XG Firewall 16.05 RC1

Hi XG Community!

We've finished SFOS v16.05.0 RC1 and want to hand it to you as a soft-release.

Those of you who already used Sophos UTM might remember that we do soft-releases from time to time. For all others, let me quickly explain what it is:

Soft-Release:

We finish the release and think it's worth getting some feedback before shipping the release to all.

So we provide the links to the update packages to you via this forum and you can download the update package and upload it to your SFOS device.

We will monitor the feedback in this forum for some time and then ship the release to everyone.

For a detailed list of features and changes, please refer to the attached Release Note: 6523.Sophos XG Firewall v16_5 RN_v3.3.pdf


Issues Resolved

NC-12759 [Authentication] Segmentation Fault of access server
NC-13930 [Authentication] Access_server segmentation fault
NC-14100 [Authentication] Appliance IP doesn't appear on general tab of STAS suite
NC-14160 [Authentication] Netbios packages sent out via WAN port
NC-13972 [Base System] Webadmin certificate is not updated when changing common name in ca certificate
NC-14123 [Base System] No reconnect of ipsec tunnel when using IPv6
NC-14140 [Base System] If VPN profile name is matching an existing log file then the profile will log to this log file
NC-14227 [Certificates] Improve error message for Certificate Revocation List
NC-3820 [Certificates] The validation period To/From is not taken into account for CRL uploads
NC-13394 [Clientless Access(HTTP/HTTPS)] Japanese character issue in HTTP bookmark of clientless access
NC-13014 [FirewallDatapath] Not able to ping local machine located in DMZ zone from LAN zone with IPsec S2S tunnel setup
NC-13665 [Firewall] Skipping load balancing for missing heartbeat drop traffic
NC-13702 [Firewall] Block Page with captive portal link shown for users when webfilter + user based rules are used
NC-13987 [Firewall] Wizard failed after configure DOS rule using src-zone
NC-14137 [Firewall] 'Internet Scheme' page loading failed
NC-11810 [Framework(UI)] Application List headings are removed after applying filter
NC-13043 [Framework(UI)] Control Center - system graph initially renders without title
NC-13858 [Framework(UI)] Improve XG Firewall dashboard diagrams
NC-14649 [Framework(UI)] Possible SQL injection in EventViewerHelper
NC-14671 [Framework(UI)] XSS in LiveConnectionDetail.jsp in SFOS
NC-15101 [Framework(UI)] Apache service stop in case of certificate names contain space characters
NC-8116 [Framework(UI)] Disable TLS1.0 and TLS1.1 support for Webadmin and Userportal
NC-14995 [Galileo Heartbeat] Heartbeat - Service restarting automatically
NC-14244 [Hotspot] Hotspot type POTD send extra mail while updating password creation time
NC-13610 [IDS + AppControl] Psiphon Proxy application is not blocked
NC-13496 [IPS] Wrong ip address shown in web filter logviewer when device configured in TAP-Mode
NC-14231 [IPS] Internet traffic dropped by IPS if network subscription is missing
NC-12228 [Mail Proxy] MIME whitelist box is not large enough to display the entire text
NC-14093 [Mail Proxy] Proxy stops processing mails if IP reputation is enabled with action "Reject"
NC-14098 [Mail Proxy] Delivery failure notification not sent if sender or recipient email address contains space character
NC-14178 [Mail Proxy] SMTP proxy dies due to specific characters in return path of delivery failure notification
NC-14213 [Mail Proxy] Read only profile should be set in Email protection in HA mode
NC-13448 [Network Services] DHCP service dies while binding custom option to DHCP Server
NC-12214 [Networking] New warning message for unbinding interfaces trivialize effects
NC-12966 [Networking] WWAN connectivity issue with Huawei E3372
NC-13449 [Networking] DHCP Option is deleted without removing its binding.
NC-13599 [RED] Transparent Split and 3G Failover should not be possible to configure
NC-14164 [RED] implement "TLS 1.2 only" mode
NC-11769 [Reporting] Event Type 'Not Available' seen in Reports of Admin Events
NC-12472 [Reporting] PDF Report Export/On Demand: When records continue on 2nd page server time change
NC-13257 [Reporting] Pagination is not working for "Interface" widget in executive report.
NC-14337 [Reporting] Reports is not loading when language is Spanish
NC-6345 [Reporting] Custom Reports: Sometimes application/protocol filter is not working properly
NC-12969 [SSLVPN] SSLVPN Remote-Access to Apple iPhone: traffic cannot pass through tunnel
NC-13945 [UI] Log Viewer link from widget window is not working
NC-13995 [VPN] VPN failover group stops retrying after couple of minutes
NC-6589 [VPN] DHCP_V6A_IPSec connection not re-connected when changing IPv4 address of the same WAN interface
NC-14118 [WAF] SFM MR-2 can not push web server configuration to SFv16 device
NC-11111 [Web] Captive Portal settings: unauthenticated users redirection does not work
NC-10629 [Wireless] Wifiauth service dies
NC-13207 [Wireless] hostapd dies state after updating radius server in wireless global settings
NC-13326 [Wireless] High CPU usage of DHCPd
NC-13340 [Wireless] Update organizationally unique identifier (OUI) library
NC-13940 [Wireless] Red15w wireless is not detected
NC-14000 [Wireless] DHCP option 234 code missing in "editreddevice" opcode
NC-9469 [Wireless] WLAN interfaces are not shown in network configuration wizard if wireless network name contains 'WLAN'

Known Issues

There is an issue with the Sandstorm licensing if you try to initiate the 30 day evaluation via ControlCenter.
After you clicked the 30 days trial button, you will be redirected to the MySophos portal where you finish the subscription process. At the end you will see a HTTP 404 error page, because the redirect URL is not correct.
As a workaround, please redo the steps until you get to the license overview of your device. The license should be synced to your device at that time.
This issue does not appear if you initiate the process via MySophos instead of via ControlCenter.

Downloads

You can find the firmware for your appliance in the MySophos portal.


happy testing
/talex



This thread was automatically locked due to age.
  • Bill,

    a Terminator never stops! Even if there are some bugs I would like to say "well done" to the Sophos Team because they released an RC here in order to be able to test it and report bugs.

    We need to get back soon from Sophos Staff and see JIRA numbers with their fixing date (still missing on many JIRA, an improvement that must be included and shared into 2017).

    Sophos sells because we sell and because we believe in them. Without us, they will lose market position and many of them will lose their jobs. Also Sophos and other security companies will work during these holidays because bad guys never stop and also they take advantage of this situation.

    Logging part is another feature that we will see soon (v17) and hope to see other feature too.

    The Category classification is a bug and also the categorization is not working as UTM9 where the Web Filter engine used was another one. XG now uses Cyberoam Engine (that must be improved). I never liked Cyberoam Web Engine (many false positive/negative compared to UTM9).

    Hope also to see more investigation and more feedback here from Sophos Staff. , , , did a great improvement during this year but Sophos XG needs some other steps in order to be sellable (in my opinion) and more intervention and faster support is required.

    During the Christmas time I am busy with cooking but an eye on Community will be there too.

    I hope all of you have seen the new feature available with v16.5. Now we can see object properties inside Firewall rules without clicking on editing. See the attachments.

    Well done to Sophos developers!

    Happy Christmas to you all. In some way, we are a family too.

  • More hidden stuff...

    After a reboot in older versions this screen was presented if you tried to login too fast

    With 16.05 we get 

    Let's hope we are not rebooting for any reason[:D]

  • One thing I forgot to write:

    I do not like that inside the Advanced Threat there is also the Sandstorm Activity. Logs and reports must be in one location and not scattered. They have the big limitation of having too many TABs with few menus.

    Another big improvement we expect to see into v17.

    Regards

  • Hi guys,

    there is another thread where one of the Sophos staff advised to stop and restart the web service because it does not appear to be connecting to the wingc server and also to run a command to capture some details from a log file.

    Made no difference in my case.

  • An update:

    Today an IPS update has been released: 3.13.17, but the web filter still did not work, so I rebooted the XG and now categorization is working.

    Update the pattern and notify if the Web Filter is working again.

    Thanks

  • Mine started working by issuing the service WINGc:restart -ds nosync command. I am assuming everyone was affected by this and only a few people complained? Nobody is using XG or everyone is using it at home and happy they got everything protected while their 9 year old is watching porn because categorization was broken for 2 days. Another interesting aspect of the whole problem is that I had category NONE blocked in webfiltering. But when the filter breaks, NONE is allowed as the categorization system is broken.

    There is also a BUG in XG probably was there from v16, but I just noticed it. Restarting your appliance CHECKS AND INSTALLS PATTERN UPDATES even when the updates are set to DO NOT AUTO UPDATE

    Strange, I have to protect my XG by using another firewall so that the XG wouldn't protect me from myself[;)]

  • Anyone tested SSL VPN functionality since the update? Mine will not pass any traffic.  Reverted to 16.01.02 and it worked again.

    Looking at the status output from the vpn client:

    16.01.02: 

    Dec 27 09:12:35: PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:db8::1:1/64 2001:db8::1:0,route-gateway 172.20.9.5,tun-ipv6,ping 45,ping-restart 180,redirect-gateway def1,route-ipv6 ::/1,route-ipv6 8000::/1,topology subnet,route remote_host 255.255.255.255 net_gateway,dhcp-option DNS <internal dns 1>,dhcp-option DNS <internal dns 2>,dhcp-option DOMAIN <my domain-redacted>,ifconfig 172.20.9.6 255.255.255.0'

     

    16.05.0 RC1:

    Dec 27 09:27:27: PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:db8::1:1/64 2001:db8::1:0,route-gateway 172.20.9.5,tun-ipv6,ping 45,ping-restart 180,redirect-gateway def1 ipv6,route-ipv6 ::/1,route-ipv6 8000::/1,topology subnet,route remote_host 255.255.255.255 net_gateway,dhcp-option DNS <internal dns 1>,dhcp-option DNS <internal dns 2>,dhcp-option DOMAIN <my domain-redacted>,ifconfig 172.20.9.6 255.255.255.0' 

    I bolded the major difference - the "ipv6" flag on the redirect-gateway directive.

    The openvpn client doesn't like that option.  The log shows the following:

    Dec 27 09:27:27: Options error: unknown --redirect-gateway flag: ipv6 

     

    I have tried this in the Sophos VPN client and Viscosity, a non-free but vastly superior OpenVPN client.  Works in NEITHER.  Both work absolutely fine in 16.01.02.

    WORKAROUND: Setting Lease Mode to IPv4 only in VPN Settings seems to resolve the issue, most likely because it just drops all reference to ipv6 in the push config.

    Submitted support case 6849698 as well.
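A way to check a pushed option set for exactly this kind of client incompatibility before a server-side change reaches users, as an added example (not Sophos or OpenVPN project code) built on the two PUSH_REPLY log lines quoted above. The sets of redirect-gateway flags a given client version accepts are assumptions stated in the code, not something the post itself documents.

```python
"""Parse an OpenVPN PUSH_REPLY and flag redirect-gateway options an older
client would reject.

Added example for the thread above; it is not Sophos or OpenVPN project code.
The two sample messages are the PUSH_REPLY lines quoted in the post (the
redacted DNS/domain placeholders are kept as they appear there). Which flags a
client accepts is an assumption: the 2.3-era flag set below, and 'ipv6' /
'!ipv4' as the flags OpenVPN 2.4 added, come from my reading of the OpenVPN
manual, not from the page.
"""
import re
from typing import List, Set, Tuple

Option = Tuple[str, List[str]]

# Assumed: --redirect-gateway flags understood by an OpenVPN 2.3-era client.
LEGACY_REDIRECT_FLAGS: Set[str] = {
    "local", "autolocal", "def1", "bypass-dhcp", "bypass-dns", "block-local",
}
# Assumed: flags added for dual-stack redirection in OpenVPN 2.4.
V24_REDIRECT_FLAGS: Set[str] = LEGACY_REDIRECT_FLAGS | {"ipv6", "!ipv4"}

# Sample log lines from the post (16.01.02 first; the 16.05.0 RC1 line differs
# only in the timestamp and the extra 'ipv6' flag on redirect-gateway).
PUSH_16_01_02 = (
    "Dec 27 09:12:35: PUSH: Received control message: 'PUSH_REPLY,"
    "ifconfig-ipv6 2001:db8::1:1/64 2001:db8::1:0,route-gateway 172.20.9.5,"
    "tun-ipv6,ping 45,ping-restart 180,redirect-gateway def1,"
    "route-ipv6 ::/1,route-ipv6 8000::/1,topology subnet,"
    "route remote_host 255.255.255.255 net_gateway,"
    "dhcp-option DNS <internal dns 1>,dhcp-option DNS <internal dns 2>,"
    "dhcp-option DOMAIN <my domain-redacted>,ifconfig 172.20.9.6 255.255.255.0'"
)
PUSH_16_05_RC1 = PUSH_16_01_02.replace(
    "redirect-gateway def1,", "redirect-gateway def1 ipv6,"
).replace("09:12:35", "09:27:27")

_PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'")


def parse_push_reply(line: str) -> List[Option]:
    """Split the quoted PUSH_REPLY payload into (option, args) pairs in order.

    Pushed options are comma separated; each is an option name followed by
    whitespace-separated arguments, as they would appear in a config file.
    """
    m = _PUSH_RE.search(line.strip())
    if not m:
        raise ValueError("line does not contain a quoted PUSH_REPLY")
    options: List[Option] = []
    for item in m.group(1).split(","):
        parts = item.split()
        if parts:  # skip empty fields such as a trailing comma
            options.append((parts[0], parts[1:]))
    return options


def unsupported_redirect_flags(options: List[Option],
                               supported: Set[str] = LEGACY_REDIRECT_FLAGS) -> List[str]:
    """Return redirect-gateway flags not in `supported`, in push order.

    A client that does not know a flag aborts option parsing with
    'Options error: unknown --redirect-gateway flag: <flag>' (the message
    shown in the post), so a non-empty result means the tunnel will not
    come up on that client.
    """
    bad: List[str] = []
    for name, args in options:
        if name == "redirect-gateway":
            bad.extend(flag for flag in args if flag not in supported)
    return bad


def ipv6_related(options: List[Option]) -> List[str]:
    """Names of pushed options that reference IPv6 (by name or argument).

    These are the directives an IPv4-only lease mode on the server would stop
    pushing, which is why that setting sidesteps the client-side error.
    """
    return [name for name, args in options
            if "ipv6" in name or any("ipv6" in a for a in args)]


if __name__ == "__main__":
    for label, line in (("16.01.02", PUSH_16_01_02), ("16.05.0 RC1", PUSH_16_05_RC1)):
        opts = parse_push_reply(line)
        print(label, "rejected by 2.3-era client:", unsupported_redirect_flags(opts))
        print(label, "IPv6-related pushes:", ipv6_related(opts))
```

Run against the RC1 line the checker reports `['ipv6']` for a legacy client and nothing for a 2.4-capable one; feeding it the server's actual push set for each client version you have deployed is a cheap pre-upgrade test for a fleet like the one described further down the thread.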

  • This release looks really awesome.  I've upgraded my development VM from 16.1.2 to 16.5 without any problems. Just a couple of challenges but fairly minor

    Positive things:

    * Upgrade from backup was seamless.

    * Site blocking works well off the bat. Very happy with this.

    * SSO from STAS works very well and is consistent.

    * Log viewer link in every screen is great. Best feature of Version 16.

    * PTR zones on DNS works very well.

    * Group traffic limiting works very well and appears fairly instant when changes are made.

    Challenges:

    * Say I want to block all applications in the high risk and very high risk but need to allow logmein for admin purposes, then I've got to scroll manually through the whole list to find it. Kinda hard.

    * Why has HTTP been categorised at 4? Blocking the risky and very risky blocks port 80 traffic.

    * Some website categories are a little off like ad.atdmt.com which is clearly ads but appears under IPS's and dynamic DNS.

    * Default policies for web and application filtering break Office365 email and lync/Skype4business.

    * Some inconsistency around application blocking and webfilter (again with logmein) means that the SSL cert needed to show the logmein client page in the app gets blocked but everything else is allowed.

    * Scanning HTTP causes Error 500 to appear on all HTTP and HTTPS traffic. This magically went away at some point.

    Feature requests:

    Allow "Administrator" role to be selected when importing users from AD groups import.

     

    All in all it looks fairly solid aside from one or two issues. Great work devs and sophos team.

     

    Peter Tiggerdine

    Systems and Network Architect.

     All in all, feeling the devs are heading in the right directions. 

  • SSL works... but I need to reconfigure SSL VPN client (I'm very happy with viscosity).. SSLVPN portal, download new config....

  • Having to reconfigure the VPN client is not an acceptable option.

    It is FINE for me - but my clients have lots deployed.