Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

Version 19.0 GA Build 317
Released on April 21, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

See the video.

SD-WAN profiles

VPN orchestrated SD-WAN network is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.

We now offer Xstream SD-WAN on the firewall:

Xstream SD-WAN profiles support routing strategies for multiple WAN links, including VDSL, DSL, cable, LTE/cellular, and MPLS. You can configure more than two gateways and specify a routing strategy based on the first available link or performance criteria.
Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss. SLAs can be based on best performance or custom SLA values. You can use multiple probe targets to perform a health check.
Zero-impact rerouting maintains application sessions when link performance falls below the thresholds and transitions sessions to a better performing WAN link.
SD-WAN monitoring graphs on Diagnostics > SD-WAN performance provide real-time insights into latency, jitter, and packet loss for all WAN links. You can select the time. You can also click the status on SD-WAN profiles to go to diagnostics.
Logs contain SD-WAN routing information. A new SD-WAN log module allows you to focus on log entries specific to SD-WAN routing and health. Log entries include SD-WAN rule ID and name for route request and reply directions.

Xstream FastPath acceleration

IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor's hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.

Xstream FastPath Acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, BlowFish, MD5) aren't offloaded. See FastPath acceleration.

Web

Per-connection authentication: In explicit proxy mode, web authentication can now handle multiple different users coming from the same source address. This is useful in authentication for terminal services, Windows remote desktop, or direct access systems.
Tenant Restrictions: The Tenant Restriction feature of O365 used to restrict the domains a user can sign in to by adding headers to outbound HTTPS requests is available in web policies. This enables Microsoft Azure AD to enforce restrictions, typically used to restrict personal accounts from accessing O365 from Sophos Firewall protected networks.
X-Forwarded-For Header configured in web policies allows the source IP address to be passed upstream to load-balancers or proxies.

VPN

User experience

The VPN menu and user interface have been reorganized to make it more intuitive:

Remote access and site-to-site VPN are individual left menu items.
IPsec, SSL, and L2TP are top menu items with links on the pages to IPsec profiles, client download, and logs for easy access to the corresponding settings.
IPsec policies have been renamed IPsec profiles. It's now under System > Profiles.
The new assistant for remote access SSL VPN streamlines and enables easy configuration.
Clientless policies, bookmarks, and bookmark groups have been consolidated under Clientless SSL VPN policy.
Amazon VPC is available on site-to-site VPN for the easy setup of Amazon Web Services VPC tunnels with the option to import the VPC configuration file or AWS security credentials.

Feature enhancements

Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:

Added the ability to configure custom rekey time to prevent MFA prompts every four hours.
Added the option to increase idle time-out from 10 minutes to 6 hours.

Route-Based VPN (RBVPN)

Added support for static multicast routes.
You can specify traffic selectors for route-based VPNs with automatic configuration of the XFRM interface and route management for the selected hosts. Only traffic matching the configured pairs of local and remote addresses enters the tunnel.

GCM and Suite-B cipher suite support for IPsec

AES-GCM for IPsec significantly improves IPsec VPN performance.

SSL VPN

Upgraded OpenVPN and OpenSSL.
Default TLS 1.3 support on SSL VPN tunnels.
AES-NI path-enabled.
GCM encryption support.
Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.

VPN logging

VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.

AWS VPC

The new feature enables you to connect your on-premise firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.

Other enhancements

DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.
Global IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn IPS on or off. The switch is automatically set when you migrate to 19.0 based on your previous configuration. For example, if you've been using IPS, it's set to On.
Multi-factor authentication: Added the option to require MFA with a one-time password to sign in to the web admin console for the default admin account. This improves security, workflow, and usability.
Authentication: Improved authentication performance that eases high-load situations with thousands of users.
Synchronized Security: An update to Lateral Movement Protection to guard against the use of spoofed MAC addresses that disrupt legitimate traffic.
Zero-day protection: An additional data center location for cloud-based machine learning file analysis is available for the Asia-Pacific region in Sydney, Australia. This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
Anti-spam engine: Email protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine for anti-spam scanning. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
Log suppression: Repetitive firewall logs within a module are shown in a single event with a count of the repetition. This improves troubleshooting and optimizes logging scalability and storage efficiency.

User experience

Device and management identity: The device hostname is now shown in the browser tab and the active user ID in the upper right corner of the web admin console. This makes managing multiple firewalls and administrator accounts easier.
Search functionality:
- Global search: A new intelligent search box with auto-completion shows up above the main menu and allows you to find any page or feature in the firewall.
- Object search: You can search for a network object or service for inclusion in rules and policies. It includes a free-text search option that allows you to search by label or value, enhancing the user experience.
Flow monitor: Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.

Version 18.5

For information about the previous version, see 18.5 release notes.

Resolved issues

Version 19.0 GA Build 317

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-89079	CM	fwcm-eventd agent isn't listening to the IP address availability event.
NC-87798	WAF	Upgraded Apache to 2.4.53+.
NC-87665	API Framework, UI Framework	Fixed pre-auth RCE (CVE-2022-1040).
NC-87165	Core Utils	Fixed OpenSSL DoS vulnerability (CVE-2022-0778).
NC-85549	Wireless	SFOS becomes unresponsive after a restart if time-based SSID is configured.
NC-85412	PPPoE	Two PPPoE links with different passwords in 18.5 MR2.
NC-85339	Security	Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268).
NC-84951	Network Utils	Fixed Diagnostics > Tools > Route lookup.
NC-84281	Authentication	Status column isn't visible on Authentication > Users.
NC-84218	Web	Can't turn on OTP for admin user whose user ID isn't 3.
NC-84158	Web	Sophos Central signing admin out of the firewall console when they click Add user.
NC-84101	UI Framework	Corrected a typo in Spanish on the Control center.
NC-83662	Web	Updated the number of administrator accounts unprotected by MFA shown in the alert on Authentication > Users.
NC-83584	WebInSnort	IPS segfault in libnsg_tcphold_preproc disconnecting live users after a limit.
NC-83581	Gateway Management	Corrected the typo in CLI command to session-persistence.
NC-83470	Firewall, VFP-Firewall	Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test.
NC-83430	RED	RED causing massive network traffic after upgrading to SF 18.0 MR6 or SF 18.5 MR2.
NC-83392	CM (Join to Cloud)	Backup isn't generated when the backup name contains [].
NC-83366	SDWAN Routing	Unable to turn off captcha for VPN zone for route-based VPN with SD-WAN routing.
NC-83347	Email, FQDN	Unable to add lx63.hoststar.hosting to email server under notification settings.
NC-83177	IPS Ruleset Management	Unable to turn IPS switch on or off in 18.5 MR2.
NC-83065	IPsec	Ping: sendto: operation not permitted when upgraded from 18.0 MR3 to later firmware on directly connected network.
NC-82566	Firewall	Kernel crash after update to 18.5 MR2.
NC-82332	Firewall	Kernel panic because kernel NULL pointer ip_route_me_harder wasn't handled.
NC-82215	Firewall	Device freeze issue.
NC-81974	IPS-DAQ	Snort soft lockup and device restart.
NC-81956	WebInSnort	HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold.
NC-81768	Backup-Restore	Couldn't restore backup because of duplicated key.
NC-81517	Firewall	Policy test for firewall not showing correct results.
NC-81069	Email	Import fails for the entity MtaBlockedSenders.
NC-80660	DHCP	DHCP IP lease issue.
NC-79468	Authentication	Outdated users shown in Live Users.
NC-79417	Web	SSL/TLS rules can't be seen on the web admin console.
NC-78563	WAF	WAF not redirecting page to proper domain when there are multiple domains listed in the WAF rule.
NC-74847	Web	Snort crashing with a segfault due to a blank conf file.
NC-74228	Email	Can't show quarantine due to \x1E? in the subject.
NC-73975	Firewall	FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2.
NC-71761	Security	Resolved multiple XSS vulnerabilities (CVE-2021-25267).
NC-71379	Email	MTA doesn't provide the full certificate chain.
NC-69997	Email	Notification test mail has wrong encoded subject when web admin console's language is set to Traditional Chinese or Simplified Chinese.
NC-66163	Email	Report received with garbled characters.
NC-51929	DDNS	DDNS doesn't apply to some generic top-level domains.

Known issues

Known issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description	Workaround
NC-87676	WAF	WAF may stop working after a backup is restored for firewalls that first started with a version earlier than 18.0 GA and are currently running a version later than 18.0 GA.	If WAF does't start and reverseproxy.log shows the following message, contact Sophos Support: Invalid encrypted key
NC-85454	PPPoE	When more than one PPPoE link is configured on SFOS, and you upgrade the firmware to 18.5.MR2 build #380, passwords of the PPPoE links are lost for all but any one PPPoE link. So, only one PPPoE link remains functional after migration. The other links don't connect because of authentication failure.	Edit the PPPoE interface configuration, update the password, and save the configuration.
NC-85343	Network utils	Unable to update interface name using the following terms: "port", "eth", or "ge".	The names of physical and virtual interfaces, wireless networks, and IP tunnels can't start with system-reserved names, such as port, eth, ge, and xfrm, except when the Name is the same as the Hardware name.
NC-85313	API framework	No status code in API response.	You must use one of the tags <Set>, <Get>, or <Remove>, after the <Login> tag.
NC-85063	WAF	WAF does not permit file uploads larger than 1 MB in OWA.	Contact Sophos Support.
NC-84972	Web	When you use the web proxy, files that undergo anti-virus scanning are stored in /tmp. If web caching is turned on (Web > General settings > Enable web content cache) the /tmp directory may run out of space. To determine if the issue affects the firewall, enter the following command: df -h /tmp If the availble space shows 0 MB, enter the following command: du -c /tmp/0x1* Non-zero length files can take up a significant portion of the partition. Large numbers of files that are of zero length don't cause the issue.	Do one of the following: Go to Web > General settings, and clear the check box "Enable web content". This option is turned off by default. Restart the firewall.
NC-84550	Reporting	Local reports on Sophos Firewall differ from CFR reports. If the number of bytes transferred exceeds 32 bits, log viewer shows the truncated value.	Will be resolved shortly.
NC-84517	Firewall	Firewall rule isn't applied to terminal server traffic from Server Protection SATC.	The firewall must join the EAP for New Server Protection features and confirm the machine is added to EAP. See details.
NC-84171	L2TP	Multiple clients behind NATed device cause traffic issues. When these try to connect to Sophos Firewall, tunnels are established. However, ping from the first client drops after a few seconds. There's no ping from a client when the other client's ping works.	Will be resolved shortly.
NC-84054	SecuirtyHeartBeat	Configuration migration fails due to invalid byte sequence. Backup isn't restored if there's an error with the database tblappstoeps since it may contain an invalid byte sequence for encoding "UTF8".	Contact Sophos Support.
NC-83527	SecurityHeartbeat	Unable to register Firewall with Sophos Central account because Amazon certificate isn't present in /conf/.	To check if an Amazon certificate is present, enter the following command openssl crl2pkcs7 -nocrl -certfile /conf/certificate/internalcas/cloud-ca.crt \| openssl pkcs7 -print_certs -text -noout \| grep Issuer If Amazon CA isn't present, do as follows: mount -o rw,remount / cp ""/conf/certificate/internalcas/cloud-ca.crt"" ""/conf/certificate/internalcas/cloud-ca.crt.org"" cp ""/_conf/certificate/internalcas/cloud-ca.crt"" ""/conf/certificate/internalcas/cloud-ca.crt"" mount -o remount,ro / These steps don't require downtime.
NC-83108	Config Migration Framework	Upgrading from 18.0.MR6 to 18.5.MR1 results in a factory reset.	Downgrade to the previous firmware and then upgrade to 18.5.MR2. Alternatively, you can upgrade to 18.5.GA and then to 18.5.MR1.
NC-82331	Security Heartbeat	From 18.5 MR2, Sophos Firewall encrypts certificate keys. So, when you upgrade to this version, the firewall refreshes the certificate used by synchronized endpoints to send a Security Heartbeat. If DNS resolution to sophos.com fails, the endpoints may not get the new certificate from Sophos Central, and the heartbeat fails.	Do as follows: Make sure the endpoints have network connectivity during the upgrade. They can then fetch the new certificate from Sophos Central. If the endpoints are blocked from getting DNS resolution for sophos.com to download the new certificate, go to the corresponding firewall rule and temporarily clear the checkbox "Block clients with no heartbeat".
NC-81520	Hotspot	Password isn't printed on the hotspot voucher for bridge to AP LAN and bridge to AP VLAN.	Use a wireless network with Client traffic set to Separate zone instead. Do as follows: Go to Wireless > Wireless networks. Select the network you want and set Client traffic to Separate zone. Go to Hotspots and select the hotspot you want. Set Interfaces to this wireless network.
NC-81039	Licensing	SFOS gets stuck after a restart. On the hardware, hyperthreading was turned on, stopping the kernel from starting. It only happens when SFOS RAM/CPU are lower than that purchased in the license and hyperthreading is turned on on Dell hardware.	Turn off hyperthreading on the server.
NC-78544	Certificates	Unable to upload certificate authorities for firewalls with an imported configuration using the migration assistant.	Regenerate the client authentication CA and certificate file.
NC-76186	Hardware-XG Series	4X10G Flexiport module with the Intel 700 series NVM data and driver isn't recognized.	Known behavior
NC-73174	Logging framework	Log viewer shows the DDNS events for success and failure twice.	Known behavior
NC-71401	Central Management	Unable to register XG Series firewalls with Central Manager using email addresses with more than 50 characters.	Enter an email address with fewer than 50 characters.
NC-70369	Dynamic routing (OSPF)	Auto-interface cost calculation doesn't work for OSPF.	Go to Routing > OSPF > Override interface configuration. Click Select interface, clear the check box for Interface Cost and enter the cost.
NC-69633	Email	Wildcard SMTP exceptions for FQDN hosts appear on the exceptions list. However, when editing the exception, they aren't visible.	Will be resolved shortly.
NC-69491	Authentication	Unable to access the web admin console after an auto-restart. When a high number of RADIUS SSO users sign in simultaneously and the firewall restarts, sometimes the web admin console isn't available after the restart. However, LAN users can connect, and you can access the firewall through SSH.	Known behavior
NC-69439	Web	For the internet scheme web policy in devices migrating from CROS to SFOS, Policy tester doesn't show the web filter ID.	Known behavior
NC-69088	Web	Unable to create Secure Storage Master Key on HA devices.	Take a backup and then reset the XG Firewall device to factory configuration. Restore the backup. Rejoin HA. If you don't want to reset to factory configuration, enter the following advanced shell commands: /bin/nsgenc reset -f /bin/nsgenc init reboot /bin/nsgenc status; echo $? If the result is 1, restore the backup. Upgrade to 18.0 MR4 or later version. Rejoin HA. If the result is 0, contact Sophos Support.
NC-68438	Web	Web policy rule doesn't support users with the character "/" in the name.	Known behavior
NC-67790	DHCP	DHCP doesn't assign multiple IP addresses to the same MAC address. Example: For the captive portal to work over a bridged interface with a VLAN, the access point creates a virtual interface and needs an IP address from the VLAN. When the captive portal asks for an IP address over VLAN, the discover request comes with the interface's MAC address. If one scope is set to static and the other to dynamic, the IP assignment doesn't work.	Set both the DHCP scopes to dynamic or static.
NC-67688	HA	For 18.0 MR1, when the backup contained redundant information, it increased the backup size. If a larger backup is taken and restored, the /conf may be larger than expected.	Run the following commands on the advanced shell: rm -rf /conf/httpclient/httpclient rm -rf /conf/iview_images/iview_images/ Take a backup again.
NC-65961	Web	Log viewer for Firewall and Web filter shows Allowed for all port 80/443 traffic from WAN to WAN and LAN zones, although users initiating traffic from the WAN zone are shown a block page.	Known behavior
NC-65625	SSL VPN	OpenSSL limits the CN (Common Name) to 64. OpenVPN limits the CN to 63 + 1 (null character). This limits the <username>@<domain name> length to 51 characters since a 12-character random string is added to the CN.	Only use up to 51 characters for <username>@<domain name>.
NC-63913	IPS policy	When XG Series firewall is in FETCH mode in SFM, and users change the Advanced threat setting using the template, the SFM event log shows a failure message.	Known behavior
NC-63535	Email	Modifications aren't allowed to the block email senders list. On Email > General settings > Block senders, when users add a domain or email address, the error "Request could not be completed" appears, and the domain or email address isn't added.	Remove any of the domains or email addresses from the block senders list and add them again.
NC-62786	VFP-Firewall	Turning firewall-acceleration on or off bounces the ports.	Will be resolved shortly.
NC-60401	Central Management	When you downgrade the firmware or reset a firewall registered with Sophos Central (and services accepted on Sophos Central), the firewall loses its central registration information. When it's registered again, and Central management is turned on, endpoints already known to Sophos Central and the Central Management API consider this a bad request since Central services have already been approved.	Deregister the firewall. For HA devices, deregister both firewalls from Sophos Central. Sign in to Sophos Central., go to Firewall management and click Remove from Central for the firewall. Alternatively, run the following command on the advanced shell: /bin/central-register --register -u <email_of_central_account> -p <password_of_central_account> -s <serialnumber_of_firewall> Once the registration passes, you can deregister the firewall from the Sophos Central console.
NC-60381	Firewall	When heartbeat is set to block endpoints with a red status in the firewall rule configured for a bridge interface, and the firewall blocks the MAC address, it also blocks DHCP requests from the endpoints.	Create a firewall rule with Rule position set to Top and Services set to DHCP. Don't specify the Synchronized Security Heartbeat settings.
NC-60294	Authentication	Users aren't removed immediately from the Live user list when they sign out using the Sophos Network Agent (iOS or Android), although the app disconnects immediately.	Enter the following commands through the advanced shell: echo 0 > /content/caaios echo 0 > /content/caaand restart access_server
NC-59839	Firewall	Email logs for bounced emails may show IP addresses that aren't configured as the source address. Log entries are generated for connection table entries rather than from routing. For conntrack creation, the firewall uses any gateway IP address as the original source address (example: Port4: 10.24.255.254). When routing is done on layer 3, the decision may be to route that connection through Port2, but the original source isn't changed.	Known behavior
NC-59800	Firewall	Creating new firewall rules above the automatic SMTP rule (Email MTA mode) may result in a mail queue on the firewall. The firewall then accepts SMTP traffic but can't deliver the emails to the next hop. Mail queue and time-out errors appear on the /log/smtpd_main.log This can happen with manually configured firewall rules that include SMTP service and automatically created firewall rules (example: with VPN connections).	Place manually created firewall rules for SMTP and automatically created rules below the automatic MTA rule. If mails are already in queue on the firewall, before you reposition the firewall rules, contact Sophos Support for help in using the following script to correct the issue: /scripts/mail/replace_firewall_id.pl.
NC-58684	Firmware management	Upgrade from 17.5.x to 18.0 and later takes about 50 minutes. This is due to the additional checks for file system correction, which take longer based on the hard disk size and status.	Known behavior
NC-55423	Network services (deprecated)	Difference in data transfer traffic usage between WAN link manager and WAN zone report.	For more information, see Difference between WAN link manager and WAN zone report.
NC-55068	Hardware	XG 115 Rev.3 models show no HDMI output unless a monitor is connected before the device starts.	Known behavior
NC-54697	IPS Policy	The show ips-settings command shows only eight firewall rules even when more are configured. The related database entry contains all the firewall rules.	Will be resolved shortly.
NC-54667	Authentication	Sophos Firewall supports up to 3042 simultaneous Corporate Authentication Agent (CAA) connections. When the number of users exceeds the limit, the message "Failed to establish connection! Too many open files" appears in the access server log file. The limit is only for users using CAA. Live user count for other authentication mechanisms aren't part of this limit.	Known behavior
NC-53886	Hardware-SG and XG Series	40Gbit QSFP+ Flexiport module isn't recognized on SG/XG 430/450 firewalls.	Known behavior
NC-53094	RED	WAN gateway becomes active, causing RED site-to-site tunnels to flap. When you configure multiple WAN gateways, actions that result in the backup gateway or the unused gateway for the RED tunnel to reconnect, cause all RED tunnels to reconnect.	Known behavior
NC-52129	Email	Avira is unable to scan encrypted split files.	Use the Sophos antivirus engine.
NC-51322	Email	Chinese characters in the mail subject don't appear correctly within the quarantine digest email.	Change the encoding used in the end user's mail client to UTF-8.
NC-48871	L2TP	Username with the special character "\" isn't authenticated when signing in with the domain through L2TP.	Will be resolved shortly.
NC-47523	Reporting	Auxiliary HA device sends reports about its own scheduled report.	Known behavior
NC-47092	Firewall	SSH session to a target behind an SFOS firewall appears with delay in the log viewer.	Known behavior
NC-46108	DHCP	DHCP relay configured on an interface with a DHCP server configuration doesn't function.	Expected behavior
NC-44003	SNMP	SNMP query for supportSubStatus and appExpiryDate returns unexpected values.	Known behavior
NC-43721	Hardware	Half-duplex isn't working on the upper four ports of XG 125 and XG 135 Rev.3	Use ports 5, 6, 7, or 8 with half-duplex.
NC-43682	Email	Mail queue is delayed or fails after update to 17.5. A manual change to disable_offline_relate is lost during firmware upgrade. Before the upgrade, if you've changed the /static/proxy/smtp/scanner.conf file to set the disable_offline_relate setting to No, the change is lost during firmware update.	After the firmware upgrade is complete, edit the /static/proxy/smtp/scanner.conf file, and update disable_offline_relate.
NC-43145	Hardware	HA pair becomes unstable if you use the shared port as the dedicated link on XG 106	Don't use the shared port (Port 4) for the HA dedicated link.
NC-42570	WAF, Web	When LAN users want to access a web server deployed in the LAN zone and protected by a WAF rule, these requests don't work. Requests from the LAN zone reach the web server directly without passing the firewall.	WAF rules control traffic for sites hosted on the WAN interface. For internal servers, configure the DNS server to resolve the domain to the backend server directly. Alternatively, to host the site in the LAN zone through WAF, you need a second WAF rule that listens on the internal interface with a different, internal-only domain.
NC-42364	Networking (deprecated)	IPsec route precedence isn't applied. When system route_precedence is configured to give VPN routes higher priority than static routes, the firewall doesn't send the traffic through the IPsec tunnel. Instead, it routes the traffic through a matching static route. This occurs if a static or local route exists, directing the traffic to a non-WAN zone. The route precedence command only applies to traffic destined for the WAN zone.	Manually create an IPsec route for the remote subnet. Example: console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname <tunnelname> Then press Tab twice to see the list of available tunnels.
NC-42227	Authentication clients	Currently, Sophos Firewall devices don't support SATC (Sophos Authentication for Thin Client) with Edge browser.	Known behavior
NC-42226	SSL VPN	Locally-signed certificates aren't supported as server certificates in SSL VPN.	Only certificates signed by the local CA are supported. Example: ApplianceCertificate.
NC-38227	RED	Can't turn on RED functionality with DHCP from Network > DHCP.	Go to Interfaces > RED for the RED device. Under RED network settings, turn on DHCP.
NC-35231	ATP framework	Limit of 128 characters to add a threat exception.	Known behavior
NC-35230	Wireless	Can assign only 8 SSIDs or networks to an access point.	Known behavior
NC-33997	Authentication	SSO client installation doesn't work with RDP sessions.	Known behavior
NC-33500	Web	Unable to get the file scanned by Sandstorm. The captive portal shows a cannot reach page. This happens when there's an Any to Any firewall rule with Action set to Drop.	Select a LAN or WAN zone instead of Any zone for the firewall rule with Action set to Drop.
NC-30324	Firewall	Internal hosts can't ping remote access SSL VPN.	Give priority to static routes because SSL VPN routes are static routes. VPN routes represent IPsec routes.
NC-29938	Networking (deprecated)	Static routes won't apply to the system for connected networks, such as RED tunnels. So, you can't use them for route failover for these networks.	Use SD-WAN routes for route failover.
NC-29517	Date and time zone	Time zone is different on the web admin and CLI consoles.	Copy the content from /etc/zoneinfo/<timezone> to /conf/TZ. Then restart the firewall.
NC-27906	Email	In legacy mode, when you turn on greylisting on the server, emails are rejected because legacy Mode doesn't support retrying of emails. Failed emails are rejected with the following log message: 451 Temporary local problem, please try again!	For more information, see How to work around the issue when legacy mode doesn't support email retry.
NC-27452	WAF	No support for Microsoft RDG protocol suite.	WAF only supports RPC_IN_DATA and RPC_OUT_DATA. These are the only types supported when Pass Outlook Anywhere is turned on.
NC-26865	Wireless	Link/Activity LED glows on Port3 and Port4 even when the ports are disabed in XG 85(w), XG 125(w), and XG 135(w).	Known behavior
NC-25733	IPsec	Can't see custom IPsec profiles that use a preshared key with aggressive mode after upgrading to 17.0 MR1 although the profile is in use in an IPsec connection.	The firewall doesn't support preshared keys in aggressive mode. It only supports aggressive mode with RSA key and digital certificate.
NC-22697	Web	Citrix-based web application isn't working with Allow all web policy. In transparent mode, Citrix clients aren't aware that there's an HTTP or HTTPS proxy in the middle. So, they start using a proprietary protocol (not HTTP or HTTPS) using the HTTP and HTTPS ports. The proxy doesn't understand this and waits for a client request while the Citrix client waits for the server to respond. So, launching a .ica file with Citrix web or application fails.	You need to punch a hole in the firewall. Do as follows: For traffic from the LAN zone to the destination IP addresses of your URL in the WAN zone to launch the .ica file, create a LAN to WAN firewall rule with web policy set to None. Then create a firewall rule with web policy set to Allow all from LAN to WAN.
NC-22372	Email	Missing prefix subject with IMAP and many email clients. With IMAP, some mail clients download only the root headers from the server. They download the complete email only when users click the email subject. Sophos Firewall doesn't scan headers for spam since headers don't have enough information to detect spam. The IMAP proxy scans emails for spam only when the mail client downloads the complete email. The firewall then scans and adds a prefix to the subject for spam. So, the spam prefix doesn't appear in the email client's folder view.	Known behavior
NC-22206	Clientless access (HTTP and HTTPS)	Bookmarks of websites that require NTLM authentication don't work with clientless authentication.	Sophos Firewall doesn't support NTLM authentication with clientless web access.
NC-19628	Authentication	Sophos Firewall doesn't support browsing on IE11 in protective mode with SATC authentication.	Known behavior
NC-19479	Clientless access (HTTP and HTTPS)	Can't access websites that require the destination domain in the URL host through clientless access. Example: CNN.com.	Known behavior
NC-19478	Clientless access (HTTP and HTTPS)	Can't access websites with UTF-16 characters in the URL using bookmarks. Clientless access needs HTML links to be rewritten within the response document to ensure that links work for users outside the proxy. The firewall doesn't rewrite URLs with UTF-16 encoded special characters. So, these sites won't open through clientless access. Example: http:\u002f\u002fportal.example.com	Known behavior
NC-19476	Clientless access (HTTP and HTTPS)	Can't access web servers containing JavaScript-based dynamically generated URLs through HTTP and HTTPS bookmarks.	Known behavior
NC-18385	WAF	After successful form-based authentication, users are redirected to the defined path in the corresponding site path routing profile rather than to the original requested path.	Known behavior
NC-17808	Email	Wrong decoding if a policy with Change prefix subject is configured with umlaut characters.	Known behavior
NC-17457	Networking (deprecated)	Username for PPPoE interfaces is limited to 50 characters.	Insert a dummy username using less than 50 characters on the web admin console for the PPPoE interface. Go to the advanced shell and enter the following: psql -U nobody -d corporate Go to the corporate DB and enter the following: corporate> update tblpppoeconf set "user"='john.doe@example.com' Now disconnect the PPPoE connection and reconnect to bring the changes into effect.
NC-16462	Reporting	When generating a custom report, only the results appearing on the current page are exported to HTML, PDF, and CSV formats. The full list isn't exported.	Known behavior
NC-14880	Web	Safe search is enforced on all the policies without exception.	Known behavior
NC-13946	Authentication	STAS users with special characters (',/") in the name don't appear.	Sophos Firewall doesn't support usernames with these special characters.
NC-13934	Reporting	Auxiliary device sends only a few configured scheduled reports.	If reports don't contain data in auxiliary devices, report notifications aren't sent.
NC-13659	Security Heartbeat	Host information for blocked sources is shown on ATP flipside but isn't updated.	Manually reopen the flipside to see the change in host status. Example: Green, red, missing
NC-13639	Captive portal	Local users with names containing umlaut characters (example: ööööööö) can't sign in. They can sign in through AD and STAS. Unable to create local users with special characters (UTF-8). Existing AD users with such names can't sign in.	Known behavior
NC-13637	Routing (deprecated)	Route precedence isn't followed for policy-based routing in RED site-to-site tunnels.	Known behavior
NC-13636	VPN (deprecated)	Can't create L2TP connection with preshared key for mobile phones.	Known behavior
NC-13632	RED	Unable to do offline provisioning of RED 50 device using USB device.	Do online provisioning centrally. REDs are then upgraded to the latest firmware. You can then perform offline provisioning.
NC-13618	Clientless access (HTTP and HTTPS)	Unable to access the web admin console of a firewall by using bookmarks from the same firewall.	Known behavior
NC-13598	Firewall	10G SFP+ network cards on software appliances aren't recognized.	Known behavior
NC-9641	WAF	Outlook Anywhere doesn't work when Common threat filter is turned on in the web server protection policy.	RPC (Remote Procedural Call) doesn't work when Common threat filter is on. CTF checks the validity of HTTP requests and responses and compliance with HTTP standards and common practices. MS_RPC, the protocol underlying some of MS Outlook’s Anywhere feature doesn't meet all these rules and common practices. Turn off Common threat filter in the web server protection policy.
NC-9132	WAF	Websockets aren't supported for WAF.	Known behavior
NC-9124	Firewall	STAS isn't working when AD servers are only reachable on WAN.	Known behavior
NC-9106	Framework part of base (deprecated)	Mail notification isn't working with Microsoft Office365.	Sophos Firewall supports STARTTLS and SSL/TLS to encrypt emails. However, for SMTP, it only supports PLAIN authentication, which Office 365 doesn't support. Configure an intermediate relay to workaround this behavior.
NC-9102	Hotspot	Custom logo doesn't appear on the hotspot sign-in page if the hotspot name contains whitespace.	Don't use white spaces in hotspot names.
NC-9063	Firewall	Unable to create a hotspot through SFM with an HTML filename that has a space.	Don't use spaces in filenames.
NC-8891	VPN	CHAP and CHAPV2 in L2TP and PPTP VPN with AD configuration isn't working.	Use PAP as authentication method.
NC-8888	VPN (deprecated)	IPsec (site-to-site) between SFOS and SonicWall isn't working in aggressive mode.	Use main mode.

Upgrading firmware and restoring backups

Upgrading firmware

19.0 GA is available on all form factors.

Warning We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

Upgrading firmware
Upgrade from	Upgrade to 19.0
	GA Build 317 (all form factors)
18.5 GA to MR3
18.0 MR3 and later
17.5 MR14 and later

You can downgrade only to compatible versions. You can't downgrade from 19.0 and later to 17.5 and earlier. However, you can roll back to any previous version.

Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.

Restoring backups

You can restore backups from any earlier version to version 19.0 GA.

You can restore backups with or without FIPS turned on to any compatible Sophos Firewall version. See details.

To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.

Supported platforms

Version 19.0 GA

Sophos Firewall OS version 19.0 GA is available on all form factors as follows:

XGS Series firewalls
XG Series firewalls
SG Series firewalls
Virtual and software appliances
Cloud platforms

For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.

Minimum RAM

19.0 GA requires a minimum of 4 GB RAM. So, you can't upgrade the following models to 19.0 GA:

XG 85, XG 85w, XG 105, and XG 105w
SG 105, SG 105w

Supported firmware versions

19.0 GA supports the following firmware versions:

Wi-Fi firmware 11.0.019 and earlier
RED firmware 3.0.007 and earlier

Support

You can find technical support for Sophos products in the following ways:

Visit the Sophos Community and search for other users who are experiencing the same problem.
Visit Sophos Support.
Find how-to, configuration, and troubleshooting videos on the Sophos Techvids video hub.

Legal notices

Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Sophos Firewall

Version 19.0 GA Build 317 Released on April 21, 2022

New features

SD-WAN profiles

Xstream FastPath acceleration

Web

VPN

Other enhancements

User experience

Version 18.5

Resolved issues

Version 19.0 GA Build 317

Known issues

Upgrading firmware and restoring backups

Upgrading firmware

Restoring backups

Supported platforms

Version 19.0 GA

Minimum RAM

Supported firmware versions

Support

Legal notices

Version 19.0 GA Build 317
Released on April 21, 2022