Support-Portal

SFOS 18 MR 4 released

Description

Notes

Features

High Availability enhancements
  • Improved fast-path performance for active-passive clusters
  • HA support in Amazon Web Services using the AWS Transit Gateway (available on the Marketplace soon)
  • Improved High Availability setup and upgrades
VPN enhancements
  • New advanced options for IPsec remote access connections (replaces scadmin)
  • Sophos Connect VPN client downloads now available via the user portal
  • Enforcement of TLS 1.2 for SSL VPN on site-to-site and remote access connections
Other enhancements
  • Stronger password hash – after the upgrade you will be asked to change your password to get the full benefit of this change
  • Password complexity enabled for all passwords
  • Web filtering – websites that, according to the Internet Watch Foundation (IWF), are associated with child pornography are blocked automatically as soon as any form of web filtering is active.
  • Cloud Optix integration – Cloud Optix is now XG Firewall-aware
  • Synchronized Application Control – a new option to automatically remove discovered apps that are older than two months
  • Authentication – users can be created in UPN format for RADIUS

Affected product groups

Bugfixes

Issues / Bugs

  • NC-59149: [API Framework] CSC hangs as all 16 workers remains busy
  • NC-50703: [Authentication] Access server restarted with coredump using STAS and Chrome SSO
  • NC-54576: [Authentication] Sophos Connect connections exhausting virtual IP pool
  • NC-57273: [Authentication] Create users for RADIUS in UPN format
  • NC-59129: [Authentication] Authentication Failed due to SSL VPN (MAC BINDING) - Logging does not carry any information for the cause.
  • NC-61017: [AWS] AWS: TX-DRP increases constantly and affecting production traffic
  • NC-59574: [Base System (deprecated)] Sometimes hotfix timer is deleted
  • NC-58587: [Clientless Access] Clientless access service crashes
  • NC-59411: [DNS] Unable to add "underscore" character in DNS host entry
  • NC-54604: [Email] POPs/IMAPs (warren) dropping connection due to ssl cache error
  • NC-59897: [Email] Specific inbound mail apparently not being scanned for malware
  • NC-60858: [Email] PDF attachment in inbound email got stripped by XG firewall Email Protection
  • NC-63870: [Email] XG creates infinite connection to self on Port 25
  • NC-59406: [Firewall] Kernel crashed due to conntrack loop
  • NC-59809: [Firewall] Loopback rule not hit when created using Server access assistance (DNAT) wizard and WAN interface configured with network rather than host
  • NC-59929: [Firewall] Firewall Rules not visible on GUI, Page stuck on Loading
  • NC-60078: [Firewall] WAF: Certificate can't be edit via API/XML import
  • NC-61226: [Firewall] Different destination IP is shown in log viewer for Allow and Drop firewall rule when DNAT is enabled
  • NC-61250: [Firewall] Memory leak (snort) on XG 430 rev. 2 running SFOS v18
  • NC-61282: [Firewall, HA] Failed to enable HA when a New XG is replaced in place of another XG.
  • NC-62001: [Firewall] Kernel Panic on XG550
  • NC-62196: [Firewall] Policy Test for Firewall, SSL/TLS and Web with DAY does not match with Schedule rule
  • NC-63429: [Firewall] Kernel stack is corrupted in bitmap hostset netlink dump
  • NC-65492: [Firewall] User is not able to generate access code for policy override
  • NC-59747: [Firmware Management] Upgrade to the v18 SR4 failed on Azure
  • NC-58618: [FQDN] [coredump] fqdnd in Version 18.0.2
  • NC-62868: [HA] HA - Certificate Sync fails in Aux
  • NC-64269: [HA] IPv6 MAC based rule not working when traffic is load balanced to Auxiliary
  • NC-64907: [HA] The auxiliary appliance crashes when broadcast packet is generated from it
  • NC-65158: [Hotspot] Voucher Export Shows Encrypted PSKs With SSMK
  • NC-57661: [IPS-DAQ-NSE] [NEMSPR-98] Browser 'insecure connection' message when NSE is on but not decrypting
  • NC-58391: [IPS-DAQ-NSE] TLS inspection causing trouble with incoming traffic
  • NC-61498: [IPS-DAQ-NSE] Symantec endpoint updates URL is getting failed when DPI interfere
  • NC-63242: [IPS-DAQ-NSE] SSL/TLS inspection causing outbound problems with Veeam backups
  • NC-59774: [IPsec] Charon shows dead Status
  • NC-59775: [IPsec] Follow-up: Sporadic connection interruption to local XG after IPsec rekeying
  • NC-60361: [IPsec] Intermittently incorrect IKE_SA proposal combination is being sent by XG during IKE_SA rekeying
  • NC-61092: [IPsec] Strongswan not creating default route in table 220
  • NC-62749: [IPsec] Responder not accepting SPI values after its ISP disconnects
  • NC-61101: [L2TP] Symlink not created for L2TP remote access
  • NC-62729: [L2TP] L2TP connection on alias interface not working since update to v18
  • NC-59563: [Licensing] Apostrophe in email address : Unable to load the "Administration" page from System > Administration
  • NC-63117: [Logging Framework] Garner is core-dumping frequently
  • NC-61535: [Network Utils] Diagnostics / Tools / Ping utility not working with PPPoE interface
  • NC-62654: [nSXLd] NSXLD Coredump caused device hang
  • NC-59724: [RED] Back-up from v17.5 MR10 Fails to Restore on v18
  • NC-60081: [RED] Unable to specify Username and Password when using GSM 3G/UMTS failover
  • NC-60158: [RED] FQDN host Group appearing in RED configuration - Standard /split network
  • NC-60854: [RED] Red S2S tunnel static routes disappear on firmware update
  • NC-63803: [RED] FailSafe Mode After Backup Restore - Reason Unable To Start RED Service
  • NC-55003: [Reporting] Keyword search engine report not working
  • NC-59106: [Reporting] Security Audit Report missing information in "Number of Attacks by Severity Level" section
  • NC-60430: [Reporting] XG firewall send duplicate copies of schedule executive report
  • NC-60851: [Reporting] Scheduled reports won't be sent
  • NC-62804: [SecurityHeartbeat] Registration to central security heartbeat does not work via upstream proxy
  • NC-62182: [SFM-SCFM] Admin can not able to change password of SF 18.0 device from SFM/CFM device level
  • NC-61313: [SNMP] Memory Utilization mismatch between UI and atop/SNMP.
  • NC-64454: [SNMP] XG86 - /tmp partition becomes 100% full because of snmpd logs
  • NC-53896: [SSLVPN] Enforce TLS 1.2 on SSL VPN connections
  • NC-60302: [SSLVPN] All the SSL VPN Live connected users get disconnected when admin change the group of one SSL VPN connected user
  • NC-60184: [UI Framework] Missing HTTP Security Headers for HSTS and CSP
  • NC-61206: [Up2Date Client] XG Fails To Fetch hotfixes/patterns : File /conf/certificate/u2dclient.pem Missing
  • NC-62689: [VFP-Firewall] When fastpath (firewall-acceleration) is enabled, traceroute will show time-out on the XG hop
  • NC-63783: [VFP-Firewall] Unable to start the IPS
  • NC-64470: [VFP-Firewall] Auto reboot/nmi_cpu_backtrace due to VFP. Disabling firewall acceleration did fix the issue
  • NC-63058: [VirtualAppliance] Incorrect Virtual XG Firewall Model Name Showing in GUI and CLI
  • NC-47994: [Web] Pattern updates for SAVI and AVIRA are failing
  • NC-54173: [Web] URL Group - add URL control fails on leading/trailing whitespace
  • NC-51888: [WebInSnort] IPP/AirPrint not accessible after upgrade software appliance firmware to 18.0 EAP1
  • NC-54978: [WebInSnort] When a HTTPS connection is not decrypted, the reports will show a hit to the site but no bytes sent/received
  • NC-62448: [WebInSnort] Core dump on Snort
  • NC-63515: [WebInSnort] NSE: Unsupported EC type with App control and web policy
  • NC-64875: [WebInSnort] HTTP Pipelining errors in DPI mode with non-pipelined traffic