
Sophos Firewall v19.5 GA (Build 197)

Description

Features

Xstream architecture

SD-WAN

  • SD-WAN load balancing to maximize bandwidth across multiple links. You can select load balancing as a routing strategy in SD-WAN profiles. You can use round-robin or session persistence based on source and destination IP address, as well as connection criteria with gateway weighting and SLAs. Ensures routing of application traffic across multiple links, including MPLS, WAN, VPN and RED.
  • Real-time monitoring and reporting with improved gateway performance diagnostics for SD-WAN profiles. Shows link performance with the total number of connections and data transfer counters. The counters can be reset for troubleshooting.
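The two load-balancing strategies named above (round-robin and session persistence keyed on source and destination IP, both subject to gateway weights and an SLA check) are modelled below as an added illustration. This is example code, not Sophos's implementation: the `Gateway`, `Sla` and `SdwanProfile` names, the expansion of weights into a repeating schedule, and the SHA-256 hashing of the address pair are assumptions of this example, and the gateway table is constructed.

```python
# Illustrative model of SD-WAN gateway selection (example code, not Sophos's own).
# Assumptions: integer gateway weights, an SLA defined by latency and loss thresholds,
# and a SHA-256 hash of (src_ip, dst_ip) for session persistence.
import hashlib
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    weight: int          # relative share of new sessions (assumed integer weight)
    latency_ms: float    # last measured latency, checked against the SLA
    loss_pct: float      # last measured packet loss, checked against the SLA
    link_up: bool = True


@dataclass
class Sla:
    max_latency_ms: float
    max_loss_pct: float

    def passes(self, gw: Gateway) -> bool:
        # A gateway is eligible only if its link is up and it meets both thresholds.
        return gw.link_up and gw.latency_ms <= self.max_latency_ms and gw.loss_pct <= self.max_loss_pct


class SdwanProfile:
    """Picks a gateway for a new session according to the chosen routing strategy."""

    def __init__(self, gateways, sla, strategy="round-robin"):
        self.gateways = list(gateways)
        self.sla = sla
        self.strategy = strategy
        self._rr_schedule = []    # weighted schedule currently being walked
        self._rr_pos = 0
        self.session_table = {}   # (src_ip, dst_ip) -> gateway name

    def eligible(self):
        return [g for g in self.gateways if self.sla.passes(g)]

    @staticmethod
    def _weighted_schedule(eligible):
        # Expand weights into a repeating schedule, e.g. weights 2:1 -> [A, A, B].
        schedule = []
        for g in eligible:
            schedule.extend([g] * max(g.weight, 1))
        return schedule

    def select(self, src_ip, dst_ip):
        eligible = self.eligible()
        if not eligible:
            raise RuntimeError("no gateway meets the SLA")
        names = [g.name for g in eligible]
        schedule = self._weighted_schedule(eligible)

        if self.strategy == "session-persistence":
            key = (src_ip, dst_ip)
            chosen = self.session_table.get(key)
            if chosen in names:
                return chosen  # the address pair stays on its gateway while it is eligible
            # Weighted hashing: the pair hash picks a slot in the weighted schedule,
            # so heavier gateways attract proportionally more address pairs.
            digest = hashlib.sha256(f"{src_ip}|{dst_ip}".encode()).digest()
            chosen = schedule[int.from_bytes(digest[:8], "big") % len(schedule)].name
            self.session_table[key] = chosen
            return chosen

        # Round-robin: walk the weighted schedule; restart it if eligibility changed.
        if [g.name for g in self._rr_schedule] != [g.name for g in schedule]:
            self._rr_schedule, self._rr_pos = schedule, 0
        gw = self._rr_schedule[self._rr_pos % len(self._rr_schedule)]
        self._rr_pos += 1
        return gw.name


def build_demo_profile(strategy):
    # Constructed gateway table: "mpls" violates the 100 ms SLA and is left out.
    gateways = [
        Gateway("wan1", weight=2, latency_ms=20, loss_pct=0.0),
        Gateway("wan2", weight=1, latency_ms=30, loss_pct=0.0),
        Gateway("mpls", weight=1, latency_ms=200, loss_pct=0.0),
    ]
    return SdwanProfile(gateways, Sla(max_latency_ms=100, max_loss_pct=1.0), strategy)


if __name__ == "__main__":
    rr = build_demo_profile("round-robin")
    print([rr.select("10.0.0.5", "203.0.113.9") for _ in range(6)])
    sp = build_demo_profile("session-persistence")
    print(sp.select("10.0.0.5", "203.0.113.9"), sp.select("10.0.0.5", "203.0.113.9"))
```

Running the block shows the weighted round-robin walk (`wan1, wan1, wan2, ...`) and that the same address pair is returned to the same gateway under session persistence; taking a gateway's link down removes it from the eligible set, and pairs pinned to it are re-hashed onto a gateway that still meets the SLA.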

IPsec VPN

  • Maximum number of concurrent tunnels raised from 4,650 to 10,000.

High Availability

Cluster and device identification

  • Added editable node names. Names are shown in the browser tab, the drop-down widget, the CLI and notifications.
  • Improved HA status panel with information on node names, license source, original primary device, current role and status, as well as timestamps for status changes
  • HA cluster ID can now be chosen
  • Clearer presentation of device roles and their respective license requirements
  • Persistent banner on the secondary device
  • HA widget moved to the admin drop-down menu at the top right

Redundant HA links

  • Supports up to four interfaces as dedicated HA links.
  • Automatically creates a LAG interface in QuickHA mode
  • LAGs and VLANs are now supported as dedicated HA links.

Support for unconfigured interfaces as a monitored port when a VLAN is configured on them.

Clearer selection of the preferred primary device

Dynamic routing

OSPFv3

  • Support for the OSPFv3 protocol for dynamic IPv6 routing

Better routing decisions

  • OSPF and OSPFv3 use the configured interface speeds and prefer faster interfaces for routing

BGP

  • Automatic router ID selection for BGP allows dynamic updates of the router ID

Logs

  • Provides logs with relevant information on BGP, OSPF and OSPFv3

Further improvements

  • New dynamic routing engine for stability and future-proofing
  • Fully interoperable with other vendors

Static routes

Important changes to routing behavior

  • New routing engine: allows monitoring of interface link status and network configuration
  • By default, BGP, OSPF and RIP configurations prevent network and route distribution to group members when the interface link status is down.
  • By default, BGP configurations prevent network and route distribution to group members when the SFOS and BGP networks have mismatched subnets.
  • The Zebra advanced shell CLI is no longer available due to the new routing engine

PKI acceleration for inspected TLS flows

The DPI engine offloads PKI processing for X.509 certificate re-signing to the crypto hardware in the Xstream Flow Processor. This improves overall SSL/TLS decryption performance on the following hardware models:

  • 1U (4300, 4500)
  • 2U (5500, 6500)

Quality of life improvements

Azure AD SSO

  • Support for Azure AD SSO configurations for signing in to the web admin console

Interface speed

  • Automatically detects the recommended link settings. Supports advanced port configurations for high-speed interfaces, including FEC (Forward Error Correction) for high-speed 40G interfaces on XGS 5500 and 6500 appliances

Interface breakout

  • Supports breakout of 40G interfaces into 2 or 4x10G interfaces using DAC or fiber breakout cables.

Search

  • Search by name, type and value for default and custom objects in hosts and services

Log storage

  • Improved log file storage with configurable rotation and archiving, as well as timestamp and size changes, for single or multiple log files.

Bugfixes

  • NC-106424: API Framework, UI Framework A code injection vulnerability allowing remote code execution was discovered in the user portal and web admin console. We released hotfixes for this issue. See Resolved RCE in Sophos Firewall (CVE-2022-3236).
  • NC-101326: SSL VPN OS command injection through SSL VPN configuration upload (CVE-2022-3226).
  • NC-108213: UI Framework Post-auth code injection (CVE-2022-3696).
  • NC-99962: Wireless Adjacent code injection in Wi-Fi controller (CVE-2022-3713).
  • NC-93847: Authentication Stored XSS in import group wizard (CVE-2022-3709).
  • NC-94664: Hotspot Post-auth read-only SQLi in user portal (CVE-2022-3711).
  • NC-102257: Firewall Post-auth read-only SQLi through API controller (CVE-2022-3710).
  • NC-89091: API Framework Resolved multiple post-auth SQLi vulnerabilities in the web admin console (CVE-2022-1807).
  • NC-97743: AppFilter Policy Unable to export application filter policy.
  • NC-74235: AppFilter Policy DOM-based XSS in AppFilterPolicyDetailEdit.js.
  • NC-107176: Authentication Web admin console SSO prevents language choice.
  • NC-79468: Authentication Outdated users not removed from the live user list.
  • NC-84910: Authentication STAS authentication stops working when the appliance restarts until the access server's restarted if AD is accessed through a static route.
  • NC-84924: Authentication Memory utilization increases to 90 percent and above in XGS 3100 due to the appcached service.
  • NC-85151: Authentication When the firewall is moved to a group on Sophos Central, it's added to the group but changes to "Error needs attention".
  • NC-85961: Authentication Guest user is created on secondary appliance but not on primary appliance sometimes.
  • NC-90151: Authentication Unable to authenticate with PUSH with Azure MFA.
  • NC-101852: Authentication Unable to add users with the same email address (Azure AD).
  • NC-102771: Authentication XFOS Migration Users unable to authenticate through CAA.
  • NC-102979: Backup-Restore Unable to restore backup from XG 310 to XG 230.
  • NC-85547: Captive Portal Sign-in message and sign-out option not appearing with custom captive portal.
  • NC-95926: CDB-CFR, Reporting Unable to generate reports.
  • NC-101703: CDB-CFR, CM Unable to open the firewall's web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall from Sophos Central.
  • NC-80305: Certificates Though CA isn't available on the pfx file, CA upload opcode gets called.
  • NC-103406: Certificates Migration from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365 fails.
  • NC-81219: CM Expected downtime for a firewall upgrade with HA on Sophos Central.
  • NC-81430: CM, UI Framework User portal host injection reported.
  • NC-89079: CM fwcm-eventd agent isn't listening to the IP address up event for SD-WAN connection group.
  • NC-83405: Core Utils Inconsistency with Security Audit Reports (SAR).
  • NC-84231: Core Utils Receiving a duplicate copy of the same executive schedule reports.
  • NC-98712: Core Utils Containment plan to handle production issue causing ten-second factory reset feature to not work on XGS Series appliances.
  • NC-89218: Core Utils Resolved post-auth shell injection in web admin console through OpenSSL (CVE-2022-1292).
  • NC-82972: CSC HA appliance stops responding.
  • NC-101021: Date/Time Zone Time zone change allowed in Sophos Central on HA appliances.
  • NC-80660: DHCP DHCP IP lease issue.
  • NC-92745: DNS kdump: stack guard page was hit, and appliance restarts repeatedly.
  • NC-101271: Dynamic Routing (BGP) BGP networks on the web admin console show ASCII characters instead of expected networks for config-type Cisco.
  • NC-106811: Email Unable to start anti-spam service.
  • NC-74248: Email Stored potential XSS in MailScanRuleManage.js.
  • NC-83419: Email Inbound emails aren't delivered when SMTP scanning is turned on in the firewall rule.
  • NC-85346: Email Smarthost authentication didn't work. Related to password decryption failure.
  • NC-87240: Email Avira engine error with axpx files.
  • NC-90702: Email SASI detection problems when too many hits are returned.
  • NC-92840: Email RCA for email not received with an error "smtp_check_forward_reply: response arrived without any command".
  • NC-93380: Email Anti-spam not working after upgrade to SFOS 18.5.3.
  • NC-94362: Email SPX stops working after an unspecified period.
  • NC-95543: Email Mail logs page stuck in loading status.
  • NC-98296: Email Attachments getting corrupted while using SPX.
  • NC-98300: Email High CPU utilization due to Exim.
  • NC-99421: Email Email loop with AV scan failure.
  • NC-101300: Email Unable to send emails after upgrading to 18.5.4 due to malware scan failure.
  • NC-73975: Firewall FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2).
  • NC-77804: Firewall netlink: 153776 bytes leftover after parsing attributes in the following process: ipsetelite.
  • NC-81939: Firewall Not reflecting daylight savings time correctly.
  • NC-82215: Firewall Device freeze issue (0010:queued_spin_lock_slowpath+0x14b/0x170).
  • NC-82332: Firewall Kernel panic. Unable to handle kernel NULL pointer "ip_route_me_harder".
  • NC-82566: Firewall Kernel crash after update to 18.5 MR2. RIP:0010:_raw_read_lock_bh+0x14/0x30.
  • NC-83470: Firewall, VFP-Firewall Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG 750 during Connection rate test.
  • NC-83734: Firewall Inbound emails dropped at times with SMTP scanning turned on in HA load balancing.
  • NC-86093: Firewall Duplicate firewall rule group.
  • NC-89076: Firewall, VFP-Firewall Unable to access `www.radix.ad.jp` on the environment tagged VLAN with DPI configured.
  • NC-89162: Firewall Appliance restarts automatically. 0010:queued_spin_lock_slowpath+0x148/0x170.
  • NC-90024: Firewall Backup restore and migration fails when multiple local ACL rules are configured.
  • NC-91295: Firewall Zones tab showing blank after deleting zone created on second page.
  • NC-95861: Firewall Country blocking through firewall rule isn't working.
  • NC-97883: Firewall Unable to upgrade firmware or restore backup from 17.5.15 to 19.0 GA. Duplicate key value violates unique constraint "tblfirewallrule_unique_name".
  • NC-98089: Firewall Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA.
  • NC-100084: Firewall DNAT issue when multiple hosts are added.
  • NC-102308: Firewall Disabled load balancing NAT rules still sending out alerts for the rules.
  • NC-102436: Firewall Appliance access was lost, and local ACL rules stopped working after restoring backup.
  • NC-102614: Firewall Traffic not working with FastPath for bridge with logical members after migrating to 19.0 GA. Traffic shouldn't get offloaded.
  • NC-86819: Firmware Management, Licensing AWS instance stuck when starting it.
  • NC-88207: Firmware Management Firmware update fails when space is used in file name.
  • NC-94291: Firmware Management Small var partition created for VM image using aux disk.
  • NC-100716: FQDN ipset sporadically not created for wildcard FQDN host.
  • NC-100250: Gateway Management RCA: Unable to change DGD settings for a specific WAN port.
  • NC-82225: HA Unable to establish HA correctly on fiber ports.
  • NC-92282: HA System services page doesn't load.
  • NC-95351: HA HA failover isn't working due to automatic restart of the auxiliary device.
  • NC-100623: Hotspot Hotspot voucher creation fails.
  • NC-99801: Interface Management Unable to delete a LAG interface.
  • NC-101046: IPS-DAQ Website doesn't work due to OCSP must-staple in Firefox browser.
  • NC-86451: IPS-DAQ-NSE Unable to access web server through XG Firewall with SSL/TLS inspection error "Dropped due to TLS internal error".
  • NC-92131: IPS-DAQ-NSE Unable to upload a large file with SSL/TLS inspection turned on in do-not-decrypt mode.
  • NC-106834: IPS-DAQ-NSE Connection untrusted when browsing some sites.
  • NC-100699: IPsec SMB file transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.
  • NC-106608: IPsec Duplicate SAs created.
  • NC-79128: IPsec Memory usage increased to 90 percent over 20-25 days.
  • NC-81207: IPsec Web admin console shows error when updating any VPN tunnel configuration.
  • NC-81944: IPsec WWAN doesn't connect after random disconnect event if xfrm interface is created on WWAN.
  • NC-83065: IPsec System generated traffic getting impacted when route precedence is set to VPN and remote subnet to Any.
  • NC-83445: IPsec Constant IPsec VPN flapping. Pushed through Central SD-WAN Orchestration.
  • NC-84750: IPsec Auxiliary device sporadically receives IPsec packets.
  • NC-85383: IPsec Unable to connect IPsec remote access due to invalid .scx file.
  • NC-88404: IPsec IPsec tunnel didn't come up automatically after the restart of a HA appliance.
  • NC-90247: IPsec IPsec VPN failback isn't working.
  • NC-94734: IPsec PPPoE isn't connecting after random disconnect event if xfrm interface is created on PPPoE.
  • NC-95239: IPsec Different gateway entry in IPsec configurations when using DDNS.
  • NC-95633: IPsec Unable to connect IPsec remote access due to invalid .scx file.
  • NC-100707: IPsec Wrong source IP address in IPsec routes.
  • NC-101355: IPsec Migration from 19.0 GA to 19.0 MR1 fails.
  • NC-103733: IPsec Amazon VPC connection issue since BGP service keeps restarting.
  • NC-97753: IPS Engine, IPS Policy Unable to upgrade to 19.0 GA from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table.
  • NC-100681: IPS Engine Increase in snort memory usage with ATP pattern updates.
  • NC-107999: IPS Ruleset Management HA cluster configuration fails when there's no Network Protection license.
  • NC-83177: IPS Ruleset Management Unable to toggle IPS switch in 18.5 MR2.
  • NC-98576: IPS Ruleset Management IPS pattern not updating.
  • NC-99152: Logging Framework Central reporting: Couldn't initiate the mmap case when queue limit reached with no central connectivity.
  • NC-101713: Logging Framework PG trigger entry not present for sign-in events if on-appliance reporting is turned off.
  • NC-94418: Logging Framework (Central Reporting) Central reporting feature is stuck at write_data2_file.
  • NC-101716: NFP-Firewall Packet drop and slow file transfer with IPsec (IPsec acceleration) and NAT-T.
  • NC-97058: NFP-Firewall VPN traffic for specific tunnel periodically stops when IPsec acceleration is enabled.
  • NC-94128: NFP-Firewall Firewall stopped responding on specific port.
  • NC-90566: NFP-Firewall Traffic not traversing XGS Firewall for a specific configuration.
  • NC-98094: nSXLd Unable to categorize URLs and IP addresses using external URL database.
  • NC-85412: PPPoE PPPoE password issue.
  • NC-95197: RED Appliance auto-restarts frequently in a day or two.
  • NC-90839: RED Red interface disappears when changing the DHCP server configuration.
  • NC-88628: RED RED UDP packets are forwarded to the auxiliary device after HA switchover.
  • NC-76071: RED XGS-2100 - Interface doesn't have any IP address when same firmware is restored on the same hardware.
  • NC-94337: Reporting Migration failure to 19.0 GA - MaxNoTables24hr_tls exists.
  • NC-81131: Reporting Last access time isn't generated when there are users with username having XSS payload.
  • NC-86690: SDWAN Routing SD-WAN FTP proxy traffic not working with transparent proxy.
  • NC-86652: SDWAN Routing TFTP traffic doesn't follow SD-WAN routing.
  • NC-83366: SDWAN Routing Turning off captcha on VPN zone isn't working for route-based VPN with SD-WAN routing.
  • NC-93720: SecurityHeartbeat delay-missing-heartbeat-detection not synchronized on the auxiliary device.
  • NC-85423: SNMP Kernel fails on XG 125 with SNMP high memory consumption.
  • NC-74120: Spoofing Traffic through bridge will be blocked as IP_Spoof if spoof protection is turned on for the involved zone.
  • NC-102737: SSLVPN SSL VPN service stuck in busy status. Site-to-site and remote access SSL VPN affected.
  • NC-99247: SSLVPN Unable to download SSL VPN site-to-site server configuration.
  • NC-98574: SSLVPN Traffic isn't passing through site-to-site SSL VPN tunnel though tunnel is up.
  • NC-94661: SSLVPN Android and iOS users aren't able to import SSL VPN ovpn file.
  • NC-93919: SSLVPN SecurityHeartbeat_over_VPN object removed from SSL VPN policy after an SSL VPN global configuration change.
  • NC-88483: SSLVPN OpenVPN deferred auth vulnerability (CVE-2022-0547).
  • NC-87596: SSLVPN Site-to-site and remote access SSL VPN not working.
  • NC-83469: SSLVPN Dashboard doesn't reflect the remote user's details.
  • NC-101075: Static routing Static route to RED disappears when XGS in HA 19.5 is restarted.
  • NC-93689: Up2Date Client Cosmetic issue with SASI pattern after firmware downgrade.
  • NC-100334: WAF Virtual host not removed if firewall rule is turned off.
  • NC-84146: WAF Warning about subject alternate not being part of domain.
  • NC-102093: Web Upgrading from 19.0 GA to 19.5 EAP0 can leave nasm directory in a bad status.
  • NC-100265: Web Expired certificates in certcache are being used rather than generating new ones.
  • NC-83584: WebInSnort IPS segfault in libnsg_tcphold_preproc.
  • NC-81956: WebInSnort HTTPS traffic to internal server on 8080 is dropped by ips tcphold.
  • NC-94019: Wireless Wrong Mac-aging time for bridge interface Guest AP.
  • NC-90684: Wireless Multiple APX 320s not Registering with XG Firewall. Not showing up in pending list.
  • NC-87659: Wireless Legacy AP roaming key decryption is failing when fast transition is turned on.
  • NC-85549: Wireless SFOS goes in bad status after a restart if time-based SSID is configured.
  • NC-84604: Wireless Unable to restore backup from SG 230 to XGS 2300 due to access point database issue.
  • NC-107453: WAF WAF rules not working on auxiliary appliance.