The following versions are EOL: 20.0 GA and 20.0 MR1.
For more information, see Retirement calendar.
These release notes are for Sophos Firewall (formerly known as Sophos XG Firewall).
This page describes the new features introduced. For details, see the Sophos Firewall help.
SFOS 20.0 MR1 and subsequent 20.0 maintenance versions are FIPS-compliant.
You can configure Sophos Firewall to use a cryptography library that is certified for the Federal Information Processing Standard 140-3 (FIPS 140-3) level 1 for the following appliances:
XG and SG Series hardware appliances and software firewalls don't support FIPS.
For details, read Federal Information Processing Standard 140-3 (FIPS 140-3).
Endpoints that move to a missing heartbeat status in the firewall and then move out of the network continue to appear with this status on the control center and in reports. The missing heartbeat status can only change when they reconnect to the network.
A new CLI command allows you to remove the missing heartbeat status for these endpoints based on the number of days their heartbeats have been missing. You can also remove individual endpoints by specifying their names. For more details, see System command for missing-endpoints.
This maintenance release resolves some issues. To see these, click the Resolved issues tab.
SFOS 20.0 MR2 introduces the new backup-restore assistant and offers greater flexibility in restoring backups. The version also removes the previous practical restrictions on restoring a backup to a different appliance model.
Backup-restore assistant: The enhanced backup-restore functionality allows you to see and change the default port mapping in the new assistant. The assistant is available for backups from 19.5 MR4 and later versions restored to 20.0 MR2 and later.
Greater flexibility: The following features are available for backups from all supported versions restored to 20.0 MR2 and later:
The release eliminates previous limitations that required the target device to have the same number of interfaces and the same dedicated HA link port as the backup.
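The port-mapping decision the assistant lets you review is illustrated below. This is an added example, not the backup-restore assistant's own code: the mapping rules (explicit override, then same-name port, then first free port), the port role labels, and the problems reported are assumptions chosen to show the checks a restore across different interface counts needs. The backup and target port lists are constructed.

```python
"""Port mapping for a cross-model backup restore.

Added example, not the backup-restore assistant's code. The mapping rules,
the port role labels and the problems reported are assumptions made to show
the checks a restore across different interface counts needs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str   # interface name on the backed-up appliance, e.g. "Port5"
    role: str   # assumed labels: lan, wan, dmz, ha (dedicated HA link), unused


def propose_mapping(backup_ports, target_names, overrides=None):
    """Return (mapping, problems).

    mapping: backup port name -> target port name, or None when nothing fits.
    Rules (assumed): an explicit override wins; otherwise the target port with
    the same name; otherwise the first target port still free, in order.
    problems: what must be resolved before the restore is safe to run.
    """
    overrides = dict(overrides or {})
    mapping, used, problems = {}, set(), []

    # Overrides first, so a default never takes the port an administrator chose.
    for bname, tname in overrides.items():
        if tname not in target_names:
            problems.append(f"override {bname}->{tname}: target has no {tname}")
        elif tname in used:
            problems.append(f"override {bname}->{tname}: {tname} already taken")
        else:
            mapping[bname] = tname
            used.add(tname)

    # Same-name port when it is still free, otherwise the next free port in order.
    for port in backup_ports:
        if port.name in mapping:
            continue
        if port.name in target_names and port.name not in used:
            choice = port.name
        else:
            choice = next((t for t in target_names if t not in used), None)
        mapping[port.name] = choice
        if choice is not None:
            used.add(choice)

    # A backup port with no target loses its configuration on restore; that is
    # only harmless for a port that carried nothing.
    for port in backup_ports:
        if mapping[port.name] is None and port.role != "unused":
            problems.append(f"{port.name} ({port.role}) has no target port")
    return mapping, problems


# Constructed example: a five-port backup restored onto a three-port target.
BACKUP_PORTS = [
    Port("Port1", "lan"), Port("Port2", "wan"), Port("Port3", "dmz"),
    Port("Port4", "unused"), Port("Port5", "ha"),
]
TARGET_PORTS = ["Port1", "Port2", "Port3"]

if __name__ == "__main__":
    for overrides in (None, {"Port5": "Port3"}):
        mapping, problems = propose_mapping(BACKUP_PORTS, TARGET_PORTS, overrides)
        print("overrides:", overrides)
        for bname, tname in mapping.items():
            print(f"  {bname} -> {tname}")
        for problem in problems:
            print("  !", problem)
```

With no overrides the dedicated HA link (Port5) is left without a target and is reported; moving it onto Port3 with an override silences that report but now strands the DMZ port instead. That trade-off is the point of the assistant: the old rule that the target needed the same number of ports and the same HA link port made such restores impossible, and the replacement is a mapping the administrator reviews before running the restore.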
Backup-restore links
OpenVPN has been upgraded to 2.6.0 in this version. Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:
For site-to-site IPsec tunnels, see Route-based VPN. For RED tunnels, see Site-to-site RED tunnel.
20.0 MR1 and later versions won't support the following legacy RED devices: RED 15, 15w, and 50. They were declared end-of-life in 2023. For more details, see the article Sophos RED: End-of-life of RED 15/15(w) and RED 50.
You can configure the following Sophos Firewall platforms to use a cryptography library that meets Spain's National Essential Security Certification (LINCE):
For more details, read National Essential Security Certification (LINCE).
Device access: This release offers enhancements to the device access grid for access from zones to certain services. The grid has also been grouped to offer intuitive configurations and granular control:
Local service ACL exception rule:
TPM-based True Zero Touch is available to remotely deploy firewalls in branch offices through Sophos Central. You'll specify the firewall configuration in Sophos Central. The remote firewall administrator connects the firewall to the internet and turns it on. The firewall connects to Sophos Central, downloads and applies the configuration, and then registers with Sophos Central. For more details, see the Sophos Central help.
SD-RED now supports bridge configuration for WAN interfaces with the RED tunnel.
Active threat response integrates Managed Detection and Response (MDR) threat feeds with Sophos Firewall. Synchronized Security extends to Active threat response, enabling the firewall to automatically shut down active threats in the network.
Active threat response brings the MDR service to Sophos Firewall through MDR threat feeds. Security analysts from the Sophos MDR team (or your XDR SOC team in the future) can share threat intelligence related to your network, pushing active threat information in real time to the firewall. Based on the threat feeds, the firewall automatically blocks traffic, including DNS requests and HTTPS traffic, from any host in the network that tries to communicate with malicious IP addresses, domains, or URLs. Additional rules and policies aren't required for the Active threat response action. Watch the video Active threat response with MDR threat feeds.
Synchronized Security: Active threat response extends Synchronized Security, with its automated response to a red Security Heartbeat status, to MDR threat feeds in the firewall. Based on the threat feed, the firewall automatically queries any Sophos-managed endpoint attempting to communicate with malicious servers for additional information, such as the host, user, and process, which enables you to determine any indicators of compromise (IoCs). It prevents compromised endpoints from moving laterally or communicating outward, shutting down active threats in the network.
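The feed-driven decision described in the two paragraphs above, as an added example that is not Sophos Firewall code: given a threat feed of IP addresses, domains and URLs, it decides which observed DNS, TLS, HTTP and plain connection events from internal hosts hit an indicator (and would be blocked), and which internal hosts would then be queried over Security Heartbeat and isolated. The feed line format, the event dictionaries and the matching rules are assumptions made for the illustration; the indicators and events are constructed from documentation address ranges.

```python
"""Feed-driven blocking as described for Active threat response.

Added example, not Sophos Firewall code. The feed line format, the event
dictionaries and the matching rules below are assumptions for the illustration;
the firewall's own feed API and decision logic are not shown on this page.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ThreatFeed:
    ips: set = field(default_factory=set)       # ip_network objects, /32 or CIDR
    domains: set = field(default_factory=set)   # normalised domain names
    urls: set = field(default_factory=set)      # normalised scheme://host/path


def normalize_domain(name):
    """DNS names are case-insensitive and a trailing dot is the same name."""
    return name.strip().lower().rstrip(".")


def normalize_url(url):
    """Compare scheme, host and path only; query strings vary per victim."""
    parts = urlsplit(url.strip())
    host = normalize_domain(parts.hostname or "")
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def load_feed(lines):
    """Parse 'ip <addr|cidr>', 'domain <name>' or 'url <url>' lines (assumed format)."""
    feed = ThreatFeed()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(" ")
        if kind == "ip":
            feed.ips.add(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            feed.domains.add(normalize_domain(value))
        elif kind == "url":
            feed.urls.add(normalize_url(value))
        else:
            raise ValueError(f"unknown indicator line: {line!r}")
    return feed


def ip_matches(feed, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in feed.ips)


def domain_matches(feed, name):
    """Match the name itself or any parent domain, on label boundaries only,
    so 'notevil.example' does not match an indicator 'evil.example'."""
    labels = normalize_domain(name).split(".")
    return any(".".join(labels[i:]) in feed.domains for i in range(len(labels)))


def url_matches(feed, url):
    return normalize_url(url) in feed.urls


def evaluate(feed, events):
    """Return (blocked, suspects): the events a feed hit blocks, and the internal
    hosts the firewall would then query for host/user/process details and isolate."""
    blocked, suspects = [], set()
    for ev in events:
        hit = None
        kind = ev["type"]
        if kind == "dns" and domain_matches(feed, ev["qname"]):
            hit = "domain " + ev["qname"]
        elif kind in ("tls", "conn") and ip_matches(feed, ev["dst_ip"]):
            hit = "ip " + ev["dst_ip"]
        elif kind == "tls" and ev.get("sni") and domain_matches(feed, ev["sni"]):
            hit = "domain " + ev["sni"]
        elif kind == "http" and url_matches(feed, ev["url"]):
            hit = "url " + ev["url"]
        if hit:
            blocked.append((ev["src"], kind, hit))
            suspects.add(ev["src"])
    return blocked, sorted(suspects)


# Constructed sample feed and events (documentation ranges, not real indicators).
SAMPLE_FEED = [
    "# constructed feed",
    "ip 198.51.100.0/24",
    "ip 203.0.113.7",
    "domain evil.example",
    "url https://cdn.example/dropper/payload.bin",
]

SAMPLE_EVENTS = [
    {"src": "10.0.1.15", "type": "dns", "qname": "BEACON.evil.example."},
    {"src": "10.0.1.15", "type": "tls", "dst_ip": "198.51.100.23", "sni": "beacon.evil.example"},
    {"src": "10.0.1.22", "type": "http", "url": "https://cdn.example/dropper/payload.bin?id=7"},
    {"src": "10.0.1.30", "type": "dns", "qname": "www.example.org"},
    {"src": "10.0.1.30", "type": "conn", "dst_ip": "203.0.113.8"},
    {"src": "10.0.1.41", "type": "tls", "dst_ip": "192.0.2.5", "sni": "notevil.example"},
]

if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    blocked, suspects = evaluate(feed, SAMPLE_EVENTS)
    for src, kind, hit in blocked:
        print(f"block {kind} from {src}: {hit}")
    print("hosts to query and isolate:", suspects)
```

Two details matter in practice. Domain indicators are matched on label boundaries, so a lookalike such as notevil.example is not a hit for evil.example and a host that only resolves unrelated names stays clean; and the DNS query is blocked on its own, before any connection exists, which is the earliest point at which the firewall can act on a feed entry.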
The release enhances Synchronized Security with added scalability and reduced false missing heartbeats for endpoints in sleep or hibernate status.
Sophos X-Ops threat feeds: Advanced threat protection has been renamed Sophos X-Ops threat feeds. It offers periodic updates of threat feeds from SophosLabs.
Extensible framework for dynamic threat feeds: Active threat response introduces a new extensible API framework for dynamic threat feeds in the firewall. The framework enables the following threat intelligence to be shared with the firewall:
The release offers VPN, IPv6, and SD-WAN enhancements that improve scalability, security, and interoperability.
The VPN-related services, such as VPN configuration file downloads, have moved to the new VPN portal and are no longer available in the user portal, minimizing the need to expose the user portal to the WAN and tightening its security. To maintain compatibility, the VPN portal is available by default on the previous user portal port (443). It can share a common port with WAF or SSL VPN. The user portal now uses port 4443 by default. See the help for Port sharing among services.
For migration details and how port settings apply from Sophos Central, see the knowledge base article New VPN portal in SFOS 20.0 and later.
Watch the video VPN enhancements.
ZTNA, SD-WAN, and DNS protection, the cloud-hosted network security services that deliver key remote worker and branch office protection capabilities, have been integrated into Sophos Firewall (both on-premises and cloud-hosted).
The new Sophos DNS protection service will soon be available for early access.
You can't turn off alias or tunnel interfaces and members of a LAG or bridge interface, but you can turn off the entire LAG or bridge interface.
Watch the video Quality of life enhancements.
Azure Single Arm Deployment Support: For Microsoft Azure public cloud deployments, you can choose a smaller instance size with single-arm deployments and reduce your infrastructure costs. This also reduces network and operational complexity.
Issue ID | Component | Description |
---|---|---|
NC-131711 | Authentication | Log message was incorrectly tagged as an error in the access server for STAS. |
NC-138431 | Authentication | MFA tokens didn't work for SSL VPN users after a firmware upgrade to SFOS 20.0 MR1. |
NC-139018 | Authentication | After a Microsoft patch, remote access L2TP and PPTP users couldn't connect with RADIUS authentication using CHAP or MS-CHAPv2. |
NC-141413 | Authentication | Authentication outage occurred because of unresponsive read_from_client. |
NC-141584 | Authentication | Access server service became unresponsive. |
NC-139709 | Backup-Restore | The following error message appears when a backup is restored to 20.0 MR2 XG and SG devices: Can't restore backup, insufficient space. |
NC-132127 | CDB-CFR, CM | The auxiliary device generated alerts that the firewall has lost its connection to Sophos Central. |
NC-139323 | Certificates | IPS service failed after an upgrade to 20.0 MR1. |
NC-135473 | Clientless Access | Unable to download the configuration file from the VPN portal after HA failover. |
NC-139717 | Clientless Access | Hardened XSS protection for the VPN portal. |
NC-133133 | CM | CM group configuration import failed while importing the configuration from XG 86w. |
NC-135944 | CM | Unable to manage or access XG Firewall from Sophos Central. |
NC-140829 | CM | Intermittent issues with internet connectivity. |
NC-137123 | Core Utils | Low swap memory in a device migrated from 17.5 (virtual deployment with two disks). |
NC-135613 | DDNS | DDNS doesn't show data on the web admin console. |
NC-130236 | Email | Email was identified as BULK when the presence of \n concatenates two words in the subject. |
NC-133859 | Email | DKIM signatures didn't work as expected. Emails were quarantined. |
NC-133988 | Email | Rejected mail log entries due to message size weren't logged. |
NC-134038 | Email | Email is bounced or isn't delivered when the subject includes & and SPX is turned on. |
NC-130017 | IPS-DAQ-NSE | Client-server traffic was dropped without ac_atp exception due to missing support for TCP keepalive attempts on decrypted TLS. |
NC-137792 | IPS-DAQ-NSE | Core dump during MSS update in DPI engine. |
NC-140591 | IPS-DAQ-NSE | An AWS website doesn't work with SSL/TLS decryption in DPI mode. Log viewer shows the following error: "TLS handshake fatal alert occurs: decode error(50)". |
NC-140666 | IPS-DAQ-NSE | Unable to connect Office 365 SMTP with SSL/TLS turned on after an upgrade to 20.0 MR1. |
NC-138180 | IPsec | After an upgrade to 20.0 MR1, the auxiliary device was receiving the NAT-T IPsec packets after a rekey. |
NC-138822 | IPsec | XFRM interface status appears as not configured even when the IPsec tunnel is up. |
NC-141503 | Postgres | IPS becomes unresponsive and can't be restarted because PG connections exceed the limit. |
NC-138286 | Reporting | Custom view wasn't listed in the custom report when accessing the firewall through Sophos Central. |
NC-139458 | SSLVPN | Services page and SSL VPN assistant weren't loading. |
NC-139849 | SSLVPN | Discrepancies in site-to-site SSL VPN import validation. |
NC-141688 | UI Framework | Support automatic language detection for SSO login users. |
NC-135798 | WAF | Setting cache-control to no-cache, no-store for WAF. |
NC-136062 | WAF | Migration failed due to duplicate names of WAF rules. |
NC-136560 | WAF | WAF authentication template files disappeared after upgrading to 20.0 MR1. |
NC-136403 | Web | Web policy override must tell browsers not to autofill bypass codes. |
NC-136616 | Web | AD SSO wasn't working with Kerberos for a specific server and user. |
NC-136099 | WebInSnort | SSL/TLS inspection rules containing only unsupported services behave as Service set to Any. |
NC-140491 | WWAN | Sierra EM9191 modem failed to connect after migration in XGS 116. |
Issue ID | Component | Description |
---|---|---|
NC-131391 | Authentication | L2TP authentication isn't working with Windows Automatic Logon enabled in VPN adapter. |
NC-132907 | Authentication | Access server coredump user disconnection. |
NC-127665 | CDB-CFR, CM | Firewall shows disconnected status on Sophos Central after the firewall restarts. |
NC-136645 | Certificates | Certificates from Starfield Secure Certificate Authority - G2 were untrusted in 20.0 MR1. |
NC-127253 | Clientless Access | HTTP Host header injection in VPN portal. |
NC-132845 | CSC | Log viewer shows a blank username field when a user is deleted in virtual firewall. |
NC-130879 | DHCP | DHCP relay fails intermittently, and clients no longer receive an IP address. Changing the DHCP relay configuration makes it work again. |
NC-136246 | DHCP | DHCP server doesn't start when Boot options are configured with URL. |
NC-126576 | Email | Greylisting doesn't work. |
NC-128229 | Email | Turning on SPF check isn't an option to block spoofed emails of the internal domain. |
NC-131106 | Email | Inbound email isn't delivered to the mailbox when SMTP scanning is on in legacy mode. |
NC-132557 | Email | HA synchronization issue for email encryption SPX template. |
NC-133157 | Email | Unable to send backups using Amazon SES. |
NC-135882 | Email | Regression in IMAP proxy. |
NC-134783 | Firewall | Unable to see IP Host or MAC host in the firewall. |
NC-136153 | Firewall | Local ACL exception rule doesn't work for SMTP relay. |
NC-136681 | Firewall | Unable to access the web admin console of remote firewall with site-to-site VPN using NAT. |
NC-125024 | Firmware Management | Incorrect pop-up message while updating a standalone HA device. |
NC-131100 | Firmware Management | SNMP server shows 100 percent /tmp/npu_diag usage. |
NC-132862 | Firmware Management | SSH Terrapin prefix truncation weakness (CVE-2023-48795). |
NC-135340 | Firmware Management | Restrict parallel firmware upgrade flows. |
NC-130404 | HA | License issue in auxiliary device in active-passive HA pair. |
NC-135699 | HA | Firewall web admin console doesn't respond on HA page. |
NC-133495 | Interface Management | Can't turn off Port1 if web admin console language is set to German. |
NC-136619 | Interface Management | udhcpc isn't sending a renew request with a low lease time of 40 seconds. |
NC-132542 | IPS-DAQ | Memory allocation failure in jumbogram causes IPS log to grow in GBs. |
NC-135467 | IPsec | Unable to connect IPsec tunnel when the port is turned off, and the local gateway is changed to an active port. |
NC-136651 | IPsec | Charon high CPU for IPsec passthrough traffic. |
NC-133699 | Localization | German language errors in the firewall. |
NC-129242 | Logging Framework | Notification plugin reconfiguration failure causes crash in fca_output. |
NC-136693 | Logging Framework | Control center doesn't show bandwidth utilization by interfaces. |
NC-133375 | Logging Framework (Central Reporting) | Garner doesn't respond. |
NC-128941 | NFP-Firewall, XGS-IPsec | Traffic doesn't flow through IPsec tunnel when ipsec-acceleration is on. |
NC-137333 | Service Object | Missing entries for Services on web admin console after changes were made. |
NC-132821 | Static Routing | Staticd service stopped after upgrading the device to 19.5 MR4. |
NC-135342 | SupportAccess | Support access isn't working after a restart. |
NC-131365 | UI Framework | DNS server IP address in DHCP server configuration changes unexpectedly in the XG web admin console. |
NC-131782 | WAF | After a second HA failover, GeoIP settings in WAF rules are lost. |
NC-100895 | Web | Unable to remove URL from web category when URL contains "\" backward slash character. |
NC-113504 | Web | Unable to add a second URL with the same parent domain. |
NC-115849 | Web | Zero-day protection page doesn't load if filename ends in percent. |
NC-131685 | Web | HTTPS error 502 while browsing URL cosmopolitan.com in legacy web proxy mode due to trailers. |
NC-131687 | Web | HTTPS error 502 while browsing URL scottdirect.com in legacy web proxy mode because header size was greater than 8k. |
NC-128897 | WebInSnort | Previously allowed applications get blocked. |
NC-132126 | Wireless | Wi-Fi separate zone doesn't match the firewall rule. |
NC-131582 | XGS BSP | No traffic except on the management port after a restart. |
NC-132065 | XGS BSP | SFP ports don't respond after an upgrade to 20.0. |
Issue ID | Component | Description |
---|---|---|
NC-77828 | API Framework | Unable to import user activity that contains web categories with special characters. |
NC-122760 | AppFilter Policy | Unable to update or push app filter policy from Sophos Central. |
NC-120582 | Authentication | Updated the log message for brute force sign-in event. |
NC-120484 | WebInSnort | Firewall stops responding because of out-of-memory issue. |
NC-120875 | Authentication | AD group import fails when username has special characters. |
NC-121619 | Authentication | Admin access to the web admin console gets blocked after two wrong attempts when MFA is on. |
NC-124603 | Authentication | When the primary user group ID is greater than 9999, captive portal disconnects within 5-10 seconds of signing in. |
NC-124684 | Authentication | Static IP address isn't released sporadically for SSL VPN users. |
NC-127830 | Authentication | RADIUS users who aren't part of VPN group are able to connect to SSL VPN. |
NC-128138 | Authentication | Captive portal with custom code isn't working properly. |
NC-131097 | Authentication | When the AD server connection flaps, ldap_bind blocks for 30 minutes, resulting in time-out and failure of new authentication requests. |
NC-131290 | Authentication | Web admin console sign-in error when Azure AD SSO is used: Firewall is starting. |
NC-125264 | Azure | Firmware upgrade of SFOS on Azure to 20.0 GA fails and results in a single NIC if it was configured with three or more NICs. |
NC-124919 | CDB-CFR, CM, CM (Zero Touch) | Firewall's web admin console shows the ZT and CZT wizard even after ZT and CZT are completed because nvram flag isn't reset. |
NC-119857 | CM | Firewall's Web admin console stops responding on the Sophos Central page. |
NC-124391 | CM | VPN tunnel flaps between the firewall and a third-party firewall. |
NC-129249 | CM, Core Utils | Fixed vulnerabilities in libssh2 CVE-2023-48795 for Sophos Central services. Upgrade to SFOS 20.0 MR2 for the full fix to all firewall services. |
NC-127120 | Core Utils | Fixed NPU log error. |
NC-126965 | DHCP | Firewall stops logging DHCP logs, and Garner service doesn't respond and can't be restarted. |
NC-128820 | DHCP | DHCP server configured with relay agent request with All interface selection doesn't work after migration or restoring a backup. |
NC-129171 | DHCP | DHCP stopped working after upgrade from 19.5.3 to 20 GA. |
NC-117690 | DHCP | DHCP Next server and Boot file ignored PXE Boot DHCP options 66 and 67. |
NC-116339 | Wireless | Hostapd service stops responding after wireless network is added to the access point group. |
NC-126738 | Interface Management | HA isn't established with VLAN over unbound interface as dedicated link. |
NC-125076 | Dynamic Routing (BGP), Dynamic Routing (OSPF) | Zebra continuously restarts when configuration contains a gateway IP address that's actually the broadcast IP address. |
NC-120967 | Email | Inbound and outbound emails are delayed after firmware is upgraded to 19.5.2. |
NC-121980 | Email | Users receive duplicate emails. |
NC-122260 | Email | Two email addresses in Return-Path: and From: header after you release and report emails from Quarantine digest in SFOS 19.5.1 and 19.5.2. |
NC-123889 | Email | High CPU usage by warren after upgrade to 19.5.3. |
NC-124266 | Email | Notification emails get stuck in the mail spool when there is a smarthost with a RED tunnel setup. |
NC-124453 | Email | Not able to see, release, or delete emails from SMTP quarantine. |
NC-125084 | Email | DKIM isn't working as expected. |
NC-133277 | Email, WAF | UX issue for DH group in IPsec profiles. |
NC-119893 | Firewall | SFOS is accessible to requests from another network for network and broadcast IP addresses. |
NC-123538 | Firewall | MAC filter spoof check doesn't work. SPOOF_CHECK chain entry is missing. |
NC-123249 | Wireless | Access points remain offline if device is restarted after turning off the Wireless Protection option. |
NC-124012 | Firewall | NAT rule isn't marked even after an upgrade to 19.5.3. |
NC-124251 | Firewall | RED service doesn't respond. |
NC-124551 | Firewall | Firewall rules don't work after upgrade from 18.5.3 to 19.5.3. |
NC-127532 | Firewall | Logviewer shows source IPv6 address in dst_trans_ip field for IPv6 hairpin NAT. |
NC-120434 | Firmware Management | Discrepancy in HA role status. |
NC-125791 | Firmware Management | High SWAP memory issue for a virtual appliance. |
NC-132224 | Firmware Management | Upgrade to 20.0 failed on XGS 87 with Invalid firmware error. |
NC-118929 | HA | msyncd stops tracking events and doesn't start tracking again. |
NC-120730 | HA | HA failover results in missing configurations. |
NC-124105 | HA | Configuration changes show the following error: The Operation will take time to complete. The status can be viewed from the Log viewer page. |
NC-128183 | Hardware | Flexi module port doesn't work on XGS 2100 after the firewall restarts. |
NC-122885 | Import-Export Framework | Unable to export user configuration in 20.0.1. |
NC-124721 | Interface Management | Firewall stops responding and requires a restart. |
NC-133495 | Interface Management | Can't turn off Port1 if the web admin console language is set to German. |
NC-119561 | IPS-DAQ | Inject buffer leak causes traffic outage. |
NC-124957 | IPS-DAQ | FIN and RESET packets leave WAN interface with LAN IP address information. |
NC-125294 | IPS-DAQ-NSE | Firewall drops reset packet in LAN-to-LAN communication when DPI is on. |
NC-130365 | IPS-DAQ-NSE | Slower download speed for TLS-inspected traffic from some servers. |
NC-121370 | IPsec | Memory usage of XG 230 has been increasing since it was upgraded to 19.5.1-Build 278. |
NC-123233 | IPsec | IPsec SA establishment is sporadically interrupted. |
NC-123230 | Wireless | LocalWiFi status isn't correctly reflected on the access points page. |
NC-124464 | IPsec | strongSwan service fails to start after HA failover. |
NC-127177 | IPS Engine | IPS logs aren't generated in Log viewer. |
NC-125251 | IPS Ruleset Management | Count issue related to firewall rules with IPS for read-only administrator profile. |
NC-68574 | Logging Framework | Logs with Central Reporting enabled are sent to unreachable syslog server at 127.0.0.1. |
NC-117777 | Logging Framework | Network traffic report calculation shows different values at different times. |
NC-118327 | Logging Framework | Syslog format Standard Syslog Protocol logs with key log_id as both number and string. |
NC-122033 | Logging Framework | WAN interface graph shows incorrect values for historical data collected five minutes before or after the hour limit. |
NC-123602 | Logging Framework | /conf partition gradually increases in XG 86 and XGS 87. |
NC-123771 | Logging Framework (Central Reporting) | Central Report hub doesn't show the past 24-hour statistics from the firewall because SFOS sends reports to Sophos Central at a low rate. |
NC-124987 | NFP-Firewall | Access to remote network over IPsec VPN stops. Packet capture mitigates the issue. |
NC-125112 | NFP-Firewall | RED tunnel down in 19.5.3. Turning off firewall acceleration resolved the issue. |
NC-128656, NC-128159 | nSXLd, CM | nSXLD times out when the first two DNS servers aren't reachable and the third DNS server is reachable. |
NC-133022 | nSXLd | Fixed the "invalid traveller type" error. |
NC-115843 | PPPoE | Scheduled PPPoE reconnect doesn't work. |
NC-115457 | XGS BSP | Fiber interfaces are taking more time to negotiate in XGS than in XG. |
NC-128072 | PPPoE | Missing PPPoE logs. |
NC-123969 | RED | Primary device automatically restarts and fails over to the auxiliary. |
NC-126941 | RED | For site-to-site RED from XG 106, client doesn't automatically reconnect after the tunnel goes down. |
NC-130949 | RED | Some RED devices went down after firewall firmware was downgraded from 20.0 to 19.5.3. |
NC-122948 | SDWAN Routing | Garner logs are full with SD-WAN route gateway resolution message. |
NC-126363 | SDWAN Routing | A firewall rule isn't matched occasionally. |
NC-127524 | SDWAN Routing | SD-WAN route and default MASQ are applied to system-generated traffic for policy-based IPsec VPN. |
NC-124588, NC-124590 | SecurityHeartbeat, LCD Framework | Certain heartbeat opcodes are always called with the debug details even though csc isn't in debug mode. |
NC-129618 | SecurityHeartbeat | Heartbeat service dead due to malformed MAC address. |
NC-123237 | SSLVPN | Grammar error on the web admin console for route-based VPN connection. |
NC-123723 | SSLVPN | XG 86w doesn't reconnect SSL VPNs after a restart. |
NC-124647 | SSLVPN | Unable to connect to SSL VPN after firmware was upgraded to 19.5.3. |
NC-128468 | SSLVPN | Unable to generate the .ovpn file because of missing server_dn in tblsslvpnglobalconf when custom certificate is used. |
NC-128469 | SSLVPN | Some AD users are unable to download the SSL VPN configuration file from the user portal. |
NC-130692 | SSLVPN | Special characters are replaced with encoded values. |
NC-130938 | SSLVPN | More certificates in .ovpn file than before upgrade. |
NC-131180 | SSLVPN | SSL VPN remote access resources become inaccessible. |
NC-118599 | Static Routing | Static route configuration must prevent configuration of the interface IP address as gateway IP address. |
NC-120986 | Static Routing | When HA is disabled, the previous auxiliary isn't able to update its firmware because of Zebra CLI backend routes. |
NC-119425 | Synchronized App Control | Garner log filled with "usercache_output: cannot resolve appcatid 0". |
NC-119289 | Wireless | Hotspot voucher shows SSID WLAN password after removing SSID encryption from wireless network settings. |
NC-79314 | UI Framework | UX issue on SD-WAN profiles. |
NC-118925 | UI Framework | Failed to restore backup if the backup file name has & in the prefix. |
NC-118913 | Wireless | AP firmware isn't automatically updated after AP pattern update. |
NC-123712 | UI Framework | Web admin console stops responding. |
NC-124188 | UI Framework | Fixed HTTP Host Header Injection in the user portal. |
NC-124909 | VFP-Firewall | Firewall automatically restarted. |
NC-124519 | WAF | Form-based authentication doesn't work after upgrade from 19.5.2 to 19.5.3. |
NC-125102 | WAF | WAF outage several times a day due to a coredump. |
NC-130528 | WAF | Missing WAF parameters in XML API. |
NC-130684 | WAF | Unable to update WAF rule after updating the certificate. |
NC-130710 | WAF | Can't upgrade to 20.0 if a rule template exists with the same name as a new template name. |
NC-81555 | Web | Removing all domains or keywords from a custom category doesn't work. |
NC-124040 | Web | Unable to get proper "Web activity category" report under "Blocked Web attempts". |
NC-125115 | Web | awarrenhttp doesn't start if nasm isn't running. |
NC-127260 | Web | Continuous coredumps are generated. |
NC-128631 | Web | Network outage when downloading files with .hpi extension. |
NC-128520 | Wireless | Unable to restore backup from XG 135w to XGS 2100. |
NC-131591 | Web | awarrenhttp must reconnect to nSXLD after a time-out. |
NC-118893 | WebInSnort | WebInSnort logs RSA key size 3072 as key_param="RSA unknown type" in Log viewer. |
Issue ID | Component | Description |
---|---|---|
NC-125331 | Authentication | Azure AD SSO captive portal authentication is stuck when the web proxy listening port isn't 3128. |
NC-125589 | DHCP, DHCP PD | On-link and autonomous settings are turned off in automatically created RA server for delegated interface. |
NC-125595 | DHCP, DHCP PD | Incorrect error message when creating downstream interface with invalid subnet ID. |
NC-124414 | Email | SPX password exposure in plain text (CVE-2023-5552). |
NC-125369 | Email | Exim libspf2 vulnerability (CVE-2023-42118). |
NC-125221 | RED | RED doesn't establish site-to-site tunnels when RED server enforces TLS 1.2. |
NC-119334 | Backup-Restore | The backup download button is unresponsive. |
NC-118460 | Dynamic Routing (PIM) | Clicking PIM-SM interface table shows the error "Unable to read routing information". |
NC-116220 | Email | Awarrensmtp was in failed status, and inbound email wasn't delivered, but a non-delivery report wasn't sent to senders. |
NC-117638 | Email | Emails are quarantined even if the sender address is added in exception. |
NC-124102 | Email | Unable to turn off legacy TLS protocols. |
NC-107708 | Firewall | Firewall restarts automatically (RIP 0010muser_match+0x747). |
NC-120016 | Firewall | Local ACL doesn't work when the name contains the backslash character. |
NC-113034 | Hardware | Lost device access to XGS appliances, and logs aren't available. |
NC-116002 | IPsec, SDWAN Routing | Branch office users unable to receive an email, mail is slow, IPsec traffic is slow. |
NC-122180 | Licensing | Unable to access web admin console due to license synchronization issue. |
NC-122699 | nSXLd | Adding a trailing period at the end of the domain bypasses web policies. |
NC-122511 | RED | Vulnerability detected on port 3400. |
NC-119192 | VFP-Firewall | Slow speed using Virtio NICs. |
NC-119052 | WAF | WAF protection policy's display issue on the web admin console. |
NC-121432 | WAF | The /tmp directory doesn't remove files and runs out of space, causing AV scan failure. |
NC-121415 | Web | AVD stops responding after a pattern update because a thread isn't released. |
NC-119829 | WWAN | Verizon Mifi 4G USB modem (U620L) doesn't work after an upgrade to 19.5 MR2. |
NC-114104 | AppFilter Policy | Application filter policy set to block all applications loses risk criteria when the template is pushed from Sophos Central. |
NC-107481 | Authentication | Log viewer doesn't show the source IP address for authenticated SSL VPN users. |
NC-110927 | Authentication | Missing logs for MFA enable-disable events. |
NC-113532 | Authentication | Can't remove authorizers from the data anonymization setting. |
NC-114057 | Authentication | Match known users option in firewall rule drops traffic because user identity isn't being marked. |
NC-114950 | Authentication | View usage doesn't work when the username has a single quote, and web admin console stops responding. |
NC-116602 | Authentication | Log viewer doesn't show the source IP address when authentication fails for SSL VPN Users. |
NC-116880 | Authentication | When two-factor authentication is on, SSH keys disappear if they're added by an administrator other than the default admin. |
NC-116881 | Authentication | Uploading a certificate when the admin signs in through Azure AD SSO results in a sign-out. |
NC-119049 | Authentication | access_server stops responding due to missing nsgencode multi-thread support. |
NC-119183 | Authentication | Transaction failure for eDirectory authentication server. |
NC-119560 | Authentication | Mandatory firmware update through the setup assistant causes the initial setup to start repeatedly. |
NC-94533 | Certificates | Attribute challenge password prevents the issue of a certificate with No-IP. |
NC-119825 | Certificates | Unable to download the default certificate from Web > General Settings. Results in a sign-out when admin clicks the download button. |
NC-102256 | Clientless Access | VNCFreeRDP stops responding. |
NC-108378 | Clientless Access | Clientless access doesn't work if name contains an umlaut character. |
NC-114627 | Clientless Access | Unable to connect to RDP over clientless SSL VPN if the username contains a space. |
NC-115982 | CM | Alert appears in Sophos Central. "Firewall has not checked in with Sophos Central for the past 5 minutes". |
NC-116312 | CM | Garner thread stuck in Central Management plugin. |
NC-118749 | CM | Specific API call doesn't work. |
NC-119198 | CM | Unable to change the password for admin accounts from Sophos Central Firewall Management. |
NC-120519 | CM | Disable Central Management doesn't work per the firewall's API document. |
NC-108562 | Core Utils | Public key authentication for admin can't be managed through Sophos Central. |
NC-117314 | Core Utils | SWAP memory usage full. |
NC-107388 | DDNS | DDNS logs appear every five minutes. |
NC-111790 | DHCP | Unable to configure or edit interfaces. |
NC-113102 | DHCP | Unable to add static MAC entry for specific DHCP pool. |
NC-109623 | Dynamic Routing (BGP) | BGP-FRR doesn't advertise the configured networks if they aren't available in RIB. |
NC-115369 | Dynamic Routing (OSPF) | OSPF repeatedly flaps when running continuous scan with ICMP echo. |
NC-112492 | Dynamic Routing (PIM) | PIMD service doesn't respond. |
NC-107283 | Email | Awarrensmtp service doesn't respond. |
NC-108237 | Email | Spam emails are allowed with the error "spam scanning failed, unable to connect local antispam". |
NC-108450 | Email | Inbound forwarded emails with attachments aren't delivered because of malware scan failure. |
NC-109625 | Email | Inbound emails from specific domains are quarantined because of DKIM verification failure. |
NC-110897 | Email | Error logs when using Sophos as AV in web server protection policy. |
NC-111023 | Email | Legacy email mode stops responding frequently. |
NC-112128 | Email | Release link settings can't be saved in quarantine digest. |
NC-113038 | Email | Mail communication stopped working after upgrading to 19.5 GA. |
NC-113458 | Email | MIME type recognition issues when Zero-day protection is turned on. |
NC-113547 | Email | Invalid IP address causes error for notification mails. |
NC-116845 | Email | Fix occasional UT error in mailpoller. |
NC-116899 | Email | Attachment is allowed even if it's blocked in extension or MIME header. |
NC-117881 | Email | Antispam service stops responding. |
NC-120138 | Email | EmailUtility is_valid_messageid is too strict. |
NC-101846 | Firewall | Connections fail due to a high number of WWW connections in the FIN_WAIT state. |
NC-108536 | Firewall | Firewall rules stopped working after backup-restore due to failure of XML API through which the firewall rules were created. |
NC-109201 | Firewall | Device goes into Failsafe mode after upgrade. Unable to apply firewall framework. |
NC-112136 | Firewall | RED connection interrupted when firewall acceleration is turned on in XG 310. |
NC-116527 | Firewall | Entities.xml shows a firewall rule that doesn't appear on the web admin console. |
NC-116890 | Firewall | NAT rule doesn't get marked after the firewall restarts. |
NC-116939 | Firewall | Pktcapd bpf filter causing device restart (___bpf_prog_run). |
NC-117063 | Firewall | Allowed child connection is logged as dropped. |
NC-118204 | Firewall, SDWAN Routing | Static multicast packet changes reply destination when SD-WAN policy is applied. |
NC-85114 | Firmware Management | kworker process continuously uses high CPU on XG 450. |
NC-109689 | FQDN | Adding a new FQDN host causes the resolver to restart or stop responding and causes DNS resolution failure during the time. |
NC-111423 | FQDN | FQDN resolving with low TTL (2-5 seconds) is creating an issue with wildcard FQDN host. |
NC-111476 | FQDN | Subdomain learning doesn't work for non-SFOS DNS server set for the client. |
NC-117675 | Gateway Management | WWAN gateway update flow updates incorrect monitorid when wwan-gwid isn't the same as its monitorid. |
NC-109626 | HA | Standalone device restarts. Too many open files. |
NC-106738 | Hotspot | Sort functionality doesn't work properly for hotspot vouchers in the user portal. |
NC-119525 | Hotspot | Valid until time on hotspot sign-in uses UTC instead of local system time. |
NC-120118 | Hotspot | Missing information in hotspot voucher created for users. |
NC-116314 | Interface Management | Unable to delete or make changes to bridge interface. |
NC-98796 | IPS-DAQ | Coredump during DAQ shutdown due to incorrect order of thread stop. |
NC-107329 | IPS-DAQ | Snort shows high CPU usage, resulting in low bandwidth. |
NC-114872 | IPS-DAQ | Certificate-based authentication failing for server with small RX win. |
NC-115019 | IPS-DAQ-NSE | Firewall locks up. Snort core generated. |
NC-119321 | IPS-DAQ-NSE | Slow download speed with SSL/TLS inspection turned on along with malware scanning even if TLS isn't being decrypted. |
NC-107042 | IPsec | IPsec VPN path MTU-related connection issues with IPsec acceleration. |
NC-119047 | IPsec | SSL/TLS inspection doesn't work for VPN users. |
NC-119898 | IPsec | XFRM tunnel remains disabled when both site-to-site and route-based VPNs are up simultaneously on the same local-remote gateway pair. |
NC-114411 | IPS Engine | IPS policy behavior issue in Sophos Central. |
NC-116448 | L2TP | A checkbox isn't visible on the first line for L2TP members. |
NC-112138 | Licensing | Licenses not synchronizing. |
NC-107504 | Logging Framework | Unable to update the pattern file at AirGap sites. |
NC-107975 | Logging Framework | Logging stops on device. Database disk image is malformed. |
NC-110678 | Logging Framework | Live logs aren't being generated in log viewer. |
NC-113004 | Logging Framework | Garner stops responding at init_cache_tree during sync cache. |
NC-114652 | Logging Framework (Central Reporting) | After 7200 files, sending files to Sophos Central stops with error on gzclose. |
NC-108003 | NFP-Firewall | Memory utilization increases until firewall stops responding. |
NC-100418 | nSXLd | Internet down with error "nSXLd Connection timeout while connecting to SXL server". |
NC-115360 | nSXLd | Deleted policy from Sophos Central continues to appear in the firewall. |
NC-117753 | PPPoE | Internet through PPPoE doesn't work after HA failover. |
NC-112058 | RED | Some reports for RED tunnel on XG Firewall don't load. |
NC-112117 | RED | Editing a RED configuration in XG Firewall caused the firewall to become unresponsive. |
NC-112621 | RED | Unable to edit some RED interfaces. |
NC-113005 | RED | RED tunnels restart suddenly. |
NC-117243 | RED | Disable DHE cipher support for RED. |
NC-117786 | Reporting | Security Audit Report score data in email differs from what's shown in the firewall. |
NC-111110 | SDWAN Routing | Import-export doesn't reflect changes in SD-WAN profiles. |
NC-112722 | SDWAN Routing | garner.log is flooded with continuous logs for cache failures. |
NC-114075 | SDWAN Routing | Connectivity issue when using route-based VPN with SD-WAN Routes or profiles. |
NC-107178 | SecurityHeartbeat | Improve license enforcement message for Synchronized Security. |
NC-116531 | SecurityHeartbeat | Can't access resources for some time when Security Heartbeat is configured. |
NC-117680 | SecurityHeartbeat | Ipset hb_green entry removed without cause. |
NC-111441 | SSLVPN | Remote access SSL VPN doesn't work after upgrade. |
NC-112065 | SSLVPN | When Azure AD is used as the authentication type, the Authentication > Services page doesn't finish loading. |
NC-112211 | SSLVPN | /conf/certificate/openvpn directory is missing. |
NC-114163 | SSLVPN | Connections from LAN to static SSL VPN IP address are routed through WAN on XGS. |
NC-117669 | Firewall | "Invalid TCP state" logs in HA appliances for traffic coming from the auxiliary device. |
NC-120190 | SSLVPN | Site-to-site SSL VPN connections fail due to the absence of serveruser.conf file. |
NC-112370 | Gateway Management | Error while updating failover rules in WAN link manager. |
To see the known issues for the firewall, go to the Known issues list.
Set Choose your product to Sophos Firewall. Alternatively, enter a search term.
Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:
20.0 MR1 and later versions won't support the following legacy RED devices: RED 15, 15w, and 50. They have been declared end-of-life in 2023. For more details, see the article Sophos RED: End-of-life of RED 15/15(w) and RED 50.
We strongly recommend that you migrate only to the approved versions in the following table. If you try to migrate to other versions, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.
See how to upgrade.
Upgrade from | Upgrade to 20.0 MR3 Build 427 | Upgrade to 20.0 MR2 Build 378 | Upgrade to 20.0 MR1 Build 342 | Upgrade to 20.0 GA Build 222 |
---|---|---|---|---|
20.0 MR2 Build 378 | ||||
20.0 MR1 Build 342 | ||||
20.0 GA Build 222 | ||||
19.5 MR4 Build 718 | ||||
19.5 MR3 Build 652 | ||||
19.5 MR2 Build 624 | ||||
19.5 MR1 Build 278 | ||||
19.5 GA Build 197 | ||||
All 19.0 versions | ||||
All 18.5 versions | ||||
Indicates the same version or an earlier version. The table only shows upgrade information.
* You can restore backups with or without FIPS turned on to a compatible Sophos Firewall version. For details, read Federal Information Processing Standard 140-3 (FIPS 140-3).
Sophos Central: You can schedule firmware upgrades from Sophos Central.
Previously restored Cyberoam backup: If your appliance uses a configuration previously restored from a Cyberoam backup, the firewall allows you to upgrade to version 20.0.x only if you've regenerated the appliance certificate at least once on SFOS. (The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5). SFOS 20.0.x doesn't support appliance certificates with this algorithm.)
Static route configurations through Zebra advanced shell: We introduced a new routing engine, which enables the firewall to monitor the interface link status and network configuration. This is a change from the earlier behavior. If you're upgrading or restoring the backup from 19.0.x and earlier versions, static routes configured through the Zebra advanced shell CLI commands won't migrate to 19.5.x and later versions. So, in some cases, the firewall won't allow you to upgrade to SFOS 20.0.x. For details, see the knowledge base article Upgrade to 19.5 GA blocked for specific routing configurations.
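Before upgrading an appliance whose configuration was restored from a Cyberoam backup, a quick way to confirm whether the current appliance certificate still carries an MD5 signature is to export it and inspect the signatureAlgorithm field. The following is an added example and not Sophos code: it walks the certificate's outer ASN.1 structure in pure Python (no third-party libraries), and the two sample certificates it checks are constructed inline with dummy bodies, so they are not real certificates. The export path and file format on your firewall are assumptions; point the script at whatever PEM or DER file you exported.

```python
"""Check the signature algorithm of an exported appliance certificate.

Added example, not Sophos code: SFOS 20.0.x rejects appliance certificates
signed with MD5 (md5WithRSAEncryption, as generated on Cyberoam devices).
This walks the outer X.509 ASN.1 structure in pure Python.
"""
import base64
import re

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MD5_OIDS = {"1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def _pem_to_der(text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(cert):
    """Return the dotted OID of the outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Only the second element is needed, so tbsCertificate is skipped wholesale.
    """
    der = _pem_to_der(cert.decode("ascii")) if cert.startswith(b"-----") else cert
    tag, pos, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos = _read_tlv(der, pos)        # tbsCertificate: jump to its end
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)        # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)    # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[start:end])


def check_certificate(cert):
    """Return (algorithm name, True if MD5-signed and so blocked by the 20.0.x upgrade)."""
    oid = signature_algorithm(cert)
    return SIGNATURE_OIDS.get(oid, oid), oid in MD5_OIDS


# --- constructed sample input (dummy bodies, not real certificates) ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid):
    """Minimal Certificate SEQUENCE: placeholder tbsCertificate, given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # dummy body
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(16))                              # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


SAMPLE_MD5_DER = sample_certificate("1.2.840.113549.1.1.4")
SAMPLE_SHA256_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(sample_certificate("1.2.840.113549.1.1.11"))
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, cert in (("Cyberoam-era cert", SAMPLE_MD5_DER), ("regenerated cert", SAMPLE_SHA256_PEM)):
        name, blocked = check_certificate(cert)
        print(f"{label}: {name} -> {'regenerate before upgrading' if blocked else 'ok'}")
```

Run it against the exported file with `check_certificate(open(path, "rb").read())`; a result of md5WithRSAEncryption means the appliance certificate must be regenerated on SFOS before the firewall will allow the 20.0.x upgrade.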
You can restore backups to firewall models with fewer ports.
Sophos Firewall OS versions 20.0.x are available on all form factors as follows:
20.0.x versions support the following firmware versions:
RED firmware is supported as follows:
You can find technical support for Sophos products in the following ways:
Copyright © Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.