Description
Notes
Features
High Availability improvements
- Improved fast-path performance for active-passive clusters
- HA support in Amazon Web Services deployments that use the AWS Transit Gateway (available on the Marketplace soon)
- Improved High Availability setup and upgrades
VPN improvements
- New advanced options for IPsec remote access connections (replaces scadmin)
- Sophos Connect VPN client downloads now available through the User Portal
- Enforcement of TLS 1.2 for SSL VPN on site-to-site and remote access connections
Other improvements
- Stronger password hash – after the upgrade you will be asked to change your password to get the full benefit of this change
- Password complexity enabled for all passwords
- Web filter – websites that the Internet Watch Foundation (IWF) has linked to child pornography are blocked automatically as soon as any form of web filtering is active.
- Cloud Optix integration – Cloud Optix is now XG Firewall-aware
- Synchronized Application Control – a new option to automatically remove discovered apps that are older than two months
- Authentication – users can be created for RADIUS using the UPN format
Affected product groups
Bugfixes
Issues / Bugs
- NC-59149: [API Framework] CSC hangs as all 16 workers remains busy
- NC-50703: [Authentication] Access server restarted with coredump using STAS and Chrome SSO
- NC-54576: [Authentication] Sophos Connect connections exhausting virtual IP pool
- NC-57273: [Authentication] Create users for RADIUS in UPN format
- NC-59129: [Authentication] Authentication Failed due to SSL VPN (MAC BINDING) - Logging does not carry any information for the cause.
- NC-61017: [AWS] AWS: TX-DRP increases constantly and affecting production traffic
- NC-59574: [Base System (deprecated)] Sometimes hotfix timer is deleted
- NC-58587: [Clientless Access] Clientless access service crashes
- NC-59411: [DNS] Unable to add "underscore" character in DNS host entry
- NC-54604: [Email] POPs/IMAPs (warren) dropping connection due to ssl cache error
- NC-59897: [Email] Specific inbound mail apparently not being scanned for malware
- NC-60858: [Email] PDF attachment in inbound email got stripped by XG firewall Email Protection
- NC-63870: [Email] XG creates infinite connection to self on Port 25
- NC-59406: [Firewall] Kernel crashed due to conntrack loop
- NC-59809: [Firewall] Loopback rule not hit when created using Server access assistance (DNAT) wizard and WAN interface configured with network rather than host
- NC-59929: [Firewall] Firewall Rules not visible on GUI, Page stuck on Loading
- NC-60078: [Firewall] WAF: Certificate can't be edit via API/XML import
- NC-61226: [Firewall] Different destination IP is shown in log viewer for Allow and Drop firewall rule when DNAT is enabled
- NC-61250: [Firewall] Memory leak (snort) on XG 430 rev. 2 running SFOS v18
- NC-61282: [Firewall, HA] Failed to enable HA when a New XG is replaced in place of another XG.
- NC-62001: [Firewall] Kernel Panic on XG550
- NC-62196: [Firewall] Policy Test for Firewall, SSL/TLS and Web with DAY does not match with Schedule rule
- NC-63429: [Firewall] Kernel stack is corrupted in bitmap hostset netlink dump
- NC-65492: [Firewall] User is not able to generate access code for policy override
- NC-59747: [Firmware Management] Upgrade to the v18 SR4 failed on Azure
- NC-58618: [FQDN] [coredump] fqdnd in Version 18.0.2
- NC-62868: [HA] HA - Certificate Sync fails in Aux
- NC-64269: [HA] IPv6 MAC based rule not working when traffic is load balanced to Auxiliary
- NC-64907: [HA] The auxiliary appliance crashes when broadcast packet is generated from it
- NC-65158: [Hotspot] Voucher Export Shows Encrypted PSKs With SSMK
- NC-57661: [IPS-DAQ-NSE] [NEMSPR-98] Browser 'insecure connection' message when NSE is on but not decrypting
- NC-58391: [IPS-DAQ-NSE] TLS inspection causing trouble with incoming traffic
- NC-61498: [IPS-DAQ-NSE] Symantec endpoint updates URL is getting failed when DPI interfere
- NC-63242: [IPS-DAQ-NSE] SSL/TLS inspection causing outbound problems with Veeam backups
- NC-59774: [IPsec] Charon shows dead Status
- NC-59775: [IPsec] Follow-up: Sporadic connection interruption to local XG after IPsec rekeying
- NC-60361: [IPsec] Intermittently incorrect IKE_SA proposal combination is being sent by XG during IKE_SA rekeying
- NC-61092: [IPsec] Strongswan not creating default route in table 220
- NC-62749: [IPsec] Responder not accepting SPI values after its ISP disconnects
- NC-61101: [L2TP] Symlink not created for L2TP remote access
- NC-62729: [L2TP] L2TP connection on alias interface not working since update to v18
- NC-59563: [Licensing] Apostrophe in email address : Unable to load the "Administration" page from System > Administration
- NC-63117: [Logging Framework] Garner is core-dumping frequently
- NC-61535: [Network Utils] Diagnostics / Tools / Ping utility not working with PPPoE interface
- NC-62654: [nSXLd] NSXLD Coredump caused device hang
- NC-59724: [RED] Back-up from v17.5 MR10 Fails to Restore on v18
- NC-60081: [RED] Unable to specify Username and Password when using GSM 3G/UMTS failover
- NC-60158: [RED] FQDN host Group appearing in RED configuration - Standard /split network
- NC-60854: [RED] Red S2S tunnel static routes disappear on firmware update
- NC-63803: [RED] FailSafe Mode After Backup Restore - Reason Unable To Start RED Service
- NC-55003: [Reporting] Keyword search engine report not working
- NC-59106: [Reporting] Security Audit Report missing information in "Number of Attacks by Severity Level" section
- NC-60430: [Reporting] XG firewall send duplicate copies of schedule executive report
- NC-60851: [Reporting] Scheduled reports won't be sent
- NC-62804: [SecurityHeartbeat] Registration to central security heartbeat does not work via upstream proxy
- NC-62182: [SFM-SCFM] Admin can not able to change password of SF 18.0 device from SFM/CFM device level
- NC-61313: [SNMP] Memory Utilization mismatch between UI and atop/SNMP.
- NC-64454: [SNMP] XG86 - /tmp partition becomes 100% full because of snmpd logs
- NC-53896: [SSLVPN] Enforce TLS 1.2 on SSL VPN connections
- NC-60302: [SSLVPN] All the SSL VPN Live connected users get disconnected when admin change the group of one SSL VPN connected user
- NC-60184: [UI Framework] Missing HTTP Security Headers for HSTS and CSP
- NC-61206: [Up2Date Client] XG Fails To Fetch hotfixes/patterns : File /conf/certificate/u2dclient.pem Missing
- NC-62689: [VFP-Firewall] When fastpath (firewall-acceleration) is enabled, traceroute will show time-out on the XG hop
- NC-63783: [VFP-Firewall] Unable to start the IPS
- NC-64470: [VFP-Firewall] Auto reboot/nmi_cpu_backtrace due to VFP. Disabling firewall acceleration did fix the issue
- NC-63058: [VirtualAppliance] Incorrect Virtual XG Firewall Model Name Showing in GUI and CLI
- NC-47994: [Web] Pattern updates for SAVI and AVIRA are failing
- NC-54173: [Web] URL Group - add URL control fails on leading/trailing whitespace
- NC-51888: [WebInSnort] IPP/AirPrint not accessible after upgrade software appliance firmware to 18.0 EAP1
- NC-54978: [WebInSnort] When a HTTPS connection is not decrypted, the reports will show a hit to the site but no bytes sent/received
- NC-62448: [WebInSnort] Core dump on Snort
- NC-63515: [WebInSnort] NSE: Unsupported EC type with App control and web policy
- NC-64875: [WebInSnort] HTTP Pipelining errors in DPI mode with non-pipelined traffic