This maintenance release resolves some issues. To see these, click the Resolved issues tab.
For other details, see the Sophos Firewall help.
These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).
This page describes the new features introduced. For details, see the Sophos Firewall help.
SSL VPN: Introduced static IP address lease for remote access SSL VPN users on the firewall and from an external RADIUS server. Sophos Firewall now maps remote access SSL VPN users to static IP addresses, which improves user monitoring and visibility and makes it easier to trace users.
IPsec VPN:
Supports multiple DHCP servers for RED interfaces.
Sophos Firewall offers three free firmware upgrades. A valid support subscription is mandatory for firmware upgrades after the three free upgrades. Free upgrades don't include trial licenses, home use licenses, and firmware upgrades from the installation wizard. See the Sophos Firewall help.
Added rule-ID and index column to the SD-WAN profile list for easier troubleshooting.
Improved firewall management experience from Sophos Central in environments with thousands of endpoint certificates, which are used for Synchronized Security Heartbeat. You can download a maximum of 10,000 certificates at a time. The limit also applies to endpoint certificate download during registration.
The version includes the following enhancements:
Malware engine: Upgrade of malware scan engines and associated components to a full 64-bit operation to ensure optimum performance and future support.
Sophos Assistant: Added the option to opt out of Sophos Assistant on the web admin console.
Email: Added the capability to report spam emails as false positives on the quarantine release page.
VPN orchestrated SD-WAN network is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.
We now offer Xstream SD-WAN on the firewall:
IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor's hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.
Xstream FastPath Acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, BlowFish, MD5) aren't offloaded. See FastPath acceleration.
User experience
The VPN menu and user interface have been reorganized to make it more intuitive:
Feature enhancements
Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:
Route-Based VPN (RBVPN)
GCM and Suite-B cipher suite support for IPsec
SSL VPN
Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.
This results in a behavior change that enforces only the default SSL VPN lease ranges for remote access SSL VPN connections. If you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule to allow remote access SSL VPN connections, traffic may not flow through the connections after you migrate to version 19.0.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.
VPN logging
VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.
AWS VPC
The new feature enables you to connect your on-premise firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.
Issue ID | Component | Description |
---|---|---|
NC-116519 | DDNS | DDNS logs appear every five minutes. |
NC-116312 | CM | Garner thread stuck in Central Management plugin. |
NC-114652 | Logging Framework | Files not sent to Sophos Central. |
NC-114586 | WAF | Unable to restore backup taken in Sophos Central. |
NC-114092 | Wireless | Wireless APX stopped working. No traffic flow for Wi-Fi clients after 19.5 GA upgrade. |
NC-109201 | Firewall | Device goes into failsafe mode after upgrading firmware to 19.0.1. Unable to apply firewall framework. |
NC-107708 | Firewall | Firewall automatically restarts. |
NC-102979 | Backup-Restore | Backup-restore doesn't take place from XG 310 to XG 230. |
Issue ID | Component | Description |
---|---|---|
NC-112368 | Core Utils IPsec | cacert is missing in .scx file. |
NC-111476 | FQDN | Subdomain learning isn't working in case of non-SFOS DNS server set for client. |
NC-111110 | SDWAN Routing | Import-export doesn't reflect changes in SD-WAN PBR profiles. |
NC-111023 | | Legacy email mode is crashing very frequently. |
NC-110927 | Authentication | Missing MFA enable and disable event logs. |
NC-110026 | XGS-BSP | HA cluster fails even after hardware replacement. |
NC-109626 | HA | Standalone device restarts. msync: too many open files. |
NC-109562 | WAF | Unable to modify or update the WAF protection policy after selecting it for WAF rule. |
NC-109245 | WAF | Can't skip CRS rules in application attacks group with exceptions. |
NC-108562 | Core Utils | Public key authentication for admin can't be managed through Sophos Central. |
NC-108536 | Firewall | Firewall rules stopped working after backup-restore due to failure in XML API while creating firewall rule. |
NC-108533 | API Framework, UI Framework | Need to hook frontend validations for multipart requests. |
NC-108354 | Wireless | LocalWiFi mac80211 vulnerabilities. |
NC-108318 | | Unable to click a few settings under Email > General settings after updating firmware to version 19. |
NC-108237 | | Spam emails are let through with the error "spam scanning failed". |
NC-108213 | API Framework, UI Framework | Post-auth code injection (CVE-2022-3696). |
NC-108211 | Interface Management | Multiple post-auth read-only SQLi vulnerabilities in InterfaceHelper.java (objStr). |
NC-108115 | Web | Custom category name stored XSS in URL category lookup. |
NC-108003 | NFP-Firewall | Memory utilization increases until the firewall stops responding. |
NC-107999 | IPS Ruleset Management | HA cluster configuration fails. |
NC-107982 | Authentication | Exposing password in setup wizard. |
NC-107975 | Logging Framework | Logging stopped on the device with an error showing that the database disk image is malformed. |
NC-107945 | Wireless | APX 530 becomes inactive after HA failover. |
NC-107943 | Firewall | XG 135 crashed and needed RCA to prevent the issue in future. |
NC-107603 | SDWAN Routing | Stored XSS in SD-WAN performance graphs. |
NC-107481 | Authentication | Log viewer isn't showing source IP field information for authenticated SSL VPN users. |
NC-107453 | WAF | WAF rules not working. |
NC-107327 | WAF | Upgrade ModSecurity and OWASP CRS to the latest version. |
NC-107325 | VFP-Firewall | Firewall becomes inaccessible. |
NC-107283 | | AwarrenSMTP service dead. |
NC-107239 | L2TP | Unable to connect to L2TP after upgrade. |
NC-107145 | Hotspot | For hotspot vouchers in the user portal, under Manage, the delete icon isn't intuitive. |
NC-106907 | Hotspot | WLAN voucher not showing correctly. |
NC-106834 | IPS-DAQ-NSE | Connection untrusted when browsing some sites. |
NC-106811 | | Unable to start anti-spam service. |
NC-106783 | | Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain. |
NC-106738 | Hotspot | Sort functionality doesn't work properly in the user portal for hotspot vouchers. |
NC-106608 | IPsec | Duplicate SAs being created. |
NC-106424 | API Framework, UI Framework | Pre-auth code injection (CVE-2022-3236). |
NC-104844 | Web | Zero-day protection report shows license warning incorrectly. |
NC-103733 | IPsec | BGP service keeps restarting, affecting the Amazon VPC connection. |
NC-103406 | Certificates | Migration fails from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365. |
NC-103037 | XGS BSP | Failsafe issue due to NPU failure. |
NC-102919 | Static Routing | Static routes lost at the backend after enabling QuickHA. |
NC-102771 | Authentication XFOS Migration | Users unable to authenticate through CAA. |
NC-102737 | SSLVPN | SSL VPN not working as sslvpn service is stuck in busy status. Site-to-site and remote access are affected. |
NC-102614 | Firewall | Bridge: Traffic not working with Fastpath for bridge with logical members after migrating to version 19. Traffic shouldn't get offloaded to Fastpath. |
NC-102558 | IPsec | The issue in NC-84750 still occurring on one site after installing the patch. |
NC-102436 | Firewall | Appliance access lost on backup-restore. Local ACL rules stopped working on backup-restore. |
NC-102308 | Firewall | Disabled load balancing NAT rules still sending out alerts for disabled NAT rule. |
NC-102257 | Firewall | Post-auth read-only SQLi through APIController (CVE-2022-3710). |
NC-101720 | XGS-BSP | Random SFP+ port flap. |
NC-101713 | Logging Framework | PG trigger entry should be present for login events even when on-box reporting is off. |
NC-101703 | CDB-CFR CM | Unable to open the web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall. |
NC-101326 | SSLVPN | OS command injection through SSL VPN configuration upload (CVE-2022-3226). |
NC-101300 | | Unable to send emails after upgrading to 18.5.4 due to failed malware scan. |
NC-101271 | Dynamic Routing (BGP) | BGP networks in SFOS web admin console show ASCII characters instead of expected networks for config-type cisco. |
NC-101046 | IPS-DAQ | Website doesn't work due to OCSP must-staple in Firefox browser. |
NC-101021 | Date/Time Zone | Time zone change allowed in Sophos Central on all HA devices. |
NC-100725 | XGS-BSP | NPU in failsafe mode after upgrading from 19.0 GA to 19.0 MR1. |
NC-100716 | FQDN | IPset sporadically not created for wildcard FQDN host. |
NC-100707 | IPsec | Wrong source IP address in IPsec routes. |
NC-100699 | IPsec | SMB transfer stops and doesn't recover with IPsec acceleration and policy-based VPN. |
NC-100623 | Hotspot | Hotspot voucher creation failed. |
NC-100418 | nSXLd | Internet down with error "nSXLd: Connection timeout while connecting to SXL server". |
NC-100334 | WAF | Virtual host not removed if firewall rule is turned off. |
NC-100325 | WAF | Update API JSON fields for encrypted WAF secrets. |
NC-100265 | Web | Expired certificates in certcache are used rather than generating new ones. |
NC-100250 | Gateway Management | RCA: Unable to change DGD settings for a specific WAN port. |
NC-100084 | Firewall | DNAT issue when multiple hosts are added. |
NC-99965 | Interface Management | SQL injections found in application. |
NC-99962 | Wireless | Adjacent code injection in Wi-Fi controller (CVE-2022-3713). |
NC-99801 | Interface Management | Unable to delete a LAG interface. |
NC-99604 | | SQLi in getSmtpQuarantineMailRecord. |
NC-99421 | | Mail issues on XG 430 (split from CPU 100%). |
NC-99247 | SSLVPN | Unable to download SSL VPN site-to-site server configuration. |
NC-99232 | Web | Changes to web proxy settings can't be saved when signed in with German language. |
NC-99152 | Logging Framework | Central reporting: Failed to initiate the mmap case when queue limit is reached with no Sophos Central connectivity. |
NC-98712 | Core Utils | XGS DT-2 r1: Containment plan to handle production issue causing 10+ sec factory reset feature doesn't work on these units. |
NC-98576 | IPS Ruleset Management | IPS pattern doesn't update. |
NC-98574 | SSLVPN | Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up. |
NC-98573 | Firewall | Country group stored XSS in DNAT rule in version 19 GA. |
NC-98300 | | High CPU utilization due to Exim. |
NC-98296 | | Attachments getting corrupted while using SPX. |
NC-98094 | nSXLd | Unable to categorize URLs and IP addresses using external URL database. |
NC-98089 | Firewall | Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA. |
NC-97883 | Firewall | Unable to upgrade firmware or perform backup-restore from 17.5.15 to 19.0 GA: Duplicate key value violates unique constraint "tblfirewallrule_unique_name". |
NC-97753 | IPS Engine IPS Policy | Unable to Upgrade to version 19 from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table. |
NC-97743 | AppFilter Policy | Unable to export application filter policy. |
NC-97711 | NFP-Firewall | nfnetmap_queue backing up, appliance may fail. |
NC-95926 | CDB-CFR Reporting | Reports aren't being generated. |
NC-95861 | Firewall | Country blocking through firewall rule isn't working. |
NC-95633 | IPsec | Unable to connect IPsec remote access due to invalid .scx file. |
NC-95603 | | Legacy email mode is crashing every 2 minutes. |
NC-95543 | | Mail logs page stuck in loading status. |
NC-95353 | Static Routing | Static route to RED disappears in XGS (HA) after a restart. |
NC-95351 | HA | HA failover isn't working due to auto-restart of auxiliary device. |
NC-95239 | IPsec | Different gateway entry in the IPsec configurations when using DDNS. |
NC-95197 | RED | Appliance auto-restarts frequently in a day or two. |
NC-94734 | IPsec | PPPoE isn't connecting after random disconnect event if XFRM interface is created on PPPoE. |
NC-94664 | Hotspot | Post-auth read-only SQLi in user portal (CVE-2022-3711). |
NC-94661 | SSLVPN | Android and iOS users can't import SSL VPN ovpn file. |
NC-94418 | Logging Framework (Central Reporting) | Reporting and logging to Sophos Central stops randomly. |
NC-94362 | | SPX stops working after unspecified period. |
NC-94128 | NFP-Firewall | Firewall stopped responding on specific port. |
NC-93847 | WAF | Stored XSS in WAF exception through IP host. |
NC-92598 | Authentication | Stored XSS in import group wizard (CVE-2022-3709). |
NC-92282 | HA | System services page gets stuck in loading. |
NC-90794 | Authentication | Unable to import groups containing an apostrophe in their name. |
NC-90247 | IPsec | IPsec VPN failback isn't working. |
NC-90151 | Authentication | Unable to authenticate with PUSH with Azure MFA. |
NC-88628 | RED | RED UDP packets are forwarded to the auxiliary device after HA switchover. |
NC-86937 | VFP-Firewall | Memory utilization increasing gradually. |
NC-85961 | Authentication | Guest user is created on secondary appliance but not on primary appliance sometimes. |
NC-85114 | Firmware Management | 'kworker' process continuously takes high CPU on XG 450. |
NC-84924 | Core Utils | Memory utilization increases to 90 percent or above in XGS 3100 due to appcached service. |
NC-84910 | Authentication | Authentication with STAS stopped working when the appliance restarted until the access_server restarted if AD is reachable through a static route. |
NC-84750 | IPsec | Auxiliary node sporadically receives IPsec packets. |
NC-81219 | CM | HA zero downtime upgrade isn't supported if the firmware upgrade is scheduled on Sophos Central. |
NC-79378 | Web | Uploading user-defined logo in user notification settings gives error. |
NC-77804 | Firewall | Netlink: 153776 bytes leftover after parsing attributes in process `ipsetelite'. |
NC-75655 | | Arbitrary file write creates a DoS and possibly RCE vector. |
NC-75654 | | Logical error in a global SQL escape function might enable injections. |
NC-74241 | CaptivePortal | Stored XSS through captive portal customization (CVE-2022-4238). |
NC-74120 | Spoofing | Traffic through bridge will be blocked as IP_Spoof if spoof protection is enabled for the involved zone. |
Issue ID | Component | Description |
---|---|---|
NC-100971 | IPsec | Migration from 19.0 GA to 19.0 MR1 fails. |
NC-100737, NC-94019 | Wireless | Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0, and outbound traffic may experience slowness. |
NC-100681 | IPS Engine | Increase in snort memory with ATP pattern updates. |
NC-100679 | CDB-CFR, Reporting | Conf partition usage increases for the primary HA device. |
NC-81131 | Reporting | Last access time isn't generated if a user's username has an XSS payload. |
NC-94337 | Reporting | Migration failure to 19.0 GA when SSL/TLS inspection's log retention period isn't set to the default value. |
NC-94291 | Firmware Management | Small var partition created for VM image using an auxiliary disk. |
NC-94253 | Licensing | Can't upload airgap license file. Error message: "Certification verification failed. Invalid license file." |
NC-93919 | SSL VPN | SecurityHeartbeat_over_VPN is removed from SSL VPN policy after updating SSL VPN global settings. |
NC-93720 | SecurityHeartbeat | Auxiliary device isn't synchronized with the primary HA device for delay-missing-heartbeat-detection. |
NC-93689 | Up2Date Client | Cosmetic issue with SASI pattern after firmware downgrade. |
NC-93380 | | Anti-spam doesn't work after an upgrade to SFOS 18.5 MR3. |
NC-92840 | | Email isn't received and shows the error message: smtp_check_forward_reply: response arrived without any command. |
NC-92745 | DNS | Appliance restarts with kdump: stack guard page was hit. |
NC-92131 | IPS-DAQ-NSE | Unable to upload a large file with SSL/TLS inspection enabled in do-not-decrypt mode. |
NC-91300 | XGS BSP | npu_version (among other things) missing from telemeter. Large number of missing entries. |
NC-91295 | Firewall | Zones tab shows up blank after deleting a zone listed on the second page. |
NC-90839 | RED | RED interface disappears during a change to the DHCP server configuration. |
NC-90702 | | SASI detection problems when too many hits are returned. |
NC-90684 | Wireless | Multiple APX 320s don't register with XG Firewall. They don't appear on the pending list. |
NC-90566 | NFP-Firewall | Traffic doesn't traverse XGS firewall under a specific configuration. |
NC-90203 | SD-WAN Routing | SD-WAN route policy update fails. |
NC-90024 | Firewall | Backup restore and firmware migration fails when multiple local ACL rules are configured. |
NC-89996 | Logging | Issue with redirection to IPS policy from log viewer. |
NC-89162 | Firewall | Auto restart 0010:queued_spin_lock_slowpath+0x148/0x170. |
NC-89076 | Firewall, VFP-Firewall | Unable to access the website www.radix.ad.jp on the environment tagged VLAN + DPI configured. |
NC-88903 | Localization | German menu is broken. |
NC-88483 | SSL VPN | OpenVPN deferred auth vulnerability (CVE-2022-0547). |
NC-88404 | IPsec | Tunnel doesn't come up automatically after a restart of a HA appliance. |
NC-88207 | Firmware Management | Firmware update fails when space is used in filename. |
NC-87659 | Wireless | Legacy AP roaming key decryption fails when fast transition is enabled. |
NC-87596 | SSL VPN | Site-to-site and remote access SSL VPN isn't working after backup is restored. |
NC-87240 | | Avira engine error with axpx files. |
NC-86819 | Firmware Management, Licensing | AWS instance stuck while starting it. |
NC-86690 | SD-WAN Routing | SD-WAN FTP proxy traffic isn't working with transparent proxy. |
NC-86652 | SD-WAN Routing | TFTP traffic doesn't follow SD-WAN routing. |
NC-86451 | IPS-DAQ-NSE | Unable to access web server through XG Firewall. SSL/TLS inspection error: Dropped due to TLS internal error. |
NC-86093 | Firewall | Duplicate firewall rule group. |
NC-85547 | CaptivePortal | Sign-in message and sign-out option don't appear with custom captive portal. |
NC-85423 | SNMP | Kernel crash on XG 125 with SNMP high memory consumption. |
NC-85383 | IPsec | Unable to connect remote access IPsec due to invalid .scx file. |
NC-85346 | | Smarthost authentication failed in server_plain authenticator: nsgenc decryption failed. |
NC-85151 | Authentication | Firewall moved to a group on Sophos Central gets added to the group but changes to "Error needs attention". |
NC-84604 | Wireless | Unable to restore backup from SG 230 to XGS 2300 due to access point database issue. |
NC-84231 | Core Utils | Receiving a duplicate copy of the same executive schedule reports. |
NC-84146 | WAF | Warning about Subject Alternative Name (SAN) not being part of the domain. |
NC-84142 | Backup-Restore | Unable to delete VLAN interface. |
NC-83734 | Firewall | Inbound emails are dropped randomly in HA load balancing with SMTP scanning enabled. |
NC-83469 | SSL VPN | Dashboard doesn't show the remote users. |
NC-83445 | IPsec | Constant IPsec VPN flapping. Pushed through Central SD-WAN orchestration. |
NC-83419 | | Inbound emails aren't delivered when SMTP scanning is enabled. |
NC-83405 | Core Utils | Inconsistency with Security Audit Reports (SAR). |
NC-83114 | Authentication | Web authentication doesn't work in HA mode when the auxiliary node is restarting. |
NC-82972 | CSC | Appliance in active-active HA mode stopped responding. |
NC-82225 | HA | Unable to establish HA correctly on fiber ports. |
NC-81944 | IPsec | WWAN isn't connecting after a random disconnect event if XFRM interface is created on WWAN. |
NC-81939 | Firewall | The firewall isn't reflecting daylight savings time correctly. |
NC-81430 | CM and UI Framework | User portal host injection reported. |
NC-81207 | IPsec | Web admin console shows an error while updating the configuration of any VPN tunnel. |
NC-81131 | Reporting | Last access time isn't generated when a user exists with the username having XSS payload. |
NC-80305 | Certificates | Though CA isn't available on the pfx file, CA upload opcode is called. |
NC-79359 | IPsec | Using AES256GMAC can show invalid configuration in IPsec profiles. |
NC-79319 | IPsec | Clarification required on the web admin console for remote access IPsec. |
NC-79128 | IPsec | Memory increase to 90 percent over 20-25 days. |
NC-76071 | RED | XGS-2100: Interface doesn't have any IP address when backup is restored. |
NRF-517 | RED | SD-RED 60: LAN switch VLAN configuration is lost after some time. |
NRF-509 | Firmware | AP doesn't register through the RED 15w tunnel. |
Issue ID | Component | Description |
---|---|---|
NC-89079 | CM | fwcm-eventd agent isn't listening to the IP address availability event. |
NC-87798 | WAF | Upgraded Apache to 2.4.53+. |
NC-87665 | API Framework, UI Framework | Fixed pre-auth RCE (CVE-2022-1040). |
NC-87165 | Core Utils | Fixed OpenSSL DoS vulnerability (CVE-2022-0778). |
NC-85549 | Wireless | SFOS becomes unresponsive after a restart if time-based SSID is configured. |
NC-85412 | PPPoE | Two PPPoE links with different passwords in 18.5 MR2. |
NC-85339 | Security | Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268). |
NC-84951 | Network Utils | Fixed Diagnostics > Tools > Route lookup. |
NC-84281 | Authentication | Status column isn't visible on Authentication > Users. |
NC-84218 | Web | Can't turn on OTP for admin user whose user ID isn't 3. |
NC-84158 | Web | Sophos Central signing admin out of the firewall console when they click Add user. |
NC-84101 | UI Framework | Corrected a typo in Spanish on the Control center. |
NC-83662 | Web | Updated the number of administrator accounts unprotected by MFA shown in the alert on Authentication > Users. |
NC-83584 | WebInSnort | IPS segfault in libnsg_tcphold_preproc disconnecting live users after a limit. |
NC-83581 | Gateway Management | Corrected the typo in CLI command to session-persistence. |
NC-83470 | Firewall, VFP-Firewall | Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test. |
NC-83430 | RED | RED causing massive network traffic after upgrading to SF 18.0 MR6 or SF 18.5 MR2. |
NC-83392 | CM (Join to Cloud) | Backup isn't generated when the backup name contains []. |
NC-83366 | SDWAN Routing | Unable to turn off captcha for VPN zone for route-based VPN with SD-WAN routing. |
NC-83347 | Email, FQDN | Unable to add lx63.hoststar.hosting to email server under notification settings. |
NC-83177 | IPS Ruleset Management | Unable to turn IPS switch on or off in 18.5 MR2. |
NC-83065 | IPsec | Ping: sendto: operation not permitted when upgraded from 18.0 MR3 to later firmware on directly connected network. |
NC-82566 | Firewall | Kernel crash after update to 18.5 MR2. |
NC-82332 | Firewall | Kernel panic because kernel NULL pointer ip_route_me_harder wasn't handled. |
NC-82215 | Firewall | Device freeze issue. |
NC-81974 | IPS-DAQ | Snort soft lockup and device restart. |
NC-81956 | WebInSnort | HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold. |
NC-81768 | Backup-Restore | Couldn't restore backup because of duplicated key. |
NC-81517 | Firewall | Policy test for firewall not showing correct results. |
NC-81069 | | Import fails for the entity MtaBlockedSenders. |
NC-80660 | DHCP | DHCP IP lease issue. |
NC-79468 | Authentication | Outdated users shown in Live Users. |
NC-79417 | Web | SSL/TLS rules can't be seen on the web admin console. |
NC-78563 | WAF | WAF not redirecting page to proper domain when there are multiple domains listed in the WAF rule. |
NC-74847 | Web | Snort crashing with a segfault due to a blank conf file. |
NC-74228 | | Can't show quarantine due to \x1E? in the subject. |
NC-73975 | Firewall | FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2. |
NC-71761 | Security | Resolved multiple XSS vulnerabilities (CVE-2021-25267). |
NC-71379 | | MTA doesn't provide the full certificate chain. |
NC-69997 | | Notification test mail has wrong encoded subject when web admin console's language is set to Traditional Chinese or Simplified Chinese. |
NC-66163 | | Report received with garbled characters. |
NC-51929 | DDNS | DDNS doesn't apply to some generic top-level domains. |
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
Information about 19.0.x is as follows:
Remote access SSL VPN IP lease range: After you upgrade from 18.5 and earlier to 19.0 and later versions, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.
We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
See how to upgrade.
Firewalls on 19.0 MR1 build 350 can migrate to 19.0 MR1 build 365.
Upgrade to 19.0 (all form factors):

Upgrade from | MR3 Build 517 | MR2 Build 472 | MR1 Build 365 | GA Build 317 |
---|---|---|---|---|
19.0 MR2 Build 472 | | | | |
19.0 MR1 Build 350 and 365 | | | | |
19.0 GA | | | | |
18.5 MR5 | | | | |
18.5 MR4 | | | | |
18.5 GA to MR3 | | | | |
18.0 MR3 and later | | | | |
17.5 MR14 and later | | | | |
Indicates the same version or an earlier version. The table only shows upgrade information.
You can downgrade only to compatible versions. You can't downgrade from 19.0 and later to 17.5 and earlier. However, you can roll back to any previous version.
Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.
Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to 19.0.x versions only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.0 doesn't support appliance certificates with this algorithm.)
You can restore backups from any earlier version to 19.0 GA and later versions.
To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.
Sophos Firewall OS 19.0.x versions are available on all form factors as follows:
For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.
19.0.x versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:
19.0.x versions support the following firmware versions:
You can find technical support for Sophos products in the following ways:
Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.