [Firewall] Kernel Panic on XG550
• NC-62196 [Firewall] Policy Test for Firewall, SSL/TLS and Web with DAY does not match with Schedule rule
• NC-63429 [Firewall] Kernel stack is corrupted in bitmap hostset netlink dump
• NC-65492 [Firewall] User is not able to generate access code for policy override
• NC-59747 [Firmware Management] Upgrade to the v18 SR4 failed on Azure
• NC-58618 [FQDN] [coredump] fqdnd in Version 18.0.2
• NC-62868 [HA] HA - Certificate Sync fails in Aux
• NC-64269 [HA] IPv6 MAC based rule not working when traffic is load balanced to Auxiliary
• NC-64907 [HA] The auxiliary appliance crashes when broadcast packet is generated from it
• NC-65158 [Hotspot] Voucher Export Shows Encrypted PSKs With SSMK
• NC-57661 [IPS-DAQ-NSE] [NEMSPR-98] Browser 'insecure connection' message when NSE is on but not decrypting
• NC-58391 [IPS-DAQ-NSE] TLS inspection causing trouble with incoming traffic
• NC-61498 [IPS-DAQ-NSE] Symantec endpoint updates URL is getting failed when DPI interfere
• NC-63242 [IPS-DAQ-NSE] SSL/TLS inspection causing outbound problems with Veeam backups
• NC-59774 [IPsec] Charon shows dead Status
• NC-59775 [IPsec] Follow-up: Sporadic connection interruption to local XG after IPsec rekeying
• NC-60361 [IPsec] Intermittently incorrect IKE_SA proposal combination is being sent by XG during IKE_SA rekeying
• NC-61092 [IPsec] Strongswan not creating default route in table 220
• NC-62749 [IPsec] Responder not accepting SPI values after its ISP disconnects
• NC-61101 [L2TP] Symlink not created for L2TP remote access
• NC-62729 [L2TP] L2TP connection on alias interface not working since update to v18
• NC-59563 [Licensing] Apostrophe in email address : Unable to load the "Administration" page from System > Administration
• NC-63117 [Logging Framework] Garner is core-dumping frequently
• NC-61535 [Network Utils] Diagnostics / Tools / Ping utility not working with PPPoE interface
• NC-62654 [nSXLd] NSXLD Coredump caused device hang
• NC-59724 [RED] Back-up from v17.5 MR10 Fails to Restore on v18
• NC-60081 [RED] Unable to specify Username and Password when using GSM 3G/UMTS failover
• NC-60158 [RED] FQDN host Group appearing in RED configuration - Standard /split network
• NC-60854 [RED] Red S2S tunnel static routes disappear on firmware update
• NC-63803 [RED] FailSafe Mode After Backup Restore - Reason Unable To Start RED Service
• NC-55003 [Reporting] Keyword search engine report not working
• NC-59106 [Reporting] Security Audit Report missing information in "Number of Attacks by Severity Level" section
• NC-60430 [Reporting] XG firewall send duplicate copies of schedule executive report
• NC-60851 [Reporting] Scheduled reports won't be sent
• NC-62804 [SecurityHeartbeat] Registration to central security heartbeat does not work via upstream proxy
• NC-62182 [SFM-SCFM] Admin can not able to change password of SF 18.0 device from SFM/CFM device level
• NC-61313 [SNMP] Memory Utilization mismatch between UI and atop/SNMP.
• NC-64454 [SNMP] XG86 - /tmp partition becomes 100% full because of snmpd logs
• NC-53896 [SSLVPN] Enforce TLS 1.2 on SSL VPN connections
• NC-60302 [SSLVPN] All the SSL VPN Live connected users get disconnected when admin change the group of one SSL VPN connected user
• NC-60184 [UI Framework] Missing HTTP Security Headers for HSTS and CSP
• NC-61206 [Up2Date Client] XG Fails To Fetch hotfixes/patterns : File /conf/certificate/u2dclient.pem Missing
• NC-62689 [VFP-Firewall] When fastpath (firewall-acceleration) is enabled ,traceroute will show time-out on the XG hop
• NC-63783 [VFP-Firewall] Unable to start the IPS
• NC-64470 [VFP-Firewall] Auto reboot/nmi_cpu_backtrace due to VFP.Disabling firewall acceleration did fix the issue
• NC-63058 [VirtualAppliance] Incorrect Virtual XG Firewall Model Name Showing in GUI and CLI
• NC-47994 [Web] Pattern updates for SAVI and AVIRA are failing
• NC-54173 [Web] URL Group - add URL control fails on leading/trailing whitespace
• NC-51888 [WebInSnort] IPP/AirPrint not accessible after upgrade software appliance firmware to 18.0 EAP1
• NC-54978 [WebInSnort] When a HTTPS connection is not decrypted, the reports will show a hit to the site but no bytes sent/received
• NC-62448 [WebInSnort] Core dump on Snort
• NC-63515 [WebInSnort] NSE: Unsupported EC type with App control and web policy
• NC-64875 [WebInSnort] HTTP Pipelining errors in DPI mode with non-pipelined traffic

XG Firewall v17.5 MR15 Released

Maintenance Release

• Several security and hardening enhancements
• SSMK (Secure Storage Master Key) for the encryption of sensitive data
• Secure encryption for storing admin password hash
  • Admin (default administrator account) will be asked to change their password
  • Optional but highly recommended
• Password complexity have been enabled for all the passwords

Important Issues Resolved

• NC-61620 [Authentication] Not Able To Restore Backup From CR50iNG To XG135
• NC-62695 [Authentication] SATC: Users Are Not Coming In Live
• NC-58344 [Clientless Access] [SMB Bookmark] Delete file/folder with specific special characters in name, Deletes all contents of shared from smb server
• NC-62210 [Firewall] CSC Unresponsive After Back-Up Is Uploaded From An HA Pair
• NC-65158 [Hotspot] Voucher Export Shows Encrypted PSKs With SSMK
• NC-62807 [IPsec] Responder Not Accepting SPI Values After Its ISP Disconnects
• NC-63825 [PPPoE] For 17.5- PPPoE Link Does Not Reconnect After Disconnecting
• NC-62024 [RED] XG86 /tmp Partition Fills Up
• NC-62072 [RED] RED Log Folders Are 1 Month Behind
• NC-63803 [RED] FailSafe Mode After Backup Restore - Reason Unable To Start RED Service
• NC-63904 [RED] Network Tab Slow Loading Issue
• NC-60457 [SSLVPN] Incorrect Count of Remote User's
• NC-60863 [UI Framework] Improper Color Status In Control Center Widget
• NC-61206 [Up2Date Client] XG Fails To Fetch hotfixes/patterns : File /conf/certificate/u2dclient.pem Missing
• NC-63058 [VirtualAppliance] Incorrect Virtual XG Firewall Model Name Showing in GUI and CLI