Sophos Firewall

These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).

Version 19.0 MR1 Build 365
Released on August 16, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

VPN

SSL VPN: Introduced static IP address lease for remote access SSL VPN users on the firewall and from an external RADIUS server. Sophos Firewall now maps remote access SSL VPN users with static IP addresses, enhancing user monitoring and visibility and its ability to trace users.

IPsec VPN:

IKEv2 profiles: Added default IKEv2 profiles (Head office (IKEv2) and Branch office (IKEv2)) for site-to-site IPsec connections to deliver improved tunnels between the head office and branch offices. This eliminates the manual fine-tuning required for the existing default head office and branch office profiles, such as rekey interval, dead peer detection (DPD) selection, and key negotiation retries. This helps in eliminating rekey collisions and DPD-related issues.
Tunnel flapping: Changed the defaults to prevent non-TCP (example: VoIP, RDP, Skype, Zoom, UDP) connections from flapping when the IPsec tunnel is established or goes down. The new default settings are as follows:
- vpn conn-remove-tunnel-up: Disabled
- vpn conn-remove-on-failover: Enabled
The change only applies to new configurations and doesn't impact existing configurations after a firmware upgrade or migration.

RED

Supports multiple DHCP servers for RED interfaces.

Licensing

Sophos Firewall offers three free firmware upgrades. A valid support subscription is mandatory for firmware upgrades after the three free upgrades. Free upgrades don't include trial licenses, home use licenses, and firmware upgrades from the installation wizard. See the Sophos Firewall help.

SD-WAN

Added rule-ID and index column to the SD-WAN profile list for easier troubleshooting.

Synchronized Security

Improved firewall management experience from Sophos Central in environments with thousands of endpoint certificates, which are used for Synchronized Security Heartbeat. You can download a maximum of 10,000 certificates at a time. The limit also applies to endpoint certificate download during registration.

Enhancements

The version includes the following enhancements:

Malware engine: Upgrade of malware scan engines and associated components to a full 64-bit operation to ensure optimum performance and future support.

Avira: The vendor of the second malware scan engine, Avira, won't provide detection updates in the current 32-bit form after December 31, 2022.
- We recommend that customers using dual scan mode or Avira as the primary engine upgrade to 19.0 MR1 or 18.5 MR5 (future release) at the earliest. Avira has been upgraded to the latest 64-bit AVD engine on the firewall.
- If you can't upgrade, we recommend switching to just the Sophos engine for email and web malware scanning.
Sophos engine: Customers using only the Sophos engine aren't affected.

Sophos Assistant: Added the option to opt out of Sophos Assistant on the web admin console.

Email: Added the capability to report spam emails as false positives on the quarantine release page.

Version 19.0 GA Build 317
Released on April 21, 2022

New features

This page describes the new features introduced. For details, see the Sophos Firewall help.

See the video.

SD-WAN profiles

VPN orchestrated SD-WAN network is already available from Sophos Central. It enables you to centrally orchestrate complex SD-WAN overlay networks, simplifying the process. See SD-WAN connection groups.

We now offer Xstream SD-WAN on the firewall:

Xstream SD-WAN profiles support routing strategies for multiple WAN links, including VDSL, DSL, cable, LTE/cellular, and MPLS. You can configure more than two gateways and specify a routing strategy based on the first available link or performance criteria.
Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss. SLAs can be based on best performance or custom SLA values. You can use multiple probe targets to perform a health check.
Zero-impact rerouting maintains application sessions when link performance falls below the thresholds and transitions sessions to a better performing WAN link.
SD-WAN monitoring graphs on Diagnostics > SD-WAN performance provide real-time insights into latency, jitter, and packet loss for all WAN links. You can select the time. You can also click the status on SD-WAN profiles to go to diagnostics.
Logs contain SD-WAN routing information. A new SD-WAN log module allows you to focus on log entries specific to SD-WAN routing and health. Log entries include SD-WAN rule ID and name for route request and reply directions.

Xstream FastPath acceleration

IPsec acceleration: Xstream FastPath acceleration of IPsec traffic automatically places IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor, taking advantage of the processor's hardware crypto capabilities. This moves the CPU-intensive processing required for IPsec tunnels, such as ESP encapsulation and encryption, decapsulation and decryption, to the Xstream Flow Processor, freeing up CPU resources and improving performance.

Xstream FastPath Acceleration for IPsec traffic works for both site-to-site (including policy-based and route-based IPsec) and remote access VPN traffic, but weak cipher or authentication algorithms (DES, 3DES, BlowFish, MD5) aren't offloaded. See FastPath acceleration.

Web

Per-connection authentication: In explicit proxy mode, web authentication can now handle multiple different users coming from the same source address. This is useful in authentication for terminal services, Windows remote desktop, or direct access systems.
Tenant Restrictions: The Tenant Restriction feature of O365 used to restrict the domains a user can sign in to by adding headers to outbound HTTPS requests is available in web policies. This enables Microsoft Azure AD to enforce restrictions, typically used to restrict personal accounts from accessing O365 from Sophos Firewall protected networks.
X-Forwarded-For Header configured in web policies allows the source IP address to be passed upstream to load-balancers or proxies.

VPN

User experience

The VPN menu and user interface have been reorganized to make it more intuitive:

Remote access and site-to-site VPN are individual left menu items.
IPsec, SSL, and L2TP are top menu items with links on the pages to IPsec profiles, client download, and logs for easy access to the corresponding settings.
IPsec policies have been renamed IPsec profiles. It's now under System > Profiles.
The new assistant for remote access SSL VPN streamlines and enables easy configuration.
Clientless policies, bookmarks, and bookmark groups have been consolidated under Clientless SSL VPN policy.
Amazon VPC is available on site-to-site VPN for the easy setup of Amazon Web Services VPC tunnels with the option to import the VPC configuration file or AWS security credentials.

Feature enhancements

Custom policy support for remote access IPsec VPN addresses a potential PCI compliance issue with the default remote access IPsec policy:

Added the ability to configure custom rekey time to prevent MFA prompts every four hours.
Added the option to increase idle time-out from 10 minutes to 6 hours.

Route-Based VPN (RBVPN)

Added support for static multicast routes.
You can specify traffic selectors for route-based VPNs with automatic configuration of the XFRM interface and route management for the selected hosts. Only traffic matching the configured pairs of local and remote addresses enters the tunnel.

GCM and Suite-B cipher suite support for IPsec

AES-GCM for IPsec significantly improves IPsec VPN performance.

SSL VPN

Upgraded OpenVPN and OpenSSL.
Default TLS 1.3 support on SSL VPN tunnels.
AES-NI path-enabled.
GCM encryption support.
Significant performance enhancements (nearly 5x) in SSL VPN capacity with the addition of multi-instance support.
This results in a behavior change that enforces only the default SSL VPN lease ranges for remote access SSL VPN connections. If you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule to allow remote access SSL VPN connections, traffic may not flow through the connections after you migrate to version 19.0.
Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.
The legacy SSL VPN client reached end-of-life on January 31, 2022. It doesn't appear for download on the user portal any longer. Users can download the Sophos Connect client instead. See End-of-Life for Sophos SSL VPN client.

VPN logging

VPN selection is available in the log viewer, making it easy to monitor and troubleshoot VPN connections for remote access and site-to-site IPsec and SSL VPN tunnels. Additionally, IPsec logging messages have been enhanced with more details for greater clarity.

AWS VPC

The new feature enables you to connect your on-premise firewall to your AWS network infrastructure easily. You can now import the VPC configuration XML file from AWS to automate the tunnel setup on your Sophos Firewall, including the related routing and IPsec policies. You can import, monitor, and manage AWS VPC connections on Site-to-site > AWS VPC.

Other enhancements

DHCP: Added DHCP IPv4 options and boot server configuration on the web admin console.
Global IPS switch: Added a global switch on Intrusion Prevention > IPS policies to turn IPS on or off. The switch is automatically set when you migrate to 19.0 based on your previous configuration. For example, if you've been using IPS, it's set to On.
Multi-factor authentication: Added the option to require MFA with a one-time password to sign in to the web admin console for the default admin account. This improves security, workflow, and usability.
Authentication: Improved authentication performance that eases high-load situations with thousands of users.
Synchronized Security: An update to Lateral Movement Protection to guard against the use of spoofed MAC addresses that disrupt legitimate traffic.
Zero-day protection: An additional data center location for cloud-based machine learning file analysis is available for the Asia-Pacific region in Sydney, Australia. This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
Anti-spam engine: For anti-spam scanning, Email Protection now uses the Sophos Anti-Spam Interface (SASI) in place of the anti-spam engine. SASI is already in use in Sophos Email. If you see false positives or false negatives, see how to submit a sample.
Log suppression: Repetitive firewall logs within a module are shown in a single event with a count of the repetition. This improves troubleshooting and optimizes logging scalability and storage efficiency.

User experience

Device and management identity: The device hostname is now shown in the browser tab and the active user ID in the upper right corner of the web admin console. This makes managing multiple firewalls and administrator accounts easier.
Search functionality:
- Global search: A new intelligent search box with auto-completion shows up above the main menu and allows you to find any page or feature in the firewall.
- Object search: You can search for a network object or service for inclusion in rules and policies. It includes a free-text search option that allows you to search by label or value, enhancing the user experience.
Flow monitor: Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.

Resolved issues

Version 19.0 MR1 Build 365

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-100971	IPsec	Migration from 19.0 GA to 19.0 MR1 fails.
NC-100737, NC-94019	Wireless	Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0, and outbound traffic may experience slowness.
NC-100681	IPS Engine	Increase in snort memory with ATP pattern updates.
NC-100679	CDB-CFR, Reporting	Conf partition usage increases for the primary HA device.
NC-81131	Reporting	Last access time isn't generated if a user's username has an XSS payload.
NC-94337	Reporting	Migration failure to 19.0 GA when SSL/TLS inspection's log retention period isn't set to the default value.
NC-94291	Firmware Management	Small var partition created for VM image using an auxiliary disk.
NC-94253	Licensing	Can't upload airgap license file. Error message: "Certification verification failed. Invalid license file."
NC-93919	SSL VPN	SecurityHeartbeat_over_VPN is removed from SSL VPN policy after updating SSL VPN global settings.
NC-93720	SecurityHeartbeat	Auxiliary device isn't synchronized with the primary HA device for delay-missing-heartbeat-detection.
NC-93689	Up2Date Client	Cosmetic issue with SASI pattern after firmware downgrade.
NC-93380	Email	Anti-spam doesn't work after an upgrade to SFOS 18.5 MR3.
NC-92840	Email	Email isn't received and shows the error message: smtp_check_forward_reply: response arrived without any command.
NC-92745	DNS	Appliance restarts with kdump: stack guard page was hit.
NC-92131	IPS-DAQ-NSE	Unable to upload a large file with SSL/TLS inspection enabled in do-not-decrypt mode.
NC-91300	XGS BSP	npu_version (among other things) missing from telemeter. Large number of missing entries.
NC-91295	Firewall	Zones tab shows up blank after deleting a zone listed on the second page.
NC-90839	RED	RED interface disappears during a change to the DHCP server configuration.
NC-90702	Email	SASI detection problems when too many hits are returned.
NC-90684	Wireless	Multiple APX 320s don't register with XG Firewall. They don't appear on the pending list.
NC-90566	NFP-Firewall	Traffic doesn't traverse XGS firewall under a specific configuration.
NC-90203	SD-WAN Routing	SD-WAN route policy update fails.
NC-90024	Firewall	Backup restore and firmware migration fails when multiple local ACL rules are configured.
NC-89996	Logging	Issue with redirection to IPS policy from log viewer.
NC-89162	Firewall	Auto restart 0010:queued_spin_lock_slowpath+0x148/0x170.
NC-89076	Firewall, VFP-Firewall	Unable to access the website www.radix.ad.jp on the environment tagged VLAN + DPI configured.
NC-88903	Localization	German menu is broken.
NC-88483	SSL VPN	CVE: 2022-0547 openvpn deferred auth vulnerability.
NC-88404	IPsec	Tunnel doesn't come up automatically after a restart of a HA appliance.
NC-88207	Firmware Management	Firmware update fails when space is used in filename.
NC-87659	Wireless	Legacy AP roaming key decryption fails when fast transition is enabled.
NC-87596	SSL VPN	Site-to-site and remote access SSL VPN isn't working after backup is restored.
NC-87240	Email	Avira engine error with axpx files.
NC-86819	Firmware Management, Licensing	AWS instance stuck while starting it.
NC-86690	SD-WAN Routing	SD-WAN FTP proxy traffic isn't working with transparent proxy.
NC-86652	SD-WAN Routing	TFTP traffic doesn't follow SD-WAN routing.
NC-86451	IPS-DAQ-NSE	Unable to access web server through XG Firewall. SSL/TLS inspection error: Dropped due to TLS internal error.
NC-86093	Firewall	Duplicate firewall rule group.
NC-85547	CaptivePortal	Sign-in message and sign-out option don't appear with custom captive portal.
NC-85423	SNMP	Kernel crash on XG 125 with SNMP high memory consumption.
NC-85383	IPsec	Unable to connect remote access IPsec due to invalid .scx file.
NC-85346	Email	Smarthost authentication failed in server_plain authenticator: nsgenc decryption failed.
NC-85151	Authentication	Firewall moved to a group on Sophos Central gets added to the group but changes to "Error needs attention".
NC-84604	Wireless	Unable to restore backup from SG 230 to XGS 2300 due to access point database issue.
NC-84231	Core Utils	Receiving a duplicate copy of the same executive schedule reports.
NC-84146	WAF	Warning about Subject Alternative Name (SAN) not being part of the domain.
NC-84142	Backup-Restore	Unable to delete VLAN interface.
NC-83734	Firewall	Inbound emails are dropped randomly in HA load balancing with SMTP scanning enabled.
NC-83469	SSL VPN	Dashboard doesn't show the remote users.
NC-83445	IPsec	Constant IPsec VPN flapping. Pushed through Central SD-WAN orchestration.
NC-83419	Email	Inbound emails aren't delivered when SMTP scanning is enabled.
NC-83405	Core Utils	Inconsistency with Security Audit Reports (SAR).
NC-83114	Authentication	Web authentication doesn't work in HA mode when the auxiliary node is restarting.
NC-82972	CSC	Appliance in active-active HA mode stopped responding.
NC-82225	HA	Unable to establish HA correctly on fiber ports.
NC-81944	IPsec	WWAN isn't connecting after a random disconnect event if XFRM interface is created on WWAN.
NC-81939	Firewall	The firewall isn't reflecting daylight savings time correctly.
NC-81430	CM and UI Framework	User portal host injection reported.
NC-81207	IPsec	Web admin console shows an error while updating the configuration of any VPN tunnel.
NC-81131	Reporting	Last access time isn't generated when a user exists with the username having XSS payload.
NC-80305	Certificates	Though CA isn't available on the pfx file, CA upload opcode is called.
NC-79359	IPsec	Using AES256GMAC can show invalid configuration in IPsec profiles.
NC-79319	IPsec	Clarification required on the web admin console for remote access IPsec.
NC-79128	IPsec	Memory increase to 90 percent over 20-25 days.
NC-76071	RED	XGS-2100: Interface doesn't have any IP address when backup is restored.
NRF-517	RED	SD-RED 60: LAN switch VLAN configuration is lost after some time.
NRF-509	Firmware	AP doesn't register through the RED 15w tunnel.

Version 19.0 GA Build 317

Fixed issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description
NC-89079	CM	fwcm-eventd agent isn't listening to the IP address availability event.
NC-87798	WAF	Upgraded Apache to 2.4.53+.
NC-87665	API Framework, UI Framework	Fixed pre-auth RCE (CVE-2022-1040).
NC-87165	Core Utils	Fixed OpenSSL DoS vulnerability (CVE-2022-0778).
NC-85549	Wireless	SFOS becomes unresponsive after a restart if time-based SSID is configured.
NC-85412	PPPoE	Two PPPoE links with different passwords in 18.5 MR2.
NC-85339	Security	Resolved multiple XSS vulnerabilities through company name (CVE-2021-25268).
NC-84951	Network Utils	Fixed Diagnostics > Tools > Route lookup.
NC-84281	Authentication	Status column isn't visible on Authentication > Users.
NC-84218	Web	Can't turn on OTP for admin user whose user ID isn't 3.
NC-84158	Web	Sophos Central signing admin out of the firewall console when they click Add user.
NC-84101	UI Framework	Corrected a typo in Spanish on the Control center.
NC-83662	Web	Updated the number of administrator accounts unprotected by MFA shown in the alert on Authentication > Users.
NC-83584	WebInSnort	IPS segfault in libnsg_tcphold_preproc disconnecting live users after a limit.
NC-83581	Gateway Management	Corrected the typo in CLI command to session-persistence.
NC-83470	Firewall, VFP-Firewall	Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during connection rate test.
NC-83430	RED	RED causing massive network traffic after upgrading to SF 18.0 MR6 or SF 18.5 MR2.
NC-83392	CM (Join to Cloud)	Backup isn't generated when the backup name contains [].
NC-83366	SDWAN Routing	Unable to turn off captcha for VPN zone for route-based VPN with SD-WAN routing.
NC-83347	Email, FQDN	Unable to add lx63.hoststar.hosting to email server under notification settings.
NC-83177	IPS Ruleset Management	Unable to turn IPS switch on or off in 18.5 MR2.
NC-83065	IPsec	Ping: sendto: operation not permitted when upgraded from 18.0 MR3 to later firmware on directly connected network.
NC-82566	Firewall	Kernel crash after update to 18.5 MR2.
NC-82332	Firewall	Kernel panic because kernel NULL pointer ip_route_me_harder wasn't handled.
NC-82215	Firewall	Device freeze issue.
NC-81974	IPS-DAQ	Snort soft lockup and device restart.
NC-81956	WebInSnort	HTTP and HTTPS traffic to internal server on 8080 is dropped by IPS tcphold.
NC-81768	Backup-Restore	Couldn't restore backup because of duplicated key.
NC-81517	Firewall	Policy test for firewall not showing correct results.
NC-81069	Email	Import fails for the entity MtaBlockedSenders.
NC-80660	DHCP	DHCP IP lease issue.
NC-79468	Authentication	Outdated users shown in Live Users.
NC-79417	Web	SSL/TLS rules can't be seen on the web admin console.
NC-78563	WAF	WAF not redirecting page to proper domain when there are multiple domains listed in the WAF rule.
NC-74847	Web	Snort crashing with a segfault due to a blank conf file.
NC-74228	Email	Can't show quarantine due to \x1E? in the subject.
NC-73975	Firewall	FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test - (flow 2.
NC-71761	Security	Resolved multiple XSS vulnerabilities (CVE-2021-25267).
NC-71379	Email	MTA doesn't provide the full certificate chain.
NC-69997	Email	Notification test mail has wrong encoded subject when web admin console's language is set to Traditional Chinese or Simplified Chinese.
NC-66163	Email	Report received with garbled characters.
NC-51929	DDNS	DDNS doesn't apply to some generic top-level domains.

Known issues

Known issues, listed by ID, description, explanation and Workaround.
Issue ID	Component	Description	Workaround
NC-99867	Email	When the blocked senders' list is large, it may not add new entries. The number of entries you can add depends on the length of each email address. A warning message appears that the operation will take time to complete.	Replace duplicate entries with wildcards to reduce the number of entries in the blocklist if possible. For example, the entries smith@domain1 and joe@domain1 can be reduced to *@domain1.
NC-99835	DDNS	Can't delete MyFirewall.co Sophos DDNS.	Known issue
NC-98205	Wireless	When Radius SSO is configured, and the clients roam between APXs, they have to reauthenticate to connect again.	Known issue
NC-94863	CM	HA zero downtime upgrade isn't supported if the firmware upgrade is scheduled on Sophos Central. When a scheduled firmware upgrade is run from Sophos Central, both HA devices restart at the same time.	Upgrade the HA devices from the firewall's web admin console to maintain zero downtime.
NC-94355	Logging framework	If your device is using a configuration previously restored from a Cyberoam backup, and you haven't regenerated the appliance certificate on SFOS, upgrading to 19.0 results in the appliance operating in fail-safe mode. The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.0 doesn't support appliance certificates with this algorithm. How to verify before upgrading: To verify the signature algorithm of the appliance certificate, run the following command on Advanced shell: openssl x509 -in /conf/certificate/ApplianceCertificate.pem -text -noout Do not upgrade to 19.0 if the output shows the signature algorithm md5WithRSAEncryption.	You must regenerate the appliance certificate. See Appliance goes into fail-safe mode when firmware upgrades to 19.0 GA.
NC-94354	Web	Upgrading to 19.0 results in a factory reset. If you've changed SSL/TLS inspection's log retention period from the default value (1 month), upgrading to SFOS 19.0 resets the device to the factory configuration.	Do as follows: To see the Log retention period, go to Reports > Show report settings > Data management and see Retain SSL/TLS inspection logs of the past. It's the last option on the list. Change Retain SSL/TLS inspection logs of the past to 1 month. Upgrade to 19.0. Change the setting back to the previous selection if you want. The firewall deletes logs beyond the specified period at midnight. To retain the logs based on your previous selection, revert to your selection before midnight. See Upgrade to 19.0 GA results in factory reset.
NC-94073	XGS BSP	XGS 10G interfaces don't work when Interface speed is set to Auto-negotiation for physical and LAG interfaces. Affected platform: Only XGS Series hardware with 10G interface.	Set "Interface speed" to "10000 Mbps - Full Duplex" for physical and LAG interfaces.
NC-93678	Email	SASI engine appears to fail if the returned value from the engine is too large for the buffer. The returned value includes the spam rule hits detected on the message. The following error message appears: “spam scanning failed, unable to connect local antispam”. Spam emails are delivered instead of being blocked or quarantined.	Contact Sophos Support.
NC-89077	IPsec	Unable to connect remote access IPsec VPN with iOS when local ID is specified.	Clear the local ID value and import the configuration file again. The iOS profile doesn't support local or remote IDs.
NC-87676	WAF	WAF may stop working after a backup is restored for firewalls that first started with a version earlier than 18.0 GA and are currently running a version later than 18.0 GA.	If WAF does't start and reverseproxy.log shows the following message, contact Sophos Support: Invalid encrypted key
NC-85343	Network utils	Unable to update interface name using the following terms: "port", "eth", or "ge".	The names of physical and virtual interfaces, wireless networks, and IP tunnels can't start with system-reserved names, such as port, eth, ge, and xfrm, except when the Name is the same as the Hardware name.
NC-85313	API framework	No status code in API response.	You must use one of the tags <Set>, <Get>, or <Remove>, after the <Login> tag.
NC-85063	WAF	WAF does not permit file uploads larger than 1 MB in OWA.	Contact Sophos Support.
NC-84972	Web	When you use the web proxy, files that undergo anti-virus scanning are stored in /tmp. If web caching is turned on (Web > General settings > Enable web content cache) the /tmp directory may run out of space. To determine if the issue affects the firewall, enter the following command: df -h /tmp If the availble space shows 0 MB, enter the following command: du -c /tmp/0x1* Non-zero length files can take up a significant portion of the partition. Large numbers of files that are of zero length don't cause the issue.	Do one of the following: Go to Web > General settings, and clear the check box "Enable web content". This option is turned off by default. Restart the firewall.
NC-84550	Reporting	Local reports on Sophos Firewall differ from CFR reports. If the number of bytes transferred exceeds 32 bits, log viewer shows the truncated value.	Will be resolved shortly.
NC-84517	Firewall	Firewall rule isn't applied to terminal server traffic from Server Protection SATC.	The firewall must join the EAP for New Server Protection features and confirm the machine is added to EAP. See details.
NC-84171	L2TP	Multiple clients behind NATed device cause traffic issues. When these try to connect to Sophos Firewall, tunnels are established. However, ping from the first client drops after a few seconds. There's no ping from a client when the other client's ping works.	Will be resolved shortly.
NC-84054	SecuirtyHeartBeat	Configuration migration fails due to invalid byte sequence. Backup isn't restored if there's an error with the database tblappstoeps since it may contain an invalid byte sequence for encoding "UTF8".	Contact Sophos Support.
NC-83527	SecurityHeartbeat	Unable to register Firewall with Sophos Central account because Amazon certificate isn't present in /conf/.	To check if an Amazon certificate is present, enter the following command openssl crl2pkcs7 -nocrl -certfile /conf/certificate/internalcas/cloud-ca.crt \| openssl pkcs7 -print_certs -text -noout \| grep Issuer If Amazon CA isn't present, do as follows: mount -o rw,remount / cp ""/conf/certificate/internalcas/cloud-ca.crt"" ""/conf/certificate/internalcas/cloud-ca.crt.org"" cp ""/_conf/certificate/internalcas/cloud-ca.crt"" ""/conf/certificate/internalcas/cloud-ca.crt"" mount -o remount,ro / These steps don't require downtime.
NC-83108	Config Migration Framework	Upgrading from 18.0.MR6 to 18.5.MR1 results in a factory reset.	Downgrade to the previous firmware and then upgrade to 18.5.MR2. Alternatively, you can upgrade to 18.5.GA and then to 18.5.MR1.
NC-82331	Security Heartbeat	From 18.5 MR2, Sophos Firewall encrypts certificate keys. So, when you upgrade to this version, the firewall refreshes the certificate used by synchronized endpoints to send a Security Heartbeat. If DNS resolution to sophos.com fails, the endpoints may not get the new certificate from Sophos Central, and the heartbeat fails.	Do as follows: Make sure the endpoints have network connectivity during the upgrade. They can then fetch the new certificate from Sophos Central. If the endpoints are blocked from getting DNS resolution for sophos.com to download the new certificate, go to the corresponding firewall rule and temporarily clear the checkbox "Block clients with no heartbeat".
NC-81520	Hotspot	Password isn't printed on the hotspot voucher for bridge to AP LAN and bridge to AP VLAN.	Use a wireless network with Client traffic set to Separate zone instead. Do as follows: Go to Wireless > Wireless networks. Select the network you want and set Client traffic to Separate zone. Go to Hotspots and select the hotspot you want. Set Interfaces to this wireless network.
NC-81039	Licensing	SFOS gets stuck after a restart. On the hardware, hyperthreading was turned on, stopping the kernel from starting. It only happens when SFOS RAM/CPU are lower than that purchased in the license and hyperthreading is turned on on Dell hardware.	Turn off hyperthreading on the server.
NC-79348	Email	awarrensmtp and warren services go down after a Cyberoam backup is restored. This occurs when the Cyberoam backup doesn't have the default CA certificate generated or configured, and the backup is restored in 19 EAP0 or later versions.	After restoring the Cyberoam backup, regenerate the Default CA certificate as follows: Sign in to the web admin console, and go to Certificates > Certificate authorities. Edit the Default CA. Restart the firewall.
NC-76186	Hardware-XG Series	4X10G Flexiport module with the Intel 700 series NVM data and driver isn't recognized.	Known behavior
NC-73174	Logging framework	Log viewer shows the DDNS events for success and failure twice.	Known behavior
NC-71401	Central Management	Unable to register XG Series firewalls with Central Manager using email addresses with more than 50 characters.	Enter an email address with fewer than 50 characters.
NC-70369	Dynamic routing (OSPF)	Auto-interface cost calculation doesn't work for OSPF.	Go to Routing > OSPF > Override interface configuration. Click Select interface, clear the check box for Interface Cost and enter the cost.
NC-69633	Email	Wildcard SMTP exceptions for FQDN hosts appear on the exceptions list. However, when editing the exception, they aren't visible.	Will be resolved shortly.
NC-69491	Authentication	Unable to access the web admin console after an auto-restart. When a high number of RADIUS SSO users sign in simultaneously and the firewall restarts, sometimes the web admin console isn't available after the restart. However, LAN users can connect, and you can access the firewall through SSH.	Known behavior
NC-69439	Web	For the internet scheme web policy in devices migrating from CROS to SFOS, Policy tester doesn't show the web filter ID.	Known behavior
NC-68438	Web	Web policy rule doesn't support users with the character "/" in the name.	Known behavior
NC-67790	DHCP	DHCP doesn't assign multiple IP addresses to the same MAC address. Example: For the captive portal to work over a bridged interface with a VLAN, the access point creates a virtual interface and needs an IP address from the VLAN. When the captive portal asks for an IP address over VLAN, the discover request comes with the interface's MAC address. If one scope is set to static and the other to dynamic, the IP assignment doesn't work.	Set both the DHCP scopes to dynamic or static.
NC-67688	HA	For 18.0 MR1, when the backup contained redundant information, it increased the backup size. If a larger backup is taken and restored, the /conf may be larger than expected.	Run the following commands on the advanced shell: rm -rf /conf/httpclient/httpclient rm -rf /conf/iview_images/iview_images/ Take a backup again.
NC-65961	Web	Log viewer for Firewall and Web filter shows Allowed for all port 80/443 traffic from WAN to WAN and LAN zones, although users initiating traffic from the WAN zone are shown a block page.	Known behavior
NC-65625	SSL VPN	OpenSSL limits the CN (Common Name) to 64. OpenVPN limits the CN to 63 + 1 (null character). This limits the <username>@<domain name> length to 51 characters since a 12-character random string is added to the CN.	Only use up to 51 characters for <username>@<domain name>.
NC-63913	IPS policy	When XG Series firewall is in FETCH mode in SFM, and users change the Advanced threat setting using the template, the SFM event log shows a failure message.	Known behavior
NC-63535	Email	Modifications aren't allowed to the block email senders list. On Email > General settings > Block senders, when users add a domain or email address, the error "Request could not be completed" appears, and the domain or email address isn't added.	Remove any of the domains or email addresses from the block senders list and add them again.
NC-62786	VFP-Firewall	Turning firewall-acceleration on or off bounces the ports.	Will be resolved shortly.
NC-60401	Central Management	When you downgrade the firmware or reset a firewall registered with Sophos Central (and services accepted on Sophos Central), the firewall loses its central registration information. When it's registered again, and Central management is turned on, endpoints already known to Sophos Central and the Central Management API consider this a bad request since Central services have already been approved.	Deregister the firewall. For HA devices, deregister both firewalls from Sophos Central. Sign in to Sophos Central., go to Firewall management and click Remove from Central for the firewall. Alternatively, run the following command on the advanced shell: /bin/central-register --register -u <email_of_central_account> -p <password_of_central_account> -s <serialnumber_of_firewall> Once the registration passes, you can deregister the firewall from the Sophos Central console.
NC-60381	Firewall	When heartbeat is set to block endpoints with a red status in the firewall rule configured for a bridge interface, and the firewall blocks the MAC address, it also blocks DHCP requests from the endpoints.	Create a firewall rule with Rule position set to Top and Services set to DHCP. Don't specify the Synchronized Security Heartbeat settings.
NC-60294	Authentication	Users aren't removed immediately from the Live user list when they sign out using the Sophos Network Agent (iOS or Android), although the app disconnects immediately.	Enter the following commands through the advanced shell: echo 0 > /content/caaios echo 0 > /content/caaand restart access_server
NC-59839	Firewall	Email logs for bounced emails may show IP addresses that aren't configured as the source address. Log entries are generated for connection table entries rather than from routing. For conntrack creation, the firewall uses any gateway IP address as the original source address (example: Port4: 10.24.255.254). When routing is done on layer 3, the decision may be to route that connection through Port2, but the original source isn't changed.	Known behavior
NC-59800	Firewall	Creating new firewall rules above the automatic SMTP rule (Email MTA mode) may result in a mail queue on the firewall. The firewall then accepts SMTP traffic but can't deliver the emails to the next hop. Mail queue and time-out errors appear on the /log/smtpd_main.log This can happen with manually configured firewall rules that include SMTP service and automatically created firewall rules (example: with VPN connections).	Place manually created firewall rules for SMTP and automatically created rules below the automatic MTA rule. If mails are already in queue on the firewall, before you reposition the firewall rules, contact Sophos Support for help in using the following script to correct the issue: /scripts/mail/replace_firewall_id.pl.
NC-58684	Firmware management	Upgrade from 17.5.x to 18.0 and later takes about 50 minutes. This is due to the additional checks for file system correction, which take longer based on the hard disk size and status.	Known behavior
NC-55423	Network services (deprecated)	Difference in data transfer traffic usage between WAN link manager and WAN zone report.	For more information, see Difference between WAN link manager and WAN zone report.
NC-55068	Hardware	XG 115 Rev.3 models show no HDMI output unless a monitor is connected before the device starts.	Known behavior
NC-54697	IPS Policy	The show ips-settings command shows only eight firewall rules even when more are configured. The related database entry contains all the firewall rules.	Will be resolved shortly.
NC-54667	Authentication	Sophos Firewall supports up to 3042 simultaneous Corporate Authentication Agent (CAA) connections. When the number of users exceeds the limit, the message "Failed to establish connection! Too many open files" appears in the access server log file. The limit is only for users using CAA. Live user count for other authentication mechanisms aren't part of this limit.	Known behavior
NC-53886	Hardware-SG and XG Series	40Gbit QSFP+ Flexiport module isn't recognized on SG/XG 430/450 firewalls.	Known behavior
NC-53094	RED	WAN gateway becomes active, causing RED site-to-site tunnels to flap. When you configure multiple WAN gateways, actions that result in the backup gateway or the unused gateway for the RED tunnel to reconnect, cause all RED tunnels to reconnect.	Known behavior
NC-52129	Email	Avira is unable to scan encrypted split files.	Use the Sophos antivirus engine.
NC-51322	Email	Chinese characters in the mail subject don't appear correctly within the quarantine digest email.	Change the encoding used in the end user's mail client to UTF-8.
NC-48871	L2TP	Username with the special character "\" isn't authenticated when signing in with the domain through L2TP.	Will be resolved shortly.
NC-47523	Reporting	Auxiliary HA device sends reports about its own scheduled report.	Known behavior
NC-47092	Firewall	SSH session to a target behind an SFOS firewall appears with delay in the log viewer.	Known behavior
NC-46108	DHCP	DHCP relay configured on an interface with a DHCP server configuration doesn't function.	Expected behavior
NC-44003	SNMP	SNMP query for supportSubStatus and appExpiryDate returns unexpected values.	Known behavior
NC-43721	Hardware	Half-duplex isn't working on the upper four ports of XG 125 and XG 135 Rev.3	Use ports 5, 6, 7, or 8 with half-duplex.
NC-43682	Email	Mail queue is delayed or fails after update to 17.5. A manual change to disable_offline_relate is lost during firmware upgrade. Before the upgrade, if you've changed the /static/proxy/smtp/scanner.conf file to set the disable_offline_relate setting to No, the change is lost during firmware update.	After the firmware upgrade is complete, edit the /static/proxy/smtp/scanner.conf file, and update disable_offline_relate.
NC-43145	Hardware	HA pair becomes unstable if you use the shared port as the dedicated link on XG 106	Don't use the shared port (Port 4) for the HA dedicated link.
NC-42570	WAF, Web	When LAN users want to access a web server deployed in the LAN zone and protected by a WAF rule, these requests don't work. Requests from the LAN zone reach the web server directly without passing the firewall.	WAF rules control traffic for sites hosted on the WAN interface. For internal servers, configure the DNS server to resolve the domain to the backend server directly. Alternatively, to host the site in the LAN zone through WAF, you need a second WAF rule that listens on the internal interface with a different, internal-only domain.
NC-42364	Networking (deprecated)	IPsec route precedence isn't applied. When system route_precedence is configured to give VPN routes higher priority than static routes, the firewall doesn't send the traffic through the IPsec tunnel. Instead, it routes the traffic through a matching static route. This occurs if a static or local route exists, directing the traffic to a non-WAN zone. The route precedence command only applies to traffic destined for the WAN zone.	Manually create an IPsec route for the remote subnet. Example: console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname <tunnelname> Then press Tab twice to see the list of available tunnels.
NC-42227	Authentication clients	Currently, Sophos Firewall devices don't support SATC (Sophos Authentication for Thin Client) with Edge browser.	Known behavior
NC-42226	SSL VPN	Locally-signed certificates aren't supported as server certificates in SSL VPN.	Only certificates signed by the local CA are supported. Example: ApplianceCertificate.
NC-38227	RED	Can't turn on RED functionality with DHCP from Network > DHCP.	Go to Interfaces > RED for the RED device. Under RED network settings, turn on DHCP.
NC-35231	ATP framework	Limit of 128 characters to add a threat exception.	Known behavior
NC-35230	Wireless	Can assign only 8 SSIDs or networks to an access point.	Known behavior
NC-33997	Authentication	SSO client installation doesn't work with RDP sessions.	Known behavior
NC-33500	Web	Unable to get the file scanned by Sandstorm. The captive portal shows a cannot reach page. This happens when there's an Any to Any firewall rule with Action set to Drop.	Select a LAN or WAN zone instead of Any zone for the firewall rule with Action set to Drop.
NC-30324	Firewall	Internal hosts can't ping remote access SSL VPN.	Give priority to static routes because SSL VPN routes are static routes. VPN routes represent IPsec routes.
NC-29938	Networking (deprecated)	Static routes won't apply to the system for connected networks, such as RED tunnels. So, you can't use them for route failover for these networks.	Use SD-WAN routes for route failover.
NC-29517	Date and time zone	Time zone is different on the web admin and CLI consoles.	Copy the content from /etc/zoneinfo/<timezone> to /conf/TZ. Then restart the firewall.
NC-27906	Email	In legacy mode, when you turn on greylisting on the server, emails are rejected because legacy Mode doesn't support retrying of emails. Failed emails are rejected with the following log message: 451 Temporary local problem, please try again!	For more information, see How to work around the issue when legacy mode doesn't support email retry.
NC-27452	WAF	No support for Microsoft RDG protocol suite.	WAF only supports RPC_IN_DATA and RPC_OUT_DATA. These are the only types supported when Pass Outlook Anywhere is turned on.
NC-26865	Wireless	Link/Activity LED glows on Port3 and Port4 even when the ports are disabed in XG 85(w), XG 125(w), and XG 135(w).	Known behavior
NC-25733	IPsec	Can't see custom IPsec profiles that use a preshared key with aggressive mode after upgrading to 17.0 MR1 although the profile is in use in an IPsec connection.	The firewall doesn't support preshared keys in aggressive mode. It only supports aggressive mode with RSA key and digital certificate.
NC-22697	Web	Citrix-based web application isn't working with Allow all web policy. In transparent mode, Citrix clients aren't aware that there's an HTTP or HTTPS proxy in the middle. So, they start using a proprietary protocol (not HTTP or HTTPS) using the HTTP and HTTPS ports. The proxy doesn't understand this and waits for a client request while the Citrix client waits for the server to respond. So, launching a .ica file with Citrix web or application fails.	You need to punch a hole in the firewall. Do as follows: For traffic from the LAN zone to the destination IP addresses of your URL in the WAN zone to launch the .ica file, create a LAN to WAN firewall rule with web policy set to None. Then create a firewall rule with web policy set to Allow all from LAN to WAN.
NC-22372	Email	Missing prefix subject with IMAP and many email clients. With IMAP, some mail clients download only the root headers from the server. They download the complete email only when users click the email subject. Sophos Firewall doesn't scan headers for spam since headers don't have enough information to detect spam. The IMAP proxy scans emails for spam only when the mail client downloads the complete email. The firewall then scans and adds a prefix to the subject for spam. So, the spam prefix doesn't appear in the email client's folder view.	Known behavior
NC-22206	Clientless access (HTTP and HTTPS)	Bookmarks of websites that require NTLM authentication don't work with clientless authentication.	Sophos Firewall doesn't support NTLM authentication with clientless web access.
NC-19628	Authentication	Sophos Firewall doesn't support browsing on IE11 in protective mode with SATC authentication.	Known behavior
NC-19479	Clientless access (HTTP and HTTPS)	Can't access websites that require the destination domain in the URL host through clientless access. Example: CNN.com.	Known behavior
NC-19478	Clientless access (HTTP and HTTPS)	Can't access websites with UTF-16 characters in the URL using bookmarks. Clientless access needs HTML links to be rewritten within the response document to ensure that links work for users outside the proxy. The firewall doesn't rewrite URLs with UTF-16 encoded special characters. So, these sites won't open through clientless access. Example: http:\u002f\u002fportal.example.com	Known behavior
NC-19476	Clientless access (HTTP and HTTPS)	Can't access web servers containing JavaScript-based dynamically generated URLs through HTTP and HTTPS bookmarks.	Known behavior
NC-18385	WAF	After successful form-based authentication, users are redirected to the defined path in the corresponding site path routing profile rather than to the original requested path.	Known behavior
NC-17808	Email	Wrong decoding if a policy with Change prefix subject is configured with umlaut characters.	Known behavior
NC-17457	Networking (deprecated)	Username for PPPoE interfaces is limited to 50 characters.	Insert a dummy username using less than 50 characters on the web admin console for the PPPoE interface. Go to the advanced shell and enter the following: psql -U nobody -d corporate Go to the corporate DB and enter the following: corporate> update tblpppoeconf set "user"='john.doe@example.com' Now disconnect the PPPoE connection and reconnect to bring the changes into effect.
NC-16462	Reporting	When generating a custom report, only the results appearing on the current page are exported to HTML, PDF, and CSV formats. The full list isn't exported.	Known behavior
NC-14880	Web	Safe search is enforced on all the policies without exception.	Known behavior
NC-13946	Authentication	STAS users with special characters (',/") in the name don't appear.	Sophos Firewall doesn't support usernames with these special characters.
NC-13934	Reporting	Auxiliary device sends only a few configured scheduled reports.	If reports don't contain data in auxiliary devices, report notifications aren't sent.
NC-13659	Security Heartbeat	Host information for blocked sources is shown on ATP flipside but isn't updated.	Manually reopen the flipside to see the change in host status. Example: Green, red, missing
NC-13639	Captive portal	Local users with names containing umlaut characters (example: ööööööö) can't sign in. They can sign in through AD and STAS. Unable to create local users with special characters (UTF-8). Existing AD users with such names can't sign in.	Known behavior
NC-13637	Routing (deprecated)	Route precedence isn't followed for policy-based routing in RED site-to-site tunnels.	Known behavior
NC-13636	VPN (deprecated)	Can't create L2TP connection with preshared key for mobile phones.	Known behavior
NC-13632	RED	Unable to do offline provisioning of RED 50 device using USB device.	Do online provisioning centrally. REDs are then upgraded to the latest firmware. You can then perform offline provisioning.
NC-13618	Clientless access (HTTP and HTTPS)	Unable to access the web admin console of a firewall by using bookmarks from the same firewall.	Known behavior
NC-13598	Firewall	10G SFP+ network cards on software appliances aren't recognized.	Known behavior
NC-9641	WAF	Outlook Anywhere doesn't work when Common threat filter is turned on in the web server protection policy.	RPC (Remote Procedural Call) doesn't work when Common threat filter is on. CTF checks the validity of HTTP requests and responses and compliance with HTTP standards and common practices. MS_RPC, the protocol underlying some of MS Outlook’s Anywhere feature doesn't meet all these rules and common practices. Turn off Common threat filter in the web server protection policy.
NC-9132	WAF	Websockets aren't supported for WAF.	Known behavior
NC-9124	Firewall	STAS isn't working when AD servers are only reachable on WAN.	Known behavior
NC-9106	Framework part of base (deprecated)	Mail notification isn't working with Microsoft Office365.	Sophos Firewall supports STARTTLS and SSL/TLS to encrypt emails. However, for SMTP, it only supports PLAIN authentication, which Office 365 doesn't support. Configure an intermediate relay to workaround this behavior.
NC-9102	Hotspot	Custom logo doesn't appear on the hotspot sign-in page if the hotspot name contains whitespace.	Don't use white spaces in hotspot names.
NC-9063	Firewall	Unable to create a hotspot through SFM with an HTML filename that has a space.	Don't use spaces in filenames.
NC-8891	VPN	CHAP and CHAPV2 in L2TP and PPTP VPN with AD configuration isn't working.	Use PAP as authentication method.
NC-8888	VPN (deprecated)	IPsec (site-to-site) between SFOS and SonicWall isn't working in aggressive mode.	Use main mode.

Upgrading firmware and restoring backups

Upgrading firmware

Information about 19.0 GA and later is as follows:

The versions are available on all form factors.
The versions aren't FIPS-compliant.

Important changes to consider before you migrate to 19.0

Remote access SSL VPN IP lease range: After you upgrade from 18.5 and earlier to 19.0 and later versions, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.

Go to the firewall rule, and select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead. See SSL VPN IPv4 lease range changes in SFOS 19.0.

Versions you can upgrade from

We strongly recommend that you migrate only to the approved versions listed in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

See how to upgrade.

Firewalls on 19.0 MR1 build 350 can migrate to 19.0 MR1 build 365.

Upgrading firmware
Upgrade from	Upgrade to 19.0 (all form factors)
	MR1 Build 365	GA Build 317
18.5 MR4
18.5 GA to MR3
18.0 MR3 and later
17.5 MR14 and later

You can downgrade only to compatible versions. You can't downgrade from 19.0 and later to 17.5 and earlier. However, you can roll back to any previous version.

Sophos Central: You can schedule firmware upgrades from Sophos Central for firewalls using 18.0 MR3 and later.

Previously restored Cyberoam backup: If your appliance is using a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to 19.0.x versions only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 19.0 doesn't support appliance certificates with this algorithm.)

Restoring backups

You can restore backups from any earlier version to 19.0 GA and later versions.

To take a backup and restore the configuration between XG Series and XGS Series appliances, see Backup-restore compatibility check.

Supported platforms

Version 19.0

Sophos Firewall OS version 19.0 GA and later versions are available on all form factors as follows:

XGS Series firewalls
XG Series firewalls
SG Series firewalls
Virtual and software appliances
Cloud platforms

For more information about the supported firmware versions, licenses, and migration, see Sophos Firewall: Licensing guide.

Minimum RAM

19.0 GA and later versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to these versions:

XG 85, XG 85w, XG 105, and XG 105w
SG 105, SG 105w

Supported firmware versions

19.0 GA and later support the following firmware versions:

Wi-Fi firmware 11.0.019 and earlier
RED firmware 3.0.008 and earlier
Sophos Connect 2.2 and earlier

Support

You can find technical support for Sophos products in the following ways:

Visit the Sophos Community and search for other users who are experiencing the same problem.
Visit Sophos Support.
Find how-to, configuration, and troubleshooting videos on the Sophos Techvids video hub.

Legal notices

Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Sophos Firewall

Version 19.0 MR1 Build 365 Released on August 16, 2022

New features

VPN

RED

Licensing

SD-WAN

Synchronized Security

Enhancements

Version 19.0 GA Build 317 Released on April 21, 2022

New features

SD-WAN profiles

Xstream FastPath acceleration

Web

VPN

Other enhancements

User experience

Resolved issues

Version 19.0 MR1 Build 365

Version 19.0 GA Build 317

Known issues

Upgrading firmware and restoring backups

Upgrading firmware

Important changes to consider before you migrate to 19.0

Versions you can upgrade from

Restoring backups

Supported platforms

Version 19.0

Minimum RAM

Supported firmware versions

Support

Legal notices

Version 19.0 MR1 Build 365
Released on August 16, 2022

Version 19.0 GA Build 317
Released on April 21, 2022