Software Update: Sophos XG Firewall 16.05.4 MR4

Sophos has released a new version of its XG Firewall with 16.05.4 MR4 as the version number. This software runs on physical hardware as well as in a soft appliance for VMware, Hyper-V, Xen and KVM delivered. In addition to the paid variants for businesses, Sophos offers this firewall for home use at no cost, such as on this page can be read. For the various image and update files you can visit the MySophos portal. The announcement of this release looks like this:

SFOS 16.05.4 MR4 Released

Hi XG Community!

We’ve finished SFOS v16.05.4 MR4. This release is available from within your device for all SFOS v16.05 installations as of now and will increase the group in a few days. The release is available to all SFOS version via MySophos portal.

Issues Resolved

• NC-12352 [Authentication] It should not be possible to change the password of backend user
• NC-16959 [Authentication] SATC client is not differentiating between users
• NC-17300 [Base System, Certificates, License] During the first license sync sometimes the wrong certificate is stored
• NC-17701 [Base System, License] License activation screen improvements
• NC-14028 [Base System] RED site-to-site tunnel disconnects permanently when quick assist is used
• NC-15911 [Base System] XG not listening on port 9922 used for SAA
• NC-16164 [Base System] Garner dies due to memory corruption
• NC-16742 [Base System] Installation not possible on HP DL380G5 / DL360G5
• NC-16743 [Base System] Awarrenhttp, Awarrenmta, Warren services that after upgrade
• NC-17035 [Base System] Migration from CR 10.06.4020 to SF 16.05 MR1 failed
• NC-18049 [Base System] Not able to upgrade firmware from loader as 2 GB memory check fails
• NC-17432 [Certificates] Certificate with ID email has wrong ID after import
• NC-17246 [Clientless Access(HTTP/HTTPS)] URL rewrite inside HTML document not working
• NC-15855 [Firewall] Adding a zone without any service fails
• NC-16090 [Firewall] Source port changes to random over IPSec VPN
• NC-16695 [Firewall] Protect > Intrusion Prevention – column name text wrapped several times in Japanese language
• NC-16728 [Firewall] Display issues when editing firewall rules in Traditional and Simplified Chinese
• NC-17068 [Firewall] XG not forwarding IPv6 echo request which has no next header (next header=59) in IPv6 header or in extension header
• NC-17069 [Firewall] No ICMPv6 parameter problem sent when receiving unrecognized/unassigned next header in IPv6 header or in extension header
• NC-17350 [Firewall] IP family wise network/host validation is not done while adding local ACL rule via API
• NC-17459 [Firewall] App Filter (microapp enabled) causes port 443 traffic to be forwarded to proxy
• NC-17463 [Firewall] Upgrade from SF 15.01 MR3 to SF 16.05 GA results in factory reset
• NC-17519 [Firewall] Wrong country classification for IP address
• NC-17730 [Firewall] “HTTP service” message displays even HTTP service not there after saving the zone
• NC-17731 [Firewall] HTTPS service can be removed from zone, when accessing UI from bridge IP bound to same zone
• NC-17732 [Firewall] Duplicate entry of members are seen, when editing the default zones if members are associated with it
• NC-16712 [Framework part of Base] HA node in failsafe mode after software upgrade
• NC-17259 [Framework part of Base] Unable to see live graph from WAN zone and interface info
• NC-11687 [Framework(UI)] Changing system time requires relogin
• NC-15270 [Framework(UI)] Not able to select start date and end date for wireless time-based access
• NC-1701 [Framework(UI)] TAB focus is not visible in Chrome
• NC-17488 [Framework(UI)] Tooltips behave strange and point to a wrong element
• NC-18071 [Framework(UI)] Cannot filter for ‘Rule Type’ in Log Viewer
• NC-3965 [Framework(UI)] Cookie not reset after auto logout in userportal
• NC-16470 [Galileo Heartbeat] Traffic will be dropped due to Heartbeat if the client is connected to the same Network over LAN and Wifi at the same time
• NC-16599 [Galileo Heartbeat] Crash of heartbeat after “Broken Pipe”
• NC-15319 [HA] IPsec VPN not connecting after HA fail over through monitoring port
• NC-16832 [Hotspot] Minor UI inconsistency when trying to delete multiple hotspots
• NC-17440 [Hotspot] Two mail notifications sent when using “Password of the day” in HA
• NC-16639 [IDS + AppControl] Wrong risk level for Facebook Graph API and App is missing in “Very High Risk (Risk Level 5)” apps group
• NC-17796 [IDS + AppControl] Not able to configure QoS policy to application category ‘IM+ Android’
• NC-13255 [IPS] Service stopped/unregistered state after disabling firewall acceleration in HA mode
• NC-15636 [IPS] Unable to start IPS service on SW/VM appliances
• NC-15710 [IPS] DHCP option 67 is not working properly
• NC-17245 [IPS] IPS engine is not getting reply packets in TAP mode
• NC-18368 [IPS] WINGc categorization not working in TAP mode
• NC-5474 [IPS] IRQs not set correctly with appropriate CPU for given port-affinity
• NC-18197 [License] Administration part of the webadmin page is inaccessible
• NC-13375 [Mail Proxy] Email Quarantine only shows first part of day
• NC-17346 [Mail Proxy] SPX – after registering it takes time before first message is sent
• NC-17804 [Mail Proxy] Incorrect total utilization value shown in SMTP quarantine
• NC-17920 [Mail Proxy] Network can also be selected in host list while creating SMTP policy in MTA mode
• NC-18044 [Mail Proxy] SMTP service restarts sometimes on high load
• NC-18296 [Mail Proxy] Email address is truncated in notifications if sender address contains special chars
• NC-4480 [Mail Proxy] MIME filter,SMTP/S: Attachment name with i18n character is not proper in mail body
• NC-16898 [Network Services] Unable to add FQDN host using double dash (–)
• NC-17276 [Network Services] IPv6 SLAAC does not work according to RFCs
• NC-17699 [Network Services] Unable to delete bridge interface when bridge host used in SSL VPN Remote Access
• NC-16275 [Networking] IPSec S2S – DHCP reply packet is not forwarded to LAN when PPPOE is enabled on WAN interface
• NC-16837 [Networking] WWAN name should be updated to cellular WAN
• NC-6943 [Networking] PIM – Interface update from DHCP to PPPoE sets Candidate RP IP to undefined
• NC-17375 [RED] DHCP server settings will be reset to default if you change anything in the RED interface
• NC-17515 [RED] Monitoring Avaibility->Display wrong color code and tooltip status for RED status
• NC-18017 [RED] RED Tunnel unstable via PPPOE
• NC-16690 [Reporting] Double byte characters in PDF are corrupt
• NC-16729 [Reporting] Junk character in report PDF in Traditional Chinese language
• NC-16992 [Reporting] Sandstorm records disappear after some time
• NC-17330 [Reporting] Unable generate custom report with around 50000 records
• NC-17360 [Reporting] Daily report scheduling doesn’t work correctly with “Send email at 24 Hours”
• NC-17433 [Reporting] Long title runs off at the end of the PDF page for custom reports
• NC-17765 [Reporting] VPN traffic in executive repoprt shows no data
• NC-16257 [Routing] OSPF multicast group limit reached
• NC-17847 [SSLVPN] Wrong info message when saving global SSL VPN settings
• NC-6580 [SSLVPN] Disconnecting SSL VPN connections has to take remote port into account
• NC-17469 [SupportAccess] Service warning on deactivated SupportAccess
• NC-11118 [UI] Improve browser console for long syntax
• NC-17965 [UI] Language Selection on login doesn’t change the labels in the login mask
• NC-15815 [VPN] Incorrect IPSec configuration pushed by SFM
• NC-17260 [VPN] Import of configuration files not working
• NC-17768 [VPN] Cannot enable Cisco VPN if last remaining user stated on VPN screen is removed from the user’s screen
• NC-17863 [WAF] XG85 /tmp Partition is filling up
• NC-18010 [WAF] Fix segmentation fault in mod_xml2enc for multi-byte charsets
• NC-18047 [WAF] Special characters are encoded when HTML rewrite is enabled
• NC-13221 [Web] Extra parameters pushed from SFM to SFOS for web settings
• NC-13909 [Web] HTTPS traffic is proxy but Web Proxy is turned off
• NC-13960 [Web] SFOS breaks auto update on SAV for Mac
• NC-16693 [Web] Protect > Web some strings are cut off
• NC-16730 [Web] No captive portal redirection for new requested URL configured in exception with “Skip Policy Checks” action
• NC-17398 [Web] Unauthenticated user is able to access the Whatsapp/Facebook application
• NC-17481 [Web] Captive Portal redirecting to empty IP address
• NC-17740 [Wireless] Rogue AP scan failed in log viewer
• NC-1806 [Wireless] LocalWiFi – failed to configure IP address on WiFi interface
• NC-18025 [Wireless] Rogue AP Scan failed when click on “Scan Now”