Support-Portal

SFOS 17.1.0 GA

Beschreibung

SFOS v17.1.0 GA ist jetzt verfügbar. Hier finden sie alles, was sie wissen müssen.

Das Release ist als manuelles Update für alle SFOS-Versionen über das MySophos-Portal verfügbar.

Das On-the-Box-Upgrade („Neue Firmware verfügbar“-Pop-Up & „Nach neuer Firmware suchen”) wird in kurzer Zeit zur Verfügung stehen.

Bemerkungen

Für den Fall, dass sie ihre Firewall mithilfe von SFM/CFM verwalten: Firewalls die SFOS v17.1 GA nutzen, werden die Anwendungsfilter-Richtlinien nicht akzeptieren, wenn diese von einer Gerätegruppe oder einem Template angewendet werden. Sie können die Anwendungsregeln von der Geräteansicht in SFM/CFM aus verwalten, bis diese Limitierung in SFOS 17.1 MR-1 aufgehoben wurde.

Features

Cloud App Sichtbarkeit

Bringt die Sichtbarkeitssäule von CASB auf die Sophos XG Firewall, wodurch sie schnell und einfach Einblick in die Shadow IT erhalten und sehen welche Daten innerhalb der Cloud-Anwendungen besonders gefährdet sind mithilfe von großatigen Berichten über Nutzer und Datenvolumen, das von den Cloud-Diensten geup- und gedownloaded wird

Synchronisierte Anwendungskontrolle

Erhält weitere Verbesserungen für das Management neu entdeckter Applikationen, wie zum Beispiel Optionen zum Suchen, Filtern und Löschen von Anwendungen. Zudem wird ihnen nun in der Liste die Kategorie angezeigt, die der neu entdeckten Anwendung zugeordnet wurde

Email-Sicherheit

Benutzermanagement über individuelle SMTP-Blocks hinzugefügt und Listen über das User Portal erlaubt. Domains und Email-Adressen, die der Erlaubt-Liste hinzugefügt wurden, werden Richtlinien umgehen (mit Ausnahme von Malware oder Sandbox-Erzwingung) und Domains, sowie Email-Adressen, die auf der Block-Liste stehen, werden automatische in die Quarantäne geleitet

SSL VPN Port-Option

Verbesserungen in der Firewall- und Regelverwaltung verbessern die Flexibilität und optimieren die Verwaltung weiter. Sie können nun auf eine irewall-Regel aus der Liste doppelklicken, um sie zu bearbeiten. Es gibt auch eine neue Option um Google QUICs HTTPS über UDP zu blocken, was einen Fallback zu TCP verursacht und volle SSL-Inspektion von Traffic möglich macht. Zudem besteht nun die Möglichkeit beim Definieren von ACL-Ausnahmen den Zugang für Services wie dem User Portal von einem einzelnen Alias zu beschränken

Wireless Verbesserungen

XG Firewall 17.1 bring Verbesserungen für das Wireless Networking, wie zum Beispiel die Option die Channelbreite für Drahtlostransmitter sowohl in der GUI, als auch bei RADIUS einzustellen

IPSec VPN IKEv2 Verbesserungen

In dieser Version wird neuer IKEv2 Support für IPSec VPN Verbindungen hinzugefügt und alle Stabilitäts- und Zuverlässigkeitsverbesserungen, die in folgenden Wartungsreleases erscheinen, sind in Version 17.1 enthalten

Neuer Hardware Support

Unterstützung der neuesten XG-Serie-Desktophardwareverbindungen und -features, die bereits in früheren Wartungsreleases bekannt gegeben worden, sind auch in Sophos XG Firewall v17.1 enthalten

Betroffene Produktgruppen

Bugfixes

  • NC-31554: [Base System] Missing color indication for ATP widget
  • NC-31662: [Base System] Change of the XG Firewall login screen
  • NC-31484: [Email] Emails are not removed from spool after update to SF 17.0 MR8<br />
  • NC-31514: [Firewall] Editing IPv6 host is not possible
  • NC-31030: [SSLVPN] Remove misleading message "Port 443 is already in use by User Portal"
  • NC-31615: [Web] Remove file type data columns in cloud application dashboard
  • NC-30212: [Base System] Device displays fail message for SFM/CFM heartbeat
  • NC-29075: [Email] Unable to update mail spool if mail address contains special character (')
  • NC-29757: [Email] CVE-2011-1473: POP/IMAP - Secure Client-Initiated Renegotiation vulnerability
  • NC-30160: [Email] Option "Skip mails (for malware scan) greater than" is not working for outbound traffic
  • NC-30183: [Email] Notification test email fails with authentication when mail send without saving configuration
  • NC-30303: [Email] Possible authenticated remote code execution in mail_sender
  • NC-30649: [Email] Permissions for Email protection are not exported correctly
  • NC-29216: [Firewall] Separate out filter and NAT table chains for IPsec in two different services
  • NC-29505: [Firewall] Traffic shaping rule for firewall has wrong default policy association
  • NC-29776: [Firewall] After migrating from CR to SF DNAT rules stop working after every reboot
  • NC-29990: [Firewall] Import/Export of destination local acl always set to "any" if any port is selected before
  • NC-30037: [Firewall] Validation missing if IPv4 is selected as IP version
  • NC-30197: [Firewall] Firewall rule filter is not working from second page onwards
  • NC-30588: [Firewall] Policy Tester ignores IP host groups in the firewall rule
  • NC-30766: [Firewall] Unauthenticated XSS in diagnostics component
  • NC-30871: [Firewall] Japanese column header not displayed in the right place in Protect -> Firewall
  • NC-19980: [Framework(UI)] Filter search containing backslash char will not find the match
  • NC-30575: [Framework(UI)] VPN FO Group selection widget doesn't display correctly in Chrome
  • NC-28826: [HA] HA migration does not complete if dedicated link goes down during migration process
  • NC-29572: [IPsec] GUI allows admin to select external certificate for Remote Certificate for IPsec Connection for Remote Access
  • NC-30830: [IPsec] CVE-2018-10811 & memleak: Import upstream strongswan patches
  • NC-30979: [IPsec] IPsec route can disappear if two connections use the same
  • NC-29889: [Network Services] Unable to lease the IP to some users
  • NC-31017: [RED] RED S2S client does not work with routed server address
  • NC-29733: [Reporting] Showing unknown character for Current HA status under reports with HA
  • NC-29846: [Reporting] Sort by Users/Byte is not working on Cloud Applications page
  • NC-30155: [Reporting] Wrong label displayed for widget of Cloud Application
  • NC-30155: [Reporting] Wrong label displayed for widget of Cloud Application
  • NC-30190: [Reporting] Records are not displaying in HTML export for "Records Per Chart 25 and more" for some widget of Cloud application
  • NC-28789: [Sandstorm] ExcludeSandstormFileTypes is not available in SandboxSettings XMLAPI data
  • NC-27461: [SFM-SCFM] Compatibility v17: Firewall UI issues at device level
  • NC-28913: [SFM-SCFM] Compatibility v17: Appliance unsync when applying L2TP (Remote Access) or IPSEC configuration
  • NC-29907: [SSLVPN] Not able to edit SSL VPN (Remote Access) policy
  • NC-30847 : [SSLVPN] Unable to set user portal port to SSL VPN port
  • NC-29278: [Synchronized App Control] Renaming an Endpoint does not update SAC table
  • NC-29820: [Synchronized App Control] No new logs since 2 days - /tmp is full on XG85
  • NC-31020: [Synchronized App Control] Synchronized Application Control page is taking too long to load
  • NC-31229: [Synchronized App Control] SAC data table not loaded after migration to v17.1 Beta1
  • NC-30054: [UI] Device Access page showing error on Auxiliary machine<br />
  • NC-29602: [WAF] API Get for SecurityPolicy does not return Traffic Shaping settings for the policy
  • NC-29876: [WAF] Website hosted over WAF taking more time to load when Common Threat Filter enabled
  • NC-30448: [WAF] Rewrite HTML for site path with special characters leads to memory allocation failure
  • NC-28699: [Web] Cloud Applications Control center widget - spacing issue
  • NC-28762: [Web] After power failure, Android devices captive portal does not disappear after logging in
  • NC-29002: [Web] API Import for WebFilterPolicy with dependent entities failed
  • NC-29164: [Web] Proxy drops HTTP Response when 100 and 200 in same packet
  • NC-29166: [Web] AV files served from cache are not scanned if 'scan av' flag enabled after file was cached
  • NC-29385: [Web] Data mismatch for Control Center and reporting widget for Cloud Application
  • NC-29479: [Web] Usercache is not updated when classification set through AppClassificationBatchAssignment
  • NC-29504: [Web] Captive Portal customization Reset to Defaults does not work
  • NC-29601: [Web] Policy Test Tool not working
  • NC-29809: [Web] When cloud dash board page contains more than 10 apps, some apps will not show app-icon warning exclamation triangle mark when changing app classification
  • NC-29984: [Web] WebFilterURLGroup API Doc is misleading
  • NC-30606: [Web] Fail to change application classification when changing to other languages
  • NC-30682: [Web] Cloud Applications page loading failed in XG85 appliance
  • NC-31042: [Web] Cloud Applications dashboard column names have overlapping text in French
  • NC-27033: [Wireless] Pending text is wrapping to next line for Wireless APs counter
  • NC-27535: [Wireless] UI is not displaying WiFi client's IP when multiple clients are connected to AP
  • NC-28763: [Wireless] UI displays AP as inactive even if AP was active<br />
  • NC-28765: [Wireless] AP goes in inactive mode when used "2.4 Ghz and 5 Ghz" Frequency band
  • NC-29419: [Wireless] Not able to configure channel 12 and channel 13 on Desktop refresh devices
  • NC-29988: [Wireless] Wireless network update is not reflecting when it is assigned to LocalWiFi1(OptionalWiFi)
  • NC-29977: [WAF] Reverse authentication: Access possible for empty protection profile
  • NC-28797: [Access] User Edit page doesn't load for some users who are part of multiple groups
  • NC-26797: [API] HA devices update from MR2 to MR3 result in primary unit being factory reset
  • NC-22530: [Authentication] Webfilter policy is not working for auto-created AD user
  • NC-28175: [Authentication] Customer from NC-21823 has updated and getting segfault for access_server
  • NC-16090: [Base System] Source port changes to random over IPSec VPN
  • NC-25783: [Base System] Import certificate option is missing for CSR
  • NC-26328: [Base System] Additional CPU cores not detected in v17 after license upgrade
  • NC-27022: [Base System] Import from configuration failed due to too long certificate name
  • NC-27076: [Base System] Ping utility not working
  • NC-27263: [Base System] Incorrect interface speed is shown via SNMP
  • NC-28033: [Base System] Packet capture and connection list issue
  • NC-28220: [Base System] Garner active.db file size is too big in /tmp/eventlogs due to LogViewer output plug-in
  • NC-28566: [Base System] Garner service restarts
  • NC-27087: [Certificates] Default CA regeneration fails
  • NC-27853: [DDNS] DynDNS update does not happen in the configured time range
  • NC-28177: [DNS] Unable to resolve DNS of services.vip.symantec.com when registering it in Services/FQDN Host
  • NC-22864: [Firewall] Quick QUIC block
  • NC-22878 : [Firewall] Allow user to edit rule while double clicking on the rule
  • NC-22927: [Firewall] NATPolicy API export fails when it contains NAT profile created on network
  • NC-26433: [Firewall] Captive Portal access issue for Android devices
  • NC-26560: [Firewall] One time schedule in firewall rule for VPN traffic doesn't block traffic when schedule expires
  • NC-27004: [Firewall] Unable to send email due to Default Internet Scheme Policy
  • NC-27164: [Firewall, Performance] LAN interface become unresponsive
  • NC-28025: [Firewall] Policy Tester ignores service groups in the firewall rule
  • NC-28710: [Firewall] Display of firewall rule in Firewall Group overlaps with display of action
  • NC-28756: [Firewall] Appliance inaccessible after the backup restore
  • NC-28785: [Firewall] Packet capture log is empty when opened via hyperlink in log viewer for IPv6
  • NC-28791: [Firewall] Sometimes VPN is not working when bridge has WAN interface
  • NC-28800: [Firewall] Firewall Rule ID is shown with an incorrect ID
  • NC-29379: [Firewall] HA Aux appliance goes in failsafe mode when failed to load LBS module (occurs only in specific IPv6 condition)
  • NC-29243: [Framework(UI)] Subnet creation is broken for IE11
  • NC-25854: [HA] Disable HA fails on auxiliary appliance when LAG interface is used as peer admin port and a bridge interface is also configured in SFOS
  • NC-29040: [Hotspot] File name containing space is not working for images/stylesheets and logos of hotspots
  • NC-26514: [IPS] IPS core dumps with appliances in HA (A-A)
  • NC-27549: [IPS] ATP Exception is getting removed automatically
  • NC-28602: [IPS] Filter alignments in Application Filter Policy Rule are displayed incorrect
  • NC-29174: [IPS] IPS Policies are not being pushed out via SFM template
  • NC-25380: [IPsec] Add an option to auto create a Firewall rule
  • NC-22604: [Logging] GUI alignment issue when sender name or subject is longer
  • NC-26357: [Logging] Log viewer is not loading after adding any filter and read/write goes high after activity
  • NC-21745: [Mail Proxy] i18n file name is not displayed in log viewer and on sandstorm activity page for sandstorm module
  • NC-25746: [Mail Proxy] CVE-2012-4929: SSL/TLS CRIME Vulnerability on port 8094
  • NC-26472: [Mail Proxy] AwarrenMTA: few mails appear on queue after delivery (DB connect fail)
  • NC-26930: [Mail Proxy] XG not able to update spool due to special characters in failure reason
  • NC-27240: [Mail Proxy] Unable to send emails due to auto routing to rcpt DNS in case of greylisting reply for MX
  • NC-27365: [Mail Proxy] Display issues with german umlauts in SPX Template
  • NC-28081: [Mail Proxy] Unable to save the SMTP policy when some MIME types are selected
  • NC-28364: [Mail Proxy] Email should be quarantined if scanning fails due to unscannable file
  • NC-28819: [Mail Proxy] Quarantined emails are not visible on SMTP Quarantine
  • NC-29018: [Mail Proxy] XG is unable to block email attachments when sent via Powershell v5.1<br />
  • NC-29103: [Mail Proxy] Unable to release quarantine mails with special characters from spam digest
  • NC-29315: [Mail Proxy] CTIPD service should be stopped if Email or WAF subscription is not activated
  • NC-29319: [Mail Proxy] Unable to release false positive outbound spam emails
  • NC-29339: [Mail Proxy] CVE-2013-0169: Multiple SSL/TLS vulnerabilities - POP/IMAP
  • NC-29437: [Mail Proxy] Multi-level subdomain getting 501 syntax error while “Reject invalid HELO or missing RDNS” enabled
  • NC-29671: [Mail Proxy] AwarrenMTA restarts when used with high CCLs on certain mails
  • NC-21993: [Network Services] Static MAC-IP binding issue
  • NC-28815: [Network Services] CVE-2018-5732 and CVE-2018-5733: DHCP vulnerabilities
  • NC-27874: [Networking] IP address in static DHCP leases is shown incompletely
  • NC-28029: [Networking] Firewall configured as DHCP relay agent is generating flood on internal DHCP server
  • NC-28564: [Networking] Backup-Restore failed for different interface name devices when VDSL interface is configured
  • NC-29721: [Networking] HA failover is taking 10 minutes in v17.0 MR5
  • NC-28320: [nSXLd] URL Category Lookup provides different results for UI and command line
  • NC-27556: [PPTP] PPTP Remote Access fails when user name is not in lower case
  • NC-27881: [Qos] Unit for bandwidth parameter is incorrect on the Dashboard
  • NC-27942: [RED] XG red to XG red not connecting over MPLS network
  • NC-22787: [Reporting] Dashboard uses incorrect design for ATP and UTQ widgets
  • NC-22829: [Reporting] Reports section in Control Center gets stucked when "None" is configured as Admin Profile for "Reports Access"
  • NC-25786: [Reporting] Logo is not displayed properly in SAR report
  • NC-27046: [Reporting] "Search Key" filter not working for Google Search Engine
  • NC-28918: [Reporting] Unable to view Objectionable websites in Control Center and Reports
  • NC-29465: [Reporting] Not able to send mail digest - due to PG connections full
  • NC-26575: [SecurityHeartbeat] Heartbeat DB opcode sync command gets stuck
  • NC-27258: [SecurityHeartbeat] Ipset opcode stucks in HA setup
  • NC-28065: [SSLVPN] Port 8443 should be useable at any time when not used somewhere else
  • NC-28219: [SSLVPN] Site-Site SSLVPN: Routes aren't added with IP HOST Group in remote network
  • NC-23106: [Synchronized App Control] [SAC] Extended Filter/Search function in app Lists
  • NC-22122: [UI] CVE-2007-6750: Apache Partial HTTP Request Denial of Service Vulnerability for port 8443, 443, 4444
  • NC-26436: [WAF] Common Threat Filter should be disabled in default Outlook Anywhere Web Protection Policy
  • NC-28405: [WAF] Content gets lost when using form-hardening
  • NC-28944: [WAF] HTTPS Certificate Error when editing a Business Application Rule
  • NC-29483: [WAF] Creating IP host object inline leads to hanging SlowHTTP UI
  • NC-29650: [WAF] CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request
  • NC-18038: [Web] Page redirections for authentication (and others) should use hostname not IP
  • NC-25617: [Web] Log virus name for unscannable content as "Unscannable" in the Web Virus report
  • NC-25745: [Web] CVE-2016-2183, CVE-2016-6329: SWEET32 SSL/TLS Vulnerability and Triple DES on port 8090
  • NC-26136: [Web] Change link of Guest User Registration on Captive Portal page into https
  • NC-27893: [Web] Unable to use apostrophe character in Captive Portal settings
  • NC-28457: [Web] No response when clicking on Captive Portal login button
  • NC-28601: [Web] Dynamic app filter rules which do not contain any applications is enforced for all applications
  • NC-28695: [Web] Block and warnpage previews use wrong template
  • NC-28759: [Web] Awarrenhttp segfaults when killed while scanning
  • NC-28792: [Web] IPS fails to close connections which are blocked by an app filter (causing proxy to timeout after 60 sec)
  • NC-28899: [Web] 'Block HTTP' option disappears if switching from a dynamic category to a non-dynamic one for an activity
  • NC-29124: [Web] Possible buffer overflow in Web Proxy's warn-proceed transformer
  • NC-5395: [Wireless] Wrong interface status shown on auxiliary appliance for wireless network
  • NC-19851: [Wireless] Support Radius Accounting on Remote APs & Local Wifi models
  • NC-26278: [Wireless] IP addresses not visible in Wireless Client List
  • NC-27261: [Wireless] Wizard is failing in XG85W(old model) after configuring SSID from wireless config page of wizard