
Sophos Firewall v18.5 MR2 (Build 380)

Description

Sophos Firewall OS v18.5 MR2 is available. It contains a large number of improvements, security and performance optimizations, and fixes.

The release will be made available for all supported devices over the next few days.

You can upgrade to SFOS v18.5 MR2 (Build 380) from v17.5 MR14 and later, from v18 MR3 and later (including v18 MR6), and from all previous v18.5 versions.

Notes

Includes improvements for users of XGS Series hardware appliances:

 

  • Xstream FlowProcessor driver update – for XGS Series 4300, 4500, 5500, and 6500 models, to raise the performance of the high-end models.
  • XGS Series reimaging – a visual signal is now shown on the LCD screen or the interface LEDs when ISO reimaging is complete.
  • Hardware reset on XGS 87/107 – these models can now be reset to factory defaults by a long press of the reset button.

Features

FIPS 140-2 Level 1 Validation
  • SFOS v18.5 MR2 has received Federal Information Processing Standards Publications (FIPS) 140-2 validation for all XGS Series hardware appliances and for virtual machines, based on the latest cryptographic module.
IPsec VPN improvements
  • Improved performance with support for GCM and Suite-B ciphers
  • Improved inactivity timeout for remote connections, to keep connections up longer
  • Route optimization using the tunnel interface IP for route-based IPsec masquerading (MASQ)
New Sophos Assistant
  • Provides an interactive "helping hand" for important workflows in the product, making it much easier to get to know the products and complete common tasks.
Credential-free registration for Sophos Central
  • Streamlines the onboarding process for new firewalls in Sophos Central
Authentication improvements
  • Improved MFA support for the admin account, with alerts and an improved setup process
  • Support for multi-group membership in Active Directory, to show all groups a user belongs to.
Certificate improvements
  • Adds new, helpful information about certificate authorities, easier identification of local certificates with private keys, and easy download of the public part of a certificate.
Further usability and functional improvements
  • New domains added to the TLS exclusions to optimize TLS performance and improve the end-user experience.
  • Support for Cloudflare as a DDNS service provider
  • New global IPS switch added to enable or disable the IPS engine.
  • Installation wizard improvements: only 2 ports are bridged by default
  • jQuery upgraded to version 3.5.x.
Troubleshooting report improved
  • Improved log file handling, back-end report generation, and usability improvements.

Affected product groups

Bugfixes

  • NC-80101: Garner service remained in a busy status.
  • NC-79943: IPS service was down.
  • NC-79452: Slow upload speed for XGS 2100 over 1G interfaces with 100 Mbps speed.
  • NC-79404: Log viewer wasn't returning results from /var/eventlogs/.
  • NC-79386: Incorrect signature date shown on the IPS policy screen after migration.
  • NC-79335: Incorrect placement of icon for loading IPS signatures.
  • NC-79110: Couldn't restore backup from 17.5 MR16 to 18.0 MR6.
  • NC-79029: IPS was restarting with core dump
  • NC-78572: Constant restart of XG 750 HA pair.
  • NC-78512: Split networks weren't reachable from the RED network for one RED device.
  • NC-77938: Unable to deactivate the failover group.
  • NC-77771: Kernel panic: Unable to handle kernel paging request at ffff88036e000000.
  • NC-77729: IPsec tunnel not reconnecting after PPPoE reconnects.
  • NC-77289: db testpass wasn't always encrypted correctly
  • NC-77026: Heartbeat authenticated users get disconnected
  • NC-76742: XG Series appliance goes into failsafe mode after backup is uploaded.
  • NC-76521: Firewall ID doesn't appear in the ID column.
  • NC-76400: Apple iOS IPsec VPN client configuration issue.
  • NC-76041: XGS 6500: AVD thread count anomaly.
  • NC-75990: IPsec tunnel not coming up until service restarts
  • NC-75870: QuickHA page stops responding. The administrator isn't able to close it.
  • NC-75844: Traffic issues in HA active-active mode.
  • NC-75783: LDAP authentication with anonymous sign-in wasn't working.
  • NC-75543: Tunnel wasn't established because traffic was passing through an incorrect interface.
  • NC-75269: Firmware didn't upgrade from 18.0 MR4 to 18.0 MR5 in HA pair.
  • NC-75175: RED service didn't restart because of corrupt entry in tblreddevice.
  • NC-75159: IPsec failover wasn't working and required deactivating and then reactivating the failover group to bring the tunnel up.
  • NC-75030: Charon crash in adopt_children_job.c execute.
  • NC-74891: Email notifications received for auxiliary device in HA active-passive mode.
  • NC-74864: Unable to download VPN iOS profile from the user portal when authentication type is certificate for the Sophos Connect client.
  • NC-74791: Quarantine digest sends email 6 minutes earlier than the configured time.
  • NC-74735: The auxiliary device restarts during HA failover.
  • NC-74603: Log for denied attempt to sign in to the web admin console shows the destination port as custom port.
  • NC-74593: Reports for the last one hour didn't load in the report generator.
  • NC-74101: Email delivery issue due to a Brazilian character.
  • NC-73926: Unable to access websites sometimes with HA active-active load balancing.
  • NC-73800: Websites blocked when custom application control policy was applied.
  • NC-73703: Unable to connect to the Sophos Connect client because of incorrect preshared key in KVM HA setup.
  • NC-73617: Mandatory setting requirement when deleting static route through API.
  • NC-73089: Ports not added to LAG
  • NC-73004: CVE-2020-15078 patch for OpenVPN 2.3.6.
  • NC-72955: Logviewer stopped working when active.db was damaged.
  • NC-72949: Print jobs weren't working with the DPI engine.
  • NC-72934: Child SA disconnected when the idle setting was turned on in the Sophos Connect client.
  • NC-72920: xfrm packet loss on route-based IPsec VPN.
  • NC-72851: Importing application filter policy changed the rules and their list of applications when any of the rules had selected Cloud application under Characteristics.
  • NC-72694: SSL/TLS inspection didn't work for SMTP.
  • NC-72664: XG Series appliance wasn't initiating a request to AD server on port 6677 after the appliance was restarted.
  • NC-72545: Duplicate support access ID was created during backup-restore.
  • NC-72492: Guest users who had received a password once were later unable to get the password through SMS.
  • NC-71595: DNAT rule wasn't working after migration from CROS to SFOS 17.5 MR15.
  • NC-71555: Getting certificate-related error when accessing the Outlook client with POP3 scanning rule configured on XG Series appliance.
  • NC-71216: Unable to access Microsoft TFS (Team Foundation Server) hosted on LAN network through SSL VPN.
  • NC-70909: Service monitor failure results in an alert since the HA auxiliary device was shutdown.
  • NC-70877: Expired guest users received an SMS with a blank password.
  • NC-70863: Unable to delete quarantined email.
  • NC-70783: Web admin console access to the primary HA device was lost when a RED interface was saved.
  • NC-70733: USB Dongle Huawei E8372 wasn't reconnecting after a power cycle.
  • NC-70568: Executive reports for the auxiliary device weren't received over email in time.
  • NC-70320: Unable to make changes when Organizational Units (OU) are present.
  • NC-70251: IPS service was down after enabling HA active-passive mode.
  • NC-70243: Report generation stopped after January 1, 2021.
  • NC-70067: Central registration alert didn't disappear after registration.
  • NC-70057: Intermittent WAN connectivity issue for firewall running on Azure.
  • NC-70041: Incorrect count for remote users and connected users.
  • NC-70030: Unable to show username using the custom block Page with the DPI engine.
  • NC-69993: All IPsec tunnels were down, dead gateway detection stopped, and gateway was missing after 30 minutes.
  • NC-69945: Awarrenhttp was down.
  • NC-69456: The firewall went into failsafe mode after restoring a backup.
  • NC-69335: Unable to delete an IPsec connection on the second page of the connection list.
  • NC-69314: Connection dropped due to TLS engine error.
  • NC-69303: IPsec connection configured with certificate doesn't connect.
  • NC-69286: ICMP times out when firewall acceleration is turned on.
  • NC-69111: Unable to export remote users from XG Series appliance.
  • NC-68979: Korean language is broken in the body of email that's encrypted with SPX.
  • NC-68839: All users aren't able to download the Sophos Connect client from the user portal.
  • NC-68614: SD-RED UI doesn't show LTE support
  • NC-68531: Showing an error when configuring remote access IPsec VPN.
  • NC-68461: Kernel panic issue.
  • NC-68324: FTP data connection issue with SD-WAN policy route
  • NC-68277: RED site-to-site tunnel failover doesn't always work.
  • NC-68263: Unable to access the web admin console at times.
  • NC-68228: High disk utilization.
  • NC-68226: Google website not opening with DPI engine and application control.
  • NC-68194: Unable to reset web quota.
  • NC-68187: Unknown error while generating DynDNS IP address.
  • NC-68176: Not possible to use special characters in the password for an external email notification server.
  • NC-67997: csd service is in stopped status.
  • NC-67952: ESP sequence number mismatch.
  • NC-67803: Live connection page wasn't loading.
  • NC-67761: System start fails when a large number of users are included in a single firewall rule.
  • NC-67675: The firewall goes into failsafe mode if an interface is added in discover mode when HA is enabled.
  • NC-67606: Unable to update certificate in SMTP TLS settings using API.
  • NC-67340: All the RED 50s disconnect.
  • NC-66980: The firewall restarts because of kernel panic.
  • NC-66966: Unable to sign in to cPanel server with direct proxy.
  • NC-66194: High CPU utilization by mail scanner.
  • NC-66087: Active Directory group import failed in XG series appliance using 18.0.
  • NC-66068: DKIM signing not taking place for out-of-office, non-delivery reports, and bounced emails.
  • NC-65831: The same email is shown for a different filter in the mail log.
  • NC-65567: Split networks aren't reachable if settings are changed in transparent/split mode.
  • NC-65533: Misleading message in notification settings for external mail server.
  • NC-65200: No key recognition after pressing the Windows key in clientless access.
  • NC-65198: False positive for CCL with the term "credit card" in the body.
  • NC-64973: Split networks weren't reachable if the definition name contains special characters.
  • NC-63872: DKIM verification being applied to outbound emails and emails were getting quarantined.
  • NC-63177: DPI causing issue with SSL 2.0 client hello.
  • NC-62880: Sentry reported coredump in crformatter_free_data.
  • NC-62245: OTP settings can't add groups as Organizational Units (OUs).
  • NC-62169: Wireless APs aren't able to lease IP addresses in separate zone.
  • NC-62120: Couldn't restore backup to a different appliance.
  • NC-61909: Mapping issue for i18n configuration and actual configuration name.
  • NC-60855: Unable to restore backup from CROS 10.6.6 MR5 to 17.5 MR12.
  • NC-54523: Yahoo email account configured in email client wasn't working with IMAPS scanning.
  • NC-54308: HSTS not offered on port 8094.
  • NC-50232: Built-in wireless stops broadcasting for LocalWiFi.
  • NAF-53: Mesh APX device restarts at times, stopping internet access.
  • NRF-517: SD-RED 60 loses VLAN configuration after RED pattern update to 3.0.006.
  • NRF-509: AP isn't registering through the RED 15w tunnel.