Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

Version 19.0 MR2 Build 472
Released on January 23, 2023

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

Bulk mail in MTA mode: Enhanced the spam catch rate with SASI. The firewall now offers bulk mail settings in MTA mode.
Xstream SD-WAN enhancements:
- You can configure 4 times the existing number of SD-WAN profiles, supporting scaled deployments.
- Improved gateway management. You can filter gateways based on their status, IP address, interface, and health check.
- Search SD-WAN profiles by their names on Diagnostics > SD-WAN performance.
SD-RED: Shows and emails the RED unlock code for deleted RED devices, enabling you to easily reinstall the RED appliances.
Zero-day protection: Intelix can now request submission of samples above the previous built-in limit of 10 MB.
IPsec VPN:
- Improved security heartbeat selection in remote access IPsec VPN.
- Support for turning off anti-replay protection in IPsec VPN for specific cases.

Version 19.0 MR1 Build 365
Released on August 16, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

VPN

SSL VPN: Introduced static IP address lease for remote access SSL VPN users on the firewall and from an external RADIUS server. Sophos Firewall now maps remote access SSL VPN users with static IP addresses, enhancing user monitoring and visibility and its ability to trace users.

IPsec VPN:

IKEv2 profiles: Added default IKEv2 profiles (Head office (IKEv2) and Branch office (IKEv2)) for site-to-site IPsec connections to deliver improved tunnels between the head office and branch offices. This eliminates the manual fine-tuning required for the existing default head office and branch office profiles, such as rekey interval, dead peer detection (DPD) selection, and key negotiation retries. This helps in eliminating rekey collisions and DPD-related issues.
Tunnel flapping: Changed the defaults to prevent non-TCP (example: VoIP, RDP, Skype, Zoom, UDP) connections from flapping when the IPsec tunnel is established or goes down. The new default settings are as follows:
- vpn conn-remove-tunnel-up: Disabled
- vpn conn-remove-on-failover: Enabled
The change only applies to new configurations and doesn't impact existing configurations after a firmware upgrade or migration.

RED

Supports multiple DHCP servers for RED interfaces.

Licensing

Sophos Firewall offers three free firmware upgrades. A valid support subscription is mandatory for firmware upgrades after the three free upgrades. Free upgrades don't include trial licenses, home use licenses, and firmware upgrades from the installation wizard. See the Sophos Firewall help.

SD-WAN

Added rule-ID and index column to the SD-WAN profile list for easier troubleshooting.

Synchronized Security

Improved firewall management experience from Sophos Central in environments with thousands of endpoint certificates, which are used for Synchronized Security Heartbeat. You can download a maximum of 10,000 certificates at a time. The limit also applies to endpoint certificate download during registration.

Enhancements

The version includes the following enhancements:

Malware engine: Upgrade of malware scan engines and associated components to a full 64-bit operation to ensure optimum performance and future support.

Avira: The vendor of the second malware scan engine, Avira, won't provide detection updates in the current 32-bit form after December 31, 2022.
- We recommend that customers using dual scan mode or Avira as the primary engine upgrade to 19.0 MR1 or 18.5 MR5 (future release) at the earliest. Avira has been upgraded to the latest 64-bit AVD engine on the firewall.
- If you can't upgrade, we recommend switching to just the Sophos engine for email and web malware scanning.
Sophos engine: Customers using only the Sophos engine aren't affected.

Sophos Assistant: Added the option to opt out of Sophos Assistant on the web admin console.

Email: Added the capability to report spam emails as false positives on the quarantine release page.

Version 19.0 GA Build 317
Released on April 21, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

See the video.

SD-WAN profiles

VPN orchestrated SD-WAN network is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.

We now offer Xstream SD-WAN on the firewall:

Xstream SD-WAN profiles support routing strategies for multiple WAN links, including VDSL, DSL, cable, LTE/cellular, and MPLS. You can configure more than two gateways and specify a routing strategy based on the first available link or performance criteria.
Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss. SLAs can be based on best performance or custom SLA values. You can use multiple probe targets to perform a health check.
Zero-impact rerouting maintains application sessions when link performance falls below the thresholds and transitions sessions to a better performing WAN link.
SD-WAN monitoring graphs on Diagnostics > SD-WAN performance provide real-time insights into latency, jitter, and packet loss for all WAN links. You can select the time. You can also click the status on SD-WAN profiles to go to diagnostics.
Logs contain SD-WAN routing information. A new SD-WAN log module allows you to focus on log entries specific to SD-WAN routing and health. Log entries include SD-WAN rule ID and name for route request and reply directions.

Xstream FastPath acceleration

IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor's hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.

Xstream FastPath Acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, BlowFish, MD5) aren't offloaded. See FastPath acceleration.

Web

Per-connection authentication: In explicit proxy mode, web authentication can now handle multiple different users coming from the same source address. This is useful in authentication for terminal services, Windows remote desktop, or direct access systems.
Tenant Restrictions: The Tenant Restriction feature of O365 used to restrict the domains a user can sign in to by adding headers to outbound HTTPS requests is available in web policies. This enables Microsoft Azure AD to enforce restrictions, typically used to restrict personal accounts from accessing O365 from Sophos Firewall protected networks.
X-Forwarded-For Header configured in web policies allows the source IP address to be passed upstream to load-balancers or proxies.

VPN

User experience

The VPN menu and user interface have been reorganized to make it more intuitive:

Remote access and site-to-site VPN are individual left menu items.
IPsec, SSL, and L2TP are top menu items with links on the pages to IPsec profiles, client download, and logs for easy access to the corresponding settings.
IPsec policies have been renamed IPsec profiles. It's now under System > Profiles.
The new assistant for remote access SSL VPN streamlines and enables easy configuration.
Clientless policies, bookmarks, and bookmark groups have been consolidated under Clientless SSL VPN policy.
Amazon VPC is available on site-to-site VPN for the easy setup of Amazon Web Services VPC tunnels with the option to import the VPC configuration file or AWS security credentials.

Feature enhancements

Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:

Added the ability to configure custom rekey time to prevent MFA prompts every four hours.
Added the option to increase idle time-out from 10 minutes to 6 hours.

Route-Based VPN (RBVPN)

Added support for static multicast routes.
You can specify traffic selectors for route-based VPNs with automatic configuration of the XFRM interface and route management for the selected hosts. Only traffic matching the configured pairs of local and remote addresses enters the tunnel.

GCM and Suite-B cipher suite support for IPsec

AES-GCM for IPsec significantly improves IPsec VPN performance.

SSL VPN

Upgraded OpenVPN and OpenSSL.
Default TLS 1.3 support on SSL VPN tunnels.
AES-NI path-enabled.
GCM encryption support.
Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.
This results in a behavior change that enforces only the default SSL VPN lease ranges for remote access SSL VPN connections. If you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule to allow remote access SSL VPN connections, traffic may not flow through the connections after you migrate to version 19.0.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.
The legacy SSL VPN client reached end-of-life on January 31, 2022. It doesn't appear for download on the user portal any longer. Users can download the Sophos Connect client instead. See End-of-Life for Sophos SSL VPN client.

VPN logging

VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.

AWS VPC

The new feature enables you to connect your on-premise firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.

Other enhancements

DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.
Global IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn IPS on or off. The switch is automatically set when you migrate to 19.0 based on your previous configuration. For example, if you've been using IPS, it's set to On.
Multi-factor authentication: Added the option to require MFA with a one-time password to sign in to the web admin console for the default admin account. This improves security, workflow, and usability.
Authentication: Improved authentication performance that eases high-load situations with thousands of users.
Synchronized Security: An update to Lateral Movement Protection to guard against the use of spoofed MAC addresses that disrupt legitimate traffic.
Zero-day protection: An additional data center location for cloud-based machine learning file analysis is available for the Asia-Pacific region in Sydney, Australia. This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
Anti-spam engine: For anti-spam scanning, Email Protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
Log suppression: Repetitive firewall logs within a module are shown in a single event with a count of the repetition. This improves troubleshooting and optimizes logging scalability and storage efficiency.

User experience

Device and management identity: The device hostname is now shown in the browser tab and the active user ID in the upper right corner of the web admin console. This makes managing multiple firewalls and administrator accounts easier.
Search functionality:
- Global search: A new intelligent search box with auto-completion shows up above the main menu and allows you to find any page or feature in the firewall.
- Object search: You can search for a network object or service for inclusion in rules and policies. It includes a free-text search option that allows you to search by label or value, enhancing the user experience.
Flow monitor: Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.

Resolved issues

Version 19.0 MR2 Build 472

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-112368	Core Utils IPsec	cacert is missing in .scx file.
NC-111476	FQDN	Subdomain learning isn't working in case of non-SFOS DNS server set for client.
NC-111110	SDWAN Routing	Import-export doesn't reflect changes in SD-WAN PBR profiles.
NC-111023	Email	Legacy email mode is crashing very frequently.
NC-110927	Authentication	Missing MFA enable and disable event logs.
NC-110026	XGS-BSP	HA cluster fails even after hardware replacement.
NC-109626	HA	Standalone device restarts. msync: too many open files.
NC-109562	WAF	Unable to modify or update the WAF protection policy after selecting it for WAF rule.
NC-109245	WAF	Can't skip CRS rules in application attacks group with exceptions.
NC-108562	Core Utils	Public key authentication for admin can't be managed through Sophos Central.
NC-108536	Firewall	Firewall rules stopped working after backup-restroe due to failure in XML API while creating firewall rule.
NC-108533	API Framework, UI Framework	Need to hook frontend validations for multipart requests.
NC-108354	Wireless	LocalWiFi mac80211 vulnerabilities.
NC-108318	Email	Unable to click a few settings under Email > General settings after updating firmware to version 19.
NC-108237	Email	Spam emails are let through with the error "spam scanning failed".
NC-108213	API Framework, UI Framework	Post-auth code injection (CVE-2022-3696).
NC-108211	Interface Management	Multiple post-auth read-only SQLi vulnerabilities in InterfaceHelper.java (objStr).
NC-108115	Web	Custom category name stored XSS in URL category lookup.
NC-108003	NFP-Firewall	Memory utilization increases until the firewall stops responding.
NC-107999	IPS Ruleset Management	HA cluster configuration fails.
NC-107982	Authentication	Exposing password in setup wizard.
NC-107975	Logging Framework	Logging stopped on the device with an error showing that the database disk image is malformed.
NC-107945	Wireless	APX 530 becomes inactive after HA failover.
NC-107943	Firewall	XG 135 crashed and needed RCA to prevent the issue in future.
NC-107603	SDWAN Routing	Stored XSS in SD-WAN performance graphs.
NC-107481	Authentication	Log viewer isn't showing source IP field information for authenticated SSL VPN users.
NC-107453	WAF	WAF rules not working.
NC-107327	WAF	Upgrade ModSecurity and OWASP CRS to the latest version.
NC-107325	VFP-Firewall	Firewall becomes inaccessible.
NC-107283	Email	AwarrenSMTP service dead.
NC-107239	L2TP	Unable to connect to L2TP after upgrade.
NC-107145	Hotspot	For hotspot vouchers in the user portal, under Manage, the delete icon isn't intuitive.
NC-106907	Hotspot	WLAN voucher not showing correctly.
NC-106834	IPS-DAQ-NSE	Connection untrusted when browsing some sites.
NC-106811	Email	Unable to start anti-spam service.
NC-106783	Email	Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain.
NC-106738	Hotspot	Sort functionality doesn't work properly in the user portal for hotspot vouchers.
NC-106608	IPsec	Duplicate SAs being created.
NC-106424	API Framework, UI Framework	Pre-auth code injection (CVE-2022-3236).
NC-104844	Web	Zero-day protection report shows license warning incorrectly.
NC-103733	IPsec	BGP service keeps restarting, affecting the Amazon VPC connection.
NC-103406	Certificates	Migration fails from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365.
NC-103037	XGS BSP	Failsafe issue due to NPU failure.
NC-102919	Static Routing	Static routes lost at the backend after enabling QuickHA.
NC-102771	Authentication XFOS Migration	Users unable to authenticate through CAA.
NC-102737	SSLVPN	SSL VPN not working as sslvpn service is stuck in busy status. Site-to-site and remote access are affected.
NC-102614	Firewall	Bridge: Traffic not working with Fastpath for bridge with logical members after migrating to version 19. Traffic shouldn't get offloaded to Fastpath.
NC-102558	IPsec	The issue in NC-84750 still occurring on one site after installing the patch.
NC-102436	Firewall	Appliance access lost on backup-restore. Local ACL rules stopped working on backup-restore.
NC-102308	Firewall	Disabled load balancing NAT rules still sending out alerts for disabled NAT rule.
NC-102257	Firewall	Post-auth read-only SQLi through APIController (CVE-2022-3710).
NC-101720	XGS-BSP	Random SFP+ port flap.
NC-101713	Logging Framework	PG trigger entry should be present for login events even when on-box reporting is off.
NC-101703	CDB-CFR CM	Unable to open the web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall.
NC-101326	SSLVPN	OS command injection through SSL VPN configuration upload (CVE-2022-3226).
NC-101300	Email	Unable to send emails after upgrading to 18.5.4 due to failed malware scan.
NC-101271	Dynamic Routing (BGP)	BGP networks in SFOS web admin console show ASCII characters instead of expected networks for config-type cisco.
NC-101046	IPS-DAQ	Website doesn't work due to OCSP must-staple in Firefox browser.
NC-101021	Date/Time Zone	Time zone change allowed in Sophos Central on all HA devices.
NC-100725	XGS-BSP	NPU in failsafe mode after upgrading from 19.0 GA to 19.0 MR1.
NC-100716	FQDN	IPset sporadically not created for wildcard FQDN host.
NC-100707	IPsec	Wrong source IP address in IPsec routes.
NC-100699	IPsec	SMB transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.
NC-100623	Hotspot	Hotspot voucher creation failed.
NC-100418	nSXLd	Internet down with error "nSXLd: Connection timeout while connecting to SXL server".
NC-100334	WAF	Virtual host not removed if firewall rule is turned off.
NC-100325	WAF	Update API JSON fields for encrypted WAF secrets.
NC-100265	Web	Expired certificates in certcache are used rather than generating new ones.
NC-100250	Gateway Management	RCA: Unable to change DGD settings for a specific WAN port.
NC-100084	Firewall	DNAT issue when multiple hosts are added.
NC-99965	Interface Management	SQL injections found in application.
NC-99962	Wireless	Adjacent code injection in Wi-Fi controller (CVE-2022-3713).
NC-99801	Interface Management	Unable to delete a LAG interface.
NC-99604	Email	SQLi in getSmtpQuarantineMailRecord.
NC-99421	Email	Mail issues on XG 430 (split from CPU 100%).
NC-99247	SSLVPN	Unable to download SSL VPN site-to-site server configuration.
NC-99232	Web	Changes to web proxy settings can't be saved when signed in with German language.
NC-99152	Logging Framework	Central reporting: Failed to initiate the mmap case when queue limit is reached with no Sophos Central connectivity.
NC-98712	Core Utils	XGS DT-2 r1: Containment plan to handle production issue causing 10+ sec factory reset feature doesn't work on these units.
NC-98576	IPS Ruleset Management	IPS pattern doesn't update.
NC-98574	SSLVPN	Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up.
NC-98573	Firewall	Country group stored XSS in DNAT rule in version 19 GA.
NC-98300	Email	High CPU utilization due to Exim.
NC-98296	Email	Attachments getting corrupted while using SPX.
NC-98094	nSXLd	Unable to categorize URLs and IP addresses using external URL database.
NC-98089	Firewall	Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA.
NC-97883	Firewall	Unable to upgrade firmware or perform backup-restore from 17.5.15 to 19.0 GA: Duplicate key value violates unique constraint "tblfirewallrule_unique_name".
NC-97753	IPS Engine IPS Policy	Unable to Upgrade to version 19 from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table.
NC-97743	AppFilter Policy	Unable to export application filter policy.
NC-97711	NFP-Firewall	nfnetmap_queue backing up, appliance may fail.
NC-95926	CDB-CFR Reporting	Reports aren't being generated.
NC-95861	Firewall	Country blocking through firewall rule isn't working.
NC-95633	IPsec	Unable to connect IPsec remote access due to invalid .scx file.
NC-95603	Email	Legacy email mode is crashing every 2 minutes.
NC-95543	Email	Mail logs page stuck in loading status.
NC-95353	Static Routing	Static route to RED disappears in XGS (HA) after a restart.
NC-95351	HA	HA failover isn't working due to auto-restart of auxiliary device.
NC-95239	IPsec	Different gateway entry in the IPsec configurations when using DDNS.
NC-95197	RED	Appliance auto-restarts frequently in a day or two.
NC-94734	IPsec	PPPoE isn't connecting after random disconnect event if XFRM interface is created on PPPoE.
NC-94664	Hotspot	Post-auth read-only SQLi in user portal (CVE-2022-3711).
NC-94661	SSLVPN	Android and iOS users can't import SSL VPN ovpn file.
NC-94418	Logging Framework (Central Reporting)	Reporting and logging to Sophos Central stops randomly.
NC-94362	Email	SPX stops working after unspecified period.
NC-94128	NFP-Firewall	Firewall stopped responding on specific port.
NC-93847	WAF	Stored XSS in WAF exception through IP host.
NC-92598	Authentication	Stored XSS in import group wizard (CVE-2022-3709).
NC-92282	HA	System services page gets stuck in loading.
NC-90794	Authentication	Unable to import groups containing an apostrophe in their name.
NC-90247	IPsec	IPsec VPN failback isn't working.
NC-90151	Authentication	Unable to authenticate with PUSH with Azure MFA.
NC-88628	RED	RED UDP packets are forwarded to the auxiliary device after HA switchover.
NC-86937	VFP-Firewall	Memory utilization increasing gradually.
NC-85961	Authentication	Guest user is created on secondary appliance but not on primary appliance sometimes.
NC-85114	Firmware Management	'kworker' process continuously takes high CPU on XG 450.
NC-84924	Core Utils	Memory utilization increases to 90 percent or above in XGS 3100 due to appcached service.
NC-84910	Authentication	Authentication with STAS stopped working when the appliance restarted until the access_server restarted if AD is reachable through a static route.
NC-84750	IPsec	Auxiliary node sporadically receives IPsec packets.
NC-81219	CM	HA zero downtime upgrade isn't supported if the firmware upgrade is scheduled on Sophos Central.
NC-79378	Web	Uploading user-defined logo in user notification settings gives error.
NC-77804	Firewall	Netlink: 153776 bytes leftover after parsing attributes in process `ipsetelite'.
NC-75655	Email	Arbitrary file write creates a DoS and possibly RCE vector.
NC-75654	Email	Logical error in a global SQL escape function might enable injections.
NC-74241	CaptivePortal	Stored XSS through captive portal customization (CVE-2022-4238).
NC-74120	Spoofing	Traffic through bridge will be blocked as IP_Spoof if spoof protection is enabled for the involved zone.

Version 19.0 MR1 Build 365

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-100971	IPsec	Migration from 19.0 GA to 19.0 MR1 fails.
NC-100737, NC-94019	Wireless	Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0, and outbound traffic may experience slowness.
NC-100681	IPS Engine	Increase in snort memory with ATP pattern updates.
NC-100679	CDB-CFR, Reporting	Conf partition usage increases for the primary HA device.
NC-81131	Reporting	Last access time isn't generated if a user's username has an XSS payload.
NC-94337	Reporting	Migration failure to 19.0 GA when SSL/TLS inspection's log retention period isn't set to the default value.
NC-94291	Firmware Management	Small var partition created for VM image using an auxiliary disk.
NC-94253	Licensing	Can't upload airgap license file. Error message: "Certification verification failed. Invalid license file."
NC-93919	SSL VPN	SecurityHeartbeat_over_VPN is removed from SSL VPN policy after updating SSL VPN global settings.
NC-93720	SecurityHeartbeat	Auxiliary device isn't synchronized with the primary HA device for delay-missing-heartbeat-detection.
NC-93689	Up2Date Client	Cosmetic issue with SASI pattern after firmware downgrade.
NC-93380	Email	Anti-spam doesn't work after an upgrade to SFOS 18.5 MR3.
NC-92840	Email	Email isn't received and shows the error message: smtp_check_forward_reply: response arrived without any command.
NC-92745	DNS	Appliance restarts with kdump: stack guard page was hit.
NC-92131	IPS-DAQ-NSE	Unable to upload a large file with SSL/TLS inspection enabled in do-not-decrypt mode.
NC-91300	XGS BSP	npu_version (among other things) missing from telemeter. Large number of missing entries.
NC-91295	Firewall	Zones tab shows up blank after deleting a zone listed on the second page.
NC-90839	RED	RED interface disappears during a change to the DHCP server configuration.
NC-90702	Email	SASI detection problems when too many hits are returned.
NC-90684	Wireless	Multiple APX 320s don't register with XG Firewall. They don't appear on the pending list.
NC-90566	NFP-Firewall	Traffic doesn't traverse XGS firewall under a specific configuration.
NC-90203	SD-WAN Routing	SD-WAN route policy update fails.
NC-90024	Firewall	Backup restore and firmware migration fails when multiple local ACL rules are configured.
NC-89996	Logging	Issue with redirection to IPS policy from log viewer.
NC-89162	Firewall	Auto restart 0010:queued_spin_lock_slowpath+0x148/0x170.
NC-89076	Firewall, VFP-Firewall	Unable to access the website www.radix.ad.jp on the environment tagged VLAN + DPI configured.
NC-88903	Localization	German menu is broken.
NC-88483	SSL VPN	CVE: 2022-0547 openvpn deferred auth vulnerability.
NC-88404	IPsec	Tunnel doesn't come up automatically after a restart of a HA appliance.
NC-88207	Firmware Management	Firmware update fails when space is used in filename.
NC-87659	Wireless	Legacy AP roaming key decryption fails when fast transition is enabled.
NC-87596	SSL VPN	Site-to-site and remote access SSL VPN isn't working after backup is restored.
NC-87240	Email	Avira engine error with axpx files.
NC-86819	Firmware Management, Licensing	AWS instance stuck while starting it.
NC-86690	SD-WAN Routing	SD-WAN FTP proxy traffic isn't working with transparent proxy.
NC-86652	SD-WAN Routing	TFTP traffic doesn't follow SD-WAN routing.
NC-86451	IPS-DAQ-NSE	Unable to access web server through XG Firewall. SSL/TLS inspection error: Dropped due to TLS internal error.
NC-86093	Firewall	Duplicate firewall rule group.
NC-85547	CaptivePortal	Sign-in message and sign-out option don't appear with custom captive portal.
NC-85423	SNMP	Kernel crash on XG 125 with SNMP high memory consumption.
NC-85383	IPsec	Unable to connect remote access IPsec due to invalid .scx file.
NC-85346	Email	Smarthost authentication failed in server_plain authenticator: nsgenc decryption failed.
NC-85151	Authentication	Firewall moved to a group on Sophos Central gets added to the group but changes to "Error needs attention".
NC-84604	Wireless	Unable to restore backup from SG 230 to XGS 2300 due to access point database issue.
NC-84231	Core Utils	Receiving a duplicate copy of the same executive schedule reports.
NC-84146	WAF	Warning about Subject Alternative Name (SAN) not being part of the domain.
NC-84142	Backup-Restore	Unable to delete VLAN interface.
NC-83734	Firewall	Inbound emails are dropped randomly in HA load balancing with SMTP scanning enabled.
NC-83469	SSL VPN	Dashboard doesn't show the remote users.
NC-83445	IPsec	Constant IPsec VPN flapping. Pushed through Central SD-WAN orchestration.
NC-83419	Email	Inbound emails aren't delivered when SMTP scanning is enabled.
NC-83405	Core Utils	Inconsistency with Security Audit Reports (SAR).
NC-83114	Authentication	Web authentication doesn't work in HA mode when the auxiliary node is restarting.
NC-82972	CSC	Appliance in active-active HA mode stopped responding.
NC-82225	HA	Unable to establish HA correctly on fiber ports.
NC-81944	IPsec	WWAN isn't connecting after a random disconnect event if XFRM interface is created on WWAN.
NC-81939	Firewall	The firewall isn't reflecting daylight savings time correctly.
NC-81430	CM and UI Framework	User portal host injection reported.
NC-81207	IPsec	Web admin console shows an error while updating the configuration of any VPN tunnel.
NC-81131	Reporting	Last access time isn't generated when a user exists with the username having XSS payload.
NC-80305	Certificates	Though CA isn't available on the pfx file, CA upload opcode is called.
NC-79359	IPsec	Using AES256GMAC can show invalid configuration in IPsec profiles.
NC-79319	IPsec	Clarification required on the web admin console for remote access IPsec.
NC-79128	IPsec	Memory increase to 90 percent over 20-25 days.
NC-76071	RED	XGS-2100: Interface doesn't have any IP address when backup is restored.
NRF-517	RED	SD-RED 60: LAN switch VLAN configuration is lost after some time.
NRF-509	Firmware	AP doesn't register through the RED 15w tunnel.

Version 19.0 GA Build 317

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-89079	CM	fwcm-eventd agent isn't listening to the IP address availability event.
NC-87798	WAF	Upgraded Apache to 2.4.53+.
NC-87665	API Framework, UI Framework	Fixed pre-auth RCE (CVE-2022-1040).
NC-87165	Core Utils	Fixed OpenSSL DoS vulnerability (CVE-2022-0778).
NC-85549	Wireless	SFOS becomes unresponsive after a restart if time-based SSID is configured.
NC-85412	PPPoE	Two PPPoE links with different passwords in 18.5 MR2.
NC-85339	Security	Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268).
NC-84951	Network Utils	Fixed Diagnostics > Tools > Route lookup.
NC-84281	Authentication	Status column isn't visible on Authentication > Users.
NC-84218	Web	Can't turn on OTP for admin user whose user ID isn't 3.
NC-84158	Web	Sophos Central signing admin out of the firewall console when they click Add user.
NC-84101	UI Framework	Corrected a typo in Spanish on the Control center.
NC-83662	Web	Updated the number of administrator accounts unprotected by MFA shown in the alert on Authentication > Users.
NC-83584	WebInSnort	IPS segfault in libnsg_tcphold_preproc disconnecting live users after a limit.
NC-83581	Gateway Management	Corrected the typo in CLI command to session-persistence.
NC-83470	Firewall, VFP-Firewall	Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test.
NC-83430	RED	RED causing massive network traffic after upgrading to SF 18.0 MR6 or SF 18.5 MR2.
NC-83392	CM (Join to Cloud)	Backup isn't generated when the backup name contains [].
NC-83366	SDWAN Routing	Unable to turn off captcha for VPN zone for route-based VPN with SD-WAN routing.
NC-83347	Email, FQDN	Unable to add lx63.hoststar.hosting to email server under notification settings.
NC-83177	IPS Ruleset Management	Unable to turn IPS switch on or off in 18.5 MR2.
NC-83065	IPsec	Ping: sendto: operation not permitted when upgraded from 18.0 MR3 to later firmware on directly connected network.
NC-82566	Firewall	Kernel crash after update to 18.5 MR2.
NC-82332	Firewall	Kernel panic because kernel NULL pointer ip_route_me_harder wasn't handled.
NC-82215	Firewall	Device freeze issue.
NC-81974	IPS-DAQ	Snort soft lockup and device restart.
NC-81956	WebInSnort	HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold.
NC-81768	Backup-Restore	Couldn't restore backup because of duplicated key.
NC-81517	Firewall	Policy test for firewall not showing correct results.
NC-81069	Email	Import fails for the entity MtaBlockedSenders.
NC-80660	DHCP	DHCP IP lease issue.
NC-79468	Authentication	Outdated users shown in Live Users.
NC-79417	Web	SSL/TLS rules can't be seen on the web admin console.
NC-78563	WAF	WAF not redirecting page to proper domain when there are multiple domains listed in the WAF rule.
NC-74847	Web	Snort crashing with a segfault due to a blank conf file.
NC-74228	Email	Can't show quarantine due to \x1E? in the subject.
NC-73975	Firewall	FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2.
NC-71761	Security	Resolved multiple XSS vulnerabilities (CVE-2021-25267).
NC-71379	Email	MTA doesn't provide the full certificate chain.
NC-69997	Email	Notification test mail has wrong encoded subject when web admin console's language is set to Traditional Chinese or Simplified Chinese.
NC-66163	Email	Report received with garbled characters.
NC-51929	DDNS	DDNS doesn't apply to some generic top-level domains.

Known issues

To see the known issues for the firewall, go to the Known issues list.

Set Choose your product to Sophos Firewall. Alternatively, enter a search term.

Upgrading firmware and restoring backups

Upgrading firmware

Information about 19.0.x is as follows:

The versions are available on all form factors.
The versions aren't FIPS-compliant.

Important changes to consider before you migrate to 19.0.x

Remote access SSL VPN IP lease range: After you upgrade from 18.5 and earlier to 19.0 and later versions, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.

Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.

Versions you can upgrade from

We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

See how to upgrade.

Firewalls on 19.0 MR1 build 350 can migrate to 19.0 MR1 build 365.

Upgrading firmware
Upgrade from	Upgrade to 19.0 (all form factors)
	MR2 Build 472	MR1 Build 365	GA Build 317
19.0 MR1 Build 350 and 365
19.0 GA
18.5 MR5
18.5 MR4
18.5 GA to MR3
18.0 MR3 and later
17.5 MR14 and later

You can downgrade only to compatible versions. You can't downgrade from 19.0 and later to 17.5 and earlier. However, you can roll back to any previous version.

Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.

Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to 19.0.x versions only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.0 doesn't support appliance certificates with this algorithm.)

Restoring backups

You can restore backups from any earlier version to 19.0 GA and later versions.

To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.

Supported platforms

Version 19.0

Sophos Firewall OS 19.0.x versions are available on all form factors as follows:

XGS Series firewalls
XG Series firewalls
SG Series firewalls
Virtual and software appliances
Cloud platforms

For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.

Minimum RAM

19.0.x versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:

XG 85, XG 85w, XG 105, and XG 105w
SG 105, SG 105w

Supported firmware versions

19.0.x versions support the following firmware versions:

Wi-Fi firmware 11.0.019 and earlier
RED firmware 3.0.008 and earlier
Sophos Connect 2.2 and earlier

Support

You can find technical support for Sophos products in the following ways:

Visit the Sophos Community and search for other users who are experiencing the same problem.
Visit Sophos Support.
Find how-to, configuration, and troubleshooting videos on the Sophos Techvids video hub.

Legal notices

Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Sophos Firewall

Version 19.0 MR2 Build 472 Released on January 23, 2023

New features

Version 19.0 MR1 Build 365 Released on August 16, 2022

New features

VPN

RED

Licensing

SD-WAN

Synchronized Security

Enhancements

Version 19.0 GA Build 317 Released on April 21, 2022

New features

SD-WAN profiles

Xstream FastPath acceleration

Web

VPN

Other enhancements

User experience

Resolved issues

Version 19.0 MR2 Build 472

Version 19.0 MR1 Build 365

Version 19.0 GA Build 317

Known issues

Upgrading firmware and restoring backups

Upgrading firmware

Important changes to consider before you migrate to 19.0.x

Versions you can upgrade from

Restoring backups

Supported platforms

Version 19.0

Minimum RAM

Supported firmware versions

Support

Legal notices

Version 19.0 MR2 Build 472
Released on January 23, 2023

Version 19.0 MR1 Build 365
Released on August 16, 2022

Version 19.0 GA Build 317
Released on April 21, 2022