Sophos Known Issues list

Central - Platform

Generated on: 03 Dec 2024 - 08:00:02 UTC
Last modified on: 28 Nov 2024 - 19:01:20 UTC

Key | Affected versions | Fix versions | Summary | Description | Workaround
CPLAT-59640
      CDB: Alert Description Missing for Non-Super Admin Users

      The "Alert Description" field is not visible to any user roles except for the Super Admin. This issue prevents non-Super Admin users from accessing alert details.

      As we work towards resolving the current issue, we kindly request that you use the Super Admin role to see the Description of the Alert.

      CPLAT-59445
      • CPG 2024.48
        After Nov 18th 2024: Total Detection Count widget: "Something went wrong. We'll get it fixed as soon as we can. Please try again in a few minutes by refreshing the page"

        After November 18th some customers may see the following error specifically on the "Total Detection Count" widget:
        "Something went wrong. We'll get it fixed as soon as we can. Please try again in a few minutes by refreshing the page."

        • This is due to a one-time update for this widget, which can be seen if a customer had previously changed the default view settings prior to this update.

        • Following an update on the 18th, the cached preference will fail to load the widget correctly the first time before the preference is updated.

        In this scenario, refreshing the page will not resolve the issue. To resolve the issue, just re-select the drop-down menu within the widget that currently shows blank > Then select the same option, ‘Mitre Tactics’. This will now refresh the preference and resolve the issue with the widget not correctly loading.

        In this scenario, refreshing the page will not resolve the issue. To resolve the issue, just re-select the drop-down menu within the widget that currently says ‘Mitre Tactics’ > Then select the same option, ‘Mitre Tactics’. This will now refresh the preference and resolve the issue with the widget not correctly loading.

        CPLAT-51647
            My Sophos API related integration stopped working and/or I cannot find the API credential used.

            If the API credential previously used is no longer present within Settings > API Credentials Management; and there is nothing in the Audit log showing it was removed, then the credential has aged out.

            Sophos Central API credentials have defined lifetimes during which they may be used to authenticate to Sophos APIs for data collection and alerting. By design, when an API credential expires it will no longer be allowed to authenticate to Sophos APIs. Creating new API credentials to replace the prior credentials will quickly resolve any access interruption from expired API credentials.


            The creation, last used, and expiration dates for unexpired API credentials can be reviewed in Sophos Central's API Credentials Management page. Since expired API credentials are unusable any references to them are automatically removed from the Sophos Central console by design.

            CPUI-11655
                Central Dashboard: Selecting the Sophos Logo redirects to the MDR dashboard when licensed for MDR

                Sophos is aware of an unexpected redirection behavior when a customer is licensed for MDR.

                • Selecting the Sophos logo in the top left corner of the Central Dashboard will send you to the MDR dashboard.

                • Selecting the logo should return the administrator to the main Central Dashboard.

                To go back to the main Central Dashboard, select the 'Dashboards' drop-down next to the Sophos logo, and choose 'Central Overview' (or the name of the custom dashboard you wish to view).

                CPUI-11648
                • CPG 2024.45
                  UI Issue: "Automatically disable policy at a specific time" displays as 'Nov. 2025' only at browser zoom levels of 100%+

                  There is a UI issue where the date display for the "Automatically disable policy at a specific time" feature only shows "Nov. 2025" when the browser zoom level is set to 100% or higher. This prevents users from selecting other months or dates.

                  This issue occurs in Sophos Central when viewing the Server Protection policy. It affects the date selection functionality in the Policy Expires section.

                  • The date/month box should display all months and years (e.g., "2024, 2025") regardless of the browser zoom level.

                  • The functionality should work correctly at zoom levels of 100% and higher.

                  • The arrows for navigating between months should be visible and functional.

                  As we work towards resolving the current issue, we kindly request that you set the browser zoom level to 90% or lower.

                  CPLAT-59370
                  • CPG 2024.39
                    Exported PDF report from a custom dashboard displays the Custom logo too large which blocks some of the report data.

                    There is a known behavior where previously uploaded custom logos may display larger than needed after exporting a Custom Dashboard report. The logo in the top right of the PDF report will block some of the data. This is due to the original upload size being larger than the currently allowed logo size.

                    The logo will need to be re-uploaded to the current specification/requirements (which are smaller than they were originally):

                    • Image width: Between 50px and 80px

                    • Image height: Between 40px and 70px (48px recommended)

                    • Acceptable formats: .JPEG, .PNG, .GIF, .JPG

                    • Max file size: 100K

                    To resolve this issue, the logo will need to be reuploaded at a smaller size that fits within the current size limits above.

                    CPLAT-59328
                        Partner Dashboard: Unable to access the ConnectWise PSA page - seeing a 'Get Started' button instead of the 'Manage Configuration' button

                        Sophos is aware of an issue where a partner may not be able to access their previously configured ConnectWise PSA section within the Partner Dashboard.

                        Issue: The ‘Manage Configuration’ button shows ‘Get Started’. Selecting this opens an empty configuration window instead of the already configured PSA page.

                        This is a UI/URL redirect issue. The original PSA configuration is still in place and running, and can be accessed using the direct URL: https://cloud.sophos.com/manage/partner/integrations/connectwisePsa

                        To access the ConnectWise PSA page in the interim of this being resolved, paste the direct URL into your browser after you are logged into the Partner Dashboard: https://cloud.sophos.com/manage/partner/integrations/connectwisePsa

                        CPLAT-59329
                        • CPG 2024.42
                          Partner Dashboard: unexpected Audit log entries for 'Setup PSA Mapping'

                          Some Partners may see unexpected entries in their Audit log for 'Setup PSA Mapping'.

                          These are incorrectly added when a Partner Dashboard administrator has the ConnectWise PSA page open.

                          In the interim of this being resolved, these entries can be ignored.

                          CPERF-9262
                          • CPG 2024.39
                            API: Partner Service principal roles are not able to access a customer's /switch/v1/tasks or /wifi/v1/tasks API calls

                            Sophos is aware of an issue where a Partner's API service principal roles do not have the permissions needed to access their customers' Wifi or Switch API calls.

                            This will currently return a 403 error ‘BadServerResponse’.

                            There are no workarounds for this in the interim of this being resolved.

                            CPLAT-57559
                                Partner Dashboard: the "Delete Scheduled Unlink" button does not show in Marketplace Partner Dashboards

                                There is a known issue where Sophos Marketplace-specific Partners will not see the "Delete Scheduled Unlink" button on their customers' page within the Partner Dashboard.

                                The "Delete Scheduled Unlink" function is used when a partner wants to cancel a previously scheduled unlink request.

                                If a Marketplace partner needs to cancel a previously scheduled unlink, please request this within a new Technical Support case. Please include in your request to Sophos: 1. the UUID for your Partner Dashboard, 2. the UUID of the customer you want to cancel the scheduled unlink for, and 3. this Known Issue ID (CPLAT-57559).

                                CPLAT-58626
                                    Autotask PSA integration: Error "Cannot insert duplicate key row in object 'dbo.activity_entity' with unique index 'AK_activity_entity_contract_id'"

                                    Partner Administrators may see the following error displayed in the “Usage Sync Status” column on the Sophos Autotask PSA page:

                                    • Partner Dashboard > Settings & Policies > PSA Integration > Autotask Manage Settings > Usage Sync Status column

                                    • "errorMessage": "Cannot insert duplicate key row in object 'dbo.activity_entity' with unique index 'AK_activity_entity_contract_id'. The duplicate key value is (………)."

                                    This is an audit message Sophos receives from Autotask that is displayed. The usage syncing is successful, though only this message will remain.

                                    Currently, this message cannot be cleared or hidden in the Sophos UI (this may change in the future). This error can be ignored.

                                    CPLAT-57201
                                        Sophos Automate or Kaseya VSA plugins: repeated 403 errors recorded with each sync due to unmanaged or trial-based customers.

                                        There is a known error/behavior that will be triggered with each Sophos Automate plugin (or Sophos Kaseya VSA plugin) sync for any partner customers that are either:

                                        1. Unmanaged

                                        2. Trial licensed

                                        Errors will be seen in the plugin logs:

                                        • “Failed API request for …. status code: 403 ….”

                                        • “Failed to retrieve Alert(s) for …. status code: 403 ….”

                                        • “Failed to retrieve Computers(s) for …. status code: 403 ….”

                                        • “Warning occurred while syncing tenant/endpoint”

                                        Specific to Automate Plugin: the Computers and Alert sections may show the orange warning message “Sync completed with some warnings”

                                        Note: This is the same known issue/behavior that can also be seen in a Customer's or Partner's Audit logs (see Known Issue item CPLAT-48961 below).

                                        In the interim of any future Sophos Automate or Kaseya VSA plugin updates that may address this, these errors/entries are expected and can be ignored.

                                        CPLAT-48961
                                            Central Dashboard Audit Logs: repeated "Access Denied" entries referencing 'alerts:read' and 'endpoint-state:read'

                                            Customers (Central Dashboard and Enterprise Dashboard), as well as Partners (Partner Dashboard), could see excessive numbers of Audit log entries that reference both 'alerts:read' and 'endpoint-state:read'.

                                            What are these audit log entries?

                                            Why do I see this in my Audit Log?

                                            • The RMM Sophos software plug-in is polling all of the Partner's Customers. This currently includes any of the Partners customers who are either not managed by the Partner or are currently Trial/Evaluation customers.

                                            • Our APIs handle the rejection of non-managed tenants by understanding the permissions embedded in the API token, and returning a 403 when the credential does not have permission for that tenant. This in turn results in an Audit log entry for access denied being logged in both the Central Dashboard and the corresponding Partner and/or Enterprise Dashboards.

                                            Can these entries be prevented?

                                            • If the entries are once every 20 to 30 minutes, this is currently expected until there are further improvements made within Sophos plugins.

                                            • If the polling happens once every 6 minutes, it is possible to have this reduced to every 20 minutes.

                                              • The Partner is expected to be using an older version of the RMM plugin software (Automate), which predates an update that reduces this.

                                              • When the Partner updates this plugin, the polling will be reduced to an average of once every 20 minutes.

                                            How can I tell if this is related or something different?

                                            • It will match this known issue when:

                                              • Your Central Dashboard is not managed by your partner, or you currently have an evaluation/trial license.

                                              • The IP address in the audit log entry will be the source of the script (linked to your Partner)

                                              • The ‘ClientID’ # will be an API ID used by your Partner.

                                            • If there are any questions or concerns about these entries, please contact Sophos Technical Support for help or clarification on what is being logged. Please reference this Known Issue entry.

                                            If there are any questions or concerns about these entries, please contact Sophos Technical Support for help or clarification on what is being logged. Please reference this Known Issue entry. Note that in the interim of any future Sophos Automate or Kaseya VSA plugin updates that may address this, these errors/entries are expected and can be ignored.

                                            CPLAT-55906
                                                Partner Dashboard - PSA Ticketing integration: Duplicate tickets are sometimes seen being created for the same endpoint detection event

                                                There is a known behavior where a Partner utilizing our PSA ticketing may see duplicate tickets getting created for an Endpoint detection event.

                                                • You will also see what appears to be duplicate alerts created in both the Partner Dashboard and Central Dashboard.

                                                • This can be seen when there are multiple detections of the same kind but happen to be in different locations within an archive file.

                                                • While these are different detections (within the archive), when viewed in Central, they appear to be only from the same archive file. This makes it appear as if they are duplicates when, in fact, they are separate detections.

                                                For example, if you have 10 copies of psexec in 10 different locations within a single archive file, and you are scanning for PUAs, the endpoint will detect each of the 10 separate PUA locations and trigger 10 separate detection alerts that will also be seen in your Partner Dashboard and PSA Ticketing integration.

                                                How to handle the multiple tickets will depend on how an organization will address this scenario. If the single archive file will be removed or addressed, then only one of the tickets needs to be open. If the archive file needs to remain, then each one of the individual paths (and alerts/tickets created) will be valid until they are resolved.

                                                CPLAT-55393
                                                • CPG 2024.15
                                                  Enterprise Dashboard: Any custom dashboards created, edited, or deleted by an Enterprise Administrator will be reflected in all subestates.

                                                  It is expected behavior that when an Enterprise Administrator creates, edits, or deletes a Custom Dashboard within one Subestate, it will also be created, updated, or deleted for all Subestates in the Enterprise environment.

                                                  If an administrator would like a custom dashboard that is only shown in one subestate, this can be done by a local administrator for the Central account.

                                                  CSA-11622
                                                  • CPG 2022.18
                                                    Central Dashboard: Custom firewall reports are only able to be sent to local Central Administrators (not Partner or Enterprise administrators)

                                                    If a Partner or Enterprise Administrator attempts to add non-local administrators to firewall reports (Firewall Management > Report Generator > (add or edit any report) > Available Recipients section).

                                                    If you add any Partner or Enterprise Dashboard administrators, these will not receive the report via email. Additionally, when you reopen the report, these administrator names added will show as UUIDs.

                                                    There is no workaround to this issue. Currently, only local administrators can be used for Firewall report delivery at the Central Dashboard level.

                                                    CPLAT-39841
                                                    • CPG 2022.09
                                                      Central Dashboard Audit log - "anonymous failed authentication" entry is due to an expected API Service Principal JWT renewal error.

                                                      When using API credentials (Service Principals), certain JWT token refresh errors can be logged in the Central Dashboard's Audit log as 'anonymous:' and 'failed authentication' with the IP of the source (e.g. siem.py script, ADsync utility, etc.). This is an expected logging event that can occur during normal operation, and it does not require any follow-up action.

                                                      These entries can be ignored. See https://support.sophos.com/support/s/article/KB-000043845 for more information.

                                                      CPERF-8317
                                                          Entra AD directory sync: It is not possible to both sync AD users with the userType attribute 'Guest', and also prevent those users from having an associated Central Email mailbox (if licensed for Central Email)

                                                          When a customer has a Central Email license, any Entra Directory Sync user object that has an email address will have a mailbox created. A customer may want Guest users to be synced (for ZTNA) but not want them to have a mailbox created.

                                                          It is not possible to do this (prevent the Guest userType from having a Central Email mailbox if they are synced into Central and are licensed for Central Email).

                                                          Administrators can configure their Sophos Central Entra Directory services sync to filter out/exclude syncing Guest users.

                                                          Preventing a Guest userType from creating a mailbox in this scenario requires preventing them from being synced into your Central Dashboard. To do this, configure your Sophos Central Entra Directory services sync to filter out/exclude syncing Guest users.

                                                          CPLAT-41524
                                                          • CPG 2022.21
                                                            Partner Dashboard: Sophos Customers page - A Cloud Optix trial icon may incorrectly show next to some Customers.

                                                            The Partner Dashboard ‘Sophos Customers’ page may incorrectly show an empty Optix trial icon for one or more customers. The customers' dashboard does not have an Optix trial enabled.

                                                            In the interim of this being removed, the icon should be ignored.

                                                            CPLAT-51642
                                                            • CPG 2023.37
                                                              Central Dashboard: The 'Reset MFA' option will not be able to be selected if the account in question has not set up their MFA.

                                                              This is expected behavior when the user/admin in question does not have any configured MFA settings. This can be because the MFA reset option has already been selected, or because this user/admin has not yet logged in for the first time to configure their login.

                                                              The Central Admin user in question will already be prompted to set up their MFA when they next log into Central.

                                                              CPLAT-48387
                                                                  Some regions may see unreliable reception of SMS security codes for Sophos multi-factor authentication

                                                                  The regulatory authorities in certain countries have specific SMS requirements, which may result in some customers not receiving SMS or receiving them as potential spam when signing in.

                                                                  List of countries with special SMS requirements:

                                                                  • Belarus

                                                                  • Egypt

                                                                  • Jordan

                                                                  • Kuwait

                                                                  • Philippines

                                                                  • Qatar

                                                                  • Russia

                                                                  • Saudi Arabia

                                                                  • Sri Lanka

                                                                  • Thailand

                                                                  • Turkey

                                                                  • United Arab Emirates (UAE)

                                                                  • Vietnam

                                                                  You may use the Multi-factor Authentication's authenticator app or the email and pin method to complete the sign-in process in any scenario where the SMS code is not being received.

                                                                  CSA-9819
                                                                  • CPG 2019.45
                                                                    Central Dashboard: Event report (both the UI and Exporting) results may contain extra events depending on Timezone in use.

                                                                    When using custom date ranges within an Event report, the returned results may incorrectly include events that go beyond the expected Timezone offset. 

                                                                    Additional information can be found in our knowledge base article https://support.sophos.com/support/s/article/KB-000036898

                                                                    CPLAT-50471
                                                                        Unable to enable Enterprise Dashboard (EDB) option due to the Central Dashboard being unlinked from a different EDB.

                                                                        When a subestate is unlinked from an Enterprise Dashboard (EDB) it will be removed from EDB, but locally (under the Account Preferences section) - the top ‘Enterprise Management’ section will show it is part of the EDB it was unlinked from, with directions to contact the EDB administrator. (the EDB administrator is not able to resolve this)

                                                                        This will prevent this Central Dashboard from being able to enable EDB from this account in this state.

                                                                        In the interim of this being resolved, contact the Sophos Customer Care Support team and request that a new ‘Customer’ account be applied to your Central account. This will fully remove the previous EDB connection and allow you to enable EDB in this Central Dashboard if needed.

                                                                        CPLAT-49121
                                                                            Central Federation login: "Failed to change IDP status" or "Expected 200 OK, got: 403 Forbidden" errors

                                                                            Possible errors seen:

                                                                            • (ADFS) "Failed to change IDP status" error when attempting to add a new Identity Provider configuration.

                                                                            • (Okta) When attempting to log in via SSO, you receive an "Expected 200 OK, got: 403 Forbidden" error.

                                                                            One common reason for these errors is the customer's local IDP server being behind a firewall with regional restrictions that is preventing communication with Auth0 services hosted in Europe.

                                                                            Sophos Federation login utilizes Auth0 as a third-party proxy service for integration with different IDP providers. This requires the customer's on-premise IDP server to be able to communicate with Auth0’s servers. Please whitelist the IP addresses from the Europe region: https://auth0.com/docs/secure/security-guidance/data-security/allowlist

                                                                            CPLAT-36758
                                                                            • 2017.32
                                                                              Central Admin: 'Logs and Reports' date behaviour is based off of UTC backend and not customer/dashboard timezone

                                                                              When viewing or exporting events based on dates from the 'Logs & Reports' section of Sophos Central Admin, the resulting events will be shown based on a 24-hour UTC day instead of a 24-hour period within the time zone of the user.

                                                                              This is currently expected behavior, though there are plans to have this changed in the future to better match the time zone of the user generating the report.

                                                                              Additional information can be found in KBA: https://support.sophos.com/support/s/article/KB-000036898

                                                                              CPLAT-44954
                                                                              • CPG 2022.27
                                                                                Sophos Kaseya plugin reports 'Invalid credentials supplied' with valid API credentials

                                                                                If the API credentials used are active and confirmed valid (this can be tested using Postman or curl to do a basic whoami and tenant list query outside of Kaseya) and this error continues to be triggered, please ensure that the following is open (without any regional restrictions) from your VSA server:

                                                                                • Open traffic to and from kaseya.int100fra.ctr.sophos.com

                                                                                • Ensure the following IP addresses are whitelisted: 18.159.54.20, 3.123.181.234, 52.59.169.88

                                                                                Documented in https://community.sophos.com/sophos-integrations/w/integrations/105/sophos-integration-with-kaseya-vsa

                                                                                CPLAT-36682
                                                                                • CPG 2020.14
                                                                                  CDB/EDB - Internet Explorer performance with Central Dashboards is slower

                                                                                  When using Internet Explorer, please note that you may experience longer than normal page load times working in Sophos Enterprise and/or Sophos Central dashboards.

                                                                                  We expect to address this in the future. In the interim, please use Chrome or Firefox to manage Sophos Dashboards.

                                                                                  CSA-10514
                                                                                      Central Dashboard: Events Report - Server re-protected events remain visible, even after unticking Event type Computer and Server re-protected

                                                                                      There is a known behavior when viewing particular events on the Events Report page (https://cloud.sophos.com/manage/reports/protection/events/create). The Server re-protected events will remain visible, even after unticking the Event type ‘Computer and Server re-protected’ category.

                                                                                      Until this is resolved, the “Computer or server re-protected” event needs to be ignored in the report. We understand that this can be annoying; there is a limitation in our current design, and the fix unfortunately requires a good amount of changes. We are in the process of moving all event handling to a centralized workflow.

                                                                                      CPERF-4307
                                                                                          Times presented in exported reports look different between PDF and CSV formats.

                                                                                          Reports that are exported as a PDF have times annotated as UTC.

                                                                                          Reports that are exported as CSV have times listed in the time zone of the user running the report.

                                                                                          The times are the same in UTC.

                                                                                          This difference in how the times are presented between reports will be addressed in a future version of Central Admin.

                                                                                          This is an example of what to expect (all times are equal):

                                                                                          1. PDF is UTC time (Regardless of time zone where report is pulled)
                                                                                          = 9/8/17 10:57 PM

                                                                                          2. CSV report pulled from system in EST
                                                                                          = 2017-09-08 T 17:57:01-05:00

                                                                                          3. CSV report pulled from the system in PST
                                                                                          = 2017-09-08 T 14:57:01-08:00

                                                                                          CPLAT-37411
                                                                                          • CPG 2020.47
                                                                                            Enabling or Disabling Enterprise Dashboard can cause an 'Authentication failure' for the admin who triggered the process

                                                                                            Sometimes during the EDB enablement process, the conversion of the Central Super Admin to Enterprise Super Admin may fail. In that scenario, you will get an 'Authentication Failure' when trying to log back into your newly created Enterprise Dashboard.

                                                                                            If you encounter this, please follow the 'Forgot Password' link/process which will repair your login and access for that account.

                                                                                            CPERF-4306
                                                                                            • CPG 2019.15
                                                                                              If a CSV upload of users takes longer than 5 minutes to complete, it will time out, and the loading/spinning wheel will continue indefinitely in the UI

                                                                                              While there is no limit on the number of users that can be uploaded (outside of the 2MB file size limitation), it is recommended to upload users in batches of 1000 at a time. It is possible to upload more at once, though depending on the time of day (peak business hours) you may experience this timeout behavior.

                                                                                              Additional information can be found in customer KBA https://support.sophos.com/support/s/article/KB-000038811?language=en_US

                                                                                              CPLAT-36752
                                                                                                  Using certain browser extensions, error 403 or 404 is received during the selection of the authentication type during MFA setup

                                                                                                  Using certain browser extensions, error 403 or 404 is received during the selection of the authentication type during MFA setup

                                                                                                  Additional information can be found in customer KBA https://support.sophos.com/support/s/article/KB-000038802?language=en_US

                                                                                                  Central Endpoint - Mac

                                                                                                  Generated on:
                                                                                                  03 Dec 2024 - 08:00:02 UTC
                                                                                                  Last modified on:
                                                                                                  19 Nov 2024 - 18:44:58 UTC
                                                                                                  Reference Planned fixed version Summary Description Workaround
                                                                                                  MACEP-9081
                                                                                                  • TBD
                                                                                                  macOS devices may de-duplicate unexpectedly

                                                                                                  We’re aware of an issue where macOS devices may de-duplicate unexpectedly. If you notice macOS devices de-duplicating, we recommend contacting Sophos support to open a support case and provide an SDU (Sophos Diagnostic Utility) log from the affected endpoint.

                                                                                                  None

                                                                                                  MACEP-6874
                                                                                                  • No plans to fix
                                                                                                  Web Browsing may fail when running Ava Reveal alongside Sophos for MacOS

                                                                                                  Ava Reveal’s web protection filter and the Sophos web protection filters may cause web browsing to fail when both are loaded.

                                                                                                  Sophos has worked with Ava and we have found that multiple content filters and a transparent proxy trigger an OS issue. As of August 2022, this is considered an incompatibility due to the OS.

                                                                                                  Turn off Ava Reveal extension or uninstall Sophos for MacOS

                                                                                                  MACEP-6987
                                                                                                  • No plans to fix
                                                                                                  Incompatibility with LightSpeed relay agent

                                                                                                  When Sophos and LightSpeed relay agent are installed together, web browsing will fail to load webpages and installs will fail.

                                                                                                  Uninstall LightSpeed relay agent

                                                                                                  MACEP-8816
                                                                                                  • 2024.1 MR1, 2024.2 plus exclusions
                                                                                                  Slow OneDrive/SharePoint performance on macOS 14 Sonoma, high CPU usage by Trustd/TCCd

                                                                                                  There can be slow performance while opening or editing documents with Microsoft Office apps on macOS 14 Sonoma plus our endpoint protection software. Users experience sluggish or unresponsive apps and the Apple system processes ‘trustd’ and/or ‘tccd’ are shown to be consuming significant CPU resources in Activity Monitor.

                                                                                                  More information is contained in this KB https://support.sophos.com/support/s/article/KB-000045805

                                                                                                  Update Sophos Endpoint for macOS to version 2024.1 MR1 (10.6.3) or higher, and add exclusions to the Scanning exclusions and Cryptoguard exclusions. See the linked KB for more details.

                                                                                                  MACEP-6842
                                                                                                  • TBD
                                                                                                  Heartbeat false positive alerts with macOS 12 Monterey and later

                                                                                                  Multiple times per day the security heartbeat can report drops for macOS Monterey (and later macOS versions e.g. Ventura, Sonoma) clients when they did not actually drop.

                                                                                                  None

                                                                                                  MACEP-7926
                                                                                                  • No plans to fix
                                                                                                  Central Endpoint for macOS: Domain Name Override for reported users only works for Mobile accounts

                                                                                                  The feature to enable domain name override for reported users on macOS, detailed in this KB: https://support.sophos.com/support/s/article/KB-000036151 , requires that the user account type is Mobile.

                                                                                                  By default, a direct Active Directory join uses this user type, however some other providers may not set it. Sophos’ detection of the user as a domain one requires the user account type to be mobile to trigger. There are no plans to change this behavior at this time.

                                                                                                  If the provider allows it, set the user account type to Mobile. Apple has provided information here: https://support.apple.com/en-ca/guide/mac-help/mh32157/mac

                                                                                                  MACEP-9232
                                                                                                  • To be fixed in 2024.3
                                                                                                  Missing /Library/Caches/com.sophos.sau folders may cause update failures

                                                                                                  If the Sophos folders under /Library/Caches/com.sophos.sau are damaged or removed, it may cause updates to fail. This can be caused by the OS clearing cache files to make room.

                                                                                                  To check if this is the cause of an update failure, from Terminal, run the following command:
                                                                                                  sudo log show --predicate "subsystem == 'com.sophos.macendpoint'" --last 1h | grep -i 'path does not exist: /Library/Caches/com.sophos.sau'

                                                                                                  Any results show that this issue has occurred.

                                                                                                  Restart the computer, or use Activity Monitor to terminate the process SophosUpdater. It will restart and re-create any missing folders.

                                                                                                  MACEP-9027
                                                                                                  • No plans to fix
                                                                                                  Unable to browse the internet using Google Chrome or Microsoft Edge after version 124 update

                                                                                                  Google Chrome and Microsoft Edge for macOS have updated to version "124", which enabled the feature "TLS 1.3 hybridized Kyber support". When this setting is enabled and running alongside Sophos Central Endpoint for macOS, some web pages may not load.

                                                                                                  Join the Early Access Program for macOS which will enable "Sophos Modern Web Intelligence"
                                                                                                  https://community.sophos.com/intercept-x-endpoint/macos-endpoint-eap/b/announcements/posts/macos-endpoint-eap--august-2023-update

                                                                                                  Or

                                                                                                  Within Google Chrome go to: "chrome://flags"
                                                                                                  Select "TLS 1.3 hybridized Kyber support" and change it from "Default" to "Disabled"
                                                                                                  Restart the browser

                                                                                                  Within Microsoft Edge go to: "edge://flags/"
                                                                                                  Select "TLS 1.3 hybridized Kyber support" and change it from "Default" to "Disabled"
                                                                                                  Restart the browser

                                                                                                  MACEP-8266
                                                                                                  • No plans to fix
                                                                                                  Apple Advanced Tracking and Fingerprint Protection on macOS 14 (Sonoma) is not protected by Web Protection / Web Control

                                                                                                  Apple Advanced Tracking and Fingerprint Protection on macOS 14 (Sonoma) by design does not pass traffic to any web filters on the system. While this feature is enabled, Web Protection / Web Control will not be able to see the traffic.

                                                                                                  This feature is enabled for Private browsing tabs in Safari by default on macOS 14 (Sonoma), and only affects that OS. In the Safari security preferences, it is possible to also enable this feature for all browser connections, or none. Any connections with this feature enabled will not be checked for Web Protection / Control.

                                                                                                  This feature can be disabled in the Safari security preferences.

                                                                                                  MACEP-8100
                                                                                                  • No plans to fix
                                                                                                  Application Control cannot block scripting or JAR applications

                                                                                                  Application Control cannot detect/block script applications or Java JAR applications during direct execution. It requires a binary package such as .app, .pkg, .dmg to detect/block. On access scanning is not affected by this limitation.

                                                                                                  None

                                                                                                  MACEP-7802
                                                                                                  • No plans to fix
                                                                                                  Apple iCloud Private Relay is not protected by Web Protection / Web Control

                                                                                                  Apple iCloud Private Relay uses an isolated connection that the OS does not provide to Sophos for purposes of web protection or control. If a user enables this (paid subscription from Apple), we cannot provide web protection or control on the system for non-local traffic.

                                                                                                  None

                                                                                                  Central Endpoint/Server - General

                                                                                                  Generated on:
                                                                                                  03 Dec 2024 - 08:00:02 UTC
                                                                                                  Last modified on:
                                                                                                  19 Nov 2024 - 19:16:20 UTC
                                                                                                  Reference Planned fixed version Summary Description Workaround
                                                                                                  CESG-35323
                                                                                                  • No plans to fix
                                                                                                  Allowed application report can show blocked applications if scheduled scans are run

                                                                                                  Scheduled scans will detect any controlled applications during their scan. These will be listed as “allowed”, as they are not being executed. This means an application can appear in reporting as both blocked and allowed, due to scheduled scans.

                                                                                                  CESG-33680
                                                                                                    Sophos Central reports with large amounts of data may fail to export

                                                                                                    Reports that contain a large amount of data may fail to export because the data exceeds the memory limit for exports in the Central database.

                                                                                                    We cannot provide an exact number of events that can be exported, as each event contains a different amount of data.

                                                                                                    You need to lower the report size by filtering the timeframe of the report data to a smaller window.

                                                                                                    CESG-30147
                                                                                                    • TBD
                                                                                                    Web Control tags not displaying for IP addresses in Central events

                                                                                                    Website management tag names won’t show up in Central events for the following conditions:

                                                                                                    - Match by CIDR, e.g. tag of X.X.X.X/24 to match a url of http://X.X.X.X/
                                                                                                    - Domain lookup to match exact IP, e.g. tag of X.X.X.X to match url of https://www.DOMAIN.com/
                                                                                                    - Domain lookup to match CIDR range, e.g. tag of X.X.X.X/24 to match a url of https://www.DOMAIN.com/
                                                                                                    - Reverse lookup to match domain name, e.g. tag of www.DOMAIN.com to match http://X.X.X.X/
                                                                                                    - Reverse lookup to match domain suffix, e.g. tag of www.DOMAIN.com to match http://X.X.X.X/
                                                                                                    - Reverse lookup to match TLD, e.g. tag of .ca to match http://X.X.X.X/

                                                                                                    CESG-32907
                                                                                                    • No plans to fix
                                                                                                    "Default" user assignment will count as 1 additional license

                                                                                                    After an unattended installation, endpoint devices may be assigned with the user “Default” which will consume a user license for each device. The usage will be corrected once a user has logged into the device, and the default user will no longer appear.

                                                                                                    Log into the system with a user account.

                                                                                                    CESG-31075
                                                                                                      Difference in the "lastSeenAt" field (API versus WebGUI)

                                                                                                      The endpoint API results may show the lastSeenAt result for a device as being further back than the last active time within Sophos Central. This is due to a data sync delay.

                                                                                                      CESG-33588
                                                                                                      • Not planned to be changed
                                                                                                      A Sophos Central account with "Intercept X Essentials" license may allow cloning the Threat Protection policy for Endpoints

                                                                                                      Despite "Intercept X Essentials" only allowing a single base policy of each policy type, customers may be able to clone the “Threat Protection” policy for Endpoints.

                                                                                                      KB-000042816 Sophos Central Admin: Central Endpoint Protection (CEP) and Central Server Protection (SVRC) license changes feature list

                                                                                                      CESG-25447
                                                                                                        The device summary in Sophos Central lists 'Endpoint Protection' or 'Server Protection' as 'Pending...'

                                                                                                        The device summary in Sophos Central lists 'Endpoint Protection' or 'Server Protection' as 'Pending...' when the Endpoint is assigned a Special or Static Package via the Sophos Central 'Software Management' functionality.

                                                                                                        This is a cosmetic issue, as static or special packages no longer provide information about the legacy 'Endpoint Protection' or 'Server Protection' modules, and it can be ignored.

                                                                                                        None

                                                                                                        CESG-31327
                                                                                                          Sophos Central does not strip blank characters from the end of Exploit Mitigation and Ransomware Protection exclusion paths

                                                                                                          A blank character at the end of an Exploit Mitigation or Ransomware Protection exclusion will be accepted by Sophos Central and passed down to the endpoint. This may not match the intended process, and so will not be excluded.

                                                                                                          CESG-23373
                                                                                                            Central decision to generate a new registration token is case sensitive causing unexpected duplicates

                                                                                                            The checks performed by Sophos Central to determine whether a device is a duplicate are case sensitive.

                                                                                                            Sophos Central checks for the following information before making the decision to create a new entry or keep the existing one during the client registration:

                                                                                                            - Domain name
                                                                                                            - Computer name (NetBIOS name)
                                                                                                            - OS (e.g. Win10, not more specific/detailed than that)
                                                                                                            - FQDN
                                                                                                            - Mac serial number (if a Mac)
                                                                                                            - Whether SSPL or not (Linux)
                                                                                                            - If it is marked as a clone, always create a new entry

                                                                                                            All of the checks are case-sensitive.

                                                                                                            CESG-25605
                                                                                                            • known limitation, not planned to be fixed
                                                                                                            Hero Report - Exporting PDF of Hero reports is empty when in dark mode

                                                                                                            CDB Hero Reports export PDF contains no data when created with Central Admin Dark Mode enabled.

                                                                                                            Use light mode to generate a PDF report

                                                                                                            Central Endpoint/Server - Linux

                                                                                                            Generated on:
                                                                                                            03 Dec 2024 - 08:00:02 UTC
                                                                                                            Last modified on:
                                                                                                            03 Dec 2024 - 08:00:12 UTC
                                                                                                            No known issues!

                                                                                                            Central Endpoint/Server - Windows

                                                                                                            Generated on:
                                                                                                            03 Dec 2024 - 08:00:02 UTC
                                                                                                            Last modified on:
                                                                                                            28 Nov 2024 - 14:49:57 UTC
                                                                                                            Reference Planned fixed version Installed Product Summary Description Workaround
                                                                                                            WINEP-56888
                                                                                                            • Core Agent 2025.1
                                                                                                            • Intercept X
                                                                                                            Disabling "Turn on anti-ransomware protection and all exploit mitigations" doesn't reflect the changes on the SophosUI Settings tab

                                                                                                            Disabling "Turn on anti-ransomware protection and all exploit mitigations" in the Threat Protection Advanced Settings fully disables Ransomware as well as Exploit Mitigation functionality on the Endpoint.

                                                                                                            The policy change is not reflected on the SophosUI as the sliders for “Ransomware Detection” and “Exploit Mitigation” (and technically Safe Browsing) remain enabled.

                                                                                                            This is a UI issue; no workaround is required.

                                                                                                            WINEP-56715
                                                                                                            • No plans to fix
                                                                                                            • Intercept X
                                                                                                            The CiGuard Exploit Mitigation does not work on Windows 10 Version 1507

                                                                                                            Due to differences in the C:\Windows\System32\CI.dll found on this particular version of Windows, the CiGuard Exploit Mitigation does not work on Windows 10 Version 1507.

                                                                                                            Update to newer Windows 10 version.

                                                                                                            WINEP-55741
                                                                                                            • Intercept X 2024.3, 2024.2.2 Maintenance Release 2
                                                                                                            • Intercept X
                                                                                                            "Microsoft 365 network connectivity test" fails with a BrowserAncestorPowershell alert

                                                                                                            The "Microsoft 365 network connectivity test" fails with a BrowserAncestorPowershell alert against the NetworkOnboardingClient 1.9. This is a legitimate detection caused by the network connectivity test behavior, which gets blocked by the Lockdown mitigation policy. The alert will be suppressed with the release of Intercept X 2024.3 and the network connectivity test can be completed successfully.

                                                                                                            WINEP-58102
                                                                                                              • Intercept X
                                                                                                              Turbo (formerly Spoon and Xenocode) application virtualization technology may trigger DynamicShellcode detections

                                                                                                              Applications that integrate Turbo (formerly Spoon and Xenocode) application virtualization technology by Code Systems Corporation may raise a DynamicShellcode detection when the virtualized executables are started.

                                                                                                              Exclude the DynamicShellcode detection per detection ID.

                                                                                                              WINEP-52570
                                                                                                                • Core Agent
                                                                                                                Disabling a scheduled scan in policy fails to locally disable the scan if a scan is running when the change is made

                                                                                                                If a scheduled scan is disabled in the Sophos Central Threat Protection policy, the change in policy will fail to apply to a device if a scan is running when the change is made. Affected devices will still report scan completion events.

                                                                                                                Re-enable the scan in the Threat Protection policy and Save. Edit the policy and this time disable the scan and Save.
                                                                                                                Note: Ensure a scheduled scan is not currently running on a device.

                                                                                                                WINEP-51789
                                                                                                                • 2023.2 core agent
                                                                                                                • Core Agent
                                                                                                                Enabling IMDSv2 on AWS restricts AWS information being displayed on Central dashboard

                                                                                                                When using AWS IMDSv2, AWS info like Instance ID, AWS Region and AWS Account ID is no longer present in Central server status.

                                                                                                                Use IMDSv1 on AWS as an alternative.

                                                                                                                WINEP-55270
                                                                                                                • No Plans to Fix
                                                                                                                • Core Agent
                                                                                                                Live sessions remain when using run-as with SATC

                                                                                                                Running a live session as another user using the run-as utility sends a SATC login to the XG Firewall; however, on termination of the session the connection remains as an active connection on the firewall. The connection must be manually terminated on the XG.

                                                                                                                WINEP-56971
                                                                                                                • No plans to fix
                                                                                                                • Core Agent
                                                                                                                Microsoft RDP Connections over ZTNA may experience latency

                                                                                                                Microsoft Remote Desktop (RDP) may experience latency when connecting over Sophos ZTNA due to additional encryption work on the packets. If the RDP Transport protocol has been set to TCP Only (not default), the impact can be worse.

                                                                                                                Note: This would need to be done on the RDP Host (not client).

                                                                                                                Set RDP to use TCP and UDP. Using Group Policies (or the group policy editor locally, gpedit.msc): Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Select RDP Transport Protocols. Set the value to "Use either UDP or TCP", or Not Configured (default is Use Either UDP or TCP).

                                                                                                                WINEP-42285
                                                                                                                • Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)
                                                                                                                • Core Agent
                                                                                                                Firefox intermittently does not load Gmail

                                                                                                                Some customers have reported Firefox having issues loading Gmail intermittently. This is due to a connection reset issue.

                                                                                                                Applies to Core Agent version 2.20.13 and above. This has been improved in Core Agent 2022.2.1

                                                                                                                In the Threat Protection policy, turn off Real-Time Scanning - Internet
                                                                                                                In the Web Control policy, turn off Web Control

                                                                                                                WINEP-53005
                                                                                                                • No plans to fix
                                                                                                                • Core Agent
                                                                                                                Windows Security Eventlog logs EventID 5038 code integrity validation failures against SophosAmsiProvider.dll

                                                                                                                With the release of Sophos Core Agent 2024.2, the SophosAMSIProvider.dll is now Microsoft attestation signed.

                                                                                                                This allows it to be successfully loaded in processes with integrity level 8 or lower, instead of integrity level 7 or lower. While this will prevent the majority of events from being logged, processes running at a higher integrity level that are attempting to load the SophosAMSIProvider.dll will still produce an event.

                                                                                                                WINEP-52375
                                                                                                                    A Red health state may occur due to delays during shutdown

                                                                                                                    During a shutdown of the Operating System, when the Sophos HitmanPro.Alert service has already been stopped but a third-party service (e.g. HPAudioAnalytics service) is delaying the shutdown because it is not correctly responding to the stop request, the Sophos Health Service marks the Sophos HitmanPro.Alert service as stopped and changes the Endpoint health state from Green to Red.

                                                                                                                    On the subsequent startup of the Operating System, the Endpoint health state is still Red. This may lead to the Endpoint being isolated if the option 'Allow computers to isolate themselves on red health' is enabled in the Threat Protection policy.

                                                                                                                    The Endpoint health changes to Green automatically after around two minutes, which also removes the Endpoint from isolation.

                                                                                                                    See KBA for details: https://support.sophos.com/support/s/article/KB-000045873

                                                                                                                    WINEP-55379
                                                                                                                    • No plans to fix
                                                                                                                    • Core Agent
                                                                                                                    Website exclusion will not exclude a site when Web Control is configured to block Risky File Types - Legacy platforms

                                                                                                                    Platforms such as Windows 10 32-bit, Windows 7 and Windows 8 may encounter an issue when Web Control is configured to block file types from being downloaded. If the URL/IP address of the site is excluded as a “Website” exclusion, the exclusion will not apply to these platforms and the file download will be blocked.

                                                                                                                    Change the setting for "Risky File Types" under "Additional security options" to "Allow" or "Warn"
                                                                                                                    or
                                                                                                                    Upgrade to W10 64-bit platform (or above)

                                                                                                                    WINEP-44278
                                                                                                                    • TBD
                                                                                                                    • Intercept X
                                                                                                                    Credential Guard alerts against tasklist.exe when creating a Diagnose Log in Monitor Mode

                                                                                                                    With ‘Monitor Mode’ enabled for the Sophos Central Account (Account Details -> Account Preferences -> Evaluation Modes -> Monitor mode), creating a Diagnose Log from Sophos Central will trigger a Credential Guard alert when Diagnose calls “C:\Windows\System32\tasklist.exe /M /FO CSV”

                                                                                                                    This is a detection that only occurs in Monitor Mode.

                                                                                                                    None

                                                                                                                    WINEP-43576
                                                                                                                    • TBD
                                                                                                                    • Core Agent
                                                                                                                    Devices being detected as a clone when using VMware Horizon with ClonePrep

                                                                                                                    The gold image switch is not working for VMware Horizon with ClonePrep environment.

                                                                                                                    The issue occurs here because when using “ClonePrep” the device is snapshotted and then spun up - a snapshot is then created from this new machine before it's snapshotted and cloned again.

                                                                                                                    As an example: The machine they use as the “GoldImage” GOLD-W10 is then renamed to W10-1 itself and then from W10-1 a new machine is created called W10-2 and this then repeats.

                                                                                                                    The workaround is to use the older style gold image prep script

                                                                                                                    The workaround is to use the gold image prep script during the shutdown.
                                                                                                                    Details are described in the following KB: https://support.sophos.com/support/s/article/KB-000035040

                                                                                                                    WINEP-43578
                                                                                                                    • Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)
                                                                                                                    • Core Agent
                                                                                                                    Clicking on multiple links multiple times in Firefox generating error - ERR_SSL_BAD_RECORD_MAC_ALERT

                                                                                                                    When browsing a website (e.g. Google) in Firefox, clicking on different links quickly can generate an error: ERR_SSL_BAD_RECORD_MAC_ALERT

                                                                                                                    1. Close and re-launch Firefox
                                                                                                                    2. Turn off Web Control and Real-time scanning - Internet
                                                                                                                    3. Set "security.tls.enable_0rtt_data" = false on the about:config page for Firefox

                                                                                                                    WINEP-45827
                                                                                                                      • Core Agent
                                                                                                                      The Sophos Network Threat Protection service may get stuck in the start pending state when a Microsoft Azure computer running Windows Server 2016 with a Mellanox network interface is started from the "Stopped (deallocated)" state

                                                                                                                      If a Microsoft Azure computer running Windows Server 2016 with a Mellanox network interface is started from the "Stopped (deallocated)" state, the Sophos Network Threat Protection service may get stuck in the start pending state. The service is pending a Windows Filtering Platform (WFP) call from the system which is not being returned when the system starts from a “Stopped (deallocated)” state, resulting in the issue.

                                                                                                                      This is an environmental/driver issue. No solution is available from Sophos Central Endpoint.

                                                                                                                      To prevent the issue on Windows Server 2016, avoid using the “Stopped (deallocated)” state when turning off the server. However, when that state has to be used, restart the server once more after it has started from that state and is in the problematic state.

                                                                                                                      This issue only occurs on Windows Server 2016. In Windows Server 2019 and Windows Server 2022, starting the server from the “Stopped (deallocated)” state correctly returns the WFP call to the Sophos Network Threat Protection service, which allows the service to start correctly.

                                                                                                                      Please see KBA for additional information - https://support.sophos.com/support/s/article/KB-000044781

                                                                                                                      WINEP-51827
                                                                                                                          Windows Server 2022 Backup jobs may fail intermittently with the error "failed to get an exclusive lock on the EFI system partition (ESP)"

                                                                                                                          Windows Server 2022 backup jobs are failing with the error:
                                                                                                                          Backup of volume \\?\GLOBALROOT\Device\HarddiskVolume1\ has failed. Windows Backup failed to get an exclusive lock on the EFI system partition (ESP). This may happen if another application is using files on the ESP. Please retry the operation.

                                                                                                                          Check KB - 000045621 | Sophos Central Servers: Windows Backup failed to get an exclusive lock on the EFI system partition (ESP)

                                                                                                                          WINEP-56625
                                                                                                                          • Core Agent 2024.3
                                                                                                                          • Intercept X
                                                                                                                          Slow debugging performance in Embarcadero Delphi after upgrade to Intercept X 2024.1.1 (HitmanPro.Alert 3.9.4)

                                                                                                                          Intercept X 2024.1.1 enabled a new version of the Hollow Process Exploit Mitigation, which can lead to slow debugging in Embarcadero Delphi, as the debugging executables are constantly being hashed when executed.

                                                                                                                          Applying the Maintenance Release FTS 2024.2.2-MR4 (or later) or disabling the option "Prevent process hollowing attacks" in the Threat Protection policy mitigates the issue.

                                                                                                                          More details: https://support.sophos.com/support/s/article/KBA-000009926

                                                                                                                          WINEP-46360
                                                                                                                          • Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)
                                                                                                                          • Core Agent
                                                                                                                          Right-click scan of a UNC path does not scan all sub-folders

                                                                                                                          A right-click scan of all files and folders in a UNC path only scans files in that folder and one layer of sub-folders. This issue affects legacy platforms only (W10 32bit/W8.1/W7/WinServer 2012/R2/SBS 2011/2008R2).

                                                                                                                          The right-click scan operation will need to be performed on each sub-folder

                                                                                                                          WINEP-42551
                                                                                                                          • Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)
                                                                                                                          • Core Agent
                                                                                                                          Uploading larger files to FileVine or other document management systems may fail

                                                                                                                          Uploading larger files to FileVine or other document management systems may fail.

                                                                                                                          Turn off Web Control
                                                                                                                          Turn off Real-time scanning Internet

                                                                                                                          WINEP-43580
                                                                                                                              Various types of intermittent networking issues on platforms running Red Hat VirtIO Ethernet Adapter

                                                                                                                              Virtualization platforms (e.g. Red Hat KVM, Nutanix VM, Proxmox) running Red Hat VirtIO Ethernet Adapter Service with the default netkvm.sys driver (C:\Windows\system32\drivers\netkvm.sys from 11/08/2016) may show various types of intermittent networking issues when Sophos Network Threat Protection Service is running and the service may show as stuck in a starting state after rebooting the system.

                                                                                                                              Update the Red Hat VirtIO Ethernet Adapter drivers to the latest version.

                                                                                                                              WINEP-49503
                                                                                                                              • TBD
                                                                                                                              • Core Agent
                                                                                                                              Web Control file type set to "Warn" for Executables may not display the warning page

                                                                                                                              If “File types” is set to “Warn” for “Executables” in the Web Control policy and “Decrypt HTTPS websites using SSL/TLS” is enabled in the Threat Protection policy, we may not display our warning page for Web Control when a download occurs.

                                                                                                                              When a download occurs we will try to insert/replace the download page with our warning page, which may not work depending on how the download page is built. In the local Sophos Endpoint UI event page, a “Warn” message will be seen.

                                                                                                                              1. Change the setting in Web Control for "Executables" from "Warn" to "Allowed" or "Blocked"
                                                                                                                              2. Create a Website exclusion of the URL in the Threat Protection policy

                                                                                                                              WINEP-51511
                                                                                                                                • Intercept X
                                                                                                                                Ransomware Protection may trigger an alert for an excluded process when restarting the HitmanPro.Alert Service

                                                                                                                                A Ransomware Protection alert for a process that is already excluded from Ransomware Protection (either by process path or DetectionID) may be raised when the HitmanPro.Alert Service is stopped, either during an update of the Intercept X version / HitmanPro.Alert module or when restarting/shutting down the device.

                                                                                                                                This is expected behavior: exclusion handling is performed by the HitmanPro.Alert Service, which is temporarily unavailable when the service is restarted during an update, or when the service has already been stopped during a restart/shutdown event while the excluded application is still performing file operations that appear suspicious to Ransomware Protection.

                                                                                                                                WINEP-41307
                                                                                                                                  • Intercept X
                                                                                                                                  Servers running ConnectWise Automate trigger DynamicShellcode mitigation

                                                                                                                                  ConnectWise Automate / LabTech Agent (LTAgent.exe) triggers Dynamic Shellcode mitigation on Servers running Intercept X with Exploit Mitigation and Dynamic Shellcode protection enabled. The ConnectWise Automate host server is unable to launch Automate Control Center as it relies on LTAgent.exe, which fails to launch.

                                                                                                                                  Check KB-000044124 - Dynamic ShellCode Detection on ConnectWise Automate host server

                                                                                                                                  WINEP-46031
                                                                                                                                    • Core Agent
                                                                                                                                    High CPU usage from SEDService.exe on computers running Sysinternals System Monitor (Sysmon)

                                                                                                                                    On computers with Sysinternals System Monitor (Sysmon) installed and configured with a "FileDelete" rule targeting ".bin" files, Sophos Endpoint Defense Service (SEDService.exe) will constantly run with high CPU.

                                                                                                                                    This is caused by a conflict with Sysmon when SEDService.exe performs compression of Event Journal data and the subsequent deletion of the uncompressed *.bin Event Journal files. When .bin files are covered by a Sysmon FileDelete rule, Sysmon tries to rename/archive the Tamper Protected file and conflicts with Endpoint Defense Service, leaving the uncompressed file in place.

                                                                                                                                    Removing .bin files from the TargetFilenames of the FileDelete rule resolves the issue. For details, please see KB-000044827

                                                                                                                                    WINEP-43484
                                                                                                                                      • Core Agent
                                                                                                                                      Sophos update failing with Check Point VPN version 86.40.

                                                                                                                                      Updates fail when Sophos Central Endpoint is installed alongside Check Point VPN version 86.40

                                                                                                                                      Please see KBA for workaround steps - https://support.sophos.com/support/s/article/KB-000044497

                                                                                                                                      WINEP-42550
                                                                                                                                      • Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)
                                                                                                                                      • Core Agent
                                                                                                                                      Web browsing and download speeds are slower when Web Control and / or Real-time scanning Internet in Threat Protection is enabled

                                                                                                                                      Web browsing and download speeds are slower when Web Control and / or Real-time scanning Internet in Threat Protection is enabled

                                                                                                                                      Turn off Web Control policy
                                                                                                                                      Turn off the settings under Real-time scanning Internet in Threat Protection

                                                                                                                                      WINEP-44672
                                                                                                                                        • Intercept X
                                                                                                                                        Systems running CryptoPro CSP trigger APCViolation alerts

                                                                                                                                        Systems running CryptoPro CSP software (http://www.cryptopro.ru) raise APCViolation alerts against random processes on the system (e.g. C:\Program Files (x86)\Sophos\AutoUpdate\Telemetry\SubmitTelem.exe).

                                                                                                                                        Disable "Prevent APC violation" in the Threat Protection policy of the Endpoints that need to run CryptoPro CSP.

                                                                                                                                        WINEP-49518
                                                                                                                                          • Intercept X
                                                                                                                                          Intercept X's "Prevent privilege escalation" feature compatibility with Privileged Access Management (PAM) software

                                                                                                                                          The "Prevent privilege escalation" feature prevents attacks from escalating a low-privilege process to higher privileges to access systems. This may clash with Privileged Access Management (PAM) tools that are installed on the Endpoint to manage the elevation of rights, resulting in "PrivGuard" alerts being reported against the elevated processes.

                                                                                                                                          In these situations, the "Prevent privilege escalation" feature is incompatible with the Privileged Access Management (PAM) software and should be disabled via the Threat Protection policy on impacted Endpoints.

                                                                                                                                          For more details see: https://support.sophos.com/support/s/article/KB-000043114

                                                                                                                                          WINEP-54248
                                                                                                                                            • Core Agent
                                                                                                                                            NETIO.sys BSOD when running Sophos alongside NetSupport/NetSupport DNA

                                                                                                                                            When running Sophos Central Endpoint for Windows alongside NetSupport/NetSupport DNA, a “BSOD DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)” may occur when browsing the internet.

                                                                                                                                            For NetSupport, upgrade to version 15 or above.
                                                                                                                                            For NetSupport DNA, upgrade to version 4.95.0006 or above.

                                                                                                                                            WINEP-56088
                                                                                                                                            • TBD
                                                                                                                                            • Device Encryption
                                                                                                                                            Endpoints may fail to apply a module update when \TEMP is redirected to another drive

                                                                                                                                            Updates to components may fail if \TEMP and \TMP are redirected to a drive other than the one that hosts the system installation. Reverting the TEMP and TMP environment variable(s) to the default location will resolve the issue.

                                                                                                                                            See KBA for details:
                                                                                                                                            https://support.sophos.com/support/s/article/KB-000046223

                                                                                                                                            WINEP-54960
                                                                                                                                            • No plans to fix
                                                                                                                                            • Core Agent
                                                                                                                                            Windows Server 2016 may encounter a BSOD - KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL (192) - if the VMware Introspection Driver (vsepflt.sys) is loaded

                                                                                                                                            Description

                                                                                                                                            A BSOD with bug check KERNEL_AUTO_BOOST_LOCK_ACQUISITION_WITH_RAISED_IRQL (192) may occur when the VMware Introspection Driver (vsepflt.sys) is loaded on Windows Server 2016.

                                                                                                                                            Workaround

                                                                                                                                            Modify VMware Tools via Programs and Features and disable the Introspection Driver. This driver is no longer used by VMware.

                                                                                                                                            Component

                                                                                                                                            Sophos Endpoint Defense

                                                                                                                                            WINEP-42286
                                                                                                                                              • Core Agent
                                                                                                                                              Using a WPAD with Firefox, Firefox fails to browse.

                                                                                                                                              If Firefox is configured to use a WPAD for proxy configuration, it fails to browse.

                                                                                                                                              Affects Core Agent 2.20.13 and above.

                                                                                                                                              Use manual proxy configuration for Firefox. All other browsers handle WPAD fine.

                                                                                                                                              WINEP-57239
                                                                                                                                              • No Plans to Fix
                                                                                                                                              • Intercept X
                                                                                                                                              Endpoints with Windows Driver Verifier enabled may crash with bugcheck DRIVER_VERIFIER_DETECTED_VIOLATION (c4) against hmpalert.sys

                                                                                                                                              Endpoints that have the Exploit Mitigation functionality “Prevent credential theft” enabled (default) may bugcheck with stop code DRIVER_VERIFIER_DETECTED_VIOLATION (c4) against hmpalert.sys when enabling Windows driver verifier. The issue is caused by the injection DLL performing a Credential Guard LSASS check in the driver.

                                                                                                                                              The issue impacts the following Operating System platforms: Windows 7, Windows 8.1, Windows 10 32-bit, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows SBS 2011.

                                                                                                                                              Windows Server 2016 (and later) and Windows 10 64-bit (and later) are not impacted by this issue.

                                                                                                                                              Temporarily disable “Prevent credential theft” from the Threat Protection policy, for the time that Windows driver verifier needs to be enabled.

                                                                                                                                              WINEP-56550
                                                                                                                                              • TBD
                                                                                                                                              • Core Agent
                                                                                                                                              ZTNA gateway generates disconnection alerts when Modern Standby is enabled

                                                                                                                                              While the Windows operating system is in Connected Standby mode (Modern Standby), the differentiated throttling applied by the Windows Desktop Activity Moderator (DAM) may allow some processes to generate network traffic even though ZTNA is still inactive.

                                                                                                                                              Disable the Connected Standby function on affected devices.
                                                                                                                                              More information on Connected Standby: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby

                                                                                                                                              WINEP-53287
                                                                                                                                              • no plans to fix
                                                                                                                                              • Intercept X
                                                                                                                                              DLLHijackGuard exploit mitigations are only reported to the local event log

                                                                                                                                              An Exploit Mitigation alert of type DLLHijackGuard does not create an event in Sophos Central or on the local Endpoint UI. The alert details are only logged to the local Eventlog of the system under HitmanPro.Alert EventID 911. This is expected behavior.

                                                                                                                                              WINEP-53112
                                                                                                                                                • Intercept X
                                                                                                                                                Error messages are logged into sophoshmpaservice.log during the initial installation of HitmanPro.Alert 3.9.4

                                                                                                                                                During the initial installation of HitmanPro.Alert 3.9.4, the following errors are logged into the C:\ProgramData\HitmanPro.Alert\Logs\sophoshmpaservice.log:

                                                                                                                                                2024-02-26T14:57:56.423Z [ 3180: 4776] E [Settings] Could not open settings key (0)
                                                                                                                                                2024-02-26T14:57:56.608Z [ 3180: 4776] E [Mitigations] Could not open key _profiles (0)_
                                                                                                                                                2024-02-26T14:57:56.659Z [ 3180: 4776] E [Driver] IOCTL_002220FC failed (error 2)
                                                                                                                                                2024-02-26T14:57:56.659Z [ 3180: 4776] E [Driver] IOCTL_002220E0 failed (error 31)
                                                                                                                                                2024-02-26T14:57:56.695Z [ 3180: 4776] E [SgSyncComm] SgGetFileProperty failed; error 0xE001000A
                                                                                                                                                2024-02-26T14:57:56.718Z [ 3180: 5888] E [SgSyncComm] SgGetFileProperty failed; error 0xE001000A2024-02-26T14:57:56.727

                                                                                                                                                These have been verified as benign, relating to startup before the policy is available and can be ignored.

                                                                                                                                                WINEP-52396
                                                                                                                                                • No plans to fix
                                                                                                                                                • Core Agent
                                                                                                                                                Installer versions prior to 1.6 will not install the endpoint correctly

                                                                                                                                                If a version of the installer prior to 1.6 (released late 2019) is used in 2023 or later, it will result in a damaged install (no MCS communication and other problems). Uninstall, then reinstall with a newer installer.

                                                                                                                                                WINEP-42908
                                                                                                                                                • Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)
                                                                                                                                                • Core Agent
                                                                                                                                                Unable to cast to Chromecast when HTTPS scanning is on

                                                                                                                                                With HTTPS/SSL scanning turned on, casting to Chromecast devices fails.

                                                                                                                                                Add website exclusions for the IP address of the Chromecast device, for both HTTPS and Threat Protection.

                                                                                                                                                Central Firewall Management

                                                                                                                                                Generated on:
                                                                                                                                                03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                Last modified on:
                                                                                                                                                20 Jun 2024 - 10:37:11 UTC
                                                                                                                                                Key Affected versions Fix versions Components Summary Description Workaround
                                                                                                                                                NR-12950
                                                                                                                                                • CM 2024.18
                                                                                                                                                  • Central Management
                                                                                                                                                  Central Firewall Manager can only have one session per firewall

                                                                                                                                                  Two Central admins cannot manage the same firewall at the same time

                                                                                                                                                  Sophos Central Firewall Manager stores only one session token per firewall. If two users try to access the same firewall at the same time, the last user to log in holds the valid session token. The first user is disconnected and, when navigating the page, sees the error “Unable to load page. Check your network connection”.

                                                                                                                                                  This is expected behavior.

                                                                                                                                                  Only one user can access one firewall at a time.

                                                                                                                                                  NR-12256
                                                                                                                                                  • CM 2024.06
                                                                                                                                                    • Full Sync
                                                                                                                                                    Full Sync is not skipped for a firewall added to a config import group with Skip Full Sync selected

                                                                                                                                                    If a Sophos Central admin adds a firewall to a config import group while creating the group and selects Skip Full Sync, Full Sync is not skipped for that firewall.

                                                                                                                                                    Once the group is created, a Full Sync is generated and is not skipped.

                                                                                                                                                    NR-2287
                                                                                                                                                    • CM 2019.30
                                                                                                                                                      • Dummy
                                                                                                                                                      Firmware upgrade fails on the Sophos Firewall device when the user tries to upgrade after accessing XG Firewall from Sophos Central

                                                                                                                                                      If the available bandwidth is limited, firmware upgrades for Sophos Firewall devices might fail if triggered via Sophos Central -> login -> Open XG firewall through RP tunnel -> Backup and Firmware -> Upload Firmware

                                                                                                                                                      NR-6214
                                                                                                                                                      • CM 2.0 EAP1
                                                                                                                                                      • NoRelease
                                                                                                                                                      • Central Management
                                                                                                                                                      Central Management cannot be enabled after switching firmware to a previous version or after a factory reset

                                                                                                                                                      From SF v18.5 MR2, when FIPS mode is enabled, the device will reboot with a factory reset.

                                                                                                                                                      If the firewall is registered, Central services have been accepted by the Central admin, and the admin enables FIPS mode, the device will boot with the factory reset configuration.

                                                                                                                                                      On re-registration and enabling Central Management, the endpoint is already known to Central, and the Central Management API treats this as a bad request because Central Services are already approved.

                                                                                                                                                      There are two workarounds:

                                                                                                                                                      • After the factory reset, remove the firewall from Central.
                                                                                                                                                      • After the factory reset, register the device to Central and de-register it.

                                                                                                                                                      After performing either of the above steps, register the device again. The admin will then be able to enable Central Services (CM/CR).

                                                                                                                                                      NR-6502
                                                                                                                                                      • CM 2022.03
                                                                                                                                                        • UI (legacy)
                                                                                                                                                        Firewalls managed by Central might show a wrong status if IPS is switched on without a valid Network Protection license

                                                                                                                                                        Firewalls managed by Sophos Central that do not have IPS enabled might show a message that enabling IPS worked even though there is no valid Network Protection license.

                                                                                                                                                        Get a valid Network Protection license

                                                                                                                                                        NR-6220
                                                                                                                                                        • CM 2.1 2020.50
                                                                                                                                                        • NoRelease
                                                                                                                                                        • Import-Export
                                                                                                                                                        "Loading" error on Firewall rules page after importing WAF rule via config import/export

                                                                                                                                                        Steps to recreate:

                                                                                                                                                        • Create a WAF rule on the base Firewall A from which you want to import the configuration

                                                                                                                                                        • Create a group (Group 1) in Central using the config import option "Import existing configuration"

                                                                                                                                                        • Import the configuration from Firewall A

                                                                                                                                                        • The import succeeds, and a full sync also passes if any other firewall device (Firewall B) is added to this group

                                                                                                                                                        • Go to the "Manage Policy" page of the created Group 1.

                                                                                                                                                        • You will see a "Loading" error on the Firewall rules page

                                                                                                                                                        Expected Output:

                                                                                                                                                        The "Loading" error should not show on the Firewall rules page of the group after importing a WAF rule

                                                                                                                                                        Actual Output:

                                                                                                                                                        The "Loading" error shows on the Firewall rules page of the group after importing a WAF rule

                                                                                                                                                        NR-4642
                                                                                                                                                        • CM 2.1 2020.35
                                                                                                                                                          • Global Policies
                                                                                                                                                          Unable to reorder firewall rules at group level in Central Management using the move button

                                                                                                                                                          Firewall rule reordering in the Sophos Central Management group policy page is not supported.

                                                                                                                                                          The user can reorder the rule in XG Firewall.

                                                                                                                                                          Central Firewall Reporting

                                                                                                                                                          Generated on:
                                                                                                                                                          03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                          Last modified on:
                                                                                                                                                          27 Apr 2022 - 16:25:47 UTC
                                                                                                                                                          Key | Affected versions | Fix versions | Components | Summary | Description | Workaround
                                                                                                                                                          NCR-2547
                                                                                                                                                          • iView 02.00 MR-2 (02.00.0.776)
                                                                                                                                                            • On Premise Reporting
                                                                                                                                                            Web-surfing reports

                                                                                                                                                            Generating web surfing reports as PDF with more than 200 entries is not possible. When you create a web surfing report, the output contains only the first 200 entries in iView.

                                                                                                                                                            This applies to both iView 1 and iView 2.

                                                                                                                                                            Reason: PDF generation with all the records would impact the performance of iView.

                                                                                                                                                            The only workaround is to generate the detailed report in Excel format. Excel supports up to 100000 entries.

                                                                                                                                                            Cloud Optix

                                                                                                                                                            Generated on:
                                                                                                                                                            03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                            Last modified on:
                                                                                                                                                            06 Sep 2024 - 07:30:48 UTC
                                                                                                                                                            Key | Affected versions | Fix versions | Components | Summary | Description | Workaround
                                                                                                                                                            PCG-16358
                                                                                                                                                                  Cloud Optix: Discrepancy Between Search Query Results in Cloud Optix and Activity Insight Tabs

                                                                                                                                                                  When using the Search query feature (Discover > Search), the total displayed for ‘Activity Logs’ will be higher than the ‘All activity logs’ total shown in the Activity Insights section (Activity Insights > Logs > Activity Logs > All tab).

                                                                                                                                                                  This discrepancy occurs because the tabs within Activity logs (Network, Storage, Host, Users) do not include items from the Error logs tab.

                                                                                                                                                                  • For example: Discover Search shows 100 Activity Insight entries, but Activity Insights > Logs > Activity Logs > All tab may show a total of 90. In this scenario, the remaining 10 logs are under the Error tab.

                                                                                                                                                                  To match the log counts, check both the tab you queried for and the 'Error' tab under Activity Insights.

                                                                                                                                                                  PCG-16163
                                                                                                                                                                        Cloud Optix: Update of Container registry credentials fails with error - Incorrect credentials

                                                                                                                                                                        There is a known issue where updating Container Registry credentials may result in an "Incorrect credentials" error message. This problem has been identified as originating from the third-party service we use for Container Image Scanning.

                                                                                                                                                                        To resolve this error in the interim, please deboard the registry and then onboard it again. This will ensure it is treated as a new registry and allow you to enter the credentials successfully.

                                                                                                                                                                        PCG-14132
                                                                                                                                                                              Partner Dashboard: Cloud Optix license cannot be changed for Flex licensed customers, and 'Update Failed' message when trying to remove it.

                                                                                                                                                                              It is expected behavior that Flex licensed customer accounts are not able to remove the Cloud Optix license.

                                                                                                                                                                              The unexpected behavior is that when you re-run the Partner Dashboard License wizard and deselect the Optix component, you get a generic ‘Update Failed’ pop-up error.

                                                                                                                                                                              • This will be addressed in a future version of the Partner Dashboard (and remove the UI option to unselect it, as it is not possible).

                                                                                                                                                                              It is not possible to remove the Optix section from a Flex-licensed Central Dashboard. It is only possible to remove usage so that there is no further billing.

                                                                                                                                                                              Managed Risk

                                                                                                                                                                              Generated on:
                                                                                                                                                                              03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                              Last modified on:
                                                                                                                                                                              03 Dec 2024 - 08:00:24 UTC
                                                                                                                                                                              No known issues!

                                                                                                                                                                              Phish Threat

                                                                                                                                                                              Generated on:
                                                                                                                                                                              03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                              Last modified on:
                                                                                                                                                                              09 Oct 2024 - 14:05:30 UTC
                                                                                                                                                                              Key | Affected versions | Fix versions | Components | Summary | Description | Workaround
                                                                                                                                                                              PHISH-8741
                                                                                                                                                                                    Shared mailboxes are not supported in the Outlook plugin

                                                                                                                                                                                    Shared mailboxes are not supported in the Outlook plugin.

                                                                                                                                                                                    The plugin is shown in OWA, but the functionality is incomplete. It is able to report campaign/non-campaign emails but it's not deleting the emails after submission.

                                                                                                                                                                                    PHISH-9131
                                                                                                                                                                                          Phish Threat Campaign emails quarantined in M365 as High Confidence Phish

                                                                                                                                                                                          In rare instances, customers may report that Phish Threat campaign emails are detected as High Confidence Phish in M365 by the Anti-Spam policy and are quarantined.

                                                                                                                                                                                          This is a known behavior with Microsoft (https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide).

                                                                                                                                                                                          PHISH-8740
                                                                                                                                                                                                Training reminder email sent on Sunday

                                                                                                                                                                                                Phish Threat currently uses the UTC timezone in all of its regions, and there is no logic defining the start of a work day. This means that a Training reminder email may be sent at 00:01 UTC on a Monday, which, depending on the timezone of the end-user, may be received during the day on a Sunday.

                                                                                                                                                                                                PHISH-8633
                                                                                                                                                                                                      First training reminder email not following UI config

                                                                                                                                                                                                      The very first reminder e-mail is sent as quick as possible to make sure users finish their training sooner than later. Every subsequent reminder email will follow the value selected in the frequency drop-down.

                                                                                                                                                                                                      PHISH-7960
                                                                                                                                                                                                            Training template format is not showing correctly on smartphones

                                                                                                                                                                                                            Taking Phish Threat training on smartphones is not currently supported due to a format supportability issue.

                                                                                                                                                                                                            PHISH-4159
                                                                                                                                                                                                            • 3.0 (2018.40)
                                                                                                                                                                                                              • backend
                                                                                                                                                                                                              Deleted Users repopulate after being removed

                                                                                                                                                                                                              If a user is deleted from the Phish Threat Dashboard but repopulates automatically after some time, this is expected behaviour if a campaign was sent to the user within the last 30 days.
                                                                                                                                                                                                              Both v1 and v2 report to Central the usage for the last 30 days, which is based on email addresses that were used as part of a campaign. When a reported email does not exist in Central, a user is created, which is expected behaviour.

                                                                                                                                                                                                              PHISH-4139
                                                                                                                                                                                                              • 3.0 (2018.40)
                                                                                                                                                                                                                • Campaigns
                                                                                                                                                                                                                Campaigns which don't have a training associated do not work

                                                                                                                                                                                                                Creating and sending a Phish Threat Campaign without associated training material results in a 404 page being displayed when the enrollee clicks the link.

                                                                                                                                                                                                                This allows a dry run of a campaign to be sent so that the admin can gauge how many of their employees are likely to need training. The admin should be able to check how many of the enrollees opened and clicked on the email attack. But the enrollee should not see anything else, so they won't get suspicious when the new attack is sent.

                                                                                                                                                                                                                PHISH-5317
                                                                                                                                                                                                                • Legacy Support
                                                                                                                                                                                                                • Legacy Support
                                                                                                                                                                                                                • Customer Portal
                                                                                                                                                                                                                Macro script needs to be adjusted to work properly on Mac OS

                                                                                                                                                                                                                The PowerShell script used to generate the macro within attachment attack documents is not working properly on Mac OS.

                                                                                                                                                                                                                PHISH-5879
                                                                                                                                                                                                                • 3.0 (2018.40)
                                                                                                                                                                                                                  • Campaigns
                                                                                                                                                                                                                  G Suite categorizing tracking link as suspicious

                                                                                                                                                                                                                  For G Suite customers with Central accounts in the East region, the following preemptive warning message might show up when users click on a link within a Phish Threat campaign:

                                                                                                                                                                                                                  Suspicious link: this link leads to an untrusted site. Are you sure you want to proceed to vk39fk6q.r.eu-west1.awstrack.me?

                                                                                                                                                                                                                   Unfortunately a request cannot be made to delist from google as it requires proof of ownership. As the links are generated using Amazon services, we cannot supply this. A complete rehaul of Phish Threat will need to be made to change URLs for campaigns.

                                                                                                                                                                                                                  PHISH-6820
                                                                                                                                                                                                                  • v2.0
                                                                                                                                                                                                                    • Campaigns
                                                                                                                                                                                                                    Microsoft Defender SmartScreen reporting Phish Threat URL as "unsafe"

                                                                                                                                                                                                                    Microsoft currently provides no effective way for us to monitor and remove domains/URLs from the Microsoft Defender SmartScreen list.

                                                                                                                                                                                                                    This means that the aforementioned feature is not compatible with our Phish Threat product.

                                                                                                                                                                                                                    PHISH-7369
                                                                                                                                                                                                                        • Campaigns
                                                                                                                                                                                                                        • Customer Portal
                                                                                                                                                                                                                        Unable to select all users in enrollment due to large number of available users

                                                                                                                                                                                                                        The "select all" functionality of the user selection fields in "New Campaign creation - Enroll users" is limited to the first 40-50 users, unless the admin manually scrolls the user selection scroll box down to load the full user list into the browser and re-clicks the 'select all' function for adding/removing users to the campaign.

                                                                                                                                                                                                                        PHISH-7464
                                                                                                                                                                                                                            • Campaigns
                                                                                                                                                                                                                            Attachment from Campaign does not render some special characters properly

                                                                                                                                                                                                                            The normal workflow for Attachment Campaigns involves the fact that once the attachment has been opened, and the link inside of it activated, the user already failed the campaign - regardless of what's in the document.

                                                                                                                                                                                                                            Everything else about the Attachment Campaign should still work fine.

                                                                                                                                                                                                                            PHISH-7392
                                                                                                                                                                                                                                • Training
Unable to load the Phish Threat Awareness training for users in China

                                                                                                                                                                                                                                The following URLs are officially blocked in China.

                                                                                                                                                                                                                                https://sophos-phish-threat.go-vip.co/
                                                                                                                                                                                                                                https://staysafe.sophos.com

                                                                                                                                                                                                                                This means that training content will not work properly.

                                                                                                                                                                                                                                The only possible workaround would be for the affected users to use a tunnel-all VPN solution.

                                                                                                                                                                                                                                PHISH-4831
                                                                                                                                                                                                                                    • Campaigns
Phish Threat pushing campaigns to groups

                                                                                                                                                                                                                                    When using AD sync with Phish Threat you cannot push out campaigns to sub-groups. The user must be a direct member of the group in order to receive the campaign.

                                                                                                                                                                                                                                    PHISH-4246
                                                                                                                                                                                                                                    • 3.0 (2018.40)
                                                                                                                                                                                                                                      • Campaigns
Central Admin goes super slow when creating a campaign with a large number of users at a time

If a campaign is created with a large number of users, the page may hang and the campaign may never complete.

Currently it is recommended to add fewer than 500 recipients at a time.
                                                                                                                                                                                                                                      This will be improved in the future.

                                                                                                                                                                                                                                      Sophos Access Points

                                                                                                                                                                                                                                      Generated on:
                                                                                                                                                                                                                                      03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                      Last modified on:
                                                                                                                                                                                                                                      23 May 2023 - 17:51:15 UTC
                                                                                                                                                                                                                                      Key Affected versions Fix versions Components Summary Description Workaround
                                                                                                                                                                                                                                      NAF-241
                                                                                                                                                                                                                                      • WIFI Firmware 11.0.018
                                                                                                                                                                                                                                        • Firmware
                                                                                                                                                                                                                                        Traffic interruption has been seen between wireless clients that are connected to the same SSID on the same APX and one client starts roaming

                                                                                                                                                                                                                                        Roaming from one APX to another APX can cause 15 seconds of network disconnection for traffic between hosts connected to the same APX.
                                                                                                                                                                                                                                        The issue happens if the source and destination devices are connected to the same APX.

                                                                                                                                                                                                                                        • For example, if there is a VoIP connection being established between Notebook 1 and Notebook 2 at APX 1, traffic flow is normal.

                                                                                                                                                                                                                                        • When Notebook 2 roams away from APX 1 and associates with APX 2, the VoIP connection will be disrupted for about 15 seconds.

                                                                                                                                                                                                                                        • After 15 seconds have passed, the connection will work again.

                                                                                                                                                                                                                                        Internet-bound connections and packets which need a next hop (XGS/XG) do not experience the same disruption in connectivity.

                                                                                                                                                                                                                                        If both wireless clients connect to different Sophos APX access points this issue is not present.

                                                                                                                                                                                                                                        Sophos Connect

                                                                                                                                                                                                                                        Generated on:
                                                                                                                                                                                                                                        03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                        Last modified on:
                                                                                                                                                                                                                                        04 Jul 2024 - 10:07:37 UTC
                                                                                                                                                                                                                                        Key Affected versions Fix versions Components Summary Description Workaround
                                                                                                                                                                                                                                        NCL-1844
                                                                                                                                                                                                                                        • Sophos Connect 2.3
                                                                                                                                                                                                                                          • Sophos Connect
                                                                                                                                                                                                                                          SCC 2.3 installation fails with OpenVPN service failed to start error

                                                                                                                                                                                                                                          Installation of SCC 2.3 fails where the required VC runtime environment is not present.

Before installing SCC 2.3, install this VC runtime: https://aka.ms/vs/17/release/vc_redist.x86.exe, then try installing SCC 2.3 again.

                                                                                                                                                                                                                                          NCL-1855
                                                                                                                                                                                                                                          • Sophos Connect 2.3 MR1
                                                                                                                                                                                                                                            • Sophos Connect
BF-CBC algorithm on UTM and SFOS is no longer supported by Sophos Connect client 2.3 MR1

If the non-default BF-CBC algorithm option is used for a connection on either an SFOS or a UTM system, the connection will stop working after the release of Sophos Connect 2.3 MR1.

                                                                                                                                                                                                                                            NCL-1856
                                                                                                                                                                                                                                            • Sophos Connect 2.3 MR1
                                                                                                                                                                                                                                              • Sophos Connect
                                                                                                                                                                                                                                              SCC 2.3 and above supports only UTM 9.7 and above

Customers using SCC version 2.3 and above need to move to UTM 9.7 or above. Earlier versions of UTM are not supported with SCC 2.3 and above.

                                                                                                                                                                                                                                              NCL-1775
                                                                                                                                                                                                                                              • Sophos Connect 2.2
                                                                                                                                                                                                                                                • Sophos Connect
                                                                                                                                                                                                                                                Sophos Connect: Internet Explorer version earlier than 11 detected on this computer. Upgrade it to version 11 to continue.

Receiving an “Internet Explorer version earlier than 11 detected on this computer. Upgrade it to version 11 to continue.” error when trying to install Sophos Connect.

This can show up in either of two cases. The first is that the OS where Sophos Connect is being installed doesn’t have IE installed, in which case it will not be able to install since Sophos Connect is tightly coupled with IE11.

The second is that Sophos Connect was previously installed on the computer and there are some issues in the registry preventing IE11 from being detected properly, in which case the only known workaround for now is a complete fresh install of the workstation.

                                                                                                                                                                                                                                                NCL-1377
                                                                                                                                                                                                                                                • Sophos Connect 2.1
                                                                                                                                                                                                                                                  • Sophos Connect
IPsec connection downloaded via provisioning file does not automatically update policy when a policy change is made on XG

There are two cases where the IPsec connection downloaded via the provisioning file might not be updated once a change is made on the XG:

                                                                                                                                                                                                                                                  1) The Sophos Connect Client has an active connection

                                                                                                                                                                                                                                                  2) The Sophos Connect client is not connected to XG when the XG policy is modified.

When the Sophos Connect client tries to connect to XG, the connection will fail due to a policy mismatch error. The client will not automatically trigger an update policy request. The user has to manually trigger an "Update policy" request from the settings menu.

This is more likely to happen if the allowed networks are changed in the policy. It will also happen if a policy is changed from tunnel all to split network and the network list is not identical on both ends.

Trigger an "Update policy" request to re-synchronize the policy.

                                                                                                                                                                                                                                                  NCL-1618
                                                                                                                                                                                                                                                  • Sophos Connect 2.1
                                                                                                                                                                                                                                                    • Sophos Connect
                                                                                                                                                                                                                                                    "Failed to validate certificate" when importing/connecting with Sophos Connect Client

This relates to a Sophos Connect Client configuration where the SFOS appliance uses a 3rd party signed certificate.

When using a 3rd party signed certificate on the “remote side” of the configuration, and "ApplianceCertificate" on the local side, the connection will import fine and connect the first time. After a reboot of the workstation or a restart of the services related to Sophos Connect, an error message will pop up stating "Failed to validate server certificate" when trying to connect again.

                                                                                                                                                                                                                                                    Use a self-signed certificate, signed by the SFOS appliance on the “remote” side.

                                                                                                                                                                                                                                                    Use PSK instead of certificates.

                                                                                                                                                                                                                                                    NCL-837
                                                                                                                                                                                                                                                        • Sophos Connect
Sophos Connect: Cannot authenticate user with German umlauts

Sophos Connect for the time being only supports ASCII characters, no umlauts or UTF-8 or UTF-16.

                                                                                                                                                                                                                                                        NCL-834
                                                                                                                                                                                                                                                        • Sophos Connect 1.1
                                                                                                                                                                                                                                                          • Sophos Connect
                                                                                                                                                                                                                                                          Sophos Connect failed to start due to port 60110 used for HTTP server is already in use on the system

                                                                                                                                                                                                                                                          Sophos Connect Client uses Port 60110 on the local host to communicate with the local webserver. If this port is used by some other service before Sophos Connect Client starts, then Sophos Connect Client will fail to start.

                                                                                                                                                                                                                                                          NCL-1378
                                                                                                                                                                                                                                                          • Sophos Connect 2.1
                                                                                                                                                                                                                                                            • Sophos Connect
If XG has configured both IPsec and SSL VPN policy, only the SSL VPN policy has the "Update policy" option available in the settings menu

When both the IPsec and SSL VPN policies are configured on XG, the connect client will connect to the user portal and download both policies to the end user's computer. But ONLY the SSL VPN policy will have the "Update policy" option in the settings menu. To trigger a policy update for the IPsec policy, the user has to trigger it via the SSL VPN policy.

                                                                                                                                                                                                                                                            NCL-1391
                                                                                                                                                                                                                                                                • Sophos Connect
After deploying Sophos Connect provisioning file on SC 2.1 the first authentication to VPN always fails when OTP is enabled

                                                                                                                                                                                                                                                                Issue:

                                                                                                                                                                                                                                                                After deploying the Sophos Connect provisioning file on SC 2.1 the first authentication always fails when OTP is enabled.

Behavior:

The client first uses the OTP to connect to the User Portal. It then has to use a new OTP, but the OTP is generated by the Sophos Authenticator and the user has to enter the new OTP after the first one rotates. The client does not wait for that to happen. Instead, it uses the same OTP, which fails, and the user is prompted for authentication again. The user then has to enter the credentials again and should be connected to the VPN. This is a known issue.

Enter the credentials and OTP again.

                                                                                                                                                                                                                                                                NCL-836
                                                                                                                                                                                                                                                                • Sophos Connect 1.1
                                                                                                                                                                                                                                                                  • Sophos Connect
[Mac] Not able to import connection files which have non-ASCII characters in the file name

                                                                                                                                                                                                                                                                  Sophos Connect is unable to import files containing UTF-8 / UTF-16 characters e.g.

                                                                                                                                                                                                                                                                  NCL-835
                                                                                                                                                                                                                                                                  • Sophos Connect 1.3 GA (1.3.65)
                                                                                                                                                                                                                                                                    • Sophos Connect
Sophos Connect: [Windows] [Intermittent] Getting "Failed to load connection" error after wakeup from sleep

This issue is seen occasionally, mainly when the computer wakes up from sleep, the connection is set for Auto-connect, and the user is not on the domain network. The system recovers automatically, so user intervention is not necessary.

                                                                                                                                                                                                                                                                    NCL-833
                                                                                                                                                                                                                                                                      • Sophos Connect 3.0
                                                                                                                                                                                                                                                                      • Sophos Connect
                                                                                                                                                                                                                                                                      Unable to unzip Sophos Connect generated TSR zip file on Mac OS 10.12.6

                                                                                                                                                                                                                                                                      -> Go to About page on Sophos Connect UI

-> Click Generate TSR button

The tsr.zip file is downloaded to the default download location. The zip file cannot be unzipped on Mac OS version 10.12.6. On Mac 10.13, the zip file opens.

                                                                                                                                                                                                                                                                      NCL-839
                                                                                                                                                                                                                                                                      • Sophos Connect 1.0
                                                                                                                                                                                                                                                                        • Sophos Connect
                                                                                                                                                                                                                                                                        DNS server(s) are not updated on the network monitor page of Sophos Connect Client

If the DNS servers in the Sophos Connect Client policy on the XG firewall are changed while a VPN connection is established, the DNS servers displayed on the Network Monitor page are not updated to the changed DNS servers.

                                                                                                                                                                                                                                                                        Disconnect the existing connection and then re-establish it.

                                                                                                                                                                                                                                                                        Sophos DNS Protection

                                                                                                                                                                                                                                                                        Generated on:
                                                                                                                                                                                                                                                                        03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                        Last modified on:
                                                                                                                                                                                                                                                                        23 Oct 2024 - 17:43:31 UTC
                                                                                                                                                                                                                                                                        Key Affected versions Fix versions Components Summary Description Workaround
                                                                                                                                                                                                                                                                        NSWAAS-4051
                                                                                                                                                                                                                                                                        • SWG DNS 1.1
                                                                                                                                                                                                                                                                          • UI
                                                                                                                                                                                                                                                                          RBAC: Firewall role is required in addition to DNS Protection role in order to use DNS Protection dashboard and reporting

                                                                                                                                                                                                                                                                          When using custom roles in Sophos Central with DNS Protection, it is necessary to grant an appropriate Firewall role in addition to a DNS Protection role in order for a user to access reporting data. This impacts the Dashboard as well as the Logs & Reports section of DNS Protection.

                                                                                                                                                                                                                                                                          For a user with Firewall access set to ‘None’: no traffic data will be visible on the dashboard or in Logs and Reports.

                                                                                                                                                                                                                                                                          For a user with Firewall access set to ‘Read only’: the dashboard will be fully visible but it is not possible to save templates or schedule reports under Logs and Reports.

                                                                                                                                                                                                                                                                          Customers need to be aware of the issue and configure roles appropriately.

                                                                                                                                                                                                                                                                          NSWAAS-3492
                                                                                                                                                                                                                                                                          • SWG DNS 1.0 EAP (refresh) 2
XDR: LiveDiscover queries show domain_risk=0 for multiple riskscore values

                                                                                                                                                                                                                                                                              When querying DNS log data in LiveDiscover, a value of 0 in the domain_risk column is supposed to indicate that the risk level for the domain could not be determined, or was not determined because the request was not subject to policy assessment. The riskscore column gives a text indication of the risk level assigned to the domain.

In some situations, requests with a valid riskscore, especially ‘Likely clean’ or ‘Trusted’, may also be logged with domain_risk=0.

This issue only affects data in XDR queries. It does not impact the correct application of policy or the data in DNS Protection reports. The 'riskscore' column should be treated as correct.

                                                                                                                                                                                                                                                                              NSWAAS-3281
                                                                                                                                                                                                                                                                              • SWG DNS 1.0 EAP (refresh) 3
                                                                                                                                                                                                                                                                                  Reporting: Daily data on dashboard does not match similar views in Logs & Reports

The query counts shown in the tooltips in the 30-day history view on the dashboard charts do not always match the values shown when a report for the same period is created in Logs & Reports.

                                                                                                                                                                                                                                                                                  The cause of this issue is that the Dashboard view calculates daily totals based on UTC time, whereas the Logs & Reports view uses the user's local time. For users not located in the UTC timezone, the totals for each day will be different.
                                                                                                                                                                                                                                                                                  There is no clear workaround for this issue. Selecting a specific time range in Reports that corresponds to 00:00 UTC may allow creation of a report that confirms the dashboard view.

                                                                                                                                                                                                                                                                                  NSWAAS-3291
                                                                                                                                                                                                                                                                                  • SWG DNS 1.0 EAP (refresh) 2
                                                                                                                                                                                                                                                                                      Reporting: Time range of data included stops before the selected end time

In some situations, the timestamp of data shown in a report stops before the end of the specified time frame filter. This can be seen even when reporting on past periods. For example, if you have selected a time range from 7:00PM-8:00PM as a filter, you might not see logs with a timestamp of 7:40PM or later. You may need to extend the “End time” in order to see complete data from 7PM-8PM.

                                                                                                                                                                                                                                                                                      The cause of this issue is that the data is selected for the report based on the time it was inserted into the reporting database, not the time of the actual event.

                                                                                                                                                                                                                                                                                      To see more complete data, it may be necessary to select an extended time range.

                                                                                                                                                                                                                                                                                      NSWAAS-3339
                                                                                                                                                                                                                                                                                      • SWG DNS 1.0 EAP (refresh) 2
                                                                                                                                                                                                                                                                                          Reporting: Error exporting PDF when Response column is selected with 4 or more other columns

If the “Response” column is selected as one of five or more columns when exporting to PDF, the export takes around 15-20 mins to process. When it completes, the downloaded report displays no data.
When “Response” is not selected, the PDF export displays all data correctly.

If your data is not exported into PDF, select 5 or fewer columns, including the "Response" column, and export the PDF.

                                                                                                                                                                                                                                                                                          Sophos Email

                                                                                                                                                                                                                                                                                          Generated on:
                                                                                                                                                                                                                                                                                          03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                                          Last modified on:
                                                                                                                                                                                                                                                                                          22 Nov 2024 - 09:10:35 UTC
                                                                                                                                                                                                                                                                                          Key Affected versions Fix versions Components Summary Description Workaround
                                                                                                                                                                                                                                                                                          XGE-27373
                                                                                                                                                                                                                                                                                            • none
                                                                                                                                                                                                                                                                                            • XGE
                                                                                                                                                                                                                                                                                            Public Google groups email rejected by Central

Scenario: An external domain emails a Google group. The inbound email is scanned and delivered to Google. When the email reaches the Google group, it is forwarded to any external and internal email addresses. The copies for external email addresses that are forwarded back to Central as outbound email are blocked, because the sender of these emails is external.

Sophos Central email only supports the following:

                                                                                                                                                                                                                                                                                            • We support: the sender is a customer address, the group contains internal and external recipients. The email is delivered to all group members.

                                                                                                                                                                                                                                                                                            • We don’t support: the sender is an external address, the group contains internal and external recipients. The email is only delivered to internal group members, not external ones.

                                                                                                                                                                                                                                                                                            XGE-12394
                                                                                                                                                                                                                                                                                            • 2017.35
                                                                                                                                                                                                                                                                                              • Postfix
                                                                                                                                                                                                                                                                                              Outbound Google Workspace (formerly G Suite) emails with aliases in different domains aren't sent.

                                                                                                                                                                                                                                                                                              The "envelope from" and "data from" headers in outbound emails sent through Sophos Email Security must be in the same domain.

                                                                                                                                                                                                                                                                                              When using Google Workspace as an email service provider, if an outbound email is sent with an alias from a different domain, it won't be relayed outbound. This is because when sending as an alias in Google Workspace the "envelope from" header is the primary account.

For example, domain1.com and domain2.com are both protected domains with valid mailboxes.

                                                                                                                                                                                                                                                                                              If the primary account email address is user@domain1.com and an email is sent from the alias alias@domain2.com, Google Workspace sends the email with the "envelope from" header as "user@domain1.com". But the "data from" header is alias@domain2.com.

                                                                                                                                                                                                                                                                                              This email is rejected as the "envelope from" and "data from" headers don't match.

                                                                                                                                                                                                                                                                                              Contact Google Workspace support to ask for the "envelope from" and "data from" headers to be matched for outbound emails, regardless of the alias used.

                                                                                                                                                                                                                                                                                              XGE-8023
                                                                                                                                                                                                                                                                                              • 2017.35
                                                                                                                                                                                                                                                                                              • 2024.18
                                                                                                                                                                                                                                                                                              • Postfix
                                                                                                                                                                                                                                                                                              We don't send NDRs for accepted inbound emails.

                                                                                                                                                                                                                                                                                              Sophos Email Security doesn't create non-delivery reports (NDR) for emails going to valid mailboxes that it can't deliver to their final internal destination.

                                                                                                                                                                                                                                                                                              XGE-17643
                                                                                                                                                                                                                                                                                              • 2020.32
                                                                                                                                                                                                                                                                                                • Outbound
                                                                                                                                                                                                                                                                                                Outbound emails sent from the eu-central region to Microsoft-hosted domains go to the junk folder.

The junk categorization isn't a result of the emails coming from Sophos Email Security, because other emails are successfully delivered to inboxes of addresses on Microsoft-hosted domains, for example, outlook.com.

                                                                                                                                                                                                                                                                                                Although Microsoft does not publicly share how it classifies email as junk, anecdotal evidence suggests that it learns from the recipient's actions. If customers' emails are repeatedly marked as junk by recipients in Microsoft-hosted email domains, then future customer emails might automatically be marked as junk.

                                                                                                                                                                                                                                                                                                Inform and educate customers sending emails to Microsoft-hosted domains to exercise caution with the type of emails they send, to prevent recipients from reporting emails as junk.

                                                                                                                                                                                                                                                                                                XGE-15756
                                                                                                                                                                                                                                                                                                    • DC
                                                                                                                                                                                                                                                                                                    Files with the .P7B extension blocked when the Certificates category is enabled in a Data control (DLP) policy.

                                                                                                                                                                                                                                                                                                    If a Data control policy has the Certificates category selected, alerts are raised for .p7b files, even though the .p7b extension isn't in the Certificates category.

                                                                                                                                                                                                                                                                                                    This is because Data control blocking uses True File Types and .p7b files share a file type with the .crt exception.

                                                                                                                                                                                                                                                                                                    XGE-27625
                                                                                                                                                                                                                                                                                                        • Policy configuration
The Central daily malware report is detected as Malicious URLs

If a customer has set up a Daily malware report to “Attach the report to the email”, Sophos Central Email may detect the email as “Malicious URLs” because the report contains malicious URLs.

The workaround is to configure the report to “Send a link to the report (secure)” instead of “Attach the report to the email”.


                                                                                                                                                                                                                                                                                                        XGE-29083
                                                                                                                                                                                                                                                                                                            • Message History
                                                                                                                                                                                                                                                                                                            Wildcard Searches in Message History Advanced Searches

Search strings in the text fields of the advanced search page (From, To, Subject) are treated as word searches within the string. Wildcards and regular expressions are not supported.

For example, for "From: Sender@domain.tld", the possible search strings are:

• Sender
• domain
• tld

                                                                                                                                                                                                                                                                                                            XGE-28323
                                                                                                                                                                                                                                                                                                              • none
                                                                                                                                                                                                                                                                                                              • smart banner
Specific emails are received with unreadable content if a smart banner is on

Scenario: Emails from the backup-generating system are received in an unreadable format if a smart banner is on.

This issue can be observed if there is a problem with the email content coming from the sender’s system:

i) The content is a UTF-16 HTML document that is base64 encoded, but the ‘charset’ field in the tag says ‘UTF-8’.

ii) As per the standard (https://www.w3.org/International/questions/qa-html-encoding-declarations#utf16), a UTF-16 HTML document should begin with the UTF-16 BOM. If the BOM is missing from the email content, this issue occurs.

This needs to be fixed on the originating system.

                                                                                                                                                                                                                                                                                                              XGE-29102
                                                                                                                                                                                                                                                                                                                  • MFR
                                                                                                                                                                                                                                                                                                                  Expected Behaviour with Subdomains and MFR rules

When the primary domain is connected in the Mail Flow configuration, all emails for the domain, as well as for its subdomains, start to flow through Central Email because of the Mail Flow rules created by Sophos.

Two workarounds:

1) Onboard the subdomains along with the primary domain for protection.

2) Or add the subdomains to the exception list of the Mail Flow rule created by Sophos.

                                                                                                                                                                                                                                                                                                                  XGE-25028
                                                                                                                                                                                                                                                                                                                      • SPF_LOGS
                                                                                                                                                                                                                                                                                                                      SPF soft fail

                                                                                                                                                                                                                                                                                                                      Sophos Email Security only generates an SPF-Fail on a hard fail if the SPF-String is terminated with "-all".

SPF-Strings terminated with "~all" (note the tilde character) that don't match the sender's IP address don't cause an SPF-Fail.

                                                                                                                                                                                                                                                                                                                      XGE-24715
                                                                                                                                                                                                                                                                                                                          • Attachment Filtering
                                                                                                                                                                                                                                                                                                                          Inbound email attachment is removed if it's uuencoded.

                                                                                                                                                                                                                                                                                                                          If an inbound email has attachments that use uuencoding, the attachments are removed. This is because messages with uuencoded attachments, and the attachments, are processed as text messages.

                                                                                                                                                                                                                                                                                                                          XGE-23508
                                                                                                                                                                                                                                                                                                                              • Policy configuration
                                                                                                                                                                                                                                                                                                                              Sophos Email Security doesn't accept addresses with the "!" character.

                                                                                                                                                                                                                                                                                                                              Emails with addresses containing the "!" character (exclamation mark) in the local part of the email address aren't supported, and are rejected.

                                                                                                                                                                                                                                                                                                                              For example: mailhost!username@example.org.

Remove the "!" character.

                                                                                                                                                                                                                                                                                                                              XGE-10569
                                                                                                                                                                                                                                                                                                                              • 2019.15
                                                                                                                                                                                                                                                                                                                                • Self-Service Portal
                                                                                                                                                                                                                                                                                                                                SSP Quarantine and Emergency Inbox are empty.

                                                                                                                                                                                                                                                                                                                                A user has been given access to the Sophos Email SSP. They have mail in quarantine and the Emergency Inbox is turned on. But when using SSP the Quarantine and Emergency Inbox pages have no items.

                                                                                                                                                                                                                                                                                                                                This might happen when more than one user is assigned the same email address, and at least one of those users has no mailbox.

- In Sophos Central go to "People".
- Filter users by the email address of the affected user.
- Click each user to find the one that doesn't have a mailbox.
- Use "Delete User" to delete the user without a mailbox.
- Go to "People" and filter by the email address again.
- Select the user in question.
- Click "Email Setup Link" and select Sophos Central Self Service Welcome.

                                                                                                                                                                                                                                                                                                                                The user can then access the Self Service Portal using the instructions in their inbox.

                                                                                                                                                                                                                                                                                                                                XGE-18900
                                                                                                                                                                                                                                                                                                                                • 2017.35
                                                                                                                                                                                                                                                                                                                                  • Custom URL
                                                                                                                                                                                                                                                                                                                                  Unable to add more than 129 URLs

                                                                                                                                                                                                                                                                                                                                  The Sophos Email Security URL allow list can only contain up to 129 URLs.

                                                                                                                                                                                                                                                                                                                                  XGE-19011
                                                                                                                                                                                                                                                                                                                                      • Quarantine
                                                                                                                                                                                                                                                                                                                                      Language selection for QS email in Sophos Email Security.

                                                                                                                                                                                                                                                                                                                                      All mailboxes use the same language for the QS email. This can't be changed for individual mailboxes.

XGE-18940
• Admin Quarantine
Sophos Self Service Portal has no emails when signing in.

This happens if a user's account has been linked to a user without a mailbox.

Delete both the user account without a mailbox and the one with the mailbox. Then create a new user and mailbox.

If the email address was used under a different Sophos Central account, it should be removed there first. If you can't do this, raise a case with Sophos Support.

Note: Quarantine repositories and emergency inboxes are linked to user accounts via an ID. You can't remove an ID from these repositories and attach a different one.

XGE-8099
• 2017.35
• DKIM
Sophos Email Security application of DKIM checks.

There is no industry standard for deciding if a DKIM (DomainKeys Identified Mail) check passes or fails.

To find out how Sophos applies DKIM checks, see Known Behavior of DKIM (DomainKeys Identified Mail).

Sophos Firewall

Generated on:
03 Dec 2024 - 08:00:02 UTC
Last modified on:
29 Nov 2024 - 00:55:26 UTC
Key Affected versions Fix versions Components Summary Description Workaround
NC-120119
• SFOS 19.0.1 MR1-Rebuild-Build365 (19.0.1.365) [Akamaru]
• NoRelease
• SSLVPN
SSLVPN remote access: with static IP and UDP, the second tunnel establishment attempt fails authentication because the IP address is not released when the previous tunnel is disconnected

This issue is seen only when the SSLVPN remote access (RA) tunnel type is UDP; it does not apply to TCP. It applies to SFOS v19.0 MR1 or later.

Configuration on SFOS:

• In SSLVPN global settings, Protocol is set to UDP and the ‘Use static IP addresses’ checkbox is enabled.

• Create a user and assign an SSLVPN static IP from the IPv4 address range set in the SSLVPN global settings.

• Enable user portal login on Admin->device settings.

• Download the SSLVPN configuration from the user portal and use it on the remote access client.

• Initiate the connection; the connection will be successful.

• Disconnect the tunnel from the remote access client and connect again; the tunnel will not be established, with the reason AUTH_FAILED (in /log/sslvpn.log), and the UI log viewer says ‘User failed to login to SSLVPN through Local authentication mechanism because of ip lease failed’

• Set the value of 'Disconnect dead peer after' in SSLVPN global settings to the minimum amount of time, say 60 seconds, so that after 120 seconds (twice the dead peer value) bringing up the SSLVPN RA tunnel from the remote access client will be successful.

• Or use a TCP-based SSLVPN RA connection.

NC-144608
• SFOS 20.0.2 MR2-Build378 (20.0.2.378) [Apataki]
• SecurityHeartbeat
Heartbeat Authentication issue with Servers

Servers are not showing in the User list (Heartbeat Authentication)

By design, servers are not authenticated with a username or domain name. Here, the endpoint sends a login request to the server with no domain name, and the firewall validates and ignores the request as it is empty.

Since the login request has not been sent, it's not added to the live users list.

NC-144491
• SFOS 21.0.0 GA-Build169 (21.0.0.169) [Bitra]
• Interface Management
Physical interfaces or expand logical interfaces in SFOS v21 not visible after upgrading to 21.0.0

The Interface Management page (Network > Interfaces) doesn’t show interfaces with names ending with 10 digits or more. The logical interfaces are either not expanding or not visible. There is no functional impact; this is purely a UI issue.

This problem occurs when an interface name contains more than 10 digits at the end of the name.
For example:

Please refer to the KBA: https://support.sophos.com/support/s/article/KBA-000010030

NC-116989
• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
• NoRelease
• Clientless Access
The Clientless SSL VPN Policy RDP access shows cursor as Cross instead of Arrow

Starting with version 19, Sophos Firewall includes several security improvements to prevent attackers from accessing sensitive information. One of these changes is an upgrade to the RDP component to the latest version, which helps to improve overall security. However, this new component library does have a minor behavior difference: in versions 19 and later, the cursor is displayed as a cross instead of an arrow.

NC-69633
• SF 17.5 MR9 (17.5.9.577)
• Email
Wildcard Exceptions FQDN host are not visible in SMTP exceptions. - Need clear indication

A user interface issue exists in SFOS; it was reported in v17.5 MR9 but also exists in later versions.

If an Admin adds a wildcard SMTP exception for an FQDN host (Email->Policies and exceptions->Exceptions), the FQDN wildcard entry is accepted and is visible in the UI under Email -> Policies and exceptions. However, if the Admin attempts to edit this exception, the added wildcard entry will not be visible.

This is confirmed as a UI issue and we are currently investigating. We have no fixed date or version at this time.

NA

NC-144703
• SFOS 20.0.0 EAP1-Build195 (20.0.0.195) [Makemo]
• SFOS 21.5.0 EAP0-BuildXYZ(21.5.0.xyz) [Mahina]
• SFOS 20.0.3 MR3-Build427 (20.0.3.427) [Akiaki]
• SFOS 21.0.1 MR1 -BuildXYZ(21.0.1.xyz) [Amini]
• Authentication
MFA tokens are not working for some of the VPN users after firmware upgrade or HA failover, from SFOS v20 onwards.

Situation:

MFA tokens are not functioning for some VPN (SSLVPN/IPsec) users after a firmware upgrade or HA failover starting from SFOS v20.

This issue affects users who did not use the initial QR code provided during the MFA onboarding process. After a firmware upgrade or HA failover, the MFA tokens fail because the HA nodes are out of sync, leading to MFA errors for these users during failover events.

Workaround -1:

The safest workaround is to delete the problematic token; a new OTP token will be generated automatically when the user logs in again.

1. Authentication-> MFA -> Issued tokens -> delete the token
2. When the user logs in again, a new OTP token will be generated.

Note: The issue can occur only in an MFA-enabled HA setup, for specific users who did not use the first QR code offered.

Workaround -2: Rebooting the auxiliary device should sync it with the primary DB.
Workaround -3: This issue may be observed after HA failover or firmware upgrade. Before this activity, the customer can use the "Sync Auxiliary Device" option in the GUI, which will repair the HA cluster.

                                                                                                                                                                                                                                                                                                                                                  NC-135094
                                                                                                                                                                                                                                                                                                                                                  • SFOS 20.0.0 - Build281(20.0.0.281) [Taiaro]
                                                                                                                                                                                                                                                                                                                                                  • NoRelease
                                                                                                                                                                                                                                                                                                                                                  • Wireless
                                                                                                                                                                                                                                                                                                                                                  2nd Gen XGS desktop models: Wireless interfaces cannot be used in a physical bridge in second-generation XGS models.

                                                                                                                                                                                                                                                                                                                                                  Wireless interfaces cannot be used in a physical bridge in second-generation XGS models.

                                                                                                                                                                                                                                                                                                                                                  If the customer configures the Bridge subsystem with the Bridge to AP LAN interface on first-generation XGS models and restores the backup on second-generation models, the restore will fail.

                                                                                                                                                                                                                                                                                                                                                  If the customer has configured OSPF, OSPFv3, RIP, SPX Portal Setting, or Quarantine settings with the Bridge to AP LAN interface on first-generation XGS hardware and restores the backup on second-generation models, the restore will succeed; however, the configuration with the Bridge to AP-LAN interface will not work as we do not support this use case.

                                                                                                                                                                                                                                                                                                                                                  N/A

                                                                                                                                                                                                                                                                                                                                                  NC-84171
                                                                                                                                                                                                                                                                                                                                                  • SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]
                                                                                                                                                                                                                                                                                                                                                    • L2TP
L2TP: multiple clients behind a NAT'd device cause traffic issues

Multiple L2TP connections cannot be established from behind the same NAT'd device.

Example:
Two Windows clients are behind a NAT'd device, through which they connect to XG using L2TP over IPsec. The tunnels are established, but traffic is affected: for example, ping traffic from Windows1 works for a few seconds and is then dropped, and Windows2 sees no ping responses while ping is working from Windows1, and vice versa.

                                                                                                                                                                                                                                                                                                                                                    NCL-1392
                                                                                                                                                                                                                                                                                                                                                        • STAS
Do we support Secure LDAP port 636 in STAS for Novell eDirectory configuration?

Question:

Do we support Secure LDAP port 636 in the Novell eDirectory configuration of STAS?

Answer:

Secure LDAP port 636 is not supported in the Novell eDirectory configuration of STAS.

                                                                                                                                                                                                                                                                                                                                                        NC-63913
                                                                                                                                                                                                                                                                                                                                                        • SF 17.5 MR9 (17.5.9.577)
                                                                                                                                                                                                                                                                                                                                                          • IPS Policy
When an XG device is in FETCH mode in SFM and the user changes the "Advanced Threat" setting with a template, the SFM event log shows a failure message even though the setting was applied correctly in XG Firewall

When the XG device is set to FETCH mode in SFM and the user changes the "Advanced Threat" setting with a template, the SFM event log shows a failure message even though the setting was applied correctly in XG Firewall.

This is a known issue only for devices configured in FETCH mode in SFM.

This issue is not observed on XG Firewall devices configured in PUSH mode.

                                                                                                                                                                                                                                                                                                                                                          NC-136352
                                                                                                                                                                                                                                                                                                                                                              • Documentation
                                                                                                                                                                                                                                                                                                                                                              IPsec - IKEv2 packet size increase in v20.0.MR1 on SFOS may cause tunnel bringup issues while interoperating with some 3rd party devices

On a Sophos firewall running 20.0.MR1 or above, bringing up an IPsec site-to-site tunnel with the default IKEv2 profile may fail under some conditions: SFOS keeps re-attempting the connection with the peer IPsec gateway (SFOS or 3rd party device), but the tunnel does not come up.

Cause:

SFOS running 20.0.MR1 or above, with the default IKEv2 profile for IPsec tunnels, increases the IKEv2 packet size beyond 1500 bytes, which causes fragmentation.

If such fragmented packets are not handled, or are dropped in the network due to PMTU issues, the S2S IPsec tunnel fails to come up.

In 20.0.MR1, the strongSwan and OpenVPN versions are upgraded, which adds more default fields to the IKEv2 packet and increases the packet size.

In the IPsec profile, reduce the number of DH groups to a minimum of 4 (the default IKEv2 profile has 6), or keep only the exact DH group that is used on the far-end IPsec gateway.

                                                                                                                                                                                                                                                                                                                                                              NC-128116
                                                                                                                                                                                                                                                                                                                                                                  • Documentation
                                                                                                                                                                                                                                                                                                                                                                  SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS

                                                                                                                                                                                                                                                                                                                                                                  OpenVPN has been upgraded to 2.6.0 in this version. Firewalls upgraded to 20.0 MR1 won't establish SSL VPN tunnels with the following clients and firewall versions:

                                                                                                                                                                                                                                                                                                                                                                  • SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 or earlier versions and SFOS 20.0 MR1. We recommend that you upgrade both firewalls to 20.0 MR1 at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels. For IPsec tunnels, see Route-based VPN.

                                                                                                                                                                                                                                                                                                                                                                  • Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels. See Remote access SSL VPN with the Sophos Connect client. See Remote access IPsec VPN.

                                                                                                                                                                                                                                                                                                                                                                  • UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 20.0 MR1. We recommend that you migrate these to 20.0 MR1. Alternatively, you can use site-to-site IPsec or RED tunnels. See Site-to-site RED tunnel.

                                                                                                                                                                                                                                                                                                                                                                  NC-140831
                                                                                                                                                                                                                                                                                                                                                                  • SFOS 20.0.1 MR1-Build342 (20.0.1.342) [Amanu]
                                                                                                                                                                                                                                                                                                                                                                  • SFOS 21.0.0 EAP1-Build152 (21.0.0.152) [Agatti]
                                                                                                                                                                                                                                                                                                                                                                  • SFOS 20.0.2 MR2-Build378 (20.0.2.378) [Apataki]
                                                                                                                                                                                                                                                                                                                                                                    • Backup-Restore
                                                                                                                                                                                                                                                                                                                                                                    Issue with restoring backups via S3 in fresh deployments of SFOS on AWS.

                                                                                                                                                                                                                                                                                                                                                                    An issue with restoring backups via S3 in fresh deployments of SFOS on AWS.

                                                                                                                                                                                                                                                                                                                                                                    Impact: This issue affects backups taken from SFOS versions 19.5 MR4 and later, including version 20 GA and onwards. Backups taken from earlier versions are not affected.

                                                                                                                                                                                                                                                                                                                                                                    This issue will be fixed in SFOS v21 MR1.

                                                                                                                                                                                                                                                                                                                                                                    Deploy the AWS instance first, and then restore the backup manually.

                                                                                                                                                                                                                                                                                                                                                                    NC-8891
                                                                                                                                                                                                                                                                                                                                                                    • SF 15.01.0 MR1.1 (15.01.0.407)
                                                                                                                                                                                                                                                                                                                                                                        CHAP or CHAPV2 in L2TP & PPTP VPN with AD Configuration is not working

                                                                                                                                                                                                                                                                                                                                                                        VPN Authentication for IPSec / L2TP / PPTP is not working with AD.

Use the PAP authentication method instead.

                                                                                                                                                                                                                                                                                                                                                                        NC-137602
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 20.0.1 MR1-Build342 (20.0.1.342) [Amanu]
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 21.0.0 EAP0-Build149 (21.0.0.149) [Tokorua]
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 20.0.2 MR2-Build378 (20.0.2.378) [Apataki]
                                                                                                                                                                                                                                                                                                                                                                        • Certificates
Certificate is seen as untrusted if it is signed by a new CA that contains a forward slash (/) or a plus (+) character in the subject line

If a new CA is uploaded in v20 MR1 and that CA contains a forward slash (/) or plus (+) character in its subject line, the certificates signed by that new CA are marked as untrusted.

CAs and certificates that already exist in SFOS continue to work on v20 MR1.

                                                                                                                                                                                                                                                                                                                                                                        This issue will be fixed in v20.0 MR2. The customer will need to delete the affected certificate and upload it again after migration to v20 MR2.

                                                                                                                                                                                                                                                                                                                                                                        To fix this in v20 MR1, please contact Sophos support.

                                                                                                                                                                                                                                                                                                                                                                        NC-135792
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 20.0.1 MR1-Build342 (20.0.1.342) [Amanu]
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 21.0.0 EAP0-Build149 (21.0.0.149) [Tokorua]
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 20.0.2 MR2-Build378 (20.0.2.378) [Apataki]
                                                                                                                                                                                                                                                                                                                                                                        • CTR
                                                                                                                                                                                                                                                                                                                                                                        UI log download feature will show an empty dropdown for files to download for devices XG86/XGS87

                                                                                                                                                                                                                                                                                                                                                                        UI log download feature will show an empty dropdown for files to download for devices XG86/XGS87.

                                                                                                                                                                                                                                                                                                                                                                        Steps:
1. Log in to the CLI console.
2. Press 5 for device management, then 3 to enter the advanced shell.
3. Execute the command "service tomcat:restart -ds nosync".
4. Check the tomcat service status using "service tomcat:status -ds nosync".
5. Verify that the UI loads and that you can log in, then verify the "logs download" feature on the diagnostics->tools page.

                                                                                                                                                                                                                                                                                                                                                                        NC-120615
                                                                                                                                                                                                                                                                                                                                                                        • SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]
                                                                                                                                                                                                                                                                                                                                                                          • SSLVPN
SSLVPN user still shows in the live user list after disconnection from the client when connecting using UDP

                                                                                                                                                                                                                                                                                                                                                                          Description

                                                                                                                                                                                                                                                                                                                                                                          SSLVPN User still shows in the live user list after disconnection from the client when connecting using UDP 

                                                                                                                                                                                                                                                                                                                                                                          Configs on SFOS: 

                                                                                                                                                                                                                                                                                                                                                                          • SSLVPN Global settings are configured with Protocol as UDP

                                                                                                                                                                                                                                                                                                                                                                          • Create a user, and add it under the SSL VPN profile

                                                                                                                                                                                                                                                                                                                                                                          • Download the SSLVPN configuration from the user portal and use it on remote access client

                                                                                                                                                                                                                                                                                                                                                                          • Initiate the connection and the connection will be successful.

                                                                                                                                                                                                                                                                                                                                                                          • Disconnect the tunnel from the remote access client

• The user is disconnected in the Connect client application but still appears under Current activities → Live user list

Use a TCP-based SSLVPN RA connection, which will immediately disconnect the user from the live user list.

                                                                                                                                                                                                                                                                                                                                                                          NC-135950
                                                                                                                                                                                                                                                                                                                                                                          • SFOS 20.0.0 GA-Build222 (20.0.0.222) [Makemo]
                                                                                                                                                                                                                                                                                                                                                                            • WAF
                                                                                                                                                                                                                                                                                                                                                                            Unable to send email attachments even when WAF file size limit has been increased

                                                                                                                                                                                                                                                                                                                                                                            Users are unable to send email attachments even when the file size limit for WAF has been increased.

The Sophos WAF solution does not support the MAPI over HTTP protocol, which was introduced in Microsoft Exchange 2016.

                                                                                                                                                                                                                                                                                                                                                                            The following workarounds may not work in all scenarios and are not guaranteed to solve the issue with MAPI over HTTP protocol and the Sophos WAF.
                                                                                                                                                                                                                                                                                                                                                                            1. Configure the Microsoft Exchange server to use RPC over HTTP and MAPI over HTTP.
                                                                                                                                                                                                                                                                                                                                                                            2. Disable chunked file transfer support on the Microsoft Exchange server.
3. Use a D-NAT policy with firewall rules as an alternative.

                                                                                                                                                                                                                                                                                                                                                                            NC-130922
                                                                                                                                                                                                                                                                                                                                                                            • SFOS 20.0.0 GA-Build222 (20.0.0.222) [Makemo]
                                                                                                                                                                                                                                                                                                                                                                            • SFOS 19.5.4 MR4-Build718 (19.5.4.718) [Temoe]
                                                                                                                                                                                                                                                                                                                                                                              • SSLVPN
                                                                                                                                                                                                                                                                                                                                                                              SSLVPN RA: Openvpn Connect v3.4.x on Android with compression OFF on SFOS has data path not working

The recent version of OpenVPN has caused an issue in the data path (traffic) for Android users running the latest OpenVPN Connect (v3.4.x) when connected to SFOS using SSLVPN remote access.

When compression is ‘disabled’ (or OFF) on SFOS (SSLVPN RA → Global Settings), the tunnel from Android users comes up but end-to-end traffic does not work. The data packets from Android devices are not processed, and the following error is logged:

                                                                                                                                                                                                                                                                                                                                                                              Error: 2024-01-30 10:18:08Z [7565]   user1/xx:35854 Bad compression stub decompression header byte:251

Details and the workaround are described at https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/143651/sophos-firewall-temporary-fix-openvpn-3-4-0-no-compression-android-devices


                                                                                                                                                                                                                                                                                                                                                                              NC-130554
                                                                                                                                                                                                                                                                                                                                                                              • SFOS 20.0.1 MR1-Build342 (20.0.1.342) [Amanu]
                                                                                                                                                                                                                                                                                                                                                                                • Documentation
                                                                                                                                                                                                                                                                                                                                                                                .apc file generated on SFOS with Openvpn2.6.0 (Takume) can't be used on UTM9

SSL site-to-site VPN tunnels between Sophos SFOS acting as the server and UTM acting as the client are not supported after the release of 20.0 MR1.

                                                                                                                                                                                                                                                                                                                                                                                NC-131322
                                                                                                                                                                                                                                                                                                                                                                                • SFOS 19.5.3 MR3-Build652 (19.5.3.652) [Katiu]
                                                                                                                                                                                                                                                                                                                                                                                  • HA
                                                                                                                                                                                                                                                                                                                                                                                  In some scenarios, the user cannot register the auxiliary firewall in Sophos Central due to a mismatch of MTU on the outgoing interface and HA dedicated interface.

In some scenarios, the user cannot register the auxiliary firewall in Sophos Central due to a mismatch of MTU on the outgoing interface and the HA dedicated interface. Webadmin gives the error “Couldn’t Register the firewall with Sophos Central. Verify your Sophos Central Credentials.”

Set the MTU on both the PRIM and AUX devices, then verify the issue's status:

ip link set mtu 1500 dev PortX

where PortX is the HA dedicated port. In this example, the outgoing interface MTU is 1500.

                                                                                                                                                                                                                                                                                                                                                                                  NC-132209
                                                                                                                                                                                                                                                                                                                                                                                  • SFOS 19.5.2 MR2-Build624 (19.5.2.624) [Hitra]
                                                                                                                                                                                                                                                                                                                                                                                  • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                  • RED
RED EOL alert will not be displayed on Control Center after restoring backup

                                                                                                                                                                                                                                                                                                                                                                                  The RED End-of-Life (EoL) alert notification does not show up on the control center in case of restoring a backup containing configured Legacy RED EOL models.

If any of the RED EoL models (15/15W/50) is added or already configured in SFOS, the RED EoL banner is shown at the top of the Network > Interfaces UI page. An alert message is also displayed on the Control Center page as a quick notification to the admin. When a backup containing such a RED EoL model configuration is restored to the latest SFOS release build, no alert message is generated on the Control Center. Only the RED EoL banner is displayed on the Network > Interfaces page.

                                                                                                                                                                                                                                                                                                                                                                                  NC-62786
                                                                                                                                                                                                                                                                                                                                                                                  • SF 18.0 MR1-1 (18.0.1.396)
                                                                                                                                                                                                                                                                                                                                                                                    • VFP-Firewall
                                                                                                                                                                                                                                                                                                                                                                                    Enabling/disabling firewall-acceleration will bounce the ports

If firewall-acceleration is changed on the CLI, the link state of the affected ports will bounce.

NC-13639
• CaptivePortal
[CaptivePortal] Problems with UTF8 names

Local users with names that contain umlauts (ööööööö) cannot log in (if the login happens via AD / STAS, a login is possible).
Local users with special characters (UTF-8) could not be created, and even existing AD users with those names cannot log in.

NC-130931
• Hardware
A PoE issue is observed with the AP6 when powered using an XGS116/w

An "Insufficient power" message is observed on the AP6 420.

Setup:

AP6 with firmware: 3.80(MR-2)

XGS 116 firmware: 19.5.3

The AP6 is directly connected to Port8 (PoE) of the XGS116.

The PoE controller defaults to 802.3af (15W), and SFOS 19.5.3 MR-3 (or later) sets the controller to 802.3at (30W). Please make sure that you are running at least the SFOS 19.5.3 release.

However, if a PoE device was connected before a 'cold' power-on or 'power-cycle', the PoE device will negotiate to 802.3af before SFOS overrides the setting to 802.3at.

• After a 'cold' power-on or 'power-cycle', the XGS 116(w) requires a reboot (once only) for the PoE setting to take effect for any attached PoE device.

• If a reboot is not desired, the PoE device's Ethernet cable can be pulled and inserted again to re-negotiate PoE.

NC-128609
5G (EM9191 Sierra) - ROGER FW/PRI - network connectivity disconnects for 30 seconds after every 3-4 days

When using the 5G modem EM9191 with the Canadian provider ROGER, there might be a disconnect for around 30 seconds every 3-4 days.

This is known to happen with firmware version 03.10.07.00 of this 5G modem.

There is no workaround.

NCL-1394
• Auth Client macOS 2.1.0
  • Authentication Clients
CAA takes 2-3 minutes to log in the user on Mac when it comes back from sleep

Issue description:

When a MacBook wakes from sleep mode, it takes 2-3 minutes for the user to be able to browse the internet.

This happens only when a user-based firewall rule is in place. It takes CAA around 2-3 minutes to authenticate the user.

Workaround:

The user can disconnect and reconnect the client.

Disconnect the CAA, then reconnect.

NC-94355
• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
  • Logging Framework
Device goes into failsafe when upgraded to v19.0.0 GA

If your device is using a configuration previously restored from a Cyberoam backup, and you have NOT regenerated the appliance certificate on SFOS, upgrading to SFOS v19 will result in operation in failsafe mode.

The appliance certificate generated on Cyberoam devices uses a weak signature algorithm (MD5) that is NOT supported for appliance certificates in SFOS v19.

How to verify before upgrading:

Check the Signature Algorithm of the appliance certificate by running the following command on the advanced shell:

    openssl x509 -in /conf/certificate/ApplianceCertificate.pem -text -noout

If the output shows the signature algorithm as "md5WithRSAEncryption", DO NOT upgrade to v19.

Please refer to the KBA: https://support.sophos.com/support/s/article/KB-000044122?language=en_US

NC-128244
• SFOS 19.5.1 MR1-Build278 (19.5.1.278) [Hatutu]
  • Netfilter Utils
Packet Capture in Webadmin reflects a wrong IN interface for a forwarded packet after SD-WAN failover

Packet Capture in Webadmin reflects a wrong IN interface for a forwarded packet after an SD-WAN failover.

This is a cosmetic issue; traffic routing is not affected.

There is no workaround; this is a cosmetic issue.

NC-127577
• CaptivePortal
Captive Portal Redirect does not work for DNAT rules from LAN/DMZ

Captive portal redirect does not work for DNAT firewall rules.

When using DNAT, if a connection's original destination address is the address of an interface on the firewall, the web proxy process cannot handle it. This means web-based authentication methods such as AD SSO and Captive Portal will not be triggered.

Access the captive portal manually using the LAN/DMZ address on port 8090.

NC-16462
• SF 16.05 GA (16.05.0.117)
  • Reporting
Only displayed results will be included while exporting data into HTML / PDF / CSV

Only displayed results will be included while exporting data into HTML / PDF / CSV.

Only the records displayed on the current page can be downloaded as HTML / PDF / CSV.

Example: A web report has 20 pages in total. If the current page is 3, then the page 3 records can be downloaded as HTML / PDF / CSV.

Download the report as displayed on the current page.

NC-124124
• SF 17.5 MR7 (17.5.7.511)
• SF 17.5 MR9 (17.5.9.577)
  • Wireless
APX MESH separate zone WiFi disconnects for mobile devices

When pushing a separate zone WiFi out to an APX MESH network, mobile devices such as iPhones and Android devices fail to browse the internet from MESH nodes. The Root AP works correctly.

The device is able to ping the internet or any other device, but cannot make a connection to HTTP or HTTPS sites.

Setting the separate zone interface to 1450 MTU may work as a workaround.

                                                                                                                                                                                                                                                                                                                                                                                                                NC-99867
                                                                                                                                                                                                                                                                                                                                                                                                                • SF 18.0 MR5-Build586 (18.0.5.586) [Samal]
                                                                                                                                                                                                                                                                                                                                                                                                                  • Email
                                                                                                                                                                                                                                                                                                                                                                                                                  Error received when trying to add entry to blocked senders list when list is large

                                                                                                                                                                                                                                                                                                                                                                                                                  Issue:

When the blocked senders list gets large, it can fail to add new entries. The exact number of entries will vary, as it depends on the length of each email address. We have seen issues when lists get over 2400.

Users will see a warning message saying 'The operation will take time to complete. The status can be viewed from the "Log viewer" page'.

Checking csc.log will show a line like this:

                                                                                                                                                                                                                                                                                                                                                                                                                  2021-06-02 11:40:21,411:ERROR:CSC - Exception in getStatusFromResponse() :java.lang.NumberFormatException: For input string: ""java.lang.NumberFormatException: For input string: ""

Replace duplicate entries with wildcards to reduce the number of entries on the blocklist where possible. Entries like smith@domain1 and joe@domain1 can be reduced to entries like *@domain1, which will cover a wider range of addresses anyway.

                                                                                                                                                                                                                                                                                                                                                                                                                  NC-106815
                                                                                                                                                                                                                                                                                                                                                                                                                  • SFOS 19.0.1 MR1-Rebuild-Build365 (19.0.1.365) [Akamaru]
                                                                                                                                                                                                                                                                                                                                                                                                                    • Logging Framework
/conf gradually fills up if on-box reports on the appliance are off

The /conf partition on the appliance gradually fills up if on-box reports on the appliance are disabled/off. When the /conf partition reaches 100%, it is not possible to log in to the GUI.

The issue will be resolved in 19.0.2 MR 2 and 19.5 GA.

If on-box reports are off, turn on on-box reporting from the console:

                                                                                                                                                                                                                                                                                                                                                                                                                    console> set on-box-reports on

                                                                                                                                                                                                                                                                                                                                                                                                                    NC-120932
                                                                                                                                                                                                                                                                                                                                                                                                                    • SFOS 19.0.1 MR1-Rebuild-Build365 (19.0.1.365) [Akamaru]
                                                                                                                                                                                                                                                                                                                                                                                                                      • SecurityHeartbeat
Heartbeat alerts for missing heartbeats from firewall to Sophos Central

Heartbeat alerts are received on Sophos Central from the firewall stating that there are “missing heartbeats” when the endpoint systems are in Modern Standby mode.

Modern Standby is a state in which the display of the device turns off but the internal components may remain on.

Since the system is in standby, the heartbeat service is not sending information to the firewall, hence the firewall is blocking the traffic.

Endpoints with Modern Standby enabled are not supported by the firewall, so missing heartbeat alerts can occur.

Heartbeatd.log shows errors like the following:

                                                                                                                                                                                                                                                                                                                                                                                                                      [2023-05-30 13:09:07.953Z] TRACE IpsAdapter.cpp[5125]:48 sendData - sessionid not found.

                                                                                                                                                                                                                                                                                                                                                                                                                      [2023-05-30 13:09:07.953Z] TRACE IpsSender.cpp[5125]:30 sendData - sendData failed (errno=2), entry in resend list created.

• The issue happens when the machine enters Modern Standby mode, which can be identified from the SDU logs under LOGS\ProgramData\Sophos\Sophos Network Threat Protection\Logs\sntpservice.log

                                                                                                                                                                                                                                                                                                                                                                                                                      2023-06-01T09:43:06.681Z [ 5664: 8608] A Inactive Interfaces changed.
                                                                                                                                                                                                                                                                                                                                                                                                                      2023-06-01T11:04:03.513Z [ 5664: 5668] A Received Screen Off notification: Endpoint entering Modern Standby
                                                                                                                                                                                                                                                                                                                                                                                                                      2023-06-01T11:04:04.938Z [ 5664: 5668] A Console Disconnect for: domain\username
                                                                                                                                                                                                                                                                                                                                                                                                                      2023-06-01T12:06:20.781Z [ 5664: 5668] A Received Screen On notification: Endpoint exiting Modern Standby
                                                                                                                                                                                                                                                                                                                                                                                                                      2023-06-01T12:06:26.891Z [ 5664: 5668] A Console Connect for: domain\username

Disable Modern Standby (also known as Connected Standby) on the endpoint side.

Suggested links:

                                                                                                                                                                                                                                                                                                                                                                                                                      https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby

                                                                                                                                                                                                                                                                                                                                                                                                                      https://binaryfork.com/disable-connected-standby-7953/

                                                                                                                                                                                                                                                                                                                                                                                                                      https://binaryfork.com/disable-connected-standby-7953/#how-to-disable-connected-standby-with-a-registry-key

                                                                                                                                                                                                                                                                                                                                                                                                                      https://learn.microsoft.com/en-us/windows/iot-core/learn-about-hardware/wakeontouch#disabling-modern-standby

                                                                                                                                                                                                                                                                                                                                                                                                                      NC-83527
                                                                                                                                                                                                                                                                                                                                                                                                                      • SFOS 18.5.1 MR1-GA-Build326 (18.5.1.326) [Cuba]
                                                                                                                                                                                                                                                                                                                                                                                                                        • SecurityHeartbeat
Unable to register Firewall with Sophos Central account due to Amazon certificate not present in /conf/

Customers may be unable to register with Sophos Central because an Amazon certificate is not present in the /conf/ directory, and get an error similar to this:

                                                                                                                                                                                                                                                                                                                                                                                                                        32021-11-25 17:28:36 WARN API.pm[13476]:119 SFOS::Common::Central::API::send_request - 500 Can't connect to dzr-utm-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com:443 (certificate verify failed)

                                                                                                                                                                                                                                                                                                                                                                                                                        Details here: https://support.sophos.com/support/s/article/KB-000043494?language=en_US

Check whether an Amazon certificate is present using this command:

                                                                                                                                                                                                                                                                                                                                                                                                                        openssl crl2pkcs7 -nocrl -certfile /conf/certificate/internalcas/cloud-ca.crt | openssl pkcs7 -print_certs -text -noout | grep Issuer
If the Amazon CA is not present, do the following:

                                                                                                                                                                                                                                                                                                                                                                                                                        mount -o rw,remount /
                                                                                                                                                                                                                                                                                                                                                                                                                        cp "/conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt.org"
                                                                                                                                                                                                                                                                                                                                                                                                                        cp "/_conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt"
                                                                                                                                                                                                                                                                                                                                                                                                                        mount -o remount,ro /

                                                                                                                                                                                                                                                                                                                                                                                                                        Note: No downtime is required for any of the above steps.

                                                                                                                                                                                                                                                                                                                                                                                                                        NC-113646
                                                                                                                                                                                                                                                                                                                                                                                                                        • SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]
                                                                                                                                                                                                                                                                                                                                                                                                                          • IPsec
                                                                                                                                                                                                                                                                                                                                                                                                                          Traffic fails with v4inv6 tunnel when compression is enabled on all XGS platforms

Traffic fails when compression is enabled for a v4inv6 IPSec tunnel. The issue is seen on all XGS platforms and is consistently reproducible.

With ipsec-acceleration disabled on both DUTs, traffic runs fine with compression enabled in a v4inv4 IPSec tunnel.

Steps to reproduce:

1. Configure a v4inv6 IPSec tunnel between the devices, making sure to enable compression.

2. Ping from endpointA to endpointB; the traffic fails.

Disable ipsec-acceleration; traffic then runs fine with compression enabled in a v4inv4 IPSec tunnel.

NC-103820
• SFOS 19.0.0 EAP0-Build190 (19.0.0.190) [Tahiti]
• NoRelease
• Clientless Access
Clipboard not working in RDP bookmark

In v19 and later, there have been several security improvements in Sophos Firewall to prevent attackers from getting hold of sensitive information. One of the changes we made was upgrading the RDP component to the latest version to improve the overall security posture. The clipboard functionality is not directly compatible with the latest RDP components, so it is not supported in versions 19 and later.

NCL-1769
• Authentication Clients
Unable to download Sophos Network Agent for Android from the Google Play store

An issue was found where the existing version of the Sophos Network Agent uses an older version of the Google APIs. This prevents the Sophos Network Agent from being downloadable on devices running the latest version of the Android OS. The Sophos Network Agent will continue to function on devices running the older version of the Android OS.

NC-47523
• SF 17.5 MR5 (17.5.5.433)
• Reporting
Auxiliary unit sending reports about its own scheduled report

In an HA configuration pair with a scheduled report configured, the auxiliary unit will also generate a report containing data about emails being sent from the unit. As per the attached report, the emails being sent from the auxiliary unit are the report itself.

There is no workaround.

NC-114087
• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]
• Logging Framework
Log Suppression tick mark not remaining applied on UI

Once the “All” option is ticked, the tick mark disappears and all individual modules/components are enabled.

Since its inception, the “All” button has acted as a shortcut to select all the relevant components. The result of the action is transferred to the individual buttons and stored in the backend as a separate status for each component. Because it is only a UI action button and not a summary of the status of all buttons, this is expected behaviour.

NC-115839
• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]
• Firewall
NAT ID is not getting updated at re-routing

The NAT information for Source NAT gets updated for an existing connection (re-route) when the failover occurs on the IPsec tunnel.

Currently, when an existing connection is re-routed, the Source NAT information isn’t updated, because NAT occurs only when a new connection is initiated (known behaviour). The NAT ID and Source NAT information don’t change when a re-route occurs.

For ICMP traffic, the ongoing traffic should be terminated first; then wait 30 seconds for the ICMP conntrack to be deleted/destroyed. New ICMP traffic will be forwarded via the updated NAT ID.

The NAT ID will not be changed for an ongoing connection during re-routing.

For TCP: the NAT ID will be applied on a new connection.
For ICMP: terminate the ongoing requests, wait 30 seconds, and reinitiate the ICMP traffic.

NC-85063
• SF 18.0 MR1-1 (18.0.1.396)
• WAF
WAF does not permit file uploads in OWA greater than 1 MB

If a file larger than the limit is uploaded, a message similar to this is visible in the log:

[Fri Aug 14 15:41:22.414802 2020] [security2:error] [pid 14238:tid 140229323249408] [client 109.91.34.26:44831] [client 109.91.34.26] ModSecurity: Request body no files data length is larger than the configured limit (q).. Deny with code (413) ….

For a workaround, please contact support.

NC-59800
• SF 17.5 MR9 (17.5.9.577)
• Firewall
Creation of new firewall rules (manually or via VPN auto creation) resulting in emails being held on the appliance

When utilizing the XG Email protection module in MTA mode, an automatic firewall rule for the SMTP traffic is created at the top of the policy list. If additional rules are created above this rule, this can result in the XG accepting SMTP traffic but then being unable to deliver the mail on to the next hop. This can be seen by the mail queuing on the appliance and timeout errors in the /log/smtpd_main.log:

2369   == john.doe@example.com R=default_mx_router T=remote_smtp defer (110): Connection timed out
2020-02-07 10:57:39.081 [2369] xPlIal-cb3y0D-DL == john.doe@example.de R=default_mx_router T=remote_smtp defer (110): Connection timed out

This can occur with:

• Manually configured firewall rules that include the SMTP service

• Automatically created firewall rules when configuring a VPN tunnel

We plan to improve on this behaviour in an upcoming software release.

Ensure that any manually created firewall rules are created below the automatic MTA rule.
Ensure that any subsequent automatically created rules are moved below the automatic MTA rule.

In the event that mail has already become queued on the appliance prior to the moving of the above rules, contact support for assistance in utilizing the /scripts/mail/replace_firewall_id.pl script to rectify the issue.

NC-112998
• SFOS 19.0.1 MR1-Rebuild-Build365 (19.0.1.365) [Akamaru]
• Authentication
Traffic Quota may be exceeded due to accounting

The accounting of processed traffic is run every three minutes. A user may exceed their quota by using more bandwidth than the quota allows between accounting runs.

There is no workaround.

                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-44003
                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 17.5 GA (17.5.0.310)
                                                                                                                                                                                                                                                                                                                                                                                                                                            • SNMP
SNMP queries for supportSubStatus and appExpiryDate return unexpected values

SNMP queries for supportSubStatus and appExpiryDate return unexpected values.

The MIB indicates that supportSubStatus should be 1 or 2, but 3 is returned.
The MIB indicates that appExpiryDate should be a date, but the value returned is invalid.

                                                                                                                                                                                                                                                                                                                                                                                                                                              

                                                                                                                                                                                                                                                                                                                                                                                                                                            This will be resolved in the upcoming XG v18 release

                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-53886
                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 17.5 MR8 (17.5.8.539)
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                              40Gbit QSFP+ Flexiport module is not recognized in SG/XG 430/450

                                                                                                                                                                                                                                                                                                                                                                                                                                              Sophos 40Gbit QSFP+ Flexiport module is not recognized at all in SG/XG 430/450 due to power sequence issues. A fix is in progress.

                                                                                                                                                                                                                                                                                                                                                                                                                                              No Workaround

                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-94073
                                                                                                                                                                                                                                                                                                                                                                                                                                              • SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
                                                                                                                                                                                                                                                                                                                                                                                                                                              • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                              • XGS BSP
                                                                                                                                                                                                                                                                                                                                                                                                                                              XGS 10G interface not working when interface speed is set to Auto-negotiation (Physical or LAG)

                                                                                                                                                                                                                                                                                                                                                                                                                                              Issue: XGS 10G interface is not working when interface speed is set to Auto-negotiation (Physical or LAG)

                                                                                                                                                                                                                                                                                                                                                                                                                                              Affected Product: Only XGS hardware with 10G interface

                                                                                                                                                                                                                                                                                                                                                                                                                                              Set interface speed to Manual 10000 Mbps - Full-Duplex (Applicable for Physical, LAG interfaces).

                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-84517
                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 18.0 MR5-Build586 (18.0.5.586) [Samal]
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Firewall
Firewall rule is not applied for terminal server traffic from Server Protection SATC

Situation:

Traffic from the terminal server is not being marked with the User ID, and as a result the correct firewall rule is not being applied.

Customers need to join the EAP for New Server Protection Features and confirm the machine is added to the EAP.

Details here: https://support.sophos.com/support/s/article/KB-000038634?language=en_US

Customers need to join the EAP for New Server Protection Features and confirm the machine is added to the EAP.

                                                                                                                                                                                                                                                                                                                                                                                                                                                NC-110072
                                                                                                                                                                                                                                                                                                                                                                                                                                                • SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Core Utils
UTF-8 characters in the backup file name prevent the user from downloading the backup file

UTF-8 characters in the backup file name prevent the user from downloading the backup file.

Nothing happens when the user tries to download a backup file whose file name contains UTF-8 characters.

We do not have any workaround or solution at the moment. Please do not use UTF-8 characters in the backup file name.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-107248
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SFOS 18.5.0 GA-Build264 (18.5.0.264) [Antigua]
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Licensing
                                                                                                                                                                                                                                                                                                                                                                                                                                                  Unable to activate evaluation licenses - Error XG-00351

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Situation:

• The partner/customer is unable to activate any evaluation license by initiating it from the XGS unit under “System” → “Administration” → “Licensing” → “Activate evaluations”.

Activate the evaluation license in the "My Sophos" portal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-84972
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 17.5 MR16-Build830 (17.5.16.830) [Timor]
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                    /tmp might get full due to 0x1XXXXXX files on XG85 with web content cache enabled

                                                                                                                                                                                                                                                                                                                                                                                                                                                    Issue:
                                                                                                                                                                                                                                                                                                                                                                                                                                                    When using the Web Proxy, there are files that are stored in /tmp as they are virus scanned. If Web Caching is turned on (Webadmin → Web → General settings → Enable web content cache) the /tmp directory might run out of space.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    Determining if the system is affected by this issue:
                                                                                                                                                                                                                                                                                                                                                                                                                                                    df -h /tmp
If the available space is 0MB, run:

                                                                                                                                                                                                                                                                                                                                                                                                                                                    du -c /tmp/0x1*
                                                                                                                                                                                                                                                                                                                                                                                                                                                    Non-zero length files can take up a significant portion of the partition.
                                                                                                                                                                                                                                                                                                                                                                                                                                                    Note: large numbers of files that are zero length are not an issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    Impact:
When the /tmp partition is full, several parts of the system suffer: webadmin is no longer accessible, and the box needs to be rebooted to recover.

Either disable web content caching (go to Web > General settings > Enable web content cache and disable the option; note that this option is disabled by default)
or reboot the system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    NC-103261
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SFOS 19.0.1 MR1-1-Build384 (19.0.1.384) [Aukena]
Unable to set DNAT from Central using "Server access assistant (DNAT)"

To enable NAT or WAF through web admin, you must specify an Original Destination Port (NAT) or Hosted Address (WAF). This is normally set to the IP address associated with ‘Port B’, which is the WAN port.

For CM managed autoscaling instances, there’s no way to identify the original destination, as each firewall will have its own IP address for the WAN port. This makes it impossible to set up DNAT for a CM managed instance. Even if someone creates a “Dynamic Interface”, it is not available during the “Public IP Address” step.

The "Server access assistant (DNAT)" cannot be used to configure DNAT, but the manual method of creating a "New NAT rule" can still work. As the WAN interface isn't available, you can create an IP range that will be translated to the private IP of the private server. To set up DNAT:

                                                                                                                                                                                                                                                                                                                                                                                                                                                        1. Navigate to "Firewalls" under "Manage Firewalls" in the left sidebar
                                                                                                                                                                                                                                                                                                                                                                                                                                                        2. Select the three dots for the firewall group and click "Manage Policy".
                                                                                                                                                                                                                                                                                                                                                                                                                                                        3. On the left sidebar, select "Rules and Policies" and go to the NAT sub page
                                                                                                                                                                                                                                                                                                                                                                                                                                                        4. Click on the "Add NAT Rule" button and select "New NAT Rule"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        5. Enter appropriate settings for your application. Ensure the "Original Destination" is set to "Any" and "Inbound Interface" to "Any" as well.
                                                                                                                                                                                                                                                                                                                                                                                                                                                        6. For the "Translated Source", set it to MASQ.
                                                                                                                                                                                                                                                                                                                                                                                                                                                        7. Change the "Translated Destination (DNAT)" to the private IPs of private server/load balancer by clicking "Create new" at top of drop down menu and creating appropriate destination.
                                                                                                                                                                                                                                                                                                                                                                                                                                                        8. Click Save.
                                                                                                                                                                                                                                                                                                                                                                                                                                                        9. Wait for configuration to be distributed to all XG's in group. This can be monitored from the "Firewalls" page

NC-46108
• DHCP
DHCP relay configured on an interface containing another DHCP server doesn't function

Configuring multiple DHCP Relays where the 'listening' interface in one corresponds to the interface that the DHCP server is connected to in another of the configured relays will cause one of the relays to cease to function.

This is not a supported scenario and is expected behaviour. A DHCP Relay should not be set up on an interface that hosts a DHCP server.

NC-98205
• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
• Wireless
RadiusSSO roaming not working

When using RadiusSSO and roaming between APXs, the client has to reauthenticate in order to connect again.

This is a limitation of the current deployment. RadiusSSO currently cannot handle roaming between access points.

NC-89077
• SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]
• IPsec
Unable to connect IPsec with IOS with Local ID defined.

The issue occurs when Sophos Firewall is configured for Sophos IPsec connect with a Local ID. This configuration is not supported by IOS.

The IOS profile does not support any parameters with Local ID/Remote ID, which causes a failure to authenticate the connection.

Clear the Local ID value/field and re-download the configuration file.

NC-79348
• SFOS 19.0.0 EAP0-Build190 (19.0.0.190) [Tahiti]
• SFOS 19.0.0 EAP1-Build244 (19.0.0.244) [Tahiti]
• Email
awarrensmtp & warren services are getting DEAD after CR backup restore

If a customer restores a Cyberoam backup that does not have a Default CA certificate generated or configured, then after restoring the backup in v19 EAP0 or later, the awarrensmtp & warren services will be found DEAD.

After restoring the Cyberoam backup, regenerate the Default CA certificate:

• Log in to the UI and go to System --> Certificates --> Certificate Authorities --> Edit Default CA

• Reboot the device

NC-29517
• SF 16.05 MR8 (16.05.8.320)
• SF 17.0 MR1 (17.0.1.98)
• Date/Time Zone
Timezone showing different in GUI and CLI

GUI time differs from the CLI time.

The files /conf/TZ and /etc/zoneinfo/ are not in sync.

1. Copy the content from /etc/zoneinfo/ to /conf/TZ.
2. Restart the appliance for the change to take effect.

NC-52129
• SF 17.5 MR5 (17.5.5.433)
Limitation Avira Scan for encrypted and split archives

When scanning an encrypted split archive with Avira, the following limitations apply:

1) When an encrypted split file is scanned, only the first part contains all the information about the archive (including the encrypted flag).
2) That is why SAVAPI reports that the file is encrypted only when scanning the first part: the engine/avpack can "unpack" the file, but a password is needed to extract it, so the archive is valid.
3) When the following parts (except the last one) are scanned, the encrypted flag is missing, which is why SAVAPI returns clean for those parts of the multipart file.
4) When the last part of the archive is scanned, the archive is corrupt for SAVAPI, because the other parts are missing.

Additional information: an unpacker will also not ask for a password when trying to extract an encrypted split file from any part other than the first. The unpacker will report that it is not an archive.

Use Sophos AV

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NC-43145
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SF 17.5 MR3 (17.5.3.372)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        HA pair becomes unstable if shared port used as the dedicated link is on XG106

When HA is configured on the shared port (Port4) of XG105r3, XG115r3 or XG106r1, the HA pair becomes unstable. After the HA service is enabled, the Auxiliary reboots first as usual, but the Primary appliance then also goes into the rebooting phase because the shared port takes more time to wake up.

Do not use the shared port (Port 4) as the HA dedicated link.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-84054
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SecurityHeartbeat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Configuration Migration Failed due to invalid byte sequence "UTF8"

The backup will not be restored if there is an error with the database table tblappstoeps, as it may contain an invalid byte sequence for encoding "UTF8".

The following entries will be seen in Postgres.log:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          772 2022-01-08 03:01:18.064 GMTERROR:  invalid byte sequence for encoding "UTF8": 0xb1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6772 2022-01-08 03:01:18.064 GMTCONTEXT:  COPY tblappstoeps, line 23612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6772 2022-01-08 03:01:18.064 GMTSTATEMENT:  COPY tblappstoeps (app_id, uuid, app_path, occurrence, last_seen) FROM stdin;

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Please contact Support for a workaround.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-85343
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SFOS 19.0.0 EAP2-Build271 (19.0.0.271) [BoraBora]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Network Utils
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Unable to use "port", "eth" or "ge" when editing interfaces

• Interface display names starting with “port”, “eth” or “ge” are not allowed.

• The restriction was added for add/edit interface only.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This is an intentional change and customers will not be able to edit/change interface names starting with “port”, “eth” and “ge”.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-85313
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • API Framework
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              No Statuscode in API response

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If no , or tag is used after no status will be there in response.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Always use one of these tags after the to get detailed status code messages.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-84550
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  There is a difference between Sophos Firewall local reports and CFR Reports

The LogViewer can’t log byte values greater than 32 bits, and reporting is unable to store the value, which causes a drastic difference between SF reports and CFR reports. If the number of bytes transferred exceeds the limit that can be accommodated in a U32, the log viewer shows the truncated value.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-81039
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SFOS 18.5.1 MR1-GA-Build326 (18.5.1.326) [Cuba]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Licensing
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SFOS gets stuck after a reboot as hyperthreading enabled on hardware blocked the kernel to boot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Behavior observed:

SFOS gets stuck after a reboot because hyperthreading enabled on the hardware blocks the kernel from booting.

The issue only occurs when the SFOS RAM/CPUs are less than those purchased in the license and hyperthreading is enabled on Dell hardware. SFOS is not able to apply the RAM and CPU limit on that hardware if hyperthreading is enabled.

This blocks the kernel from booting.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The issue is observed on SFOS v18.5 MR1 Build 326 installed on Dell R330 hardware.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Disable hyperthreading on the server.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NC-83108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SFOS 18.5.1 MR1-1-Build365 (18.5.1.365) [Cuba.ODM]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Config Migration Framework
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Upgrade to v18.5MR1 from v18.0MR6 results in factory reset

Reported Issue: Upgrading from v18MR6 to v18.5MR1 results in factory default configuration being applied to the device.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Workaround: Downgrade back to previous firmware and upgrade to v18.5MR2. Alternatively you can upgrade to v18.5GA and then v18.5MR1.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NC-13934
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SF 15.01.0 MR3 (15.01.0.447)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Reporting
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Auxiliary sends only some of the configured scheduled reports

On the Auxiliary appliance, if a report doesn't contain any data, we don't send any report notification to the customer. This is intended behavior.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-82331
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SecurityHeartbeat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Missing heartbeat issue in some cases after upgrade to 18.5 MR2

In 18.5 MR2 we introduced key encryption for the certificate on the firewall that endpoints use to heartbeat with the firewall. During the upgrade to 18.5 MR2, a certificate refresh has to be done because the key has to be encrypted, and this certificate needs to be made available to endpoints. If endpoints are unable to get the new certificate from Central, heartbeat will start failing. This might happen when private DNS servers are being used.

To avoid this, ensure that the endpoints have network connectivity during the upgrade. Also disable the checkbox "Block clients with no heartbeat" in the firewall rule in case endpoints need access to the internal DNS server to get updates (new certificate) from Central.

If the system is showing missing heartbeat after the upgrade:
Ensure endpoints have network connectivity so that they can fetch the new certificate from Central. Also disable the checkbox "Block clients with no heartbeat" in the firewall rule in case internal DNS resolution fails.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-81520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 18.0 MR5-Build586 (18.0.5.586) [Samal]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Hotspot
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Password is not printed on hotspot voucher for bridge to AP LAN and bridge to AP VLAN

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Situation:

When downloading the voucher from the user portal, the WLAN password is not printed on hotspot vouchers for the types: bridge to AP LAN and bridge to AP VLAN.

The wireless password is only printed on hotspot vouchers for the interface link of "Separate Zone interface(bridge) of Wireless Protection".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It is known behavior that a hotspot voucher doesn't contain the WLAN password for Bridge to AP LAN and bridge to AP VLAN.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Configure Hotspot voucher for interface link type 21 i.e. "Separate Zone interface(bridge) of Wireless Protection".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-76186
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 17.5 MR14-1 (17.5.14.714)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 18.0 MR4-KONICA (18.0.4.519) [Palawan]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4X10G FlexiPort Module with new Intel 700 series NVM data and driver not recognized

Issue:

The 4x10G FlexiPort Modules are not being recognized correctly on Sophos Firewall; the interfaces are being detected as "eth0,eth3".
Because the modules cannot be detected correctly, they are unusable with the Sophos Firewall.

Only SFOS (Sophos Firewall) is affected.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Affected Sophos Part Number – “XGMOD410PUR”
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Description: 4 ports 10G SFP+ without bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Affected Part S/N Prefix – “M2400XXXXXXXXXX” (with NVM FW 7.20)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Note: Module with same prefix “M2400” with NVM 5.05 doesn’t have this issue.
To identify the affected module NVM FW 7.20: run ethtool -I

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NC-9124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SF 15.01.0 MR1.1 (15.01.0.407)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  STAS not working when AD servers are reachable on WAN

STAS is not working if the AD server is only reachable over a WAN connection.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-73174
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 18.0 EAP3-refresh1 (18.0.0.285)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Logging Framework
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  LogViewer shows twice DDNS events for Success/Failure.

LogViewer shows DDNS events twice for Success/Failure.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-69491
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 18.0 MR3 (18.0.3.457) [Mindoro]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Unable to access GUI after auto reboot

Issue:

If a high number of RADIUS SSO users log in at the same time and the firewall reboots, web admin is sometimes not reachable after the reboot.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    LAN users can connect and the device is accessible via ssh.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NC-67790
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SF 18.0 MR1-1 (18.0.1.396)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • DHCP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      DHCP Not Assigning multiple IP's to same MAC

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Description:

In certain cases, multiple IP addresses need to be assigned to one MAC address from different scopes.

One use case is that, for the captive portal to work over the bridged interface with a VLAN, the AP creates a virtual interface and needs an IP address from the VLAN.
With the captive portal, a virtual interface is created on the AP, which asks for an IP over a VLAN, since this is a bridge-to-VLAN setup, and the discover request comes with the MAC address of the interface.

If one scope is set to static and the other to dynamic, the IP assignment doesn't work.

Solution:

Set both the scopes to dynamic.

Set both the scopes to static.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NC-68438
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SF 17.5 MR8 (17.5.8.539)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Web policy rule does not support Users with backslash in the name

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Web policy rules do not support users with a backslash in the name.

Example: in webadmin -> Authentication -> Users:

Creating a user with username a\b and saving it will succeed.

Using this user in a web policy won't work.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Create a username without backslash or single quote

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-71401
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 18.0 MR4 (18.0.4.506) [Palawan]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • CM (Join to Cloud)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Unable to register XG with Central Manager with email address that contains more than 50 characters

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Registering XG with Central Manager for remote management functionality fails with error "Temporary error while accessing Sophos Central, please try again".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Root Cause:
This error can occur for many reasons; for this particular issue, however, the email address used for registration is longer than 50 characters.

Shorten the email address and try again. If you have tried more than 5 times in the last 1 hour, the account will be blocked for up to 5 hours. Please wait and try again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NCL-1309
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • STAS 2.5.1.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • STAS
STAS users are disconnected frequently if the dead entry timeout is configured to a value other than zero.

Dead Entry Timeout does not work and it MUST be set to zero. If the dead entry timeout is configured to anything other than zero, this behavior is encountered and users may get disconnected randomly.

Set the dead entry timeout to zero to avoid user disconnection due to dead entry timeout. It is recommended to use the WMI mechanism in STAS for log-off detection.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-71178
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 17.0 GA (17.0.0.80)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Licensing
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Unable to activate or register the XG firewall device with v17.0 MR-10 EAL4+ certified firmware

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Unable to activate or register the XG Firewall device with v17.0 MR-10 EAL4+ certified firmware 

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1. Customer needs to upgrade the XG Firewall firmware to SF v17.5.MR7 or later and activate the appliance.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2. Customer can then switch back to SF v17.0 MR-10 EAL firmware and continue using it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-13946
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 16.01 StagedRelease (16.01.0.190)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 16.01 StagedRelease3 (16.01.1.202)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                STAS users with special characters (' , / ") in their name do not show up on XG

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                STAS users with special characters (' , / ") in their name do not show up on XG. 

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SFOS doesn't support a username containing special characters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                The user needs to remove the special characters in the username to make it work.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NC-69439
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SF 17.5 GA (17.5.0.310)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SF 18.0 MR1-1 (18.0.1.396)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Policy tester is incorrect for Internet Scheme Web Policy

The policy tester shows only the matched firewall rule ID, matched source, and destination zone. It does not return the webfilter ID.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-70369
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 18.0 MR3 (18.0.3.457) [Mindoro]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 17.5 MR14-1 (17.5.14.714)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Dynamic Routing (OSPF)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Auto interface cost calculation not working

Issue description: Auto Cost Calculation does not work for OSPF.
This is configurable under the advanced settings of OSPF.

Workaround:
Uncheck Auto Interface Cost and configure the cost manually.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NCL-1342
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SATC 2.2.0.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SATC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SATC not compatible with Chrome version 84 and newer

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      In July 2020, Google Chrome, the new Microsoft Edge, and other Chromium-based browsers moved to version 84. This version removed support for the ForceNetworkInProcess feature used as a workaround for previous versions as per NCL-1114.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Workaround is described here (public link):

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      https://support.sophos.com/support/s/article/KB-000038634?language=en_US

Downgrade to a version below 84 and apply the workaround, or move to Firefox.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NCL-1119
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SATC 2.2.0.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SATC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SATC provides wrong source port in UDP port 6060 packets while server has InterceptX installed.

SATC installed on a server that also has Sophos InterceptX installed reports wrong port information in new session details to the XG.

Impact:
If a user attempts to open a TCP connection, SATC will detect that TCP connection and send a UDP packet containing the Login Code, Session ID, Source Port, Destination Port, Destination IP and Username before the TCP connect is completed. SFOS will add an expect based on the information received in that UDP packet.
SATC is unable to detect that TCP connect request and therefore does not send any packet to SFOS, which results in no expect being added on the SFOS side and the traffic being dropped.
SATC is not sending any information on port 6060, which is used by Sophos Firewall to create an Expect Conntrack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        https://support.sophos.com/support/s/article/KB-000036880?language=en_US

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-55068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 17.5 MR9 (17.5.9.577)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        XG 115 Rev. 3 HDMI ports do not appear to be enabled unless a monitor is plugged in at boot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        XG 115 rev3 models will show no HDMI output unless a monitor is connected before boot up.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-67688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 18.0 MR3 (18.0.3.457) [Mindoro]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 18.0 MR4 (18.0.4.506) [Palawan]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • HA
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-62850 causes large backup file

With 18.0 MR1 there was a case where a backup contained redundant information, increasing the size of the backup.

This was fixed with 18.0 MR3 in all cases.

There was no functional impact from this.

If a larger backup was taken and restored, then /conf might be larger than expected.

In such cases, please use the described workaround.

Backups taken after 18.0 MR3 are not affected.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Run commands:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rm -rf /conf/httpclient/httpclient
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rm -rf /conf/iview_images/iview_images/
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Re-run backup.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-65961
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 18.0 MR3 (18.0.3.457) [Mindoro]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Misleading Firewall and Web filter logs in log viewer

The log viewer for the 'Firewall' and 'Web filter' components shows 'Allowed' for all port 80/443 traffic initiated from the WAN to the WAN/LAN zone. The user (client) who initiated the traffic from the WAN side is shown a 'blocked' page.

1. If any traffic is initiated from the WAN side with the XG WAN IP as destination (i.e. WAN to WAN zone), specifically on TCP port 80/443, it will be logged as 'Allowed' in 'Log viewer' > Firewall component. The same traffic might show 'Denied' in the Web filter logs.

2. Consider a DNAT configured on XG to allow ANY WAN to LAN traffic towards an internal server. Even if there is a WAN to LAN firewall rule at the top with specific source IPs/networks and action DROP/REJECT, 'Allowed' traffic will be seen in the Firewall and Web filter logs of the log viewer. The only thing to validate is that the 'Allowed' web filter entry has the 'Policy ID' of the DROP/REJECT firewall rule configured at the top.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Note: The actual traffic is being blocked and not forwarded by XG.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-19628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 16.01 StagedRelease3 (16.01.1.202)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Not able to browse internet using IE 11 in protective mode if authenticated through SATC

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Using SATC with IE11 in protective mode is not supported.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-65625
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 18.0 MR3 (18.0.3.457) [Mindoro]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SSLVPN
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                OpenVPN CN size limited to 64 characters

OpenSSL limits the CN to 64 characters. OpenVPN limits the size of the CN to 63 + 1 (null character).

This limits the username@domain length to 51 characters because a 12-character random string is appended to the CN.

Only use username + domain combinations with a maximum of 51 characters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NC-63535
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SF 18.0 MR1-1 (18.0.1.396)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Email
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Modsecurity not allowing block email senders list modification

If the user tries to add any domain or email address on the page 'Email >> general setting >> block senders', the error "Request could not be completed" is shown and the domain or email address is not added.

The best way to avoid or resolve this is to remove any one of the domains/email addresses from the block senders list and add it again. This resolves the issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-60294
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 17.5 MR7 (17.5.7.511)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    [CA] user not removed from Liveuser table when logging out

When using the Sophos Network Agent (iOS or Android), logout can take up to 2h. The app itself is disconnected immediately, but on the UTM the user is still listed as live, which means the user can still access network resources that should be blocked.

• Log in to the appliance with SSH

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • echo 0 > /content/caaios

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • echo 0 > /content/caaand

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • restart access_server

The workaround is update-safe and reboot-safe.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NC-60381
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SF 18.0 GA-SR3 (18.0.0.354)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SF 17.5 MR9 (17.5.9.577)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      DHCP Blocked with Heartbeat on SFOS

This scenario is observed when the DHCP request arrives via a bridge interface and the inter-zone firewall rule (i.e. the rule configured for the bridge interface) has Heartbeat set to block endpoint communication for RED heartbeat status. The MAC address is blocked, and this also includes the DHCP traffic for the affected client machines.

When packets enter the bridge interface, they enter the Netfilter stack at L2, and all packet and connection decisions are taken at Layer 2. Here, the packet is dropped by the firewall as it enters at the L2 stage, so the traffic is never handed to L3 (the bridge interface), where the DHCP server is listening, and the DHCP server never receives the packet. This issue occurs only for clients behind the bridge and does not happen on any other interface.

Create a firewall rule positioned at the top with Service: DHCP and with no heartbeat settings applied.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NC-60104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SF 17.5 MR10 (17.5.10.620)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Live connection is not shown in Live Connection table for DNAT rule

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Description:

The live connections view does not show a connection table entry for DNAT rules.

Reason: When the connection table is handled, connections to ZoneID 4 are not considered for the live connection table. They are still shown in Log Viewer and Reporting.

The issue was resolved by architecture changes in V18.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-60401
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 18.0 GA-SR3 (18.0.0.354)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • CM (Join to Cloud)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Unable to deregister Firewall or enable "Sophos Central Services" v18

This occurs when the firewall is registered, Central services have been accepted by the Central admin, and the firewall then loses its Central registration information due to a factory reset or firmware downgrade.
On re-registration and enabling Central Management, the endpoint is already known to Central, and the Central Management API treats the request as a Bad request because Central services are already approved.

Workaround 1:
Deregister the XG Firewall (if in HA, remove both firewalls) from Central if it is already registered (XG Local UI -> Central Synchronization -> Deregister).
Remove the firewall from Central:
Log in to central.sophos.com
Navigate to Firewall Management.
Select the firewall row and click "Remove from Central".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Workaround 2:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The following can be run via the advanced shell:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          /bin/central-register --register -u -p -s
Once registration succeeds, you can proceed to unregister from the Sophos Central GUI.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-59839
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 17.5 MR8 (17.5.8.539)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            XG showing incorrect IP in the outbound email logs and CLI conntracks

When checking email logs for bounced emails in the UI, IP addresses that are not configured in the UI might be shown as the source address.

The log entry is generated from connection table entries, not from the actual routing.
At the time the conntrack entry is created, SFOS uses any gateway IP as the original source address (example: Port4: 10.24.255.254). When routing is done at L3, the decision might be to route that connection via Port 2, but the original source is unchanged.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            That means the original source is not necessarily used for routing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-9106
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 15.01.0 GA (15.01.0.376)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Framework part of Base (deprecated)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Mail Notification not working with Microsoft Office365

Sophos XG supports only the following authentication methods:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PLAIN

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Digest MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              CRAM MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              To authenticate agains Microsoft Office 365, one of these authentications methods need to be configured on both ends.

NC-27452
• SF 17.0 MR3 (17.0.3.131)
• WAF
GES Question: Do we support method="RDG_IN_DATA" or method="RDG_OUT_DATA" for RD in WAF

We don't have protocol support for Microsoft's RDG protocol suite, which they added with Windows Server 2012 (we only support the "old" MSRPC suite). Whenever such an RDG (2012) connection fails and the log contains a line stating
method="RDG_IN_DATA"
or
method="RDG_OUT_DATA"
it's a strong indication that the lack of protocol support is causing the connection to fail. Currently, this cannot be mitigated using the WAF.

WAF only supports RPC_IN_DATA and RPC_OUT_DATA; these are the only types enabled when Pass Outlook Anywhere is turned on. All other methods are unsupported.

NC-58684
• SF 18.0 GA-SR3 (18.0.0.354)
• Firmware Management
Upgrade from v17.5.x to v18 Build_354 would take more time (approximately 50 minutes)

XG would take more time (approximately 50 minutes) to upgrade the firmware from v17.5.x to v18 Build_354. This is because v18 Build_354 performs additional checks for file system correction, which take more time depending on the hard disk size and state.

NC-13632
• SF 15.01.0 MR3 (15.01.0.447)
• RED
Unable to do offline provisioning of RED 50 device using USB device

It is not possible to do offline provisioning for RED50 devices using a USB device without doing an online provisioning first. The RED50 keeps rebooting continuously.

Do an online provisioning somewhere central. After the first online provisioning is done, offline provisioning is possible.

NC-42227
• SF 17.1 MR1 (17.1.1.175)
• Authentication Clients
Question: Are we not supporting SATC with Edge browser

We currently don't support SATC with the Edge browser.

NC-55423
• SF 16.05 MR5 (16.05.5.233)
• SF 17.1 MR1 (17.1.1.175)
• Network Services (deprecated)
• PPPoE
Difference in data transfer traffic usage between WAN Link Manager and WAN Zone report.

Behavior:

There will be a difference in data transfer traffic usage between WAN Link Manager and the WAN Zone report.

WAN Link Manager: Go to Network > WAN Link Manager and click the Manage icon next to the IPv4 or IPv6 Gateway to view data transfer graphs related to that Gateway.
WAN Zone reports: Generated under Monitor & Analyze - Application & Web - Show:User App risks & Usage.

• Data transfer usage in WAN Link Manager shows Layer 1/Physical level stats and can be compared against ISP data transfer.

• WAN Zone is the logical entity that works at Layer 3. The WAN zone graph is generated from connections, based on the traffic passed by a specific firewall rule.

The following statistics of WAN Link Manager and WAN Zone reports explain the reason for the different data transfer traffic usage.

1) WAN Link Manager statistics:

These are the statistics of data transfer at interface level, that is, per physical or virtual gateway.
This also includes device traffic (pattern and firmware download, license sync) and unknown traffic/ping that is handled at that interface by the device.
A device can have multiple interfaces as WAN links, and all of them could be in the WAN zone. Users can see WAN Link Manager stats per interface, not by zone.

2) WAN Zone Report statistics:

These are the statistics of traffic passed through firewall rules per zone.
Traffic destined for the WAN zone can take one of the multiple WAN links, as defined by the load balancing configuration and WAN link weights/active-backup configuration.

The attached logical diagram also explains the difference between WAN Link Manager and WAN Zone reports.

• The ISP data transfer traffic usage report can be compared with WAN Link Manager. The WAN Zone data transfer report is not meant for that.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-33997
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 17.0 MR6 (17.0.6.181)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SSO client install does not appear to work with RDP sessions

Set up the SSO client agent following KB 123159.

Users log in to a machine and it works correctly. When they try to log in to the same machine through RDP, they get a popup window that just says "default".

The logs show the following:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\admin1\AppData\Roaming\Sophos\admin1.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          05/08/18 17:23:17 Return Message Code From Server Is -- > 5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          05/08/18 17:24:35 Console has been disconnected. Switch user detected. logging out user 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          05/08/18 17:24:35 Posting End Session....

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Using the SSO client agent with RDP is not supported

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-53986
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 18.0 EAP1 (18.0.0.102)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          For VM deployments, PCnet32 driver shows incorrect negotiation speed (10mbps Half Duplex) on XG UI

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The UI in v18 shows a wrong negotiation speed for virtual machines using the PCnet32 driver. This is only a UI issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-25733
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 17.0 GA (17.0.0.80)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 17.0 MR1 (17.0.1.98)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • IPsec
Custom-configured IPsec profiles that use PSK and have Aggressive mode enabled are not listed after upgrading to V17MR1, although they are being used as a policy in the IPsec connection

You cannot find or select an IPsec profile from within an IPsec connection when that profile has Aggressive mode enabled and the connection is using PSK, after you upgrade from any version to V17.

Go to VPN > IPsec connections > select an upgraded VPN connection > under Encryption, click Policy. The old custom policy used for this connection is not listed.

Reason: strongSwan does not support PSK with Aggressive mode, for security reasons.

Either disable Aggressive mode on the IPsec profile or use RSA/Cert for authentication instead of PSK.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-25749
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 17.0 GA (17.0.0.80)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • IPsec
IPsec v16 to v17 update does not set SHA2 truncation on custom policies

The IPsec v16 to v17 update does not set SHA2 truncation on custom policies.
This will mostly affect tunnels between v16.5 and v17.

Impact
Customers migrating from v16 to v17 with IPsec tunnels configured with AES256 encryption and SHA2 256 authentication on a custom policy in Phase 1 and Phase 2 will be affected.
The SA will be established; however, traffic will not flow through the tunnel.

How to identify the issue

The tunnel status can be verified from the GUI: the Status and Connection indicators will be green.
It can also be verified, along with the uptime, from the Advanced shell.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              #ipsec statusall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Output:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.14.22-Aum, x86_64):
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              uptime: 68 minutes, since Nov 20 18:02:23 2017

The workaround is to enable SHA2 with 96-bit truncation on the v17 policy.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Go to Configure > VPN > IPSec Profiles.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Under General Settings, select SHA2 with 96 bit truncation.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Click Save.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-48871
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 17.5 MR5 (17.5.5.433)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • L2TP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Username with backslash "\" character are unable to authenticate when logging with domain via L2TP

The character "\" is not supported as part of the username in XG Firewall.

You can check this by manually creating a new user with the "\" character in the username; XG Firewall will not allow you to create such a user.

XG Firewall supports authentication with the sAMAccountName username (e.g. asystest) or with the fully qualified username (e.g. asystest@xyz.local), but not with the NetBIOS format, regardless of the server.

NC-42226
• SF 17.0 MR6 (17.0.6.181)
• SSLVPN
Self-signed certificate support as SSL server certificate in SSL VPN.

Self-signed certificates are not supported as the SSL server certificate in SSL VPN. You cannot issue the certificate yourself; a CA is required to sign/approve the server certificate.

A certificate signed by the local CA, i.e. issued by the default certificate authority (CA), is supported; for example, the "ApplianceCertificate" certificate is supported.

NC-54667
• SF 17.5 MR7 (17.5.7.511)
• Authentication
Maximum number of simultaneous CAA users

XG Firewall supports a maximum of 3042 Corporate Authentication Agent connections at the same time.

If the number of users exceeds this, log entries such as "Failed to establish connection! Too many open files" will appear in the access server log file.
This number applies only to users of the Corporate Authentication Agent; live user counts for other authentication mechanisms are not included in this limit.

NC-33500
• SF 17.0 MR6 (17.0.6.181)
• Web
Unable to get the file that was scanned by Sandstorm

When a file is scanned by Sandstorm, the admin gets a "cannot reach" page after scanning (thrown by the Sophos XG captive portal).

This is observed when an Any-to-Any firewall rule is configured as DROP.

Create a specific LAN/WAN zone instead of the Any zone for the DROP firewall rule.

NC-53094
• SF 17.5 MR8 (17.5.8.539)
• RED
WAN gateway becomes "active" causing RED S2S tunnels to flap

When multiple WAN gateways are configured on the XG, any action that causes the backup gateway or the gateway not being used by the RED tunnel to reconnect will cause all RED tunnels to reconnect.

None

NC-47092
• SF 17.5 GA (17.5.0.310)
• Firewall
SSH sessions to a target behind an SFOS firewall show up in LogViewer with a delay

There might be a delay before an SSH session is shown in the LogViewer.

NC-42570
• SF 17.1 MR1 (17.1.1.175)
• WAF
• Web
Unable to access WAF server from LAN if browser proxy is configured on LAN systems

When LAN users try to use a web server protected by a WAF in the LAN zone, those requests do not work. The reason is that requests from the LAN zone reach the web server(s) directly without passing through the XG.

NC-51322
• SF 17.1 MR4 (17.1.4.254)
• NoRelease
• Email
Chinese characters in mail subject not displayed correctly within the quarantine digest mail

Chinese characters in the subject of quarantined mail are not displayed correctly within the quarantine digest mail. The display in the GUI itself is correct; the subject appears garbled in the quarantine digest email only.

Changing the encoding used in the end user's mail client to UTF-8 acts as a workaround for this issue. We also plan to resolve this in a future software update, but there is no timeline for this currently.

NC-43721
• NoRelease
• Hardware
Half duplex not working on upper four ports of XG125/135 Rev.3

XG125/135 Rev.3 does not work with half duplex in any setting on ports 1, 2, 3, 4.
Ports 5, 6, 7, 8 will work with half duplex.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-39407
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 16.05 GA (16.05.0.117)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 17.0 GA (17.0.0.80)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 17.1 GA (17.1.0.152)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 17.5 GA (17.5.0.310)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Networking (deprecated)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Policy Based Routing on Reply/Return Traffic Only Is not Supported

We do not support Policy Based Routing (PBR) on return traffic on any version prior to v18.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-43682
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 17.5 GA2 (17.5.0.321)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Email
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Mail queue being delayed/failed after update to v17.5

Any manual change to the disable_offline_relate setting is lost during a firmware upgrade.

If, prior to an upgrade, the /static/proxy/smtp/scanner.conf file has been changed to set disable_offline_relate to 'no', this change will be lost during the firmware update and will need to be set again.

We plan to introduce a GUI option for this setting that will persist through a firmware upgrade in a future release.

Once the firmware upgrade is complete, edit /static/proxy/smtp/scanner.conf and update the disable_offline_relate setting again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NC-42364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SF 17.5 GA (17.5.0.310)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Networking (deprecated)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  IPSEC route precedence not applying as expected

System route_precedence is configured to give VPN routes a higher priority than static routes. However, the XG firewall does not send the expected traffic over the IPSEC tunnel and instead routes it via a matching static route.

This occurs if there is a static or local route that directs this traffic to a non-WAN zone. The route precedence command only applies to traffic that is destined for a WAN zone.

In this scenario, manually creating an IPSEC route for the remote subnet will resolve the issue.

For example:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Hitting tab twice after tunnelname will show a list of available tunnels.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-13637
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 16.01 StagedRelease (16.01.0.190)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Routing (deprecated)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Route Precedence not followed in case of PBR and RED S2S

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Policy based routes for RED interfaces are not working.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NC-19478
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SF 15.01.0 MR2 (15.01.0.418)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Clientless Access(HTTP/HTTPS)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Access of websites (HTTP/HTTPS) containing UTF-16 chars in the URL by bookmark is not possible

The Clientless Access feature requires rewriting HTML links within the response document to ensure that links work for users outside the proxy. If a website contains URL links with UTF-16 encoded special characters, as in the example below, the site will not open properly using the Clientless Access (HTTP/HTTPS) feature.

Example: http:\u002f\u002fportal.example.com -> contains characters encoded in UTF-16 format

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NC-35231
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SF 17.1 GA (17.1.0.152)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ATP Framework
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Limit on adding Threat Exceptions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Let us know if there is any limit on adding Threat Exceptions under Protect - Advanced Threat - Advanced Threat Protection.

Web Admin: Protect - Advanced Threat - Advanced Threat Protection

• There are no limitations on adding Threat Exceptions.

• However, there is a limit of 128 characters on the length of a Threat Exception.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NC-35230
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SF 17.1 GA (17.1.0.152)
• Wireless
Maximum number of Wireless Networks that can be created

Limit on the number of wireless networks that can be added.

Web Admin: Protect - Wireless - Wireless Networks

• There are no limitations on creating Wireless Networks.

• However, there is a limit of "8 SSIDs/Networks" that can be assigned to a single Access Point.

NC-13659
• SF 16.01 Beta3 (16.01.0.144)
• SecurityHeartbeat
Host information on ATP Flipside not updated

On the ATP flipside, host information for blocked sources is displayed. This information is not updated; the flipside needs to be manually reloaded/re-opened to see changes (e.g. host states green, red, missing).

NC-19476
• SF 15.01.0 MR1.1 (15.01.0.407)
• Clientless Access(HTTP/HTTPS)
Unable to access SSL VPN Clientless Access Connection via HTTP(s) bookmark

Accessing web servers that contain JavaScript-based dynamically generated URLs via an HTTP/s bookmark is not possible.

NC-32298
• Hardware
Random slow down of the SG430/SG450 with busy disk and less disk I/O

A small percentage of SG and XG 430/450 Rev.1 appliances are no longer accessible except via serial. This is caused by an SSD software/firmware issue. The serial console output shows the errors:

• Reboot and Select proper Boot device

• Insert Boot Media in selected Boot device and press a key

• I/O error on SDA

• SQUASHFS error

This issue is based on problems with the Solid State Disk (SSD) firmware.

If you have an SG or XG 430/450 Rev.1 that is experiencing issues like those shown above, please contact Sophos Support for further instructions. If possible, go ahead and make a backup with one of the KBAs mentioned below:

NC-13636
• VPN (deprecated)
L2TP connection with PSK to mobile phones not possible

No L2TP connection is possible to mobile phones running Android (5.0.1 on Samsung S4) or iOS (10).
Both successfully negotiate IPsec phase 1 (main mode) but fail to negotiate phase 2 (quick mode).
Log excerpt from /log/ipsec.log, valid for both Android and iPhone connection attempts:

Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: Main mode peer ID is ID_IPV4_ADDR: '10.147.34.103'
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: I did not send a certificate because I do not have one.
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: Dead Peer Detection (RFC 3706): enabled
Oct 06 10:46:33 "l2tps"[1] 10.147.34.103 #15: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: received and ignored informational message
Oct 06 10:46:34 "l2tp"[1] 10.147.34.103 #15: cannot respond to IPsec SA request because no connection is known for 10.8.18.51:17/1701...10.147.34.103:17/%any
Oct 06 10:46:34 "l2tp"[1] 10.147.34.103 #15: sending encrypted notification INVALID_ID_INFORMATION to 10.147.34.103:500
Oct 06 10:46:37 "l2tp"[1] 10.147.34.103 #15: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x635c829e (perhaps this is a duplicated packet)

NC-18385
• WAF
WAF - redirect to original requested path after form-based auth (SFOS)

After successful form-based authentication, the user is always redirected to the path defined in the corresponding site path routing profile, not to the path the user originally requested.

NC-19479
• SF 16.05 MR1 (16.05.1.139)
• Clientless Access(HTTP/HTTPS)
Some websites could not be accessed through clientless access

Websites which strictly require the destination domain in the URL host part cannot be accessed through Clientless Access. An example of this is CNN.com.

NC-13618
• SF 15.01.0 MR1.1 (15.01.0.407)
• Clientless Access (HTTP/HTTPS)
Unable to access the GUI of the local appliance via a clientless HTTP(S) bookmark

Webadmin access through a clientless access VPN bookmark on the same appliance is not possible.

NC-9641
• SF 15.01.0 MR2 (15.01.0.418)
• WAF
RPC not working when Common Threat Filter is enabled

Outlook Anywhere does not work when CTF (Common Threat Filter) is enabled in a Business Application Rule.

Disable CTF (Common Threat Filter) in Web App Protection Policies.

NC-9132
• SF 15.01.0 MR1.1 (15.01.0.407)
• WAF
WebSockets not supported for WAF

WebSockets is an advanced technology that makes it possible to open an interactive communication session between the user's browser and a server. Sophos XG Firewall only supports WebSocket passthrough starting from version 17.0; in earlier versions this functionality of Webserver Protection is not available.

NC-9102
• SF 15.01.0 MR1 (15.01.0.398)
• Hotspot
Custom logo is not displayed on the Hotspot login page if the Hotspot name contains whitespace

A custom logo is not displayed if the Hotspot name includes whitespace.

Don't use whitespace in Hotspot names.

NC-9063
• SF 15.01.0 GA (15.01.0.376)
• Firewall
Error message while creating Hotspot

It's not possible to create a Hotspot through SFM with an HTML file name that contains a space.

Don't use spaces in file names.

NC-8888
• SF 15.01.0 GA (15.01.0.376)
• VPN (deprecated)
IPSec site-to-site between SFOS and SonicWall is not working in Aggressive mode

IPSec Site-to-Site VPN with SonicWall is not supported with Aggressive mode

Use Main Mode

NC-13598
• SF 15.01.0 MR3 (15.01.0.447)
• Firewall
10G SFP+ Network cards on Software Appliance are not recognized

– After installation of SFOS v15 MR3 on Super Micro X10SDV-TP8F, the Dual 10G SFP+ Network cards from D-1500 SoC are not recognized anymore.
– Issue is also reproducible in SFOS v16

More about the device specifications can be found here:

https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-TP8F.cfm

– Output of dmesg related to Ethernet is shown below
– Output of lspci is needed by developers to analyse further

[    6.505941] e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
[    6.512798] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    6.523049] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k
[    6.538388] i40e: Intel(R) Ethernet Connection XL710 Network Driver - version 1.1.23
[    6.547374] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.0.5-k
[    6.587508] igb 0000:07:00.0: Intel(R) Gigabit Ethernet Network Connection
[    6.634442] igb 0000:08:00.0: Intel(R) Gigabit Ethernet Network Connection
[    6.819952] igb 0000:0b:00.0: Intel(R) Gigabit Ethernet Network Connection
[    7.002801] igb 0000:0b:00.1: Intel(R) Gigabit Ethernet Network Connection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.190630] igb 0000:0b:00.2: Intel(R) Gigabit Ethernet Network Connection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.378468] igb 0000:0b:00.3: Intel(R) Gigabit Ethernet Network Connection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.380785] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.0.2-k
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.386529] ixgb: Intel(R) PRO/10GbE Network Driver - version 1.0.135-k2-NAPI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.397845] Intel(R) 10 Gigabit PCI Express Network Driver - version 3.17.3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.399517] ixgbevf: Intel(R) 10 Gigabit PCI Express Virtual Function Network Driver - version 2.12.1-k
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.481665] QLogic/NetXen Network Driver v4.0.82
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [    7.586272] tehuti: Tehuti Networks(R) Network Driver, 7.29.3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          No workaround available

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NC-17457
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SF 16.05 MR1 (16.05.1.139)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Networking (deprecated)
Username for PPPoE interfaces is limited to 50 characters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The username field for PPPOE interface configuration is limited to 50 characters.

If the username is longer than 50 characters, for example john.doe0123456789012345678901234567890123456789@example.com, use the workaround described below.

In the GUI PPPoE interface configuration, insert any dummy username that is less than 50 characters long.

Go to the advanced shell and enter:
=> psql -U nobody -d corporate (go to the corporate DB)
=> corporate=> update tblpppoeconf set "user"='john.doe@example.com';

After applying the above command, disconnect the PPPoE connection and reconnect to bring the changes into effect.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NC-17808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SF 16.05 GA (16.05.0.117)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Email
Wrong decoding if a policy with 'Change prefix Subject' is configured with umlauts.
• In Legacy Mode, configure a policy with Action: Prefix Subject, with an umlaut (Ü, Ä, Ö) in the prefix. The email prefix subject is incorrectly decoded.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NC-22206
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SF 16.05 MR5 (16.05.5.233)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Clientless Access(HTTP/HTTPS)
Bookmarks of websites that require NTLM authentication don't work in clientless authentication

Bookmarks of websites that require NTLM authentication will not work in clientless access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NC-22372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SF 16.05 MR7 (16.05.7.305)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Email
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Missing Prefix Subject with IMAP and several Mail Clients

When using IMAP, the prefix subject (Spam) is not visible in many e-mail clients unless the message is specifically selected.

Some mail clients download only the root headers from the server before downloading the full mail. The SFOS IMAP proxy doesn't scan headers for spam, because headers alone do not carry enough information to detect spam. The IMAP proxy scans a mail for spam when the mail client downloads the full mail.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NC-22697
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SF 16.05 MR6 (16.05.6.266)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Citrix Base web application (www.bimco.org) is not working with Allow ALL Web Policy

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Issue: Citrix Base Web Application (www.bimco.org) is not working with Allow ALL Web Policy

In transparent mode, Citrix clients are not aware that there is an HTTP/HTTPS proxy in between, so they start talking a proprietary protocol (not HTTP/HTTPS) over the HTTP/HTTPS ports, which the proxy does not understand. This results in a kind of stalemate: the proxy is waiting for a client request, while the Citrix client is expecting something from the server first.

Due to the above behavior, launching an .ica file with any Citrix web-based or application-based setup will fail.

As a workaround, the user must have a hole punched in the firewall to the bimco.org IP address(es) to launch the .ica file.

1: Allow with web policy None in LAN -> WAN for the destination addresses associated with www.bimco.org, for launching the .ica file.
2: Allow All web policy in LAN -> WAN

NC-27906
• SF 17.0 MR3 (17.0.3.131)
• Email
Legacy mode doesn't support retry of e-mail

If greylisting is enabled on the server side, all subsequent mails are rejected. This is because Legacy Mode doesn't support retry of e-mail. If an e-mail fails to send, the Legacy Mode proxy generates a notification and informs the sender. Under greylisting, the failed e-mail should be retried, but it is rejected with the log entry "451 Temporary local problem, please try again!"

https://community.sophos.com/kb/en-us/131686

NC-29363
• SF 16.01 MR1 (16.01.2.222)
• SF 16.05 RC1 (16.05.0.098)
• NoRelease
• Hardware
Unable to boot XGs in HA when using 4x10GE SFP+ flexi module

Issue: The device doesn't boot up after an HA takeover when the unit is equipped with 4x10GE SFP+ flexi modules.

How to identify:

• After an HA takeover, the following BIOS error appears: 'PXE-E01: PCI Vendor and Device IDs do not match'

• After removing the 4x10GE SFP+ flexi modules, everything works fine.

• This may be noticed only sporadically, after 4-5 reboots.

Root cause and fix:

This is caused by old BIOS versions. The latest BIOS version for XG devices is R1.02, which is not affected by this issue. The version can be verified during startup, or by interrupting startup by pressing TAB or DEL. For older devices, we have steps to upgrade the BIOS manually. Please contact Sophos support.

NC-30324
• SF 17.0 MR3 (17.0.3.131)
• Firewall
Internal hosts cannot ping remote access SSL VPN

An SSL VPN user can ping the LAN, but LAN hosts cannot ping the SSL VPN.

If both SSL VPN and policy routing are configured for a destination network, policy routing is applied by default. That is because the default routing precedence evaluates policy routes first. To change this, the routing precedence needs to be changed.

This can be done via the console:

console> system route_precedence set static policyroute vpn

To reach the destination through SSL VPN, the static route precedence has to be the first entry in the routing precedence table.

The current status can be checked via the console:

console> system route_precedence show

Routing Precedence:

1. Static routes

2. Policy routes

3. VPN routes

NC-26865
Link/Act LED glowing on Port3 & Port4 even when ports are disabled in XG85/w, XG125/135/w

For XG85/w and XG125/135/w, the Port3 and Port4 Link/Act LEDs glow without the ports being enabled and configured.

NC-29938
• SF 17.0 MR3 (17.0.3.131)
• Networking (deprecated)
Issue with static route

A static route cannot be applied to the system for a connected network, i.e. no static route can be configured for connected networks.

Example:

If any interface is configured with IP 192.168.115.115/24, the system kernel will not add the static route '192.168.115.0/24 via 10.250.41.21'.

NC-30996
• SF 17.0 MR6 (17.0.6.181)
• SF 17.1 Beta3 (17.1.0.147)
• VirtualAppliance
Random NIC order with more than 3 NICs on VMware vSphere

Due to a VMware issue on vSphere, random network interface mapping occurs with more than 3 network interfaces on SFOS. This happens only with the vmxnet3 and e1000e NIC drivers.

Use the e1000 or flexible (pcnet32) NIC driver.

Sophos Firewall Manager

Generated on:
03 Dec 2024 - 08:00:02 UTC
Last modified on:
02 Jan 2023 - 09:36:53 UTC
Key Affected versions Fix versions Components Summary Description Workaround
NCCC-3576
• SFM 15.01.0 MR-1 (15.01.0.425)
• Base System
HA is not supported in Virtual SFM

• HA is only supported for Hardware SFM devices
• HA is not supported in Virtual SFM

No Workaround

NCCC-10142
• SFOS Compatibility in SFM
• SF Compatibility
SFv17.5 Compatibility: Device is out of sync after adding/updating IPS rule

The device is shown as unsynced for up to 5 minutes after changing or adding an IPS rule in SFM at device level.

Note: The device comes back in sync after a few minutes and the configuration is applied.

NCCC-10121
• SFM 17.1 MR2 (17.1.2.300)
• SFM 17.1 MR3 (17.1.3.200)
• SFM-SCFM
SFM and SCFM do not support upgrade to v18 firmware

You are unable to upload v18 firmware to SFM devices to deploy to XG devices running v17.5.x.

The file upload reaches 97% and then nothing happens.

This is a known issue.

Load the firmware manually onto the XG.

NCCC-10092
• CFM 17.1 MR3 (17.1.3.xxx)
• SCFM
RED configuration is not pushed at group level

When applying RED configuration from CFM group level in the System services module, the configuration fails with the error message: "Data is invalid and cannot be synchronized on the device."

This issue is observed from SF 17.5.MR11 onwards because the UI for RED configurations has been changed for SF 17.5.MR11 onwards.

Use single-device management: select the device from Select devices, then apply the RED configuration.

NCCC-9355
• SFOS Compatibility in SFM
• SF Compatibility
XG signature compatibility issue with SFM

SFM has a default IPS signature set, while the XG appliance supports a signature set based on RAM size.

If an admin pushes signatures from SFM, signatures are displayed on the XG based on RAM size, and the other signatures are not displayed even though the admin sees the success message in the SFM UI.

NCCC-10100
      • CCC-10.6.5
      • CCC-CCMS
      User unable to download and upgrade Cyberoam firmware from CCC

      The user is unable to download and upgrade Cyberoam firmware from CCC.

      The user can upgrade the Cyberoam firmware from the Cyberoam UI.

NCCC-10088
      • CFM 17.1 GA (17.1.0.132)
      • SCFM
      CCL logs are not being populated with changes applied to a CCL enabled device in SCFM

      CCL is not being populated with changes applied to a CCL-enabled device in SCFM.

      Example

      The XG has CCL enabled on it:

      • A test object called "asdf3_delete" with IP "7.7.7.7" was created on SCFM and pushed to the device.

      • The XG received the object and created it successfully.

      • But no CCL log was generated in SCFM.

NCCC-8757
      • CROS Compatibility in CCC
      • SCFM
      CCC Template import is not working with 10.6.6 MR-5

      CCC Import Template is not working with 10.6.6 MR-5.

      The template is imported successfully, but it is imported without any configuration data.

NCCC-9498
      • CFM 17.1 GA (17.1.0.132)
      • SCFM
      CFM is not communicating at all with all XGs on syslog

      SCFM connection tracking fills up, which prevents XGs that use the syslog port/protocol from syncing fully or having templates pushed to them.
      There are no plans to fix this issue, so we recommend using HTTPS instead.

      Use HTTPS instead of syslog.

NCCC-9147
      • CFM 17.0 GA (17.0.0.101)
      • SCFM
      SCFM doesn't push the template to XG

      In some cases it seems that SCFM can't push the template to the device. In fact, it just takes a very long time to do this (could be a few hours).

NCCC-8270
      • VFM 17.0 VarioSecure GA (17.0.0.111)
      • SFOS Compatibility in SFM
      • SF Compatibility
      Compatibility 17.5: Web Proxy Configuration General setting is not supported for SFOS v17.5 in SFM/CFM template import functionality.

      SFM/CFM template import does not support the Web Proxy Configuration General setting for SFOS v17.5.

      Web Proxy Configuration template import does not support Web - General Settings - HTTPS Decryption and Scanning, or Web - General Settings, for SFOS v17.5.

NCCC-5288
      • SFM 16.05 GA (16.05.0.157)
      • SFM-SCFM
      No option to 'Create Network' in SFM, VPN

      There is no option to 'Create' a network for Local or Remote S2S VPN; you can only choose from networks created manually beforehand. The same behavior occurs in the Firewall rule.

Sophos Intercept X for Mobile

Generated on: 03 Dec 2024 - 08:00:02 UTC
Last modified on: 26 Nov 2024 - 10:06:18 UTC
Key | Components | Summary | Description | Workaround
SMSECAND-4561
• Android
Issues with sending log and trace files with Gmail

For some Android versions and devices, Gmail doesn’t attach log and trace files to the email you send to Sophos support.

Send log and trace files with a different email app than Gmail.

SMSECAND-4563
• Android
Web Filtering only supports specific browsers

Web Filtering supports the following browsers:

• Google Chrome
• Mozilla Firefox
• Microsoft Edge
• The native Android browser (preinstalled on older devices)

SMSECAND-4562
• Android
Issue with Android Backup Service

On some devices, Android doesn’t restore Sophos Intercept X for Mobile app settings when you reinstall the app or install it on another device using the same Google account.

This issue is caused by the Android Backup Service.

SMSECAND-4569
• Android
App Protection limitations

Because of Android limitations, App Protection can only prevent user interaction with a password-protected app via the app’s user interface. Users can still interact with the app via other apps like Google Assistant or Android system functionality.

Also, App Protection can’t prevent interaction with an app that runs in a multi-window mode, such as split-screen, floating windows, or tiny windows.

For details, see Sophos Mobile - Access to protected / controlled apps still possible by 3rd party apps.

SMSECAND-4568
• Android
Sophos Accessibility Service turned off on some devices during an update

On some devices (such as the Asus Zenpad 10), Android turns off the Sophos Accessibility Service, which Web Filtering requires, when Sophos Intercept X for Mobile is updated.

Either turn on the service in the Android settings or restart the device.

SMSECAND-4567
• Android
Sophos Accessibility Service turned off on some devices

On some devices, Android turns off the Sophos Accessibility Service, which Web Filtering requires. Sophos Intercept X for Mobile detects this and asks the user to turn on the service again.

SMSECAND-4566
• Android
App Protection doesn’t work with Samsung pop-up view

App Protection can’t protect apps running in Samsung pop-up view.

Pop-up view is a feature of some Samsung devices, such as the Samsung Galaxy S7 and S8.

SMSECAND-4565
• Android
QR Code Scanner limitations with changing the Wi-Fi password

On Android 6.0 and later, an app isn’t allowed to change a Wi-Fi configuration added by another app or by the user. Therefore, QR Code Scanner can only change the Wi-Fi password of networks added by Sophos Intercept X for Mobile.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMSECAND-4564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Android
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        “Monitor SD card” limitations

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        On Android 6.0 and later, Sophos Intercept X for Mobile can’t monitor copying files to the device at all times. This is a known issue of the Android functionality we use for monitoring SD card access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        For example, the app can’t detect copying files from a computer connected via USB.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This limitation doesn’t affect copy operations initiated by the user on the device, such as downloading files from the internet to the SD card.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMSECAND-4571
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Android
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Chrome OS limitations

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        You can install Intercept X for Mobile from Google Play on Chrome OS devices supporting Android apps, such as all Chromebooks launched after 2019.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        When Intercept X for Mobile runs on Chrome OS, the following limitations apply:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Device Security can’t check the Screen lock and Require PIN to start settings.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Web Filtering only works for Android browser apps. For the Chrome browser included in Chrome OS, use the Web Filtering feature of the Sophos Chrome Security extension.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • App Protection doesn’t work.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Link Checker only works if there’s an Android browser app installed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMSECAND-4570
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Android
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Wi-Fi Security can’t detect ARP Spoofing on Android 10 or later

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Wi-Fi Security can’t detect ARP Spoofing on devices running Android 10 or later.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This is an Android limitation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMSECAND-4635
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Android
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Security & Antivirus guard app cannot be installed on devices running Android 10 or higher

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The “Security & Antivirus Guard” app is not available anymore on devices running Android 10 or higher.

After recent changes made by Google, apps that haven’t been updated for a while cannot be installed anymore.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There have been several changes to the Android operating system and the Intercept X app, reducing the need for the Security & Antivirus Guard app.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The app will remain unavailable for devices running Android 10 or later. It will be completely removed in the near future.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMSECIOS-1983
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • iOS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Sophos Intercept X for Mobile iOS receives push notifications from Sophos Mobile backend

Sophos Intercept X for Mobile sometimes receives a push notification from the Sophos Central Mobile backend indicating that a message is available. When you tap the notification, the app opens but no message is there.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This is caused by the "Maximum interval between Intercept X for Mobile synchronizations" trying to trigger the Sophos Intercept X for Mobile app to perform a synchronization.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This behavior will be adjusted in a future version.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMSECAND-4560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Android
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        App Protection does not work correctly on Xiaomi devices

The App Protection feature on Xiaomi devices only works if the client has been opened at least once and if the "Display pop-up windows while running in the background" permission in App info > Other permission is turned on.

Please find details on how to enable the "Display pop-up windows while running in the background" permission in this KB:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        https://support.sophos.com/support/s/article/KB-000044671?language=en_US

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Sophos MDR

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Generated on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Last modified on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        21 Nov 2024 - 11:40:23 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Reference Summary Description Workaround
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        XDR-3985 Central Dashboard: The Total Cases widget may not display in the Threat Analysis Center (TAC) dashboard

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There is a known issue where the new Threat Cases widget may not be displayed in the Threat Analysis Center dashboard. https://cloud.sophos.com/manage/threat-analysis-center/dashboard

The cases can be seen within the Cases section. https://cloud.sophos.com/manage/threat-analysis-center/cases

If this issue is seen, the cases can be viewed by going to the Cases section of the TAC: https://cloud.sophos.com/manage/threat-analysis-center/cases

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        XDR-989 The new Threat Analysis Center dashboard does not contain any data for Intercept X Advanced customers.

The Threat Analysis Center Dashboard will not contain any information or data if a customer has only an Intercept X Advanced or Server Intercept X Advanced license.

The default Threat Analysis Center (TAC) Dashboard (New dashboard) contains widgets and details about XDR and MDR level detections only. For non-XDR/MDR customers, this dashboard will show no detections or other data.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The Intercept X Advanced licenses include the ability to see the ‘Threat Graphs’ details. This data can be seen within the TAC area, by either selecting the submenu section ‘Threat Graphs’ or switching the toggle on the TAC dashboard to view the ‘Original dashboard’. The Original dashboard will show a widget showing the 5 most recent threat graphs created.

Currently this is expected behavior, and the only data that customers with only Intercept X Advanced will have access to is the 'Threat Graphs' data within the 'Threat Analysis Center' section.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Sophos Mobile

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Generated on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Last modified on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        26 Nov 2024 - 10:07:53 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Key Components Summary Description Workaround
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMCSRV-13893
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sophos Central Mobile
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "Send message" task in enrollment task bundle might fail

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        When a “Send message” task is included in the enrollment task bundle, it might fail with an error message indicating that APNS or FCM information is missing.
This can happen if the device takes too long to send the required information to the Sophos Mobile backend.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There is currently no workaround available. A fix might be included in a future update of the Sophos Central Mobile backend.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMCSRV-13801
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sophos Central Mobile
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Detecting deactivated Defender on Windows 10 computers doesn’t work in some cases

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        In some cases, Windows 10 computers might be reported as compliant even if Windows Defender is turned off. This is because the Defender activated compliance rule can only check if the Defender service is running. It doesn’t check if real-time protection is turned on.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMCSRV-13800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sophos Central Mobile
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Task bundle tasks for profile removal don’t list the current profile names in some cases

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        When you rename profiles, removal tasks might show the old profile name.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMCSRV-13799
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sophos Central Mobile
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Pages layout corrupted after Sophos Mobile update

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Some pages of Sophos Mobile Admin might look corrupted after an update of Sophos Mobile.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Clear your browser cache and reload the page.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMCSRV-13802
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sophos Central Mobile
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Removing duplicated Android profiles using a task bundle doesn’t work

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        An Android profile that has been created by using the Duplicate command in an older version of Sophos Mobile can't be removed from devices using a task bundle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SMCSRV-13805
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sophos Central Mobile
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Not possible to save HTML-formatted text

In some cases, you get a "Text contains forbidden HTML elements" error when you try to save enrollment texts for the Sophos Central Self Service Portal that contain HTML formatting, although the text you've entered is valid.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This issue is caused by an error in the HTML parser library.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Change the font size of underlined text and delete any styling attributes.

SMCSRV-13804
• Sophos Central Mobile
Number of users invited to Apple VPP at the same time is limited

When you invite too many users to the Apple Volume Purchase Program (VPP) at once, Apple might reject further requests for a few minutes.

We will fix this issue in a future version of Sophos Mobile.

Reduce the number of users included in the invitation.

SMCSRV-13803
• Sophos Central Mobile
Some Windows 10 devices don’t register correctly for push notifications

Some Windows 10 computers don’t register correctly for the Windows Notification Service (WNS). There’s a time-out of their push registration after 30 days, and the devices fail to renew the registration automatically.

Although the Sophos Mobile server enforces the renewal, some devices send the old, invalid push registration information to the Sophos Mobile server when they re-register. As a result, the Sophos Mobile server can't send push notifications to these devices to synchronize the built-in MDM agent.

This is a known issue in Windows 10.

SMCSRV-13808
• Sophos Central Mobile
"401 Unauthorized" errors when connecting to a third-party service with Chrome

In rare cases, binding Sophos Mobile with a third-party service such as Microsoft Intune Mobile Threat Defense fails with a "401 Unauthorized" HTTP error. We've only seen this with Google Chrome, not with other internet browsers. Apparently, Google Chrome sometimes doesn't attach a required authorization token to the request.

Open Sophos Central in an internet browser other than Google Chrome.

SMCSRV-13849
• Sophos Central Mobile
Checkboxes are cleared when opening an email policy

When you open an email policy after navigating through the Sophos Central Mobile user interface, the checkboxes for the enabled services are sometimes cleared.

SMCAND-2995
• Sophos Mobile Control (Android)
Client-certificate-secured WiFi connection lost on WiFi-only devices after updating policy

If WiFi-only devices are used and a certificate-secured WiFi connection is distributed via Sophos Mobile, the connection will be lost after the assigned policy is changed.
This is caused by the way policies are distributed via Sophos Mobile. If there is no alternative network connection available, devices have to be reset to get them connected again.

SMCAND-2927
• Sophos Mobile Control (Android)
On Sony devices, it’s not possible to protect or control small apps

“Small apps” are Sony-specific apps on Sony devices that overlay existing apps. You can’t control or protect these apps with the Sophos Mobile Control app or App Protection.

SMCAND-2926
• Sophos Mobile Control (Android)
Preventing additional device administrators on Samsung Knox devices

The device ignores the Knox premium restriction “Prevent installation of another administrator app” on a device if there’s already another device administrator activated.

Make sure Sophos Mobile Control is the only device administrator before you assign the restriction.

SMCAND-2925
• Sophos Mobile Control (Android)
Some Samsung Knox devices require a restart to turn on Kiosk Mode

You must restart Samsung devices with a Knox Standard (formerly called SAFE) SDK version earlier than 5.4 after installing a Kiosk Mode profile. If you don’t, users can stop all running apps in the task manager and switch to the default launcher home screen.

SMCAND-2930
• Sophos Mobile Control (Android)
No compliance violation “Installation from unknown sources” on Android 8

Starting with Android 8, the installation of apps from unknown sources isn’t a device setting. It’s a permission setting for apps that can install other apps, for example, a file manager app.

Sophos Mobile can’t check if any third-party app has this permission. Devices with Android 8 ignore the “Apps from unknown sources” compliance rule.

SMCAND-2929
• Sophos Mobile Control (Android)
Removing mail accounts from the Android work profile

When you transfer an Exchange mail account to an Android work profile, the account remains configured in the profile when you remove the policy. You can assign a policy with a different Email configuration to the device. The device always uses the latest Email configuration. However, you can’t remove the configuration from the work profile.

To remove the configured account, remove the whole Android work profile from the device.

SMCIOS-895
• Sophos Mobile Control (iOS)
Automatic synchronization of the Sophos Mobile Control app against the server doesn’t work reliably

In some cases, the silent trigger sent by Sophos Mobile doesn’t result in automatic background synchronization.

Let your users synchronize the app manually.

SMCIOS-894
• Sophos Mobile Control (iOS)
When Safari is restricted via a profile, recommended and required apps can’t be installed via an iTunes link

Installing a recommended or required app via an iTunes link on an iOS device requires the Safari web browser. When you restrict Safari, users can’t install recommended and required apps via an iTunes link.

SMCAND-2933
• Sophos Mobile Control (Android)
App Protection and App Control can only control direct interaction through the user interface

Due to technical limitations of the Android platform, the App Protection and App Control features can only prevent direct interaction with an app through its user interface. Users can still interact with a protected app via other apps like Google Assistant or via Android system functionality.

Also, note that App Protection can’t stop interaction with an app that runs in multi-window mode, for example, split-screen, floating windows, or tiny windows.

For details, see support article 135017.

SMCAND-2932
• Sophos Mobile Control (Android)
Can’t turn on Factory Reset Protection (FRP) on some Android Enterprise devices

On some devices capable of Factory Reset Protection (FRP), we’ve noticed an “FRP is not supported” error when you turn on FRP via Sophos Mobile.

This issue isn’t caused by Sophos Mobile.

SMCAND-2931
• Sophos Mobile Control (Android)
Android Enterprise: Chrome app enabled in work profiles by default

There’s a known Android issue related to the work profile. Starting with Android 8, the Android internal WebView app is disabled by default. As a result, apps in the work profile that rely on the WebView app might stop working.

Google resolved this issue by enabling the Chrome app, which enables the internal WebView app. However, you might not want to allow a browser app in the work profile.

For more information regarding this issue, see the Google article https://support.google.com/work/android/answer/7506908.

To disable Chrome in the work profile, use the App Control configuration of your Sophos Mobile Android Enterprise policy.

SMCIOS-897
• Sophos Mobile Control (iOS)
Restricting app removal doesn’t work reliably

On some devices, users can uninstall apps even if you turn off the “Allow app removal” restriction in the iOS device policy.

This is an issue in iOS.

SMCIOS-896
• Sophos Mobile Control (iOS)
Single App Mode profile changes don’t affect the device

Updating an iOS Single App Mode profile doesn’t update all contained settings. The Disable… options are updated correctly. All other options only work on the first installation of the profile.

This is an issue in iOS.

To change the settings, remove and reinstall the profile.

SMCAND-3170
• Sophos Mobile Control (Android)
"Password policy - Device" not working on devices running Android 12 or higher

On devices running Android 12 or higher that are enrolled with the “Work Profile” management method, the “Password policy - Device” policy is not working.

The user is not asked to configure a device password even though none is configured yet.
This is caused by a change within the Android operating system.

With the Sophos Central Mobile release 2024.24, a new policy was introduced to configure this setting for Android 12 devices.
https://docs.sophos.com/central/Mobile/help/en-us/AdminHelp/Policies/AndroidEnterpriseWorkProfile/PasswordPoliciesDevice/index.html#android-12
Sophos Mobile Control version 9.7.10339 has to be installed on the Android devices.

SMCSRV-14303
• Sophos Central Mobile
Adding EAP/PEAP WiFi does not work on devices running Android 13 or higher

After installation of the May 2023 security update on Android 13 devices, adding an EAP/PEAP WiFi is no longer possible.

The WiFi is not added at all.

Due to a change introduced in the Android operating system, additional information needs to be provided within the applied WiFi configuration. Details on how to solve this can be found in the following article: https://support.sophos.com/support/s/article/KB-000045862?language=en_US

SMCAND-3159
• Sophos Mobile Control (Android)
Devices briefly become non-compliant and compliant again

If the compliance rule “Mandatory apps” is used for Android devices, a device might become non-compliant and compliant again within a short time.

This behavior can occur if several app updates run in parallel on the device while the Sophos Mobile Control app is trying to synchronize with the Sophos Central Mobile backend.

This is more likely to happen on older devices.

No workaround is required, as the devices become compliant again automatically.
Sophos development is working on a new Sophos Mobile Control client that improves the behavior.

SMCAND-3157
• Sophos Mobile Control (Android)
Android network logging requires reboot to be synchronized on Samsung devices

On Samsung devices running Android 14, the Android network logging is not synchronized with the Sophos Central backend until the device is rebooted.

This only affects devices enrolled with the Work Profile enrollment method.

Restarting the device resolves the issue.

SMCSRV-14421
• Sophos Central Mobile
Self Service Portal login does not work in Android Client even though user is added to exceptions in "Sophos Sign-In" settings

When using the QR code enrollment method, the login within the Sophos Mobile Control app does not work with the provided user credentials. This behavior can occur if the Sophos Sign-In settings are set to “Federated Authentication” and the user is added to the Exception list.

The login within the Sophos Mobile Control client will not work in this scenario.

Within the Sophos Sign-In settings, change the sign-in method to "Sophos Central Admin or Federated credentials".
After saving the settings change, login in the Sophos Mobile Control client will work.

SMCSRV-14838
• Sophos Central Mobile
Actions "Show", "Edit" or "Delete" might disappear for device entry after switching device pages

After switching pages within the Devices view and then pressing the blue triangle button next to a device entry, one or two actions are shown instead of three (Show, Edit, Delete). It could be that only the options “Edit” or “Show” have disappeared.

Switching back to the first page, the same behavior occurs.

Refreshing the Devices page makes the actions reappear.

This issue is caused by the settings defined in the "Columns" section available in the lower right corner of the "Devices" page.
Enabling the fields "Description", "Model" and "Operating system" brings back all three actions.

SMCAND-3175
• Sophos Mobile Control (Android)
Sophos Mobile Control client not synchronizing after device restart

After a restart of a device that is secured with a passcode, the Sophos Mobile Control client can no longer synchronize with the mobile backend.

If the passcode is unknown, the device can no longer be accessed.

In this case, the device is not recoverable, as the password reset action will not work.

This might be fixed in a future version of the Sophos Mobile Control client.

SMCAND-3174
• Sophos Mobile Control (Android)
Work Profile enrollment fails for Managed Google Domain bound customers

When enrolling an Android 14 device using the “Work Profile” method, the enrollment fails with the error message “Can’t setup device - Contact your IT admin for help”.
This only occurs if a “Managed Domain” Android Enterprise integration is used.

After the enrollment fails, a notification with the subject "Account action required" appears.
Tapping this notification restarts the enrollment, which then completes correctly.

Sophos Switch

Generated on:
03 Dec 2024 - 08:00:02 UTC
Last modified on:
13 Mar 2024 - 16:56:08 UTC
Key Affected versions Fix versions Components Summary Description Workaround
NSW-5276
• 2024.06.Alfaromeo.MR4
• Switch-Firmware
• Switch-SDK
Admin authentication fallback via TACACS+/RADIUS might fail intermittently

TACACS+/RADIUS admin authentication fallback could be inconsistent. Whenever the RADIUS/TACACS+ server is down or not reachable, the fallback to local authentication might fail intermittently.

Whenever the RADIUS/TACACS+ server is down or not reachable and the fallback to the local credentials fails, use the CLI to change the login authentication to the local server with the following procedure:

1. Log in to the switch CLI via SSH/TELNET or serial console.
2. Once the CLI prompt appears, run the command "configure terminal" to enter switch configuration mode.
3. Set the login authentication mode to local by running the command "no login authentication".
4. After running the above command, the login method should be back to the local authentication mode.

NSW-2178
• EAP1
• Switch-Software
Any configurations on the switch local UI are not synched with Central

VLANs created in the switch local UI are not synched with Central.

Central to switch config sync is allowed, but the reverse sync is not currently available.

Common user observation:

I have three VLANs in my switch, but Central does not show them correctly.

NSW-3684
• Switch-Agent
High latency when pinging switch management interface

Problem Statement:

High latency when pinging the switch management interface. This latency is isolated to the management plane only.

Note: This does not impact the user plane traffic where the user traffic is managed.

NSW-3711
• EAP1
• Switch-SDK
Switch mgmt traffic latency is higher compared to XG or XGS

The ping response time from the Sophos switch shows a higher latency compared to XG/XGS. This latency is seen even when we ping the switch management IP from any client directly connected to the switch.

There is no issue with data plane traffic, i.e. when we ping one host from another host, both connected via the same or different switches.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NSW-3712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • EAP1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Switch-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Uplink tick is randomly being lost though internet gateway is reachable

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The uplink identification intermittently goes away in the local GUI even though the gateway and Internet are reachable from the switch.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NSW-2179
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • EAP1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Switch-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Port management: Central UI uplink port identification is not being updated when the local UI uplink tick is lost or updated with delay

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      [ Intermittent issue ] When moving an uplink cable from one port to another, sometimes it might take more time for the uplink tick to come, even in the local UI. Under these circumstances, the port status event is sent, but the uplink status moves to 0; after a few seconds, the uplink status changes in the local UI, but, at that time, no events are sent to the Central UI.

The faulty status won’t change until the user updates something or a port refresh event triggers the uplink state refresh on the Central UI.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NSW-2436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • 2022.36.Central
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Cloud-Backend
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Switch Firmware (01.2.1091) does not synch LAG into Central

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Switch Firmware (01.2.1091) will not synch locally created LAG into Sophos Central configuration.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Any locally created LAG interface needs to be de-activated locally and re-created in the Central UI.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NSW-2177
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Cloud UI - Switch alert counter doesn’t go beyond 100 from switch list page.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The Switch alert counter doesn’t show beyond 100 from switch list page.

Whenever the unread alert count increases beyond 100, the UI counter is not incremented. However, alerts continue to be generated and are updated on the Central alert page. This is only an alert counter increment issue; functionality continues to work.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Switch alerts in summary page is limited to a count of max 50.

When there is a 51st alert for a switch, the admin doesn't get notified from the Switch inventory page/Switch details page. The count remains 50. However, new alerts (51st) will be displayed on the Central alerts/Dashboard page.

If the admin acknowledges the previously received alerts, the count will reduce (new alert count = 50 - number of alerts acknowledged) and the new alert count will increase thereafter. If the admin doesn't acknowledge the alerts and just reads them from the dashboard, the alert count on the inventory page will reach the maximum of 50 and will never show additional alerts. Those alerts are still visible on the Central Dashboard page.

Whenever the unread alert counter reaches 100, the switch list page doesn't show any further incoming alert count. In this case the admin can go to the Central dashboard - Alert section and view the latest or all unread alerts. This section lists alerts beyond the count of 100.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NSW-1788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Switch Registration screen regarding SSL/TLS Decryption

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Sophos Switch must be able to reach the following FQDN domains in order to successfully register the switch:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  sophos.jfrog.io
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com

Using SSL/TLS Decryption will cause the connection to fail due to certificate chain handling. As a result, decryption must be disabled on appliances between the switch and the internet, or the domains must be added to exclusions on those appliances.

Note: Refer to the additional info added in the comment section.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Sophos UTM Manager

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Generated on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Last modified on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  26 Aug 2021 - 14:58:12 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Key Affected versions Fix versions Components Summary Description Workaround
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NSU-357
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SUM 4.309
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Basesystem
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Unable to schedule SUM update past 31/dec/2019

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Unable to schedule SUM updates from the Management > Up2date section past 31/dec/2019.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Inspect the year select element in your browser and change any year to 2021 in the source. Select that year and click save.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NSU-344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SUM 4.309
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Accd
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SUM only accepting weak ciphers on ACCD port 4433 which fails the PCI compliance check
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SUM's ACCD service port 4433 only accepts weak ciphers that fail the PCI compliance check.

• All the ciphers SUM offers lack Forward Secrecy (FS) and are considered weak ciphers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • We don't have any plans to fix this issue. 

• For security hardening and as a workaround, UTMs should access the SUM locally or through a VPN only. Direct access to the SUM from external networks should be blocked.

For security hardening, UTMs should access the SUM locally or through a VPN only. Direct access to the SUM from external networks should be blocked.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NSU-343
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SUM 4.309
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • WebAdmin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filter action pushed with 1000+ URLs is not working

Pushing a URL filter list with 1000+ URLs may not work in all cases. On the UTM side the URLs appear as gibberish and are not applied to web traffic.

Note that this may not affect every web filter policy with 1000+ URLs. Some policies with 1000+ URLs do not have the issue.

A patch is available through support.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NSU-325
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SUM 4.309
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Basesystem
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Importing web exception with 'Refer to Sandstorm' enabled generates error

When importing a web exception from UTM into SUM that has the "Refer to Sandstorm" option ticked, a "Syntactic object verification" error is displayed.

Temporarily disabling the "Refer to Sandstorm" option on the exception should allow the exception to be imported.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NSU-292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SUM 4.308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • WebAdmin
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          IPv4/IPv6 Icons missing for objects deployed by SUM

After activation of IPv6 (on UTM), SUM-deployed IPv4/IPv6 network objects will have a placeholder icon in WebAdmin.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NSU-212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SUM 4.302
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Accd
Object import fails because the system encountered an internal error

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            In some cases the object import from a gateway via the Gateway manager fails.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If this happens you see one of the following messages:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "The system encountered an internal error. Please contact your administrator if the issue persists".
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "syntactic object verification failed"

These messages appear if a hostname that is not fully qualified is used, e.g. Testsystem10.

Use a fully qualified domain name as the hostname.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Sophos Wireless - AP6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Generated on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Last modified on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            02 Dec 2024 - 10:53:03 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Key Affected versions Components Summary Description Workaround
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7295
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.09.W6.UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            We have seen AP6 420 access points intermittently go offline.

After updating the AP6 420 access point to firmware version v1.3.1629, we have had reports from the field where administrators noticed that the AP6 420 goes offline randomly, and it may be offline for several hours. In certain cases, the AP6 420 will reconnect to Sophos Central with no administrator interaction, but the access point may require a physical power cycle to reconnect with Sophos Central.

Manually reboot the AP6.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.44.Leo.MR5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-Backend
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            When the access points are configured in a Mesh Network, we’ve observed synchronization issues with SSIDs configured with Guest Network NAT Mode

During the synchronization of SSIDs with Guest Network NAT mode enabled between the Root Node and the Mesh Nodes, we have seen synchronization failures where the nodes are not configured with those SSIDs when there are no other SSIDs configured (non-NAT guest) on the mesh network.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            At least one SSID is required in the mesh network that is not using Guest NAT mode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7297
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.Eridanus.MR4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-Backend
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            We have seen intermittent issues with the Syslog settings not being available in Sophos Central

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            On Sophos Central, the administrator may be unable to enable the Syslog settings for AP6 Series access points. This issue seems to be intermittent and may affect only a few access points.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7299
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.Eridanus.MR4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            We have seen post-session timeouts and random disconnects with Enterprise/Radius Authentication used with Intel AX201 wireless cards.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            When the AP6 Series access points are configured using Enterprise/Radius Authentication we have seen random disconnects and post-session timeouts when wireless clients are using an Intel AX201 wireless card.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.Eridanus.MR4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
When performing a neighbor scan, SSIDs are categorized incorrectly

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The neighbor scan categorizes neighbor SSIDs and the BSSIDs as impersonate while they should be classified as unsafe.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It’s possible to manually reclassify the SSIDs and BSSIDs that have been classified incorrectly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7302
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.Eridanus.MR4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-Backend
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If an SSID name is configured using special characters, we have seen voucher creation failure from Sophos Central

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If an SSID name includes (OWE!@ or BS!@#$%^&*()_-={}[]|'";:,<>.?/,) we have seen voucher creation fail from Sophos Central.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Do not use special characters in the SSID name if you have a requirement to use voucher authentication with Captive Portal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7303
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.Eridanus.MR4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            When configured from the local GUI we have seen email failures for password schedule and Syslog.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            When configured using the local GUI on the AP6 Series access points we have seen email failures where the password schedule and syslog emails do not send from the access point.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • 2024.44.Leo.MR5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If Guest Network NAT mode is enabled and the local IP subnet on the LAN of the access point is set to 10.X.X.X/8 the wireless network will get an incorrect network assigned.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            In the following example, we’ve configured the local LAN as 10.10.10.2/8 on the AP6 access point.

1. Assign the IP address 10.10.10.2/8 to the AP6.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2. Configure the SSID with Guest Network NAT mode enabled and save the SSID.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3. The DHCP IP range is automatically set from 10.100.1.2 to 10.100.254.254 for wireless users attaching to the SSID with Guest Network NAT mode enabled.

Since the IP is configured as 10.10.10.15/8 for the AP6 LAN, the range of IP addresses on the LAN would be 10.0.0.1 to 10.255.255.254. Therefore, the Guest Network NAT range falls within the LAN IP range. This may cause problems with certain deployments.

Configure the AP6's LAN interface to be in a network that does not use the 10.X.X.X/8 subnet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-7305
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • GA
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            During an SNMP get/walk the default gateway and DNS addresses will display as 0.0.0.0

The AP6 Series access points' default gateway IP address and DNS address information will display as 0.0.0.0 when you do an SNMP get/walk.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-5388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • MR-3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-Backend
Captive Portal: Clients need to re-authenticate when they roam between access points for all auth modes except voucher
• Client Roaming is not applicable for the following captive portal authentication types:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • None

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Password Schedule

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Social login

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Backend Authentication

It is expected that an authenticated captive portal client is asked to re-authenticate when it roams between two AP6s that are broadcasting the same captive portal SSID with the above authentication methods.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-5387
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • MR-3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-Firmware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            AP6 - Firmware upgrade option is not shown in some cases

In some cases the firmware upgrade icon is not displayed in the AP list page. It is possible to select the firmware upgrade from the “Firmware upgrade” button.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Firmware upgrade is possible from the firmware upgrade button shown in the snapshot.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-3270
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • GA
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-Firmware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-Backend
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Cloud-UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Band steering and MAC filtering cannot be enabled at the same time for AP6.

If you try to apply an AP6 SSID policy from Central Wireless with both Band steering and MAC filtering enabled, the MAC filtering is not applied to the AP6. In Central, MAC filtering shows as None.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Disable band steering if you have a requirement to enforce MAC filtering on the AP6 access points. From Central Wireless go to the SSID<

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-4675
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • MR-2 (1.2.1584)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-SDK
Captive portal redirection may fail if a captive portal + VLAN SSID is assigned after the Wi-Fi backhaul is established.

Sometimes the Mesh Node AP does not receive an IP address for the VLAN interface when a captive portal with VLAN SSID is applied to an already established Wi-Fi mesh backhaul. As a result, captive portal clients connected to the mesh node may not get the captive portal login page.

The issue is resolved when the Mesh Node is rebooted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-4667
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Mesh Central EAP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-Firmware
[Mesh-Central] - APs are retaining the previous MESH settings when replaced with a new Mesh SSID

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            After removing the old MESH config and before applying the new MESH config, the Root and the Node APs should be rebooted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-4669
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • MR-2 (1.2.1584)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-Firmware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2-Hop mesh does not work (mesh does not get formed)

A Mesh network with more than 1 Node cannot be created in a "daisy chain" topology; it works only in a Star topology (i.e., all Nodes should be only one hop away from the Root).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The Mesh Nodes can be placed closer to the Root AP so all Nodes can reach the root directly in 1 hop.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-4671
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Mesh Central EAP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-Firmware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            [Mesh-Local] There should be a clear warning message when editing mesh SSID and password

Changing Mesh Backhaul settings (SSID Name or Password) on the Root after Mesh formation will break the Mesh communications with the Nodes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Backhaul settings should be updated on Nodes before the settings are changed on the Root.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            WIFIX-3325
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • EAP-2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP-Firmware
RADIUS server re-authentication is not working after the wireless user session times out for AP6.

When the AP6 is configured to use an external RADIUS server, RADIUS re-authentication does not appear to work if the wireless user's session times out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Sophos Wireless - APX

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Generated on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            03 Dec 2024 - 08:00:02 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Last modified on:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            12 Nov 2024 - 16:50:05 UTC
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Key Affected versions Components Summary Description Workaround
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            CWIFI-12119
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Cloud Platform
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Users trying to access the captive portal page to authenticate using Social Media credentials receive an error

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The connection of the captive portal page delivered by the access point is secured by a self-signed certificate.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Most browsers will deliver a warning message about this.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Some browsers allow the user to override this warning message and proceed with the connection to the captive portal page.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Other browsers do not allow this, making it impossible for the user to access the captive portal page.

Try another browser that provides an option to proceed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              CWIFI-13232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • AP Software
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Captive Portal timeout after accepting terms and conditions

When VLAN tagging, Guest Network and Captive Portal are configured on the SSID, clients are redirected to a timeout page with no internet access after clicking accept on the Terms and Conditions. They must disconnect and reconnect to the same SSID to get internet access working.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1.) Disable Captive Portal. (Enable: VLAN Tag, Guest Network, Bridge IP assignment)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                OR
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2.) Disable VLAN tagging with NAT mode (Enable: Guest Network and Captive Portal)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                CWIFI-13212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • 2.3.4-5 ( CWIFI MR Release )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • AP Software
Fast roaming does not work properly when RADIUS/dynamic VLAN is enabled.

When Fast Roaming and dynamic VLAN are configured on the SSID, clients randomly lose their IP addresses while roaming from one AP to another. They have to disconnect and reconnect to the same SSID to get an IP address.

Disable fast roaming so that RADIUS authentication is triggered again during roaming; the new AP then gets the VLAN information, and packets from clients are tagged properly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                CWIFI-13128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • 2.3.4-5 ( CWIFI MR Release )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • AP Software
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Manual Access Point Restart for Firmware Upgrade

Because of concurrent instance changes for Central, access points may require a manual restart for a successful firmware upgrade if the instance change and the upgrade happened at the same time. Do not interrupt the upgrade process: wait 30-40 minutes before attempting a manual restart. After that time has passed, you can proceed with a manual reboot.

Restart the access point manually after waiting for 30-40 minutes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                CWIFI-13041
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UI
Wireless Product Tab not available in Central Admin

If the Central account is hosted in new regions, the Central Wireless Product is unavailable, and there are no plans to make it available in the new regions. When customers create a Central account in a new region, they will see a message describing which products are available. The message includes a warning that the wireless product does not yet have a plan or date for when new regions will be supported.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  CWIFI-13082
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • 2.3.4-4 ( CWIFI MR Release )
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • AP Software
Social login is not working with AP100 Series model

Due to an SSL error, the user cannot log in to the network with social login credentials. We found that TLS 1.2 is not available on the AP100 device.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  CWIFI-13058
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UI Design
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Sophos Central Wireless supports only the English language on the hotspot Captive Portal page.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Sophos Central Wireless Captive Portal page supports only the English language. Some elements will remain in English after the language is changed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    CWIFI-12586
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Leibniz 2.3.2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Only the first 50 entries of the device page will be exported into the CSV file

Currently, a limitation causes only the first 50 entries to be exported to CSV, irrespective of the number of clients.

Development treats this as a feature request and will address it in future releases. There is no ETA for this yet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    N/A

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    CWIFI-12204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Leibniz 2.3.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • AP Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • AP Software
Legacy APs will brick when interrupted during firmware upgrade.

The following AP models might brick when a firmware update is interrupted by a power loss: AP 15, 15C, 55, 55C, 100, 100C and 100X.

1. Make sure that there will be no power outage during the upgrade process.
2. If a power outage does happen and APs get bricked, the recovery process is very simple. The recovery tool can be downloaded from the URL below, and the process is explained on the same page: https://support.sophos.com/support/s/article/KB-000039314?language=en_US
P.S.: After recovery, the previous config is retained, so the AP can be used straight away.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    CWIFI-11442
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Leibniz 2.2.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • AP Software
Data limit set on voucher doesn't restrict new download/connection after quota expires

A wireless client connected to a Sophos AP/APX managed by Sophos Central Wireless might be able to access more data than defined on the voucher.

Sophos AP/APX sends a periodic update of the voucher's data usage to Sophos Central every 4.5 minutes. In the worst case, a user may get free access to the internet for a maximum of 4.5 minutes beyond the 'Access time/Data Limit' stated on the voucher.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    CWIFI-10529
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Leibniz 2.2.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • AP Software
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Legacy issue: Devices fail to disconnect from AP when Connected SSID is removed from AP

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Devices fail to disconnect from the AP when the Connected SSID is removed from the AP.

Clients such as a MacBook Air, an Android phone, and a Dell laptop with Linux still show as connected to the AP when the connected SSID is removed from the AP page.

On the client's WiFi page, it still shows the device as connected and with a connected IP address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Disconnect the client.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    CWIFI-9933
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Leibniz 1.16.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Cloud_2018.22
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UI
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Client Vendor filter not working as expected

Attempting to filter connected clients by Vendor only works for the first 8 characters entered. If more than 8 characters are entered into the filter, 0 results are returned.

Significant improvements are planned for the filtering in Central Wifi later in 2019, at which point we expect this behaviour to be resolved.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    CWIFI-9048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Leibniz 2.0.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Cloud_2018.28
Dynamic VLAN with Sync security is not supported but is user-configurable

There is no workaround for this at the moment. Dynamic VLAN and Sync security should not be enabled on the same SSID.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      CWIFI-9244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Cloud_2018.28
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UI
User is able to enable Sync security on an SSID which is assigned to AP platforms (AP100, AP55, AP15), though the functionality is only supported in APX

The Sync security feature is not supported for AP platforms, but the user can edit the SSID assigned to the AP platforms and enable the Sync security feature.

This can create an issue in a mixed-platform environment where the SSID is part of both APX and AP platforms in a network. There would be different behavior when the AP roams from APX to AP platforms.

There is no workaround for this. The user should not enable Sync security on an SSID which is assigned to AP platforms.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      CWIFI-9526
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • AP Software
SSIDs are not broadcast when a mesh is established between APX and legacy AP platforms.

SSIDs are not broadcast on 5 GHz when a mesh is established between APX and legacy AP platforms.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Steps:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1. Establish the Mesh using APX320 and AP100.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2. Configure the SSID on 2.4 and 5 GHz and associate the same on both the Access points.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3. Reboot any one of the access points.

4. Once the AP comes up, the SSID is not broadcast on 5 GHz.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This is a known limitation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        CWIFI-9527
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • AP Software
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Usage graphs are only updated every 20 minutes

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Usage graphs are only updated every 20 minutes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Steps:

1. Configure an SSID and connect a client to it.

2. Browse the data for some time.

3. Go to Accesspoint -> Clients and click on the client.

Client details, including usage graphs, are shown and updated every 20 minutes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          CWIFI-9101
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Leibniz 2.0.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • AP Software
SSID information is sometimes not updated immediately on the Clients page.

The Current Network (SSID) under Accesspoint -> Clients is sometimes displayed incorrectly. The Current Network information is not updated immediately in the Cloud UI, so the entry may show the previously connected SSID instead of the current one. It takes around 4 to 5 minutes for the correct information to appear on the Clients page.

There is no workaround for this. The user has to wait around 5 minutes from the time the client connects to the SSID for the UI to update correctly under Accesspoint -> Clients.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          CWIFI-8657
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Leibniz 2.0.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • AP Software
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Discrepancy between APX320 and APX530/740 in LED behavior during hard reset.

There is no workaround for this. On all APX platforms, if the reset button is pressed for about 8 to 10 seconds, the APX reboots, and if the reset button is pressed for more than 15 seconds, the configuration is wiped.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          CWIFI-9098
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP Software
If a macOS device has both Mobile SMC and Endpoint, the status keeps toggling if one of them has a RED status.

This occurs when a macOS device has both Mobile SMC and Endpoint. If Mobile says "Red" and Endpoint says "Green", the status keeps toggling, and so does the client's functionality.

There is no workaround for this. A macOS device should have either Mobile SMC or Endpoint software, not both.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            CWIFI-9245
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Leibniz 2.0.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP Software
A blocked page is rendered the first time clients in the "Red" state try to access Sophos-friendly whitelisted URLs.

Refreshing the page will allow access to the Sophos-friendly whitelisted URLs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            CWIFI-7237
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Leibniz 1.15.0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • AP Software
In a roaming scenario, client MAC entries will be present in the old AP as well as in the new roamed AP.

When a client roams from one AP to another, the client's MAC entry will be present in the old AP as well as in the new roamed AP in the UI (under the Accesspoint -> Client page). Ideally, the client MAC entry should be present only in the new roamed AP, and the entry in the older AP should be removed when the client roams to the new AP.

There is no workaround for this. The client MAC entry in the older AP will be removed after 5 minutes, and there will not be any effect on AP functionality. This is only a UI issue.

CWIFI-8420
• Cloud_2018.03
• Cloud Platform
• UI
Search by MAC address shows duplicate results in the clients page when the first 2 bytes of the MAC are used for the search.

Under the clients page, when we search for a client using the first 2 bytes of the MAC address, duplicate entries of the same client can be seen.

Use 3 bytes or more of the client's MAC address in the search option under the clients page.

CWIFI-4201
Background automatic channel selection

Currently, background automatic channel selection is not working. This means that an AP will not switch a channel even if it becomes too crowded or has too much interference.

CWIFI-4310
MESH interoperability when manually selecting channels and channel bandwidth

To make sure that MESH works between APs, you need to ensure that the APs which should be part of the MESH network are broadcasting on the same channel and use the same channel bandwidth. Manual channel selection is highly recommended.

CWIFI-4261
Recommendation: schedule firmware updates to be applied daily or weekly

As we'll be shipping frequent updates, we recommend scheduling firmware updates to happen daily or weekly. If you set it to monthly you might be missing out for a long time!

CWIFI-4496
Manual interaction required when upgrading a Mesh network to version 1.3

See https://community.sophos.com/sophoswireless/b/sophos_wireless_blog/archive/2016/08/10/manual-action-required-for-mesh-networks-in-upcoming-ap-firmware-release-1-3 for details.

This is a one-time effort and is not needed for future releases. There won't be a fix for this.

• connect the repeater AP to an ethernet connection
• reboot/power cycle the AP
• wait for the AP to have the correct firmware applied
• disconnect the repeater AP from ethernet
• power cycle the AP

CWIFI-4202
UTM wireless firmware used for flashing has a chance of bricking the AP

The AP firmware on UTM <= 9.404 does not have the reliability improvements that we've added to the firmware update process in later firmware releases.
This means that the firmware update has a higher chance of failing and rendering the APs non-functional.

Please make sure not to unplug an AP after it has been registered by the Cloud until it is shown as online in the Cloud.

CWIFI-4254
• AP Software
• Cloud Platform
• UI
UI: trying to register multiple APs in parallel sometimes fails

Due to a UI issue, whenever you try to register more than one AP in the Wizard, the UI might show an error even though the registration works. Unfortunately, this affects a common workflow: a new customer wants to set up multiple APs in one go.

UTM

Generated on:
03 Dec 2024 - 08:00:02 UTC
Last modified on:
04 Oct 2024 - 02:15:18 UTC
Key Affected versions Fix versions Components Summary Description Workaround
NCL-1392
  • STAS
  Do we support Secure LDAP port 636 in STAS for Novell eDirectory configuration?

  Question:

  Do we support Secure LDAP port 636 in the Novell eDirectory configuration of STAS?

  Answer:

  Secure LDAP port 636 is not supported in the Novell eDirectory configuration of STAS.

NUTM-14732
  • UTM 9.7 MR19 (9.719)
  • Reporting
  Executive report does not match other reports

  Executive report does not match other reports. When pulling other reports, such as SSL VPN information, and comparing them to the executive report, the data may not match up. This is because the executive report covers only the last 30 days. If the month has 31 days, the 1st day is cut off.

NCL-1394
  • Auth Client macOS 2.1.0
  • Authentication Clients
  CAA takes 2-3 minutes to log in the user on Mac when it comes back from sleep

  Issue description:

  When a MacBook comes back from sleep mode, it takes 2-3 minutes for the user to be able to browse the internet.

  This happens only when there is a user-based firewall rule. It takes CAA around 2-3 minutes to authenticate the user.

  Workaround:

  The user can disconnect and reconnect the client.

  Disconnect the CAA, then reconnect.

NUTM-13534
  • UTM 9.7 MR7 (9.707)
  • Web
  Throughput when doing speed tests while using web proxy

  When using services that test network speed for individual devices, results may indicate lower than expected bandwidth when web filtering is enabled. This is generally due to the way that traffic is received, scanned, and forwarded by the UTM’s web proxy and the need to ensure that resources consumed by a single connection do not impact resources available for other traffic on the network. It does not represent an overall limit on the bandwidth that can be handled by the firewall – under normal use conditions, the UTM handles multiple parallel connections from different endpoint devices, which allows parallelization of processing and allows the full bandwidth of the network connection to be used.

NCL-1769
  • Authentication Clients
  Unable to download Sophos Network Agent for Android from the Google Play store

  An issue was found where the existing version of the Sophos Network Agent is using an older version of the Google APIs. This prevents the Sophos Network Agent from being downloadable for devices running the latest version of the Android OS. The Sophos Network Agent will continue to function on devices running the older version of the Android OS.

NUTM-13616
  • UTM 9.7 MR11 (9.711)
  • Wireless
  Roaming between APX and AP models is not supported

  Roaming between APX and AP models is not supported

  Roaming from legacy AP to APX, and vice versa, won’t work, as it is not supported due to different driver constraints.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTM-5222
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM 9.4 MR2 (9.404)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Email
Missing account link/binding in POP3 database

The POP3 mail account bindings are not stored correctly in the database if no prefetch server is configured.

As a side effect, a user will not be able to release items from the quarantine if no prefetch server is specified.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NUTM-4996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UTM 9.4 MR2 (9.404)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • WAF
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Webpages with Encoded Slashes Not Allowed

Non-standard webpages not loading with WAF.

If the URL used to load a web page contains encoded slashes, the page does not load and WAF replies with a 404, although the resource exists on the backend server.

Such a URI can be identified by the slashes it contains in encoded format (%2F).

The Apache directive AllowEncodedSlashes is set to No by default for security reasons. This means Apache will reply with a 404 to every request containing encoded slashes. Setting the parameter to NoDecode is not an option, because that setting is not compatible with mod_proxy: it would result in double encoding.

Encoded slashes are not allowed because they can be used to access locations that are otherwise restricted. For example, if you have a location configured for /something on example.com and you access example.com/something%2F..%2Fadmin, you can reach a location that might have no site path configured in WAF. This applies when AllowEncodedSlashes is set to yes.

More information is available at:

https://httpd.apache.org/docs/2.4/mod/core.html#allowencodedslashes

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NUTM-5043
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UTM 9.35 MR2 (9.353)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Email
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Recipient verification not working with Microsoft Global Catalog (LDAP over SSL using port 3269).

Recipient verification is set to verify recipients in Active Directory, but messages to non-existent recipients are not rejected as expected.

After you confirm that recipient callout works with port 3268 and without SSL, you could try the following:

In WebAdmin, create a "New network definition" in Definitions & Users >> Network Definitions >> Network Definitions tab. Set its type to "DNS Host" and enter the DNS hostname for the Active Directory server. After you click the Save button, you can use this definition with the Authentication Server in Definitions & Users >> Authentication Services >> Server tab.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NUTM-6650
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • UTM 9.4 MR6 (9.409)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • WAF
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SQL_INJECTION Critical warned instead of blocked

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Webserver protection is only warning on SQL injection instead of blocking.

The reverseproxy logs show a "ModSecurity: Warning" message and the connection is not blocked.

This was caused by the following rules being added to the skip filter rules list:
981203, 981176, 981204

These rules are needed to decide whether the SQL injection should be blocked. Because they are not evaluated, the SQL injection is not blocked.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTM-8000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UTM 9.35 SR3 (9.355)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Email
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Failed node's quarantined e-mails can't be released

On UTM, quarantine directories are synced across all nodes. Any e-mail quarantined on a node is synced to the node directory across all nodes. This also applies to "RESERVED" nodes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Directory structure:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            spool/quarantine//

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Spool directory:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /var/chroot-smtp/spool

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            E-mails on HA systems are by design not automatically syned if there is a failover. To retrieve e-mails of a failed node the administrator has to copy the e-mails manually.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Copy e-mails from the failed to the current node (ID):
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            spool/quarantine// to spool/quarantine/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            After this restart the SMTP:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /var/mdw/scripts/smtp restart

NUTM-8001
• UTM 9.4 MR8 (9.411)
• Email
SMTP 'cannot parse spamd' error allowing spam

The logs show the following error message:
2017:03:03-18:59:57 example-utm exim-in[8500]: 2017-03-03 18:59:57 1cjx77-0002D6-0E spam acl condition: cannot parse spamd output

This issue is caused by the spam lookup module failing to connect to the lookup servers.

NUTM-9276
• UTM 9.5 SR1 (9.504)
• Email
E-Mail Quarantine behaviour

Is it expected behaviour that the retry time includes the time a mail was in quarantine

If a mail was moved to quarantine and was released later, the mail server rejects the mail with a temp error 421.
Instead of retrying, the UTM logs "retry timeout exceeded" and sends a bounce message to the sender.

NUTM-9457
• UTM 9.5 SR2 (9.505)
• Email
SPX attachments with # in file name

When an email is sent with an attachment whose file name contains a space followed by a # sign, SPX truncates the name of the attachment in the encrypted PDF. The attachment cannot be opened.

Example file name:
"Test #1.pdf"

In the PDF the name will appear as 'Test'; you cannot open or save the attachment from the PDF when this happens.

Parsing of a "#" character after a space in the PDF meta XML is not supported by the PDF utility used for SPX.

NUTM-9453
• UTM 9.5 MR3 (9.503)
• Email
Non-ASCII Character: Bypass valid SPF Record

SPF checking for a domain that has a valid SPF record can be bypassed if a non-ASCII character is sent in the HELO string.

Example: a domain test.com has the SPF record

v=spf1 mx a ip4:X.X.X.X -all

When you telnet to the server and send a non-ASCII character in the HELO string, the SPF check fails.

system-1:/var/log # telnet test.com 25
Trying X.X.X.X ...
Connected to test.com
Escape character is '^]'.
220 mail.lochem.nl ESMTP ready.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    HELO test♥.nl
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    500 non-US-ASCII characters are not allowed in SMTP commands
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    mail from: test@abc.in
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    250 OK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    RCPT TO:XYZ@example.com
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    250 Accepted
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ^]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    telnet> quit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Connection closed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Reason : When EHLO/HELO is missing or rejected by exim, the spf check will fail due to missing EHLO/HELO.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    We already have behavior that rcpt will be accepted in such case of spf fail.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Workaround : Enable Reject invalid HELO/ missing RDNS

NUTM-10388
• UTM 9.5 MR7 (9.509)
• NoRelease
• WAF
What is the max_processes maximum?

Question: What is the maximum value of the max_processes setting for the WAF service?

There is no maximum value for this setting. The limiting factor is how much memory is available, which in turn depends on how many features are in use on the UTM.

The suggestion is to increase the max_processes value slowly, making sure there is enough memory on the SG to handle it.

NUTM-11151
• UTM 9.6 MR1 (9.601)
• Email
UTM not decrypting S/MIME messages from Gmail

The UTM expects an encrypted, signed message. It reverses this by decrypting the message first and then verifying the signature.
Google G Suite signs, encrypts, and then signs the encrypted mail again. The UTM does not know how to process or verify these emails.

NUTM-12608
• UTM 9.7 MR5 (9.705)
• Email
Supported S/MIME versions

Which S/MIME versions do we support in UTM?

Sophos UTM supports the following S/MIME versions:

Using the command line, you can define which S/MIME version Sophos UTM uses:
The confd option "encryption_utility" can have these values:

smime: Sophos UTM handles S/MIME version 2 (default)
cms: Sophos UTM handles S/MIME up to version 3.1

NUTM-13328
• UTM 9.7 MR7 (9.707)
  • Hardware
  • Network
VLAN limitations based on chipsets on network modules

The number of VLANs supported per interface is dictated by the Ethernet controller used by the NIC.

82599ES-based Ethernet controllers support up to 64 VLANs.
XL710-based Ethernet controllers support up to 256 VLANs, but they share forwarding/routing tables with other features, so the number is smaller in practice. It ranges between 100 and 180 depending on the features in use.

The aforementioned Ethernet controllers are used by the following NICs:

Other modules may support more or fewer VLANs.

An indication that the threshold is being crossed is the presence of the following log line in dmesg (or kernel.log on UTM):

i40e 0000:04:00.0: Error I40E_AQ_RC_ENOSPC, forcing overflow promiscuous on PF

If this log line is seen, lower the number of VLANs per interface and spread them across multiple interfaces until the log lines are no longer generated; this should improve performance.
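One way to run the check described above, as an added example that is not Sophos tooling: the functions count the I40E_AQ_RC_ENOSPC log line per PCI device and count VLAN sub-interfaces per parent interface. The function names, the sample log and interface lines (constructed), the availability of `ip -o link show type vlan` on the appliance, and the use of 100 (the lower end of the practical XL710 range quoted above) as the warning threshold are all assumptions.

```shell
#!/bin/sh
# Added example: helper names and sample data are hypothetical/constructed.

# Constructed dmesg-style excerpt; only the i40e error text comes from the page.
SAMPLE_KLOG='[  700.000001] i40e 0000:04:00.0: NIC Link is Up, 10 Gbps Full Duplex
[  812.104522] i40e 0000:04:00.0: Error I40E_AQ_RC_ENOSPC, forcing overflow promiscuous on PF
[  812.230010] ixgbe 0000:03:00.0 eth2: NIC Link is Up 10 Gbps
[  930.551200] i40e 0000:04:00.1: Error I40E_AQ_RC_ENOSPC, forcing overflow promiscuous on PF
[ 1044.000317] i40e 0000:04:00.0: Error I40E_AQ_RC_ENOSPC, forcing overflow promiscuous on PF'

# Read kernel log lines on stdin; print "<pci-address> <hits>" per i40e device
# that logged the overflow-promiscuous error.
overflow_devices() {
    awk '
        /I40E_AQ_RC_ENOSPC/ && /forcing overflow promiscuous/ {
            for (i = 1; i < NF; i++) {
                if ($i == "i40e") {
                    dev = $(i + 1)
                    sub(/:$/, "", dev)      # strip the trailing colon
                    hits[dev]++
                    break
                }
            }
        }
        END { for (d in hits) print d, hits[d] }
    ' | sort
}

# Read `ip -o link show type vlan` output on stdin; print "<parent> <vlans>".
# VLAN sub-interfaces appear as "<index>: <name>@<parent>: <flags> ...".
vlans_per_parent() {
    awk '
        {
            n = split($2, parts, "@")
            if (n != 2) next                # not a stacked interface
            parent = parts[2]
            sub(/:$/, "", parent)
            count[parent]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort
}

# Read "<parent> <vlans>" on stdin; print parents whose count exceeds $1.
over_limit() {
    awk -v limit="$1" '$2 + 0 > limit + 0 { print $1 }'
}

# Constructed interface list: 120 VLANs on eth4, 10 VLANs on eth5.
sample_links() {
    awk 'BEGIN {
        idx = 10
        for (v = 1; v <= 120; v++) {
            printf "%d: eth4.%d@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n", idx, v
            idx++
        }
        for (v = 1; v <= 10; v++) {
            printf "%d: eth5.%d@eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n", idx, v
            idx++
        }
    }'
}

# Report on the constructed data. On a live system, feed the functions from
# `dmesg` (or kernel.log) and `ip -o link show type vlan` instead.
echo "Devices that logged the overflow error (address, hits):"
printf '%s\n' "$SAMPLE_KLOG" | overflow_devices
echo "Parent interfaces above 100 VLANs:"
sample_links | vlans_per_parent | over_limit 100
```

Pass 64 to `over_limit` for interfaces on 82599ES-based controllers, the limit the entry gives for that chipset.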

NCL-1309
• STAS 2.5.1.0
  • STAS
STAS users are disconnected frequently if the dead entry timeout is configured to a value other than zero.

Dead Entry Timeout does not work and it MUST be set to zero. If the dead entry timeout is configured to anything other than zero, this behavior occurs and users may get disconnected randomly.

Set the dead entry timeout to zero to avoid user disconnections caused by the dead entry timeout. It is recommended to use the WMI mechanism in STAS for log-off detection.

NUTM-12689
• UTM 9.7 MR5 (9.705)
  • Access & Identity
RDweb Apps via HTML5 VPN portal not working

The HTML5VPN portal offers RDP connections and HTTP / HTTPS connections.
HTTP / HTTPS connections are for accessing a web server.
RDWEB accesses an RDP server via HTTPS to use apps/clients via RDP.

Accessing RDP systems via an HTML5VPN HTTPS connection is not supported and there is no plan to support this in the future.

To use RDP, use an RDP connection from the HTML5VPN portal.

None

NUTM-12630
• UTM 9.7 MR5 (9.705)
  • Network
IPv6 link-local address disappears

In IPv6, the link-local address is created and assigned to an interface by the Linux system when the interface is brought up. The interface will lose its link-local address if it is brought down.

This issue will occur in the following scenario:
i) There is ethX (with an IPv6 global address and a link-local address) and ethX.VLAN, and both of these are up
ii) A new global IPv6 address is assigned to ethX
iii) After the newer IPv6 address is assigned, ethX loses its link-local IPv6 address

Workaround for this issue:

1. Move the VLAN off ethX if possible
  Pros: Simple
  Cons: Not always possible

2. Add the link-local address to the "Additional Address" for the interface
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Pros: Simple
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Cons: Additional address is added and it is NOP since it is already there

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3. Disable and Re-enable IPv6 after making changes to IPv6 address on the interface
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Pros: Simple and should be available since customer is made to be aware of the vlan setup with IPv6 combo and the time they do assign newer IPv6 address
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Cons: Can be disruptive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTM-12469
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM 9.7 MR3 (9.703)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Access & Identity
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                HTML 5 VPN Black box over cursor with Windows 10

When using the HTML5 VPN portal to RDP into a Windows 10 machine, the cursor sometimes shows as a black box.

Attempted to change the cursor on the RDP machine: same issue (but different box shape)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                N/A

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTM-12432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM 9.4 MR8 (9.411)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Access & Identity
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Not possible to use 2 IPsec Remote Profiles with PSK and XAUTH

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It is not possible to use 2 or more IPsec Remote Profiles with PSK and XAUTH enabled at the same time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Use only one profile with PSK and the other profiles with certificates

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTM-12187
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM 9.7 GA (9.700)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Access & Identity
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  [HTML5 VPN] HTTPS connection type doesn't work

The HTTPS part of the HTML5 portal only supports TLS 1.0.

It is recommended to use WAF instead of HTML5 VPN as it has better support and more granular control.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTM-11856
Sophos Connect: Cannot authenticate user with German umlauts

Sophos Connect for the time being only supports ASCII characters, no umlauts or UTF-8 or UTF-16.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NUTM-11670
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Network
Allow ARP broadcasts option

Allow ARP broadcasts explained

ARP is a broadcast protocol, which means every machine in the broadcast range needs to receive the ARP request in order for the machines to communicate with each other. This option does not apply to all ARP requests, because it does not apply to the Ethernet target MAC address: all ARP requests have the broadcast address as their Ethernet target MAC address. The option applies only to certain ARP requests, those that have the ARP target address set to the broadcast address. This is not the same as the Ethernet target MAC address.
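The distinction above, as an added example that is not Sophos code: this Python parser reads an Ethernet frame (optionally with one 802.1Q tag) and reports the Ethernet destination MAC and the ARP target hardware address separately. The function names and both sample frames are constructed for illustration; the sender MAC is the one from the capture on this page, and the IP addresses are documentation addresses.

```python
import struct
from typing import NamedTuple, Optional

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ARP_LEN = 28              # ARP payload for Ethernet/IPv4


class ArpView(NamedTuple):
    eth_dst_broadcast: bool     # Ethernet header destination is ff:ff:ff:ff:ff:ff
    arp_target_broadcast: bool  # ARP target hardware address is ff:ff:ff:ff:ff:ff
    opcode: int                 # 1 = request, 2 = reply
    target_mac: str


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inspect_arp(frame: bytes) -> Optional[ArpView]:
    """Return the two 'broadcast' flags for an ARP frame, or None if not ARP."""
    if len(frame) < 14:
        return None
    eth_dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:            # skip a single VLAN tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[offset:offset + ARP_LEN]
    if len(arp) < ARP_LEN:                     # truncated ARP payload
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                            # only Ethernet/IPv4 ARP handled
    target_hw = arp[18:24]                     # after sender MAC (6) + sender IP (4)
    return ArpView(
        eth_dst_broadcast=(eth_dst == BROADCAST_MAC),
        arp_target_broadcast=(target_hw == BROADCAST_MAC),
        opcode=oper,
        target_mac=fmt_mac(target_hw),
    )


def build_arp_request(src_mac: bytes, sender_ip: bytes,
                      target_mac: bytes, target_ip: bytes) -> bytes:
    """Build a constructed ARP request sent to the Ethernet broadcast address."""
    eth = BROADCAST_MAC + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    return eth + arp + src_mac + sender_ip + target_mac + target_ip


# Constructed sample frames (not captured traffic).
SRC_MAC = bytes.fromhex("001a8c100e00")
SENDER_IP = bytes([192, 0, 2, 1])
TARGET_IP = bytes([192, 0, 2, 20])

# Usual request: Ethernet destination is broadcast, ARP target MAC is all zeros.
ORDINARY_REQUEST = build_arp_request(SRC_MAC, SENDER_IP, b"\x00" * 6, TARGET_IP)
# Request whose ARP target hardware address is itself the broadcast address.
BROADCAST_TARGET_REQUEST = build_arp_request(SRC_MAC, SENDER_IP,
                                             BROADCAST_MAC, TARGET_IP)

if __name__ == "__main__":
    for name, frame in (("ordinary", ORDINARY_REQUEST),
                        ("broadcast target", BROADCAST_TARGET_REQUEST)):
        print(name, inspect_arp(frame))
```

Both frames carry a broadcast Ethernet destination; only the second has the broadcast address in the ARP target field, which is the case the option description refers to.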

Here is an example of the frame this applies to. Bold is what the UTM will check.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Ethernet II, Src: Sophos_10:0e:00 (00:1a:8c:10:0e:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Destination: Broadcast (ff:ff:ff:ff:ff:ff)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Address: Broadcast (ff:ff:ff:ff:ff:ff)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Source: Sophos_10:0e:00 (00:1a:8c:10:0e:00)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Address: Sophos_10:0e:00 (00:1a:8c:10:0e:00)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Type: ARP (0x0806)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Address Resolution Protocol (request)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Hardware type: Ethernet (1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Protocol type: IPv4 (0x0800)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Hardware size: 6
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Protocol size: 4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Opcode: request (1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Sender MAC address: Sophos_10:0e:00 (00:1a:8c:10:0e:00)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Sender IP address: 192.20.250.2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Target IP address: 192.20.250.1
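
The distinction described above, as an added example (not Sophos code): a parser that reads the Ethernet destination and the ARP target MAC address separately and flags only ARP requests whose ARP target MAC is broadcast. The first frame is rebuilt from the field values in the dump above; the second frame, with an all-zero ARP target MAC, is constructed for contrast, and all function names are assumptions.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag; the real EtherType follows the tag
ARP_REQUEST = 1


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes      # Ethernet destination MAC (layer 2 header)
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes   # ARP target MAC (inside the ARP payload)
    target_ip: str


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns None for anything else (too short, not ARP, other address sizes).
    """
    if len(frame) < 14:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack(
        "!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack(
        "!6s4s6s4s", frame[offset + 8:offset + 28])
    return ArpFrame(eth_dst, eth_src, opcode, sha,
                    socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))


def has_broadcast_arp_target(frame: bytes) -> bool:
    """True only for ARP requests whose ARP target MAC is ff:ff:ff:ff:ff:ff.

    The Ethernet destination is deliberately ignored: it is broadcast for
    both sample frames below and therefore cannot tell them apart.
    """
    arp = parse_arp_frame(frame)
    return (arp is not None
            and arp.opcode == ARP_REQUEST
            and arp.target_mac == BROADCAST_MAC)


def build_arp_request(src_mac: bytes, sender_ip: str,
                      arp_target_mac: bytes, target_ip: str) -> bytes:
    """Build a broadcast Ethernet frame carrying an ARP request."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      src_mac, socket.inet_aton(sender_ip),
                      arp_target_mac, socket.inet_aton(target_ip))
    return eth + arp


SRC_MAC = bytes.fromhex("001a8c100e00")

# Rebuilt from the dump above: ARP target MAC is broadcast.
PAGE_FRAME = build_arp_request(SRC_MAC, "192.20.250.2",
                               BROADCAST_MAC, "192.20.250.1")

# Constructed for contrast: same Ethernet header, all-zero ARP target MAC.
CONTRAST_FRAME = build_arp_request(SRC_MAC, "192.20.250.2",
                                   b"\x00" * 6, "192.20.250.1")

if __name__ == "__main__":
    for name, frame in (("page frame", PAGE_FRAME),
                        ("contrast frame", CONTRAST_FRAME)):
        arp = parse_arp_frame(frame)
        print(f"{name}: eth_dst={arp.eth_dst.hex(':')} "
              f"arp_target_mac={arp.target_mac.hex(':')} "
              f"matches={has_broadcast_arp_target(frame)}")
```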

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTM-11638
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • UTM 9.7 MR1 (9.701)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • RED_Firmware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Possible RED 50 issue after 9.605

An issue has been identified which affects RED 50 devices in UTM 9.600 onwards.

UTM 9.600 onwards introduced an issue which, in some cases, might cause RED 50 devices to disconnect and NOT connect back. This has resulted in the devices becoming unusable, or 'bricked'. The possible cause is an issue with bad block handling, with the flash developing a more significant number of bad blocks.

If you are affected by this, please open a support ticket.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTM-11285
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM Auto Scaling on AWS R14 (9.60x)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • NoRelease
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • AWS
GES Question: Queen interface Alias IP to Workers

On UTM on AWS, the Queen interface syncs Alias IP objects to the Workers.

Currently, adding or deleting Alias IP objects on the Queen is reflected on the Workers, because the Queen is the controller node.

Updates to Alias IP objects are not reflected on the Workers, due to the filter mechanism as designed.

Workaround:

If the customer wants to use alias IPs on their Worker nodes, they can do the following for each alias IP:

1. Create the alias IP object and select which interface it is aliasing to.

2. After the alias IP has appeared on each Worker node, change its attributes through the Worker's UI.

3. Verify that the changes to the alias IP stay on the Worker all the time until the Queen decides to delete it.

Also, use the Queen to toggle the alias IP's status on or off.

NUTM-11315
• UTM 9.6 MR5 (9.605)
• Network
Duplicate DHCP Static IP entries allowed

UTM will allow multiple host objects to have the same IP address. This means multiple MAC addresses can be assigned to the same IP, and there will be no error or warning message that this has been done.

The DHCP service will only give the IP out to the first machine to grab the IP address. All other machines will get an APIPA address (169.254.0.0/16).

NUTM-11045
• UTM 9.6 MR1 (9.601)
• HA/Cluster
GES Question: conntrackd synchronization

After a firmware update or an HA takeover on an Active-Passive HA system, the conntrack synchronization can be interrupted.
This causes connections to be re-established.

NUTM-11359
• UTM 9.5 MR6 (9.508)
• Network
Routing table for LAG is removed after disabling HA active-passive

The routing table for the LAG interface is removed if HA is disabled.

This happens if HA is being disabled and there are VLAN interfaces on top of the LAG interface.

Reboot the system.

NUTM-9722
• UTM 9.4 MR6 (9.409)
• Hardware
• Kernel
SG430 / SG 450 with interface issues in a specific combination

Affected models:-
SG430, SG450, XG430 and XG450 using the 8x1G Copper Module in Slot A in combination with the 4x10G Fiber Module in Slot C.

Issue condition:-
The error can be seen only during reboot/power cycle (more than 4-5 reboot/power cycles).

None of the Ethernet interfaces are visible in ifconfig.

Error Message:- PCI Vendor and Device IDs do not match!

Technical Root Cause:- 8x1 Copper Module: the PCI-E root from the CPU detected and configured the i350AM4 LAN chip but failed to be configured with the upstream/downstream PCI-E port.

The issues happen only when using the 8x1G copper module in Slot A with the 4x10G Fiber module in Slot C:-
1. The 8x1G copper module is not detected during multiple reboots.
2. The appliance doesn't boot after POST, with the error "PCI Vendor ID and Device ID doesn’t match".
3. The appliance is stuck after POST, with no boot at all.
Note: The issue can be seen only in the case of multiple reboots/power cycles (more than 4-5 reboot/power cycles).

Temporary Solution:- Reboot the device; the interface is then detected again and works normally.

Permanent Solution:- Affected SG models must be upgraded to the latest official BIOS version.

Affected BIOS Version

SG 430 - R1.04 (11092015) or any lower version

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      SG 450 - R1.03 (11092015) or any lower version

NUTM-4405
• UTM 9.4 MR1 (9.402)
• UI Framework
WebAdmin not reachable with IE11 when an MD5-signed certificate is used, since the change from NUTM-3311

TLS 1.0 was disabled in 9.402.
TLS 1.0 enables downgrade attacks, which tremendously weakens the overall security of connections. As a consequence, MD5-signed certificates no longer work for WebAdmin and User Portal with Internet Explorer 11.

The issue can be avoided by using a certificate signed with SHA256. An appropriate certificate can be created in WebAdmin:
Management > WebAdmin Settings > HTTPS Certificate > Re-generate WebAdmin Certificate

If the WebAdmin CA also uses MD5, the CA needs to be re-generated too.
To do this, follow the steps in "4. Regenerate Certificates and regarding CAs - For WebAdmin:" in the following KBA:
https://www.sophos.com/en-us/support/knowledgebase/120851.aspx

NUTM-10897
• UTM 9.6 MR1 (9.601)
• NoRelease
• Network
Temporary network interruptions with certain network settings

There can be a temporary disruption of network connectivity under one of the following conditions:

1. dns_group is configured with a specific interface instead of "Any"
2. The monitoring host is a DNS host

Workaround
1. Don't use a specific interface in the dns_group
2. Use a static IP address for the monitoring host

NUTM-11082
• UTM 9.6 MR2 (9.602)
• Network
GUI live log limitation with regard to NAT rules

The UI shows an "alert" in the live log for NAT rules when the NAT rule is above 1000.

The code that writes the packetfilter log assumes that NAT rule IDs are between 62000 and 63000 (a range of 1000). By default they start at 62001 and keep incrementing. If the code sees a rule with an ID above 63000, it labels it with "IPTables" and the word "alert".
The system still works as expected: NAT rules work fine and all logs are properly logged.

NUTM-11117
• UTM 9.6 MR3 (9.603)
• NoRelease
• Network
OSPF continuously restarts when IPv6 enabled

OSPF restarts continuously when IPv6 is enabled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          *Root Cause Analysis
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          *This issue is caused in the following conditions:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          OSPF interface has an IPv6 address
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Remote Access VPN by SSL is enabled and
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Settings/Virtual IP Pool/Pool network has only IPv4 address
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Note: There is no IPv6 address for this "Pool network"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          IPv6 enable
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          User login to UTM using SSL-VPN
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          After user login using SSL-VPN, the mdw will write an IPv6 address from the Pool network which does not have a IPv6 network. Hence the IPv6 address is
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          empty which is written into the ospf6d.conf. This empty address causes ospf daemon keeping to start over

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Workaround :

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Add an IPv6 range to the Pool network in the Remote Access/SSL/Virtual IP Pool

NUTM-5348
• UTM 9.35 MR2 (9.353)
• Network
WAN interface stops forwarding traffic on VM appliance

Engineering does not recommend that customers use the e1000 driver, which has not been maintained for a number of years. In general, we recommend that customers use the VMX driver instead.

If customers have to use the e1000 driver, they should make sure it is updated to the latest version.

NUTM-10685
• UTM 9.5 MR8 (9.510)
• UTM 9.6 GA (9.600)
• Up2Date
Available pattern updates appear to not be updating

If the UTM is using only some of the features, the latest available pattern version and the actual pattern version might differ. This can happen when the newer pattern includes changes for an unused feature.
This can also happen when the pattern check frequency has been reduced from the default 15 minutes.
To change the frequency of the pattern checks, navigate to
Management > Up2Date > Configuration > Pattern Download/installation Interval: Manual
Current pattern version: 156727
Latest available pattern version: 157024

• If you switch back to an auto check interval, it will show as:
  Your patterns are up to date.

• It is expected that pattern versions will not match up, as this depends on which features are used (e.g. IPS u2d or app control).

This is by design and cannot be changed.

NUTM-10647
• UTM 9.4 MR6 (9.409)
• Hardware
SG550/650 refresh, SG750: 4x10G module port numbering reversed

On SG 550 / 650, the port numbers are reversed when using the 4x10G module, compared to what is printed on the module. There is no issue with other modules.

NUTM-10320
• UTM 9.5 MR7 (9.509)
• AWS
Time is appearing wrong in UTM hosted

Time is appearing wrong in logs. The issue is observed when an admin changes the timezone in the UTM Web GUI.

This issue occurs because each running process is spawned with the current time zone (TZ), and this TZ is used to set the time in log messages. Changing the TZ in the UTM Web GUI does not force the change in processes that are already running, so all logging from the running system keeps the old time.

Reboot the system.

NUTM-10586
• UTM 9.5 MR8 (9.510)
• Kernel
Webadmin access through IPsec Tunnel with NAT does not work

It is not possible to use NAT on top of SSL on top of an IPsec tunnel on the same UTM, e.g. connecting to a UTM Webadmin through an IPsec tunnel with NAT in place.
Please use the described workaround.

• Configure an additional address to access Webadmin

• Add this IP address to the IPsec Tunnel

• Configure Firewall Rule

NUTM-10544
• UTM 9.5 MR7 (9.509)
• AWS
AWS UTM experiencing connectivity issues after restoring a backup from a different AWS instance type

When restoring a backup from a UTM in AWS that uses one instance type (e.g. c3.large) to another AWS UTM that uses a different instance type (e.g. c4.large), the resulting UTM may be inaccessible or have limited network connectivity.

1) Ensure that the new UTM instance has at least two NICs added.
2) Rename the first interface to something other than "Internal"; there is no need to configure the second interface.
3) Restore the backup.
4) A reboot may also be required.

NUTM-10387
• Basesystem
Support USB modems: Verizon USB 760, Verizon Pantech, Verizon Mifi7730L

Are the following modems supported:

• Verizon USB 760

• Verizon Pantech

• Verizon Mifi7730L

1. From the /etc/udev/40-usb_modeswitch.rules:

  # Novatel MC760 3G
  ATTR{idVendor}=="1410", ATTR{idProduct}=="5031", RUN+="usb_modeswitch '%b/%k'"
  # Pantech / UTStarcom UMW190 (Verizon)
  ATTR{idVendor}=="106c", ATTR{idProduct}=="3b05", RUN+="usb_modeswitch '%b/%k'"
  # Pantech UML290
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTR{idVendor}=="106c", ATTR{idProduct}=="3b11", RUN+="usb_modeswitch '%b/%k'"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            # Option Beemo / Pantech P4200 LTE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTR{idVendor}=="106c", ATTR{idProduct}=="3b14", RUN+="usb_modeswitch '%b/%k'"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            # Pantech LTE Modem
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTR{idVendor}=="10a9", ATTR{idProduct}=="6080", RUN+="usb_modeswitch '%b/%k'"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            # Novatel Generic MiFi 2352 / Vodafone MiFi 2352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTR{idVendor}=="1410", ATTR{idProduct}=="5041", RUN+="usb_modeswitch '%b/%k'"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            # Novatel Generic MiFi 2372 / Vodafone MiFi 2372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATTR{idVendor}=="1410", ATTR{idProduct}=="7001", RUN+="usb_modeswitch '%b/%k'"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1. UTM has some support for Verizon USB 760 which is essentially the same as Novatel MC760 3G

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2. UTM has some support for Pantech as well. However it is unclear what model  "Verizon Pantech" refers to

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3. UTM cannot support the MIFI7730L since the latest is MiFi 2372

NUTM-10386
• UTM 9.5 MR8 (9.510)
• Access & Identity
STAS on UTM questions

Common questions regarding STAS on Sophos UTM 9.510

1. Does the UTM make queries to STAS when it sees traffic that is not authenticated?

UTM does not make queries for unauthenticated traffic; this is only available in SFOS.

2. With logoff detection disabled, will STAS record the logoff events from the Windows event logs and update the UTM?

STAS only handles the login events from the Windows event system and updates the UTM; logoff detection is the only way users are removed from the liveuser list.

3. How do users get removed from the collector database in STAS?

Users can only be removed by manually deleting them, by logoff detection, or when a login event for the same IP arrives, which replaces the old IP.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTM-10488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Access & Identity
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Key Reuse Vulnerability - not affected

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Sophos UTM is not affected by IPSec IKE Key Reuse vulnerability

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTM-10487
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM 9.5 MR8 (9.510)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SFP Modules in 10 Gbit SFP+ Flexiport

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  With 10 Gbit SFP+ Flexiport Modules only the 2x10 Port module  supports 1 Gbit SFP Modules

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTM-10292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM 9.5 MR7 (9.509)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Network
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Connection issues caused by ARP flux

ARP flux is sometimes an issue when there is a bridge interface in UTM. ARP flux can be identified when the following are present:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1. Bridge interface(s) exist

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2. ARP broadcast from one bridge is showing up in all bridges

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3. Multiple ARP entries for the same IP address in the ARP cache

The solution is to change arp_filter from its default of 0 to 1.
The following workaround procedure addresses the ARP flux issue when bridges are involved:

1. Add this line to the file /etc/sysctl.conf:
  net.ipv4.conf.all.arp_filter = 1

2. Run: sysctl -p /etc/sysctl.conf

3. Run: sysctl -a | grep arp_filter | grep all

Notes
i) This procedure must be applied to all nodes affected by this ARP flux issue, i.e. all nodes in the HA pair/cluster.
ii) Adding this setting to the file /etc/sysctl.conf makes it permanent, i.e. it persists across reboots and updates.
iii) Step 2 applies the setting.
iv) Step 3 checks that the setting is correct.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NUTML-12003
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UTM-V9 9.193 (beta92_rc1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • VPN - SSL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Pinging the SSL client gateway IP address from the server side fails.

In an SSL site-to-site setup, ping packets from the server site to the remote network gateway address don't work. If you try the same thing from the client side, everything works without any problem.

Ping will work if you run the command with a source IP address: ping -I "source ip address" "destination ip address"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NUTM-10007
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Hardware
Random slowdown of the SG430/SG450 with busy disk and less disk I/O

A small percentage of SG and XG 430/450 Rev.1 appliances are no longer accessible except via serial. This is caused by an SSD software/firmware issue. The serial console output shows the errors:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Reboot and Select proper Boot device

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Insert Boot Media in selected Boot device and press a key

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • I/O error on SDA

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SQUASHFS error

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This issue is based on problems with the Solid State Disk (SSD) firmware. 

If you have an SG or XG 430/450 Rev.1 that is experiencing issues like those shown above, please contact Sophos Support for further instructions. If possible, make a backup with one of the KBAs mentioned below:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTM-4903
• UTM 9.315
• Network
Route sometimes missing after UTM migration within a XEN server pool

In rare cases, some static routes don't get set after a UTM is migrated from one XEN host to another.

To restore the routes, disable and re-enable either the link used by the route or the missing route itself.

NUTM-5138
• UTM 9.4 MR3 (9.405)
• Web
Authentication exceptions don't work when matching by category

Web Protection exceptions that skip Authentication do not work correctly if they match by category. If matching by URL they work as expected.

The system first checks for exceptions based on source and destination IP, and then if applicable, it authenticates the request. Only authenticated requests will be checked for tags or for categories.

Create Authentication exceptions that match by URL, domain, source or destination instead of by category.

NUTM-5593
• UTM 9.4 MR4 (9.407)
• Web
Policy tester shows incorrect result in special case

The Web Protection policy tester displays an incorrect result in the following case:

The policy tester will show the URL is allowed, but if a client actually tries to browse directly to it, they will be blocked.

The client is blocked because, when browsing to that URL, the browser first tries to open an SSL CONNECT tunnel to www.youtube.com, which is blocked. The client never gets the chance to request the actual URL. This occurs regardless of whether Decrypt & Scan is enabled.

NUTM-5829
• UTM 9.4 MR4 (9.407)
• Access & Identity
Use of strict policy in combination with respond only mode

When a connection attempt comes in, pluto tries to find a connection for it with the information that is available at the time. Usually that is the remote gateway's IP address. In the respond only case (and also for remote access) that IP address is not configured, so there's little chance that pluto picks the right connection to start with. It is only the correct connection if it is the first one that matches in the linked list of connections. The order of the list changes as pluto moves entries that are used to the front, so lookups are faster for active connections. So, there's no way to guarantee one particular connection is preferred over another one.

Pluto picks a "random" connection and proceeds with the negotiation. If it picks one with a strict policy and the remote peer does not match that policy, then the connection is declined because of the strict policy. Later in the negotiation, when the certificates and thus the identity of the remote peer are known, pluto would switch to the correct connection. But the strict policy prevents that, stopping the negotiation before the identity is revealed.

NUTM-6919
• UTM 9.4 MR6 (9.409)
• Web
Web Proxy signs certificate with search domain appended to subject if server not found

If a Search domain is configured (Web Protection > Filtering Options > Misc > Search domain) and an end-user attempts to browse to a non-existent domain over HTTPS (e.g. https://this-does-not-exist.com), the following will happen:

• The Web Proxy sends a DNS lookup for the original domain (this-does-not-exist.com).

• The DNS server replies with NXDOMAIN (non-existent domain).

• The Web Proxy appends the configured search domain to the original domain, and sends a DNS lookup for the new domain (e.g. this-does-not-exist.com.foo.bar).

• The DNS server again replies with NXDOMAIN.

• The Web Proxy will generate a certificate (signed by the proxy CA) for the new (non-existent) domain (this-does-not-exist.com.foo.bar) and attempt to return a block page over HTTPS with the newly-generated certificate.

This will result in a browser warning, since the browser was trying to access this-does-not-exist.com and the certificate was created for this-does-not-exist.com.foo.bar.

If the same search domain is already provided to clients (via DHCP), it's usually not necessary to configure it on the Web Proxy.

If this is the case, you can remove the search domain from Web Protection > Filtering Options > Misc > Search Domain.

NUTM-7669
• UTM 9.312
  • Network
Unable to connect SSH for 8 minutes after changing IP address on SSB5 v9.312

After changing the IP address, it takes a few minutes until the system is accessible through SSH. This is because IPS needs to reload and blocks access to the system while it is reloading. This only happens on low-end appliances.

There are 3 different methods for reloading IPS, which can be changed through the confd key ips -> reload_method. It accepts the following three values: 'reload', 'restart', 'takeover'.
The default value is 'reload' or 'takeover', both of which are memory intensive.
On systems with low memory this could be changed to 'restart' for faster turnover. The downside of using this method is that there is a short window where the daemon is not running on the system.
The trade-off is faster access time versus a short window where IPS doesn't run on the system.

NUTM-7782
• UTM 9.4 MR8 (9.411)
  • Web
UTM becomes unresponsive while pattern updates are running

The UTM automatically downloads and applies pattern updates to ensure protection at all times. After downloading the updates, the scan engine is reinitialized with new detection data. Sometimes the engine component itself is updated with a new version. While the update is happening, downloaded content or other requests that require scanning can be delayed while the reload completes.

NUTM-8837
• UTM 9.5 MR1 (9.501)
  • Network
Changes in static route configuration or enabling/disabling interfaces will cause all routes to be configured again.

As per UTM design, changes in static route configuration or enabling/disabling interfaces will cause all routes to be deleted in the backend, and then all routes that are not disabled to be added back again.

This issue can be verified through the confd, confd-debug and mdw-debug logs.

In such cases, if OSPF is enabled and the static routes are redistributed, there could be fluctuation in the route topologies. LSA updates (specifically LSA type 5) will cause the neighbour to log the topology-related changes.

For other dynamic routing protocols, similar behaviour may be seen as well, but it depends on how the protocol advertises the routes to its neighbours.

No Workaround

NUTM-9352
  • Network
UTM reboots when Polycom video conference is in use

Using the application Polycom RealPresence Desktop 3.4.0.54718 for video conferencing over the UTM could result in a spontaneous reboot of the UTM.
The reboot occurs when you try to perform video with a remote site.

Please use Polycom RealPresence Desktop 3.7 or higher.

NUTM-4452
• UTM 9.35 SR3 (9.355)
  • Web
Client machines are not able to update Sophos Cloud Anti Virus while using HTTPS scanning.

Endpoints cannot connect to the MCS server if HTTPS scanning is enabled with decrypt and scan.

The HTTP log shows an error like this one:

2016:05:18-10:52:11 utm httpproxy[5630]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="192.168.1.241" dstip="54.148.0.26" user="admin" ad_domain="" statuscode="502" cached="0" profile="REF_vTSCHPtQsV (LAN)" filteraction="REF_qVYuykYAYD (administrator filter)" size="3742" request="0x18426800" url="https://54.148.0.26/" referer="" error="Failed to verify server certificate" authtime="6" dnstime="1" cattime="0" avscantime="0" fullreqtime="860528" device="0" auth="4" ua="" exceptions=""

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                For this cases the "Sophos LiveConnect" DNS Group should be used in the transparent skip list by source address. If this doesn't exist, create it using the DNS hostname "all.broker.sophos.com".

NUTM-4461
• UTM 9.35 MR2 (9.353)
• Network
afcd[xxxxx]: _afc_conn_get_age(): The timestamp of connection 0x019AE6CF is in the future; correcting ...

The UTM logs the messages below throughout the day (about 15-20 a day, every day):

2016:06:07-00:09:30 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x0196662A is in the future; correcting ...
2016:06:07-00:09:30 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x0196662C is in the future; correcting ...
2016:06:07-00:09:30 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x01966629 is in the future; correcting ...
2016:06:07-00:14:50 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x0196725E is in the future; correcting ...
2016:06:07-00:17:30 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x01967872 is in the future; correcting ...
2016:06:07-00:22:50 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x0196841A is in the future; correcting ...
2016:06:07-00:32:10 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x01969802 is in the future; correcting ...
2016:06:07-07:50:51 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x019A6FA7 is in the future; correcting ...
2016:06:07-07:56:11 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x019A7EF7 is in the future; correcting ...
2016:06:07-08:33:31 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x019AE6CA is in the future; correcting ...
2016:06:07-08:33:31 firewall-1 afcd[5586]: _afc_conn_get_age(): The timestamp of connection 0x019AE6CF is in the future; correcting ...

There is no workaround. This error message is merely a warning and does not have any impact on the system. It is safe to ignore it.

NUTM-8004
• UTM 9.4 SR2 (9.406)
• Network
Incorrect iptables rules if working with object groups and interfaces

The iptables rules are not created correctly if host objects are bound to interface groups. The rules are written depending on which of the interfaces is at the top of the interface group. Every time you change the order, the rules will change.

utm:/root # iptables-save | grep 9100
-A USR_FORWARD -i eth0 -p tcp -m policy --dir in --pol none -m set --match-set k5VA9LzHISEdJUBR6rRRpw src -m tcp --sport 1:65535 --dport 9100 -j DROP
-A USR_FORWARD -i eth1 -p tcp -m policy --dir in --pol none -m set --match-set k5VA9LzHISEdJUBR6rRRpw src -m tcp --sport 1:65535 --dport 9100 -j DROP
utm:/root # iptables-save | grep 9100
-A USR_FORWARD -s 8.8.8.8/32 -i eth1 -p tcp -m policy --dir in --pol none -m tcp --sport 1:65535 --dport 9100 -j DROP
-A USR_FORWARD -s 8.8.8.8/32 -i eth0 -p tcp -m policy --dir in --pol none -m tcp --sport 1:65535 --dport 9100 -j DROP
-A USR_FORWARD -s 192.168.1.1/32 -i eth0 -p tcp -m policy --dir in --pol none -m tcp --sport 1:65535 --dport 9100 -j DROP
NUTM-9418
• UTM 9.5 SR2 (9.505)
• Web
Website "simulatore.publiservizi.net" cannot be opened properly with web proxy

Issue: The website simulatore.publiservizi.net is rendered incorrectly if the HTTP Proxy is in use.

The issue seems to be caused by the web server returning a Pragma header with a 0D0D0A, which the UTM parser takes as the end of the headers, treating the rest as the body.

The workaround is to add the site to the Transparent Mode Skiplist so that the site bypasses the proxy.
1. Create the exceptions list for the URL simulatore.publiservizi.net in Web Protection -> Filtering Options -> Exceptions

NUTM-9452
• UTM 9.4 MR6 (9.409)
• Network
ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process

Problem: This issue can happen when PMTU discovery does not work as expected on the HA link. There is no side effect other than the occasional error message from Pluto.

Solution: Ensure there is no PMTU black hole in the HA link path.

NUTM-9755
• Access & Identity
HTML5 VPN Portal Connections do not support additional or non-standard ports

HTML5 VPN Portal Connections do not support accessing additional resources on additional or non-standard ports

NUTM-7667
• UTM 9.4 MR8 (9.411)
• Basesystem
UTM reports target host's IP as its own hop address during traceroute

When running traceroute to a host behind an IPsec tunnel, the remote UTM reports the target IP address as its hop instead of its own address. As a result, the target address is shown twice in the traceroute output. This has no impact.

No Workaround

NUTM-8805
• UTM 9.35 SR4 (9.356)
• UTM 9.4 MR6 (9.409)
• UTM 9.4 MR11 (9.414)
• UTM 9.5 MR2 (9.502)
• Network
Static Routes for same destination network

It is not possible to add two or more static routes for the same destination network (even with different metrics and gateways).
Error Message: The network 'xxx.xxx.xxx.xxx' is already in use by the destination network attribute of the static route object 'xxxxxx'
For failover purposes, please follow the KBA.

https://community.sophos.com/kb/en-us/120239

NUTM-10132
• UTM 9.5 MR7 (9.509)
• Access & Identity
Access to other Webadmin through HTML5VPN not possible

It is not possible to connect to another UTM Webadmin within the network through the HTML5 VPN Portal.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This doesn't work because Firefox is very old and only supports TLS v1. WebAdmin requires at least TLS v1.1 by default.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Use the WAF to access WebAdmin

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTM-8198
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM 9.5 GA (9.500)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Configuration Management
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Certificate expiry notification received for unlicensed feature

The customer is receiving a certificate expiry notification for the Web Proxy CA. However, as they aren't licensed for web filtering, they are unable to regenerate it.

I don't think we should be sending notifications for certificates used in features that are unlicensed? Or at least have a way of regenerating these from the GUI without the license.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Fallback log showing the relevant cert object:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2017:05:10-09:17:01 SOPHOS_UTM [daemon:info] notify_expiring_certs.pl: INFO - certificate REF_CaMetCukLswinOvygo2 will expire
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2017:05:10-09:17:01 SOPHOS_UTM [daemon:info] notify_expiring_certs.pl: INFO - notified about 1 certificates, which will expire

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Object in cc:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    127.0.0.1 OBJS > REF_CaMetCukLswinOvygo2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Logged into object 'REF_CaMetCukLswinOvygo2'. Use 'w' to write eventual changes.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    {
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'comment' => '',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'enddate' => 'May 16 00:00:00 2017 GMT',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'fingerprint' => '8A:C2:68:3C:F0:E8:88:68:DB:6E:7C:DA:A0:75:39:44:12:51:11:31',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'issuer' => 'C=uk, L=Abingdon, O=Sophos, CN=Sophos Proxy CA, emailAddress=sophos@sophos.co.uk',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'issuer_hash' => '255c8b73',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'name' => 'C=uk, L=Abingdon, O=Sophos, CN=Sophos Proxy CA, emailAddress=sophos@sophos.co.uk',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'public_key_algorithm' => 'rsaEncryption',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'serial' => '91B2C5B6F9E8C4EB',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'startdate' => 'Mar 3 17:38:24 2014 GMT',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'subject' => 'C=uk, L=Abingdon, O=Sophos, CN=Sophos Proxy CA, emailAddress=david.bullimore@vygon.co.uk',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'subject_alt_names' => [
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'IP Address:127.0.0.1'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     ],
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'subject_hash' => '255c8b73',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'vpn_id' => '127.0.0.1',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     'vpn_id_type' => 'ipv4_address'
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    }

Support cases raised about the Cert Expiry notifications fall into the following categories:
1) Certificate notifications being received for certificates that are not in use (e.g. CAs that have been replaced, or are disabled)
2) Certificate notifications being received for certificates that are only used in unlicensed features
3) Customer being unable to identify which certificate the notification relates to (e.g. the certificate name in the notification is 'pZPCUwGWou')
4) Customer not being given any indication as to how to resolve the issue

NUTM-4310
• UTM 9.35 SR3 (9.355)
  • Reporting
  Wrong count of SSH logins in summary in executive reports

  At some point an Accu file can become corrupted, and all reporting data of the last 30 days is lost. The Reporter updates the Accu file every 5 minutes. If the file is not readable (because it is missing or corrupt), a new one is created and reporting starts from the beginning.

NUTM-4971
• UTM 9.4 MR1 (9.402)
  • Reporting
  High amount of country blocking changes are not available in the last webadmin changes view

  If you change 30 or more countries in the country blocking configuration, the changes may not appear in the "Last Webadmin Changes" tab.
  The log line from the confd-client includes the complete array before and after the node change. Depending on how many members are in these arrays, the log line buffer can be exceeded.
  The maximum length of a log line is 1024 bytes minus 100 bytes for additional information, so 924 bytes are left for the message.

  If you have to change a large number of countries in the country blocking configuration, please do it in more than one step. Change some settings and apply the changes, then repeat the steps above to change the remaining countries.

NUTM-10002
• UTM 9.5 MR7 (9.509)
  • Hardware
  SG/XG devices may become inaccessible due to SSD firmware

  Problem
  Certain Sophos SG/XG appliances may become inaccessible except via serial console. In some cases a decrease in performance could be experienced (high disk usage/high load).

  Symptom
  The serial console output shows the errors:

  • Reboot and Select proper Boot device
  • Insert Boot Media in selected Boot device and press a key
  • I/O error on SDA
  • SQUASHFS error

  The following appliances are affected by this issue. The issue is related to the SSD firmware, so the UTM software does not change the issue.

  Sophos XG Firewall, UTM, AP, RED: How to find the revision number

  Resolution
  If you have an SG or XG appliance that is experiencing issues like those shown above, please contact Sophos Support for further instructions.

  If possible, go ahead and make a backup with one of the below KBAs:

NUTM-9807
• UTM 9.5 MR4 (9.506)
• Network
• Virtualization
Interface order may change after reboot for virtual UTMs on Hyper-V

Following a reboot, the order of the interfaces on a virtual UTM on Hyper-V may change, breaking High Availability. This is a known issue due to the manner in which Microsoft manages interface naming in Hyper-V and UTM default behavior.

The solution for this issue is to export the Hyper-V assigned interface addressing to the internal UTM rules file. This sets the interface order as static on the UTM side to stay consistent with the Hyper-V side interface config.

Follow the steps in KB132109 to resolve this: https://community.sophos.com/kb/en-us/132109

NUTM-7783
• UTM 9.4 MR8 (9.411)
• Web
httpproxy does not support non-HTTP traffic on port 80

UTM httpproxy will not handle non-HTTP traffic on port 80. The recommended solution is to bypass the affected IP address(es) by adding them to the appropriate skip list.

Adding the source IP of the host into the transparent skip list allows video streaming to work.

NUTML-11942
• UTM-V9 9.004 (pileus_9)
• Antivirus Engines
Playing mp4 files on Safari browser is not possible while using AV scan

Playing mp4 files on Safari browser is not possible while using AV scan.

Add an exception for sites / URLs which serve streaming media.

NUTML-11953
• UTM-V9 9.005 (radiatus_9)
• VPN - IPsec
IP displayed instead of username when using NCP client with more than one remote network

If you configure a remote access IPsec connection with more than one local network, the "username" field in the ipsec.log file is filled with the IP address instead of the real name of the user. As a result, the IP of the User Network Object will also not be set.

NUTML-11955
• UTM-V9 9.005 (radiatus_9)
• Reporting
Reports exported to CSV files are incorrect with German localization

If you open reports exported to CSV files with Microsoft Excel (German localization), some percentages are displayed as dates. The problem is that German Excel prefers to interpret 2.6 as 2nd of July, since in Germany that number would have been written 2,6.

Import the file via the "Daten" menu and manually switch the type of those columns to "Text" instead of "Standard".

NUTML-11966
• UTM-V9 9.101 (floccus_9)
• Base System
Huawei E392 LTE Stick not working properly

NUTML-11975
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UTM-V9 9.104 (fractus_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Network - Interfaces
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        VDSL reconnect results in RED 50 looping reconnects with Zyxel VMG1312-B30A Modem

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        After a VDSL reconnect the Zyxel Modem doesn't forward the UDP packets on port 3410 to the RED.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This will result in a RED 50 reconnect loop.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It could be that a new modem firmware solves the problem.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-71990825/Geraete-und-Zubehoer/theme-2000178/DSL-Geraete/theme-535504220/Zyxel/theme-535505129/Zyxel-VMG-1312-B30A;jsessionid=FC2E4ACCF7242DAE3B72276DD4F2D0C2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Unfortunately we don't have feedback yet if this firmware solves the problem or not.

Another workaround is to disable and re-enable the PPPoE interface in WebAdmin.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NUTML-11988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • UTM-V9 9.185 (partner_beta92_1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Authentication fails with users in AD Nested Groups
• The authentication services that support backend membership for groups do not support nested groups

• For Active Directory, LDAP and eDirectory, the groups that are set in "Limit to backend group(s) membership" have to contain the users directly

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • The UTM checks group membership directly by retrieving values of group membership attributes of a user object from the backend

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTML-12033
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UTM-V9 9.205 (of_mice_and_men_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Appliance Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Power on issues on SG310 appliance

We are using ATX power supplies in our appliances, which have a power switch to turn them on or off.
If you shut down using the LCD panel, WebAdmin or the console, the system goes down and halts.
The power supply unit still gets power and provides low power to different components on the main board. This means that the system doesn't completely power off.
On a standard desktop computer, for example, this is used to turn it on using the push button on the front panel.

To turn the appliance on again, you have to switch off the power supply unit and wait roughly 10 seconds before you can power it on again.
This is to protect components like capacitors or inductors, which have to discharge from delivering low voltage to the motherboard.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTML-12034
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • UTM-V9 9.206 (arcus_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • WebSecurity - HTTP Reverse Proxy
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Broken quarantine report in OWA 2010 non light version

If OWA is used for reading the quarantine report, the email in the preview window is displayed broken because of OWA's unique way of overriding CSS attributes. The workaround is to open the message (by double-clicking).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              http://community.office365.com/en-us/f/158/t/74246.aspx

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTML-12039
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM-V9 9.208 (american_gods_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Transparent AD SSO user profile still matches if user is switched on workstation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                In transparent mode, when a new user logs in immediately after another user has logged out, authentication caching may cause the UTM to recognize the new user as the previous user. The new user may be granted the same browsing policy, and may be logged as if they are the previous user. This can occur for up to five minutes, until the UTM refreshes its cache.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If this delay in authentication is unacceptable in your environment, use standard mode rather than transparent mode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTML-11998
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM-V9 9.192 (partner_beta92_4)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Antivirus Engines
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  AV scanning and ActiveSync

Antivirus scanning does not work on Microsoft ActiveSync. The scanning fails because ActiveSync encodes the transferred data in formats that the antivirus engine does not understand.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTML-12100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM-V9 9.351 (quaternary_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Web Protection - HTTP/S Proxy
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    removing cache, too many local copies

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    After an update the web proxy stops working. The proxy log '/var/log/http.log' shows the message "removing cache, too many local copies" and '/var/storage/cores' potentially contains one or more core dumps per minute.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This points to a problem with the proxy startup and needs manual intervention.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Please contact support.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NUTML-12097
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UTM-V9 9.314 (thrud_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Transparent AD SSO - b_auth_failed_but_accepted_as_user_any

The HTTP proxy only sends a 407 (authentication request) for requests which could be authenticated. This means that if the request matches any of the following criteria, it will not be authenticated:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • HTTPS

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Non-browser Request

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Request that contains a query.

In these cases the proxy looks in its cache for the last authenticated user from that IP address. If no cache record is found, it uses the "default" profile.

Send a simple HTTP request through a browser to authenticate the user. Any subsequent request from that IP address will use the authenticated user.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NUTML-12095
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UTM-V9 9.315 (hermod_9)
• High Availability - Cluster
• High Availability - HA
• Network - Interfaces
It is not possible to deactivate HA Link Monitoring for LAG Interface

It is not possible to deactivate HA Link Monitoring for LAG Interface in WebAdmin.

Please contact support. It is possible to deactivate via the console.

NUTML-12094
• UTM-V9 9.315 (hermod_9)
• Application Control
Application control block for "Teamviewer" no longer works

Application control block for "Teamviewer" doesn't work when HTTP Proxy is enabled but Full SSL scanning is not enabled.

Enable Full SSL Scanning in the HTTP Proxy settings.

NUTML-12093
• UTM-V9 9.314 (thrud_9)
• Endpoint Protection
• Web Protection - HTTP/S Proxy
Endpoint client matches wrong HTTP proxy filter action

In transparent mode, the UTM web proxy cannot challenge HTTPS requests for authentication. As endpoint web control filters HTTP requests, it is possible that a user will not be in the authentication cache, and the policy will then fall back to one based on the IP address. This can, for instance, block a site that the user is approved to visit.

To work around this issue, use agent or browser authentication or bypass the specific HTTPS site on the UTM.

NUTML-12092
• UTM-V9 9.313 (nanna_9)
• Email Protection - Encryption
Attachments in SPX mails result in a winmail.dat file

After SPX encryption of messages coming from an MS Exchange server, the original mail attachments are packed into a winmail.dat file, which then appears as an attachment of the encrypted PDF.
This is a known issue with MS Exchange and its MS Rich-Text-Format, depending on configuration.

As a workaround, the Exchange admin needs to disable RTF as follows:

1) Log in to the Exchange server
2) Open Exchange Management Console
3) Go to Organization Configuration -> Hub Transport
4) Select "Remote Domain" tab
5) Go to the properties of the Default Domain
6) Select "Message Format" tab
7) Now you can see the problem is "Determine by individual user setting"
8) Change "Exchange rich-text-format" to "Never use"
9) Click Apply, then OK
10) Restart Microsoft Exchange Transport Server on every Hub transport server

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTML-12091
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM-V9 9.313 (nanna_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • WebSecurity - HTTP Reverse Proxy
Problems with opening Word documents from SharePoint via WAF in different browsers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If SharePoint is published through WAF with form-based reverse authentication enabled, opening Office documents doesn't work. Instead of the Office document the reverse authentication form template is shown.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Either disable SharePoint integration in the browser (then download the Office document, edit and re-upload it) or disable reverse authentication.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTML-12089
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM-V9 9.310 (fulla_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Email Protection - Encryption
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  SPX reply portal removes original filename from attachments

SPX: Uploading files to the SPX reply portal while using IE10 or higher can cause the filenames to be overwritten by the complete local path.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Example: CUsersUsernameDesktopFilname.docx

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You can disable this behavior in IE:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  IE -> Internet Options -> Security -> Internet -> Custom level
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Disable: "Include local directory path when uploading files to a server"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTML-12088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM-V9 9.310 (fulla_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Authentication
aua fails to handle passwords with umlaut for HTTP proxy authentication

Passwords containing non-ASCII characters do not work in IE and Firefox when authenticating through the HTTP proxy. Chrome works properly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NUTML-12086
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UTM-V9 9.308 (gefjon_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Application Control
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Ultrasurf not being blocked by Application Control

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Application control block for "Ultrasurf" doesn't work when HTTP Proxy is enabled but Full SSL scanning is not enabled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Enable Full SSL Scanning in the HTTP Proxy settings.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NUTML-12085
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UTM-V9 9.113 (spissatus_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Email Protection - SMTP
Incorrect error handling in SMTP proxy while using callout recipient verification

If a recipient validation callout fails (e.g. resulting in error: "552 Requested mail action aborted: exceeded storage allocation"), Exim only reports back "550 address unknown".
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This is a design limitation of Exim.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NA

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NUTML-12081
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • UTM-V9 9.308 (gefjon_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Web Protection - FTP Proxy
Uploads through the FTP proxy don't work directly if the file is bigger than 150 MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          When using FTP to upload large files through the proxy, the client may not receive a 226 response code before it times out.

If this occurs, it can be prevented by setting a large timeout value in your FTP client.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTML-12079
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UTM-V9 9.308 (gefjon_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • [Backend/Devel] Basesystem
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Cannot query NTP peers from remote host

Querying the UTM NTP service for peer info from a remote host fails after the update to 9.308.
The NTP vulnerabilities CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296 led to a configuration change in ntp.conf which prevents external peer lookup.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NA

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTML-12078
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • UTM-V9 9.309 (gunnlod_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Webserver Protection - HTTP Reverse Proxy
Official Microsoft Android RDP application doesn't work with WAF

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The official Microsoft Android and iOS remote desktop (RDP) apps don't work with WAF. The apps fail with the following error message when trying to connect to a remote computer through WAF:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              We couldn't connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Error code: 0x3000008

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              No workaround possible other than configuring a DNAT rule to skip WAF completely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTML-12077
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM-V9 9.305 (eir_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • WebSecurity - HTTP Reverse Proxy
Upload of EICAR virus is possible with OWA Full when Silverlight is enabled

Upload of EICAR virus is possible with OWA Full when Silverlight is enabled.

OWA Light + enabled Silverlight -> it's not possible to upload a virus like EICAR

OWA Light + disabled Silverlight -> it's not possible to upload a virus like EICAR

OWA Full + disabled Silverlight -> it's not possible to upload a virus like EICAR

OWA Full + enabled Silverlight -> it IS possible to upload a virus like EICAR

Don't use the combination of OWA Full + enabled Silverlight on clients which have OWA access. In this combination it is not possible to scan for viruses because we can't scan for viruses in SOAP requests.

NUTML-12074
• UTM-V9 9.306 (freyr_9)
• Web Protection - HTTP/S Proxy
https enduser message not shown in AD SSO mode

Periodically, an Internet Explorer user may not see a UTM-generated block page when blocked from accessing an HTTPS site. The user instead sees a generic IE error page. This is due to an issue within IE.

Hit Refresh in the browser to see the proper UTM block page.

NUTML-12070
• UTM-V9 9.208 (american_gods_9)
• WebAdmin
Script error issue with large Network Group objects

It is not possible to use large network group objects with more than 200 items. Any group that exceeds 200 items might be subject to script timeouts.

NUTML-12067
• UTM-V9 9.209 (virga_9)
• Webserver Protection - HTTP Reverse Proxy
Complete download from a webserver behind the WAF is not possible

It is not possible to download big files through the WAF. Neither mod_proxy nor the UTM-WAF modules were designed to handle a large number of parallel large file uploads or downloads.

Please contact support.

NUTML-12066
• UTM-V9 9.210 (capillatus_9)
• High Availability - Cluster
• High Availability - HA
Slave node in RESERVED mode with 9.304, although this mode never activated

Sometimes, during the upgrade from 9.2x to 9.3 on an HA/cluster system, the slave node goes into RESERVED mode (although this feature isn't enabled in WebAdmin).

Output from "hs" on the command line looks like this:

Current mode: HA MASTER with id 1 in state ACTIVE
– Nodes -----------------------------------------------------------------------
MASTER: 1 Node1 198.19.250.1 9.210020 ACTIVE since Mon Dec 15 12:16:22 2014
SLAVE: 2 Node2 198.19.250.2 9.304009 RESERVED since Mon Dec 15 13:36:03 2014
– Load -----------------------------------------------------------------------

To fix this issue, reboot the master node. If that does not solve the problem, contact support.

NUTML-12060
• UTM-V9 9.209 (virga_9)
• [Backend/Devel] WebAdmin
• VPN - L2TP
Problem with display of "connected clients" in WebAdmin when using L2TP with RADIUS auth

Connected L2TP VPN clients are not counted as 'connected clients' in the dashboard when using RADIUS/DHCP.

They are, however, listed in the Remote Access reporting.

NUTML-12058
• Authentication
SSO login on UTM devices not working if useraccount contains a '@'

If the user name used to log in to the gateway manager contains a '@' sign (e.g. admin@sophos), the SSO login from the gateway manager to the UTMs will not work.

Don't use an account containing a '@' sign in the username.

NUTML-12056
• UTM-V9 9.209 (virga_9)
• [Frontend/GUI] User Portal
Userportal - adding multiple addresses to whitelist/blacklist does not work

It is not possible to add multiple entries to the sender whitelist/blacklist in User Portal (SMTP) in one step.

When a user accesses the User Portal, adds multiple entries to the sender whitelist/blacklist, then leaves this page, only the first entered entry is saved. Others entered during the same session are not saved and have to be re-entered.

Workaround:
Add one entry per session, browse to another tab, then come back to the whitelist/blacklist tab, enter another address and save it again. Repeat these steps if needed.

Steps to reproduce:
1. Log in to User Portal
2. Select Whitelist or Blacklist
3. Add multiple entries and click the green check box to save each entry
4. Change to a different tab (doesn't matter which)
5. Browse back to whitelist/blacklist tab
6. Issue occurs (only the first entered address appears, the rest are lost)

NUTML-12049
• UTM-V9 9.208 (american_gods_9)
• Antivirus Engines
Sophos Scanner runs in timeout

If scanning a mail takes longer than 2 minutes, cssd will time out and the mail will subsequently be quarantined with reason="unscannable" extra="AV Scanner unreachable".

NUTML-12043
• UTM-V9 9.209 (virga_9)
• Webserver Protection - HTTP Reverse Proxy
RDWeb via WAF is not possible on customers site

We don't have protocol support for Microsoft's RDG-RPC protocol suite, which they added with Windows Server 2012 (we only support the "old" MSRPC suite). Whenever such an RDG (2012) connection fails, the log contains a line stating
method="RDG_IN_DATA"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    or
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    method="RDG_OUT_DATA"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    it's a strong indication the lack of protocol support is causing the connection to fail. Currently, this cannot be mitigated using the WAF.

NUTML-12042
• UTM-V9 9.208 (american_gods_9)
  • Reporting
Reporting: Graphs and values in mail reporting are inconsistent

The graphs and values in the mail reporting are inconsistent due to different time frames. The graphs reach back 24 hours, whereas the report is generated live for "today".

NUTML-12041
• UTM-V9 9.305 (eir_9)
  • Appliance Hardware
Network chipset 82574L (UTM 220 rev 4/5, UTM 320 rev 4/5): Detected Hardware Unit Hang / Reset adapter unexpectedly

On devices with an Intel 82574L network card chipset, you might see messages like "e1000e 0000:01:00.0 : Detected Hardware Unit Hang:" or "e1000e 0000:01:00.0 : Reset adapter unexpectedly" in the kernel log.
This chipset is also used in UTM 220 rev 4/5 and UTM 320 rev 4/5.

Please ensure that PoE is disabled for the port the UTM is connected to.

NUTML-12038
• UTM-V9 9.206 (arcus_9)
  • Reporting
Failed login reported from wrong IP address

Sometimes, when the message 'Failed to connect backend' appears, the next failed login is reported as coming from the IP of the last successful login.

NUTML-12036
• UTM-V9 9.207 (duplicatus_9)
  • EmailSecurity - SMTP
Microsoft Exchange 2013 changed behavior of RCPT verification with callout

Microsoft changed the behavior of recipient verification in Exchange. The mail server sends the "550" after "data" instead of after "rcpt to:". This does NOT conform to the RFC.

Use recipient verification over Active Directory.

NUTML-12035
• UTM-V9 9.209 (virga_9)
  • Appliance Hardware
Detected Hardware Unit Hang and Reset adapter unexpectedly still exists (82583V / UTM 120r5)

If you notice the following log lines in kernel.log for this specific adapter type (82583V) on
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              a UTM120r5, please disabled ASPM in BIOS setup.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2014:09:11-15:09:24 utm kernel: [129844.820420] e1000e 0000:05:00.0 eth0: Detected Hardware Unit Hang:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2014:09:11-15:09:28 utm kernel: [129848.833045] e1000e 0000:05:00.0 eth0: Reset adapter unexpectedly

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Verify the adapter:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              utm:/root # lspci | grep Ethernet
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              02:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              03:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              04:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              05:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Procedure:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Press DEL during UTM reboot - disable ASPM in BIOS at
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Advanced -> PCI Express Configuration -> Active State Power-Management

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Check that it worked:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              lspci -vvv | grep ASPM | grep LnkCtl

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              All entries have to be set to disabled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              utm:/root # lspci -vvvv | grep LnkCtl
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+

NUTML-12032
• UTM-V9 9.250 (alpha93_1)
• Network - DHCP, DNS & NTP
DynDNS: IPv6 limitations

• The only services that support IPv6 are DYN & FreeDNS.
• The only strategy that supports IPv6 is 'interface', because the web service used only returns IPv4 addresses.
• Both supported services, DYN & FreeDNS, only supply A-records for the servers used in their Update-URLs: members.dyndns.org & freedns.afraid.org. That means customers need an IPv4 uplink for DynDNS; an IPv6-only uplink won't work.
• DYN always also sets the A-record to the public IPv4 address of the request sender, even when an IPv6 address was supplied via the 'myip' parameter in the Update-URL. That means it is not possible to set or update the AAAA-record only; the A-record is always updated as well (to a possibly undesired value).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • The FreeDNS API only returns Update-URLs for A-records. That means trying to set an IPv6-address for an A-record converts the record type to AAAA and the A-record is lost. To workaround that, customers now can specify the corresponding FreeDNS Update-URL in the 'hostname' field in WebAdmin. For A & AAAA to work for the same hostname, two FreeDNS services, one A-only and one AAAA-only need to be created using the corresponding Update-URL as hostname.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                There is no workaround for API limitations of DynDNS services

NUTML-12030
• UTM-V9 9.104 (fractus_9)
  • Reporting
WebAdmin runs into timeout during lengthy report generation

WebAdmin runs into a timeout while the query is executed (timeout warnings may be displayed in WebAdmin). This may happen if it takes too long to generate the dashboard data, which is derived from the database.

None

NUTML-12029
• UTM-V9 9.204 (incus_9)
  • Web Protection - HTTP/S Proxy
http://www.zermatt.ch/Unterkunftsverzeichnis#/ does not load shelter list when http proxy is in transparent mode

Sophos UTM does not currently support the Websocket protocol when in transparent mode.

Add an exception for the site at Web Protection > Filtering Options > Misc, under ‘Skip transparent mode destination hosts/nets’.

NUTML-12026
• UTM-V9 9.203 (velum_9)
  • Authentication
OTP is not usable when the password has numeric characters

The UTM cannot determine if a 6-digit number at the end of the password is a passcode or the end of the password, so it takes it as the passcode.
As a consequence, OTP users cannot have a password that ends in 6 digits.

Use a password without digits at the end.

NUTML-12025
• UTM-V9 9.201 (post92_ga_1)
  • Web Protection - HTTP/S Proxy
Policy tester returns wrong group membership if local security groups are used (groups in groups)

If a user is a member of a local AD group that is a sub-group of a global AD group, policy tester results for that user will be inconsistent with the actual behavior of the proxy profile.

None

NUTML-12024
• UTM-V9 9.203 (velum_9)
• Webserver Protection - HTTP Reverse Proxy
Outlook Anywhere behind the WAF didn't work

If Outlook Anywhere is behind the WAF and the Microsoft test tool (https://testconnectivity.microsoft.com/) is used, the output from the test tool will contain some errors.
However, there is no issue when you use the WAF config for the Outlook client. Everything works fine and the errors from the test tool can be ignored.

Regardless of the errors in the output of the Microsoft test tool, you can use the OA config for Outlook on the clients.

NUTML-12014
• UTM-V9 9.000 (ga_9_000)
• Virtualization
NIC ordering on VMware not stable, might change if interfaces are added/removed

When NICs are added to or removed from VMware instances, the remaining interfaces may change their names, so that they are no longer associated with the correct interface objects.

NUTML-12007
• UTM-V9 9.109 (novonucleus_9)
• Reporting
Argos information is not synced to cluster slave - HTTP proxy requests cannot be authorized

SAA client information is not synced to the slave node in HA/Cluster setups.

In HA setups (active/passive), clients using the SAA client need to authenticate on the master again after, e.g., a takeover is performed.

In cluster setups (active/active), using the SAA client will result in wrong profile matching when HTTP Proxy + SAA auth is in use, because authentication and proxy traffic may be handled on different nodes for the same client request.

NA

NUTML-12004
• UTM-V9 9.194 (beta92_rc2)
• WebSecurity - HTTP Reverse Proxy
Rev. Auth.: form auth fails with some browsers if path contains special characters

Form-based reverse authentication uses session cookies. The matching of cookies to paths in browsers seems to be implemented very inconsistently with regard to escaping of special characters. In some cases authentication will fail because the cookie is not sent by the browser, e.g. when using Firefox and paths containing the single quote character (').

The following special characters seem to be safe to use in URLs in all tested browsers: -._~!$&()+,=:@

We recommend limiting site paths that use reverse authentication to those characters (in addition to alphanumeric characters).

NUTML-12002
• UTM-V9 9.107 (pannus_9)
• WebSecurity - HTTP Reverse Proxy
Eicar virus was uploaded although the WAF said "Access denied with code 400"

Eicar virus was uploaded although the WAF said "Access denied with code 400"

1) The file to be uploaded is split into several files and those files are uploaded separately. Even if the file as a whole is a detectable virus, the file segments, each now a file in its own right, could be clean as far as AV scanning is concerned. This is a general problem for AV scanning, not specific to the WAF, and cannot be solved by the WAF either.

2) The file to be uploaded is wrapped in additional data which is used by the web page framework to carry metadata. From a WAF point of view, all of it is payload, since every byte, whether actual payload or metadata as seen by the web page framework, could be part of a virus. Hence, the whole stream is passed to AV scanning, which then fails to extract the (potential) virus from the stream. Again, this is a general AV scanning problem which cannot be solved by the WAF.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTML-11979
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM-V9 9.105 (lacunosus_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Authentication
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    AD SSO fails on ReadOnly DC

If AD SSO is configured against a ReadOnly DC on a UTM, SSO will fail. While the client tries to authenticate with Kerberos, you will get the following error message in the http log file: "gss_accept_sec_context: Decrypt integrity check failed"

Set the AD SSO server to ReadWrite mode or do the SSO against a ReadWrite server.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NUTML-11973
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UTM-V9 9.103 (nebulosus_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Appliance Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Reboot command from LCD panel doesn't work after initial installation

During the installation of UTM software on Sophos appliances, the LCD is used to show the installation status.
Other functions of the LCD program don't work during installation.

The base system / environment used by the installer is different from the one in normal operation and doesn't offer all functions.
When you use the LCD program or WebAdmin to shut down or reboot the appliance during normal operation, the system will do a clean shutdown before it reboots or halts.
The installer will always force the reboot instead.

To reboot the appliance after installation, use the "Reboot" button on the final screen or press "CTRL + ALT + DEL".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      If you want to power off the appliance at the end of installation, you have to switch it off using the switch of the power supply.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NUTM-7656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UTM 9.4 MR8 (9.411)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Network
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ULOGD coredumps in 9.411

ULOGD restarts with coredumps.
This usually has no effect on any service and has no side effects, as ulogd recovers.

The restarts could be caused by the following:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • IPv6 traffic

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Fragmented packets that are invalid and are dropped.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NUTM-7784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • UTM 9.4 MR9 (9.412)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Warn pages with category webmail didn't work as expected

This issue affects customers who want to block or warn on access to, for example, gmx.de or web.de.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          When you click proceed from a 'Warn', you are allowed to continue browsing the warned category for 30 minutes as long as:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • You stay on the domain you were 'warned' for - if you go to gmx.de (Web Mail) and then to hotmail.com (also Web Mail) you should see another warning because the two domains are different.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Or you follow a link or access another domain with the same category, in a way that the HTTP request references the original domain in the 'Referer' field. For example, if you go to hotmail.com and that page loads content from mail.live.com, you should not get another warning.

The problem with "webmail" sites is that they use a number of different domains that are categorized differently, presumably because they're used for different purposes. When you go to gmx.de, it's categorized as 'Web Mail' but redirects you to gmx.net, which is 'Internet Services'. Once you have logged in, it then tries to load email content from 3c.gmx.net, which is again categorized as 'Web Mail'. For some reason, there is no 'Referer' header, so the UTM treats these requests as a new domain and tries to return a warning. But because the request is for a background connection/API lookup and not a web page, the warn page never gets displayed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          In such cases you can work around the problem by re-categorizing 3c.gmx.net as 'Internet Services' locally, or by re-categorizing gmx.net as 'Web Mail' locally.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTM-7366
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UTM 9.35 MR1 (9.351)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Installation
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Installer doesn't detect newly manufactured SG550/SG650 in 9.3x

The design of newly manufactured SG550/650 units was changed. One memory module was moved to the other CPU (slot change). As a result, the hardware detection sees the "new" SG550/650 differently. This was changed in the 9.4 installer, but not in 9.3x.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTML-11877
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • UTM-V9 8.950 (beta90_6)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • VPN - HTML5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              HTML5 VPN Webapps: Popups are disabled

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              HTML5 VPN Webapps: Popups are disabled

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              As of now, popups are blocked by the internal Firefox. The user will be informed when blocking has taken place.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTML-11880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM-V9 8.960 (beta90_7)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Reporting
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SAA user names are not displayed for IPS in the reports

Reverse DNS and user are not displayed for IPS in the reports

For IPS, reverse DNS names and users (SAA) are not displayed in the inline report or in the executive report. Only the IP addresses are displayed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTML-12101
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM-V9 9.351 (quaternary_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Reporting
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Daily Executive Report type PDF does not include IPS or ATP section if they are empty

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Daily Executive Report type PDF does not include IPS or ATP section if they are empty.

Use the HTML-only version.

NUTML-12011
• UTM-V9 9.200 (ga_9_200)
• Virtualization
[Hyper-V] No link status reported with 'tulip' driver (legacy NICs)

Legacy network adapters are not supported in Hyper-V.
From:
https://technet.microsoft.com/en-us/library/cc770380.aspx

The legacy network adapter requires processing in the management operating system that is not required by the network adapter. We recommend that you use the legacy network adapter only to perform a network-based installation or when the guest operating system does not support the network adapter.

NUTML-11948
• UTM-V9 9.070 (beta91_3)
• Network Protection - Loadbalancing & QoS
Uplink balancing: PING for monitoring via type UDP is always sent over the first active Interface (->all interfaces may go down)

If the monitoring type "UDP" is used for uplink balancing, the uplink may be continuously toggled if the first uplink interface is down.

If possible, try to use monitoring via TCP or PING.

NUTML-12069
• UTM-V9 9.303 (saga_9)
• Wireless Protection
Bridge with a Wifi interface and some other Ethernet doesn't work after Update to v9.3

Wifi traffic is not processed correctly from the separate Zone interface to the LAN in a bridge which is set up between a LAN and a separate Zone interface.

NUTML-11885
• UTM-V9 8.970 (beta90_rc1)
• AUA
Backend Membership groups limited to AD Users do not work

The backend membership authentication did not work when limited to Active Directory users; it worked only when limited to Active Directory groups.

For example, authentication failed for user ads_test3 when using the following LDAP string:
CN=ads_test3,CN=Users,DC=auth2k8r2,DC=qa
but it worked when using the following LDAP string:
CN=ads_group1,CN=Users,DC=auth2k8r2,DC=qa

(User ads_test3 is a member of the ads_group1)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTML-11984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UTM-V9 9.308 (gefjon_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Kernel
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MAC addresses are not rewritten correctly if DNAT is configured on bridge interfaces

The UTM doesn't send the RADIUS packets to the RADIUS server if the AP and the RADIUS server are in the same network and a bridge that includes this network is configured on the UTM.

Put the bridge interface into promiscuous mode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Example: ifconfig br0 promisc

Please note: You have to enable promiscuous mode again after a UTM reboot.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTML-11999
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • UTM-V9 9.193 (beta92_rc1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Webserver Protection - HTTP Reverse Proxy
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              wrong HTTP/S redirect using multiple vhosts with wildcard domains and subdomains

Using HTTP to HTTPS redirection in combination with wildcard domains could lead to using the wrong virtual webserver.

Example:

• virtual webserver A
  • HTTPS, HTTP->HTTPS redirection enabled
  • wildcard certificate
  • domains: *.mydomain, sub.mydomain
  • real webserver: real1
• virtual webserver B
  • HTTPS
  • domain: main.mydomain
  • real webserver: real2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The request http://main.mydomain is correctly redirected to https://main.mydomain. Afterwards the request https://main.mydomain is answered by the wrong real webserver, real2 instead of real1.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTML-12045
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM-V9 9.280 (rc93_1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Network - Interfaces
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                UMTS modem: UTM needs reboot to detect device after installation
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTML-11987
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM-V9 9.180 (beta92_4)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Network Protection - IPS and C&C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ips: the changes of the rule counters in the attack pattern tab are only visible when reloading the tab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The rule counters in the IPS Attack Pattern Tab are not updated instantly when changing the rule age.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Reload the Attack Pattern Tab

NUTML-11866
• UTM-V9 8.920 (beta90_3)
• Web Protection - HTTP/S Proxy
HTML5 VPN: Websocket error when accessing User Portal via HTTPS proxy

When the HTML5 VPN portal is accessed via an HTTP proxy that intercepts SSL connections, the HTML5 VPN portal doesn't work. The user gets a popup error message "Websocket Error".

You can only work around this issue on the HTTP proxy side. If the HTTP proxy is under your control, you need to configure an SSL interception bypass for the address of the HTML5 VPN portal.

NUTML-11936
• UTM-V9 9.003 (opacus_9)
• EmailSecurity - Encryption
S/MIME verification doesn't work for users having different certs for verification and encryption

Incoming mails which have different certificates for signature and mail encryption cannot be verified/decrypted.

Internal storage can hold only one certificate per remote user, so verification/decryption fails if different certificates are used.

-

NUTML-12037
• UTM-V9 9.207 (duplicatus_9)
• Wireless Protection
[NUTM-1141] Change behavior how NAC enforce WiFi connections

The desired functionality or behaviour can be achieved by setting the MAC filter type to "Black list" in the SSID configuration. In this case, only the blacklisted MAC group and non-compliant devices are blocked. Other compliant and non-managed devices are able to join the wireless network.

However, the default behaviour is to block everything except compliant devices, so that more security is achieved.

NUTML-12001
• UTM-V9 9.100 (ga_9_100)
• High Availability - Cluster
[NUTM-407] Up2Date button can be used before all up2date packages are distributed to all nodes

The Up2Date button can be pressed before all Up2Date packages have been distributed to all nodes.

If you want to be sure that all packages have been distributed:
Log in via SSH and check in /var/up2date/sys on all nodes that the Up2Date package has been distributed. If it is available on all nodes, you can press the Up2Date button.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          NUTML-12083
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UTM-V9 9.309 (gunnlod_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Appliance Hardware
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SG210 - FlexiPort NIP-51084 not recognized

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            How to do hardware changes to a cluster:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1) Power down all nodes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2) Do hardware changes (module addition/removal/changes)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3) Power up master
4) Power up worker and slave node

If this is done differently, there is a high chance that the cluster ends up in an inconsistent hardware state. This can result in strange behavior.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            NUTML-11879
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • UTM-V9 8.960 (beta90_7)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • VPN - IPsec
User "müller" can't log in via Cisco VPN Client

Users whose usernames contain non-ASCII characters (for example müller) can't log in via Cisco VPN. In aua.log, the username is garbled, like: m��lle

2012:05:22-11:05:36 ich10 aua[22278]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.x.x.x" user="m��lle" caller="REF_IpsRoaForAdminToInter" reason="DENIED"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              NUTML-11883
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • UTM-V9 8.970 (beta90_rc1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Reporting
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Websecurity reporting does not work for IPv6 address URLs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Websecurity reporting does not work for IPv6 address URLs

If a request contains an IPv6 address in the URL host part, this request does not show up in the websecurity reporting.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                NUTML-11939
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UTM-V9 9.004 (pileus_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Application Control
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Facebook options like facebook post are not blocked until you select 'Facebook'

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Enabling a sub-category of 'Facebook' without enabling 'Facebook' itself will not work and will allow access to the sub-categories, although these are checked.

Workaround: sub-categories of 'Facebook' can only be blocked when 'Facebook' itself is enabled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  NUTML-11863
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UTM-V9 8.920 (beta90_3)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • VPN - HTML5
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Username cannot be left blank for SSH connection type

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "Automatic login" for the SSH connection type in the HTML5 VPN Portal is not checked - Username cannot be left blank.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    NUTML-11992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • UTM-V9 9.191 (partner_beta92_3.1)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SUM
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Import of a filter action omits entries for blocked / allowed websites
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      NUTML-12090
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UTM-V9 9.310 (fulla_9)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Network - DHCP, DNS & NTP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        webadmin does not check hostname in a host object (network definition)

From a DNS point of view, the hostnames "hostname" and "hostname." (note the trailing '.') denote the same host. The UTM does not regard these as equal. It is therefore possible to configure two different hosts which resolve to the same hostname. This is an invalid BIND configuration and will prevent BIND from starting.

Workaround: do not define a host in both styles; use either the notation with the dot or the notation without it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        NUTM-6318
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • UTM 9.4 MR5 (9.408)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Web
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Whitelist/blacklist object can't be recreated if filter action not saved

If an administrator creates a whitelist/blacklist object within a Web Filter action but then doesn't save the filter action (e.g. clicks Cancel), another whitelist/blacklist object with the same name cannot be created in any other filter action.

When attempting to create one, an error appears: "The whitelist/blacklist object with the same name '(name)' already exists."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This issue can be resolved manually by deleting the object via the backend, as follows:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1. cc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            127.0.0.1 MAIN > OBJS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            127.0.0.1 OBJS > http
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            127.0.0.1 OBJS http > domain_regex
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            127.0.0.1 OBJS http domain_regex > REF_HttDom
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            REF_HttDomGoogle[Google,http,domain_regex] REF_HttDomTestwhitel[testwhitelist,http,domain_regex
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Remove the object: 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            127.0.0.1 OBJS http domain_regex > delete REF_HttDomTestwhitel

NUTM-6199
• UTM 9.4 MR5 (9.408)
• Sandstorm
Sandstorm parentproxy not available for license without WebProtection

Customers using Sandstorm only in conjunction with Email Protection cannot configure a parent proxy in the WebAdmin GUI, because the missing WebProtection license disables the required WebAdmin pages.

If a parent proxy is required because no direct connection to the Internet is allowed, the proxy can be set using the cc CLI utility:
cc -> http
The variables are:

• parent_proxy_host$
• parent_proxy_port$
• parent_proxy_status$

NUTM-5734
• UTM 9.4 SR2 (9.406)
• Web
Logging & Reporting, View Log Files, Search Log Files, Filter issue

407s are deliberately suppressed because they can create a lot of noise that is not useful in most cases. This is also why it is not possible to search for specific HTTP status codes (407, for example). You can search the logs on the back end.

NUTM-5460
• UTM 9.4 MR3 (9.405)
• Web
Checksum errors while using svn checkouts through proxy

SVN issue with pipelined requests

user@system:~/Downloads/Test$ svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk/rules /home/tottie/Downloads/Test/
A 30_text_de.cf
svn: E200014: Prüfsummenfehler für »/home/tottie/Downloads/Test/25_dcc.cf«:
Expected: 5415b271d2bc689ac76d97e230518d49
actual: f7ff14025e549b7b45afcf78cc3ad6f2

Our httpproxy, like most proxies on the market, does not support pipelined requests.

NUTM-5346
• UTM 9.4 MR3 (9.405)
• Network
SOCKS Proxy with Auth failed for Skype

Skype sends the password with null characters in the string, which our SOCKS proxy does not support. The SOCKS proxy expects cleartext strings.

NUTM-4404
• UTM 9.35 SR1 (9.352)
• Web
Transparent skiplist with additional address of UTM as destination host doesn't work

Requests going to URLs that resolve to a local address on the UTM can't skip the transparent proxy. Even if the address is added to the "transparent skiplist" as destination host, the request will still be intercepted by the transparent proxy.

None.

Zero Trust Network (ZTNA)

Generated on:
03 Dec 2024 - 08:00:02 UTC
Last modified on:
08 Aug 2024 - 08:59:24 UTC
Key Affected versions Fix versions Components Summary Description Workaround
SP-6998
• ZTNA_AgentMaintenance
ZTNA Windows Agent cannot coexist with Dell's 'Optimizer' app with 'Express Connect' feature

The ZTNA Windows Agent cannot coexist with the ExpressConnect feature of Dell Optimizer.

NZT-6805
• ZTNA GW v2.1
Application access is failing after the downgrade from 2.1.GA to 2.0.2-MR-3347

After downgrading the ZTNA Gateway from version 2.0.2-GA-3968 to 2.0.2-MR-3347, app access will not work.

Update the Gateway FQDN and save. App access will be restored.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SP-6974
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ZTNA_AgentMaintenance
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                [ZTNA-WINDOWS] On enabling autologon on the Endpoint machine, the DNS resolution for ZTNA agent based application fails.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Steps to reproduce the issue:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1. Enable autologon on the Endpoint machine which has 2024.2 installed.

2. Access the ZTNA agent-based application.

3. Application access might be successful. Now reboot the machine.

4. Access the ZTNA agent-based application again. Sometimes DNS resolution for the ZTNA agent-based application fails.

SP-6873
• ZTNA_AgentMaintenance
Linphone softphone is not working with ZTNA Agent (SIP app server FQDN DNS query packets are not reaching TAP interface)


SP-6874
• ZTNA_AgentMaintenance
Any protocol using dynamic ports, like TFTP, is not supported by the ZTNA gateway

Any protocol using dynamic ports, like TFTP, is not supported by the ZTNA gateway. TFTP is a UDP-based protocol. Servers listen on port 69 for the initial client-to-server packet to establish the TFTP session, then use a port above 1023 for all further packets during that session. Clients use ports above 1023.

SP-6875
• ZTNA_AgentMaintenance
DNS server behind ZTNA gateway is not accessible from ZTNA client

Accessing an application from a ZTNA endpoint via another DNS server that is hosted behind a ZTNA gateway is not currently possible.

SP-2087
• ZTNA_AgentMaintenance
[ZTNA-MAC] The ZTNA reset button in Sophos Agent UI doesn't work on macOS

The ZTNA reset button used to reset the ZTNA user in Sophos Agent UI doesn't work on macOS.

SP-6747
• SSE v1.0 GA
• SASEAgent-Mac
• ZTNA_AgentMaintenance
macOS ZTNA Agent conflicts with WireGuard VPN and OpenVPN

ZTNA and WireGuard both use Network Extensions for VPN functionality. However, only one VPN can work if multiple VPN clients are installed on the system. Apple sets this limitation, and there's no workaround for it, so only one VPN client can be used at a time.

The problem with OpenVPN and ZTNA occurs because Apple devices use NECP. NECP helps stop VPNs from getting stuck in loops. Please take a look at "A Peek Behind the NECP Curtain".

In simple terms, when both Modern Web and ZTNA are enabled, they make the system follow a rule called NECP. This rule tells the operating system to send all network traffic to the default (main) interface.

NZT-3731
• ZTNA GW v2.1
• Gateway
ZTNA GW stops working intermittently

The ZTNA Gateway stops working abruptly due to a native Kubernetes issue. Rebooting the gateway doesn't solve the issue.

This is a corner case reported by a partner, and there is no workaround for it. A new gateway needs to be deployed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    A new gateway needs to be deployed.

NZT-5960
• ZTNA v3.0
• Gateway
Resources configured across different points of presence will not be displayed on user portals.

Resources deployed across different points of presence will not appear when the user accesses a different gateway’s user portal.

For example, application 1 is mapped to gateway 1, which is configured via the eu-central-1 point of presence, and application 2 is mapped to gateway 2, which is configured via us-east-2. If the user accesses the user portal of gateway 1 by entering the gateway’s external FQDN, they would be able to see only application 1 or any other applications that are configured via eu-central-1.

N/A. This behaviour will be fixed in subsequent releases.

NZT-5961
• NoRelease
• ZTNA v2.1 EAP
• Gateway
User portal access is not possible unless a resource is attached to the Firewall gateway.

When there are no resources attached to the gateway, no tunnels are established with the dataplane, so the user portal cannot be accessed. This applies only when the gateway platform type is Firewall.

Add a resource of any type to access the user portal.

NZT-1969
• Gateway
Users face a 403 error after updating a user group name in Azure AD

Users face a 403 error after updating a user group name in Azure AD and accessing an application with the updated group name.

Move the updated user group from the resource's Assigned group list to the Available group list (unassign the group from the resource).
Move the updated user group from the Available groups section to the Assigned group section.
Resource access starts working.

NZT-2516
• Gateway
ZTNA CloudFormation stack creation is failing in the Osaka AWS region

Users won’t be able to successfully deploy an AWS gateway in the Osaka AWS region.

Use other AWS regions for AWS gateway deployment.