When you try to delete a shared mailbox, which is placed in Office 365 (Exchange Online), and you are running Hyrbid, you may see this:

The following error occurred during validation in agent ‘Windows LiveId Agent’: ‘Unable to perform the save operation. ‘TESTDELT’ is not within a valid server write scope.’

Then when you try to delete it from the ECP on the on-premise Exchange server:
… “isn’t a mailbox user.”

Workaround

Use powershell on the on-premise Exchange:
Remove-remotemailbox –identity testdelt@domain.com

Run AAD Connect delta sync.

You could also delete the user account, for the shared mailbox, and force a AAD Connect delta sync.

Finally, it’s here..bam bam baaaaammmm

Looking forward to test it, and will return with results, if you want your hands on it, go here:

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-fire-eap-firmware-is-here

From the page above:

Good news! The XG Firewall v18 Early Access Program (EAP) 1 firmware is available for you to download and begin testing!

In an earlier post, Chris McCormack provided information on some of the key new features in the release including the new Xstream Architecture. You can get detailed information on all the features in the release by reading our “What’s New in v18” document.

Because this is the first build of the v18 release there are a few things we’d like to bring to your attention before you download the firmware and begin testing it.

• We’ve attempted to make the build as bug-free as possible, however as is the nature of early access firmware we cannot guarantee it will be. Therefore, use the firmware in production at your own discretion.
• The firmware has yet to be tuned for performance. Expect to see faster speeds in future builds.
• As part of the EAP we’ll continue to add additional features into future builds. You can find the features in those later builds in the “What’s New in v18” document.

Download the v18 EAP 1 Firmware

Don’t know where to get the firmware? Go to the XG Firewall v18 EAP page, fill out the online form and you’ll have access to the v18 EAP firmware download.

Getting Started

Once you’re ready to go, we’ve got some great resources to help you get started:

• “What’s New in v18” – See the complete feature list with descriptions
• v18 Evaluation Guide Slides – Learn about the features we’d like you to test
• v18 Public Release Notes – Read the latest notes about the v18 build
• v18 Known Issues and Limitations – Get information on any known issues, advice for users and incomplete features in v18

Things to Know Before Upgrading

Before upgrading to v18 EAP 1 from an earlier version, there are a few things to note:

• You can upgrade to v18 from v17.5 MR6 or later MR versions of v17.5.
• Rollback and firmware switch are supported as usual. You can roll back to v17.5 MRx if you experience any issues during the v18 EAP.
• Backup and restore are supported as usual. SG Firewalls running SFOS, Cyberoam firewalls and XG Firewall backups can be restored on v18.
• Due to a minimum memory requirement of 4GB of RAM, XG 85 and XG 105 models cannot upgrade to v18 and must remain on a 17.x version.
• v18 firmware is not supported on Cyberoam models. However, Cyberoam firewall backups can be restored on an XG Firewall running v18.

Share Your Feedback

Communicating your experiences with the v18 EAP 1 firmware is crucial to its success, so we want to hear from you! Please share your feedback via the Sophos Community or through your XG Firewall’s feedback mechanism in the user interface.

• How to report a bug? Check out this post that outlines the info needed.

Thank you for taking the time to test the v18 EAP 1 release. We’re excited about all the new features this release will bring to Sophos XG users and we appreciate your help making it happen!

Sincerely,

Your Sophos XG Firewall Product Team

Outlook 2016, 2019, 365 prompting for a password when adding a second mailbox in Exchange Online, with the primary mailbox still on-premises.

This can happen in these scenarios:

• A user’s mailbox is on-premises, and they have access to another user or shared mailbox which has already been moved to Exchange Online
• A remote archive has been created for the user using e.g. Enable-Mailbox -RemoteArchive

In this case, Outlook will prompt for a password when trying to connect to the online mailbox.

Fix it, by adding the following registry key:

• HKEY_CURRENT_USER\Software\Microsoft\Exchange
• New, DWORD (32-bit)  Value.
• Name: AlwaysUseMSOAuthForAutoDiscover
• Value: 1

This will force Outlook, to always use Microsoft Office 365 Authentication, for Autodiscover, read more here:

https://support.microsoft.com/da-dk/help/3126599/outlook-prompts-for-password-when-modern-authentication-is-enabled

Sometimes you can hear users complain about not being able to search in Outlook and OWA, one thing that often causes this, is the Content Indexing in Exchange server.

So how to find out?

Go to Exchange Powershell, and type:

“Get-MailboxDatabaseCopyStatus * | sort name | Select name,status,contentindexstate”

You will get a status of your databases ContentIndexState that will show:

Catalog state: FailedAndSuspended.

Stop theese services:

Stop–Service MSExchangeFastSearch

Stop–Service HostControllerService

After that, find out where the Exchange database involved, resides:

Get–MailboxDatabase <DATABASE NAME> | select EdbFilePath

In here, we find the GUID folder for the index, delete that folder or rename it:

Start the two services again:

Start–Service MSExchangeFastSearch

Start–Service HostControllerService

Now the indexing service will be starting up again, slowly crawling through the database, but please remember, this will take a long time to complete, also if the database is big!

Everything can be done during work hours, without any kind of interruption.

After a while, try to run this command again:

As you can see, now it’s not suspended anymore, just “Failed”

Then after some time, run the command another time:

An now we are crawling

Finally we will reach this:

And search should start working again

Sophos has released EAP2 today for XG SFOS v18, it gives a lot of fixes and new features, looking so much forward to EAP3

Important Issues Resolved in SF v18 EAP 2

• NC-50214 [DHCP] DHCP server dead with specific configuration
• NC-48712 [Email] Antivirus service in stopped state, cannot recover it
• NC-51717 [DDNS, Email] DDNS uses wrong IP when interface is configured with PPPoE + Alias
• NC-37775 [Firewall] Configuring over 20 time schedulers on the various firewall rules is causing CSC freeze
• NC-50712 [Firewall] NAT Rules UI error
• NC-47482 [Firmware Management] Firmware mismatch issue – both firmware slots showing same firmware
• NC-52441 [Firmware Management] Some time firmware ‘install’ opcode getting timeout and installation failed
• NC-51568 [IPS-DAQ] Coredump in snort
• NC-52085 [IPS-DAQ] Wget not working for IPv6 sites in bridge mode – SSL decrypt not working
• NC-49919 [IPsec] Dgd service stopped and unable to start
• NC-48106 [Logging Framework] XG85 – /tmp partition fills up
• NC-51956 [Web] Slow browsing with DPI Mode – System with 4gb RAM
• NC-52710 Gateway status was showing down after upgrading to EAP1 Refresh
• NC-52642 “Last 24 hours Memory” Usage Report Bubble show wrong figure
• NC-52684 /tmp full : Appliance storing backup frequently at /tmp/backup
• Plus 200+ issues and stability fixes are part of EAP 2

New Features and Highlights in SF v18 EAP 2

• User based uplink selection in the SDWAN policy routes
• Sandstorm threat intelligence detailed report is now available
• VLAN members in bridge
• Improved Firewall and NAT rule management
  • Advanced filter now has exclusion, proxy, HTTP scanning options
  • Firewall exclusion config is now seen on the manage page
  • Move firewall rule to <nth> position (across the pages)
  • Retain filter on firewall page (session wise)
  • Add / Detach multiple rule to a Group
  • Policy test tool error correction
  • Linked NAT
    • Added Hide linked rule option on NAT manage page
    • Linked NAT rules can be filtered from NAT type filter
    • Auto-populated linked NAT details
    • Added Override SNAT config icon with the tool tip on NAT rule manage page
    • Added Health Check interval (on UI) on NAT Policy page
• A part of HA enhancement (other improvements have been planned in EAP 3)
  • Added cluster ID to eliminate VMAC conflict limitation
  • Now supports option to use host/ hypervisor MAC to eliminate vSwitch Promiscuous mode limitation
  • Now supports pre-emption/ Failback
  • Eliminated downtime in case of upgrade using “Firmware Upgrade now and boot later” option
  • HA synchronization now happens over SSH tunnel based secure communication
• CLI option to enable-disable policy route trigger on reply traffic and system generated traffic
• Port agnostic protocol identification for HTTP and SMTP in Snort

Read more:

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-eap-2-firmware-has-been-released

Sophos has released EAP 3 for XG

Release notes:

The XG Firewall v18 Early Access Program (EAP) 3 firmware release is now available for download.

To get the latest release, go to the XG Firewall v18 EAP page. With EAP 3, we have moved to more secured firmware signing method, hence, you will see “.sig” extension for the firmware update files than the older “.gpg” extension.

Note: If you’ve already registered for the v18 EAP and upgraded your XG Firewall firmware, there’s no need to re-register to gain access to the v18 EAP 3 release. You will see a notice in the firewall UI to upgrade through the Up2Date service.

We’ve updated the “Known Issues, Advice for Users, and Incomplete Features” document with new information.

Please remember, this is still an early build of the v18 release so there are some things we’d like to bring to your attention before you download the firmware and begin testing it.

• We’ve attempted to make the build as bug-free as possible, however as is the nature of early access firmware we cannot guarantee it will be.
• The firmware is continually being tuned for performance. Expect to see faster speeds in future builds.
• As part of the EAP we’ll continue to add additional features into future builds. You can find the features in those later builds in the “What’s New in v18” document.

New Features and Highlights in SF v18 EAP 3

• SD-WAN Application Routing and Synchronized SD-WAN
• QuickHA mode and other High Availability (HA) Enhancements
  • Update HA configurations without breaking HA; includes downgrade firmware and modify Port monitoring list
  • Deploy HA in single click using QuickHA mode – supports flexible order of configuring primary and auxiliary
  • Keepalive request and attempts configurations to tune timeout for cross location HA
  • Option to assign multiple IPs to Auxiliary unit
  • Added cluster ID to eliminate VMAC conflict limitation
  • Now supports option to use host/ hypervisor MAC to eliminate vSwitch Promiscuous mode limitation
  • Now supports pre-emption/ Failback
  • Eliminated downtime in case of upgrade using “Firmware Upgrade now and boot later” option
  • HA synchronization now happens over SSH tunnel based secure communication
• Flow Monitoring Improvements
  • Real time bandwidth on the Live connections screen; Analyze bw utilization for users, source IP and applications in a single view
• Bridge Interface Enhancements
  • support ARP broadcasts, Spanning Tree Protocol (STP) traffic, and filter non-IP protocols by specifying the ethernet frame type
• VLAN Filtering
• DPI and SSL/TLS improvements (includes key issues addressed related to DPI and SSL/TLS)
  • SSL/TLS rules can no longer include the ‘WAN’ zone as a source. We do not support the use case of decrypting inbound SSL/TLS connections from the Internet to an internal Web Server, which requires a different form of key/cert management. We removed this option to avoid confusion as there is rarely a need to do ‘outbound’ SSL/TLS decryption on connections originating outside the firewall.
  • Fixed: Some log entries for blocked connections were taking up to 30 minutes to appear in the log
  • Added a set of built-in FQDN host objects and groups for sites impacted by SafeSearch feature. SafeSearch enforcement by web policy only works in Proxy mode. These network can be used in firewall rules to direct Search Engine traffic through the Web Proxy while protecting other traffic with DPI mode.
  • In the Control Center chart showing encrypted/decrypted connections, the ‘Decryption limit’ is no longer shown unless the actual traffic load is close to the limit. This fixes an issue where the scaling of the chart meant that it was not very informative for modest traffic loads.
  • Revised the captions and layout of the Web options in Firewall Rule to help clarify how the various options relate.
  • SSL/TLS log now shows the whole server cert fingerprint
  • SSL/TLS rules list UI has filtering capability
  • SSL/TLS rules can now use FQDN Host and Group objects (note that there is a known issue that prevents FQDN Host objects being added to a rule via the UI)
• Improvements related to Sandstorm threat intelligence
  • When Sandstorm is licensed and enabled, files that trigger virus detections will now be sent for static analysis
  • Sandstorm Control Center widget displays a new set of counts to reflect the new functionality

Note: Route based VPN will be part of future EAP release.

Important Issues Resolved in SF v18 EAP 3

• NC-53875 Fixed allocation issues resulting in IPS keeps getting restarted
• NC-52853 Fixed garner core dump related to feedback channel in XG330
• NC-52662 Fixed continuous receiving ‘fw_fp_invalidate_microflows:459: Queueing invalidate work ffff8801ed1bb5c0’ error in syslog.
• NC-51952 WAF firewall rule update failed after migration from 17.5 MR8 to 18.0 EAP1
• NC-50549 Drop packet does not show all the info for firewall rule ID 0 drop compare to v17.5
• NC-53988 Kernel panic in XG450 appliance
• key issues addressed related to DPI and SSL/TLS (detailed out in the section above)
• Packet capture and connection list issues
• Plus 200 issues and stability fixes are part of EAP 3

Getting Started

Once you’re ready to go, we’ve got some great resources to help you get started:

• Recommended Reads – Check out these important forum posts
• “What’s New in v18” – See the complete feature list with descriptions
• v18 Interactive training course – Enroll in this interactive training course to learn more about v18
  • Home page for Sophos Customer Training
• v18 Admin Guide – Read the latest admin guide for v18
• v18 Evaluation Guide Slides – Learn about the features we’d like you to test
• v18 Public Release Notes – Read the latest notes about the v18 build
• v18 Known Issues and Limitations – Get updated information on any known issues, advice for users and incomplete features in v18

Things to Know Before Upgrading

Before upgrading to v18 EAP 3 from an earlier version, there are a few things to note:

• You can upgrade to v18 EAP 3 from v17.5 MR6 or later MR versions of v17.5 including latest MR9; as well as from any earlier v18 EAP.
• Rollback (firmware switch) is supported as usual. You can roll back to v17.5 MRx if you experience any issues during the v18 EAP. As an example, the active firmware on the firewall is v18, and the second firmware version is v17.5. Administrators can switch between these two and the configuration on each will stay as it is.
• Backup and restore are supported as usual. SG Firewalls running SFOS, Cyberoam firewalls and XG Firewall backups can be restored on v18.
• Due to a minimum memory requirement of 4GB of RAM, XG 85 and XG 105 models cannot upgrade to v18 and must remain on a 17.x version.
• v18 firmware is not supported on Cyberoam models. However, Cyberoam firewall backups can be restored on an XG Firewall running v18.
• Downgrading from v18 to older firmware – using v17.5 or earlier firmware file – is NOT supported. The Web console will the give appropriate message. v18 uses Grub boot loader. The changed bootloader cannot recognize v17 firmware. Administrators can still use the hardware ISO of v17.5 or an earlier version to get the firewall on an older firmware version and restore the downgraded firmware’s backup.

Recommended upgrade process when you test multiple v18 early access releases:

• This is applicable if you have upgraded to v18 from v17.5. When you further upgrade from v18-EAP(x) to v18-EAP(x+1), you can first switch to v17.5 and upgrade from v17.5 directly to v18-EAP(x+1). From there, you can then restore the backup of v18-EAP(x). This way you will always have v17.5 firmware in your second firmware slot, and leave an option open to roll back to v17.5 if needed.

Support

• Please do not call the general Sophos Support Hotline for EAP issues.
• Troubleshooting support for EAP versions is handled solely through the online Sophos Community EAP Forums.

Share Your Feedback

Communicating your experiences with the v18 EAP firmware is crucial to its success, so we want to hear from you! Please share your feedback via the Sophos Community or through your XG Firewall’s feedback mechanism in the user interface.

• How to report a bug? Check out this post that outlines the info needed.

When updating your ESXi host through esxcli to a newer version, in my ex. from u2 to u3, I got this error, when running this command;

esxcli software profile update -p ESXi-6.7.0-20191204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

And the error:

[InstallationError]
[Errno 28] No space left on device
vibs = VMware_locker_tools-light_11.0.1.14773994-15160134
Please refer to the log file for more details.

Various checks may show, that storage is not an issue, so I found two workarounds working:

1. Set the system swap location:

2. Download the affected vib file manually and install:

cd /tmp

wget http://hostupdate.vmware.com/software/VUM/PRODUCTION/main/esx/vmw/vib20/tools-light/VMware_locker_tools-light_11.0.1.14773994-15160134.vib

esxcli software vib install -f -v /tmp/VMware_locker_tools-light_11.0.1.14773994-15160134.vib

After it’s installed, do the update at the top, of this article again, and it should work, given that you do NOT need space

Moving futher towards v18 GA, Sophos released th EAP 3 refresh

New Features and Highlights in SF v18 EAP 3 Refresh-1

• Route Based VPN
  • Simplifies VPN policy creation with larger/dynamic networks.
  • Network topology changes don’t impact IPSec VPN ‘policy’
  • Also interoperates with non-Sophos route based VPN tunnels
  • Configure IPSec using “Tunnel Interface” connection type listening on WAN interface. And assign IP to auto-created XFRM Interface. And configure routing (Static, Dynamic, SD-WAN PBR), firewall and NAT rules as required
  • IPSec and MPLS can now be active at the same time, use RBVPN in SD-WAN policy routing

• NAT Improvements addressing early feedback we received from community contributors
  • Server access assistant (DNAT): Destination NAT assistant (or wizard) enables workflow to publish an internal server over internet in a few clicks
  • Default SNAT rule at the bottom of the NAT rule table that MASQ traffic going out of WAN interfaces.
    • There is an open issue in Refresh-1 that turns on the default rule post migration. For No-NAT environments, please manually disable this rule to maintain the behavior.
  • NAT rule UX placement is now consistent with firewall UI

• Flow monitor UX fixes
  • Stability fixes for handling large number of live connections
  • Retain sorting on BW columns on refresh
  • Negative Value in Upstream/downstream Bandwidth column
  • Same Upload and download values when data is grouped by Source IP address/User

• Memory optimization and Performance improvements

Important Issues Resolved in SF v18 EAP 3 Refresh-1

• NC-53500 XGFW interferes with certain SSL website connections
• NC-53016 Email Blocked Senders cannot be updated
• NC-52641 IPS Service getting DEAD
• NC-53228 Continuous receiving ‘daemon.debug /bin/smcroute[6387]: Debu: 28 byte IGMP signaling dropped” in syslog.log
• NC-54038 Wrong notification message displayed after disabling firewall rule
• NC-52090 LogViewer: “Action is not Allowed” filtering not working in detailed view
• Flow monitor UX fixes
• Plus 150 issues and stability fixes are part of EAP 3 Refresh-1

Source:

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-eap-3-refresh_2d00_1-firmware-has-been-released

Sometimes it would be great to get a users password for their email, if it maybe is used for a lot of places, sending notifications of broken IT equipment, luckily, Plesk have a command that solves that, SSh to your server:

Type following command:

/usr/local/psa/admin/bin/mail_auth_view

And you will get:

If they are not encrypted

UTM Up2Date 9.701 Released

https://community.sophos.com/products/xg-firewall/b/blog/posts/sophos-xg-firewall-v18-is-now-available

Now it’s done, here are the full release notes:

An easy to use exploit, have been discovered for Exchange 2010, 2013, 2016 and 2019, patch now.

If you have a login for a normal user, you can execute code on the server as “SYSTEM” account through Exchange Control Panel (ECP)!:

Read more and see video:

https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

Microsoft patch:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Recently, there have been sold Exploits on the dark web, for exploiting Zyxel NAS devices, but researchers have found out, that firewall’s also have the vulnerbility:

https://krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/

Zyxel advisory – please note, not all Zyxel devices can be patched, so time for a replacement:

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

UTM Up2Date 9.702 Released

Release notes:

XG Firewall v18 GA-Build339 Enhancements:

This version adds v17.5 MR10 to v18.0 GA-Build339 upgrade and config migration support.

This version introduces the ability to disable SSL/TLS inspection rules, with a new toggle switch on Rules and Policies > SSL/TLS inspection rules. This is set to ‘Off’ by default for customers upgrading from SFOS version 17.5, to avoid potential behavioral changes on upgrade. You must turn it on to enable the new Xstream SSL/TLS decryption functionality, including the SSL/TLS traffic statistics son Control Center.

When SSL/TLS inspection is set to ‘On:

• All traffic will be inspected to determine if it is SSL/TLS or not.
• SSL/TLS decryption rules will be applied and connections will be logged as required by the rules.
• SSL/TLS traffic statistics will be updated and shown on the Control Center.

When SSL/TLS inspection is set to ‘Off’:

• No SSL/TLS decryption rules are evaluated or applied.
• No traffic is decrypted by the DPI Engine. Traffic handled by the Web Proxy will still be decrypted, based on firewall rule configuration.
• No SSL/TLS statistics are gathered. The statistics shown on the Control Center will no longer update.
• For traffic matching firewall rules that have a web policy set, and that are not configured to use the web proxy, the DPI Engine still uses SSL/TLS inspection to enforce policy on non-decrypted HTTPS connections.

There is an additional control in Rules and Policies > SSL/TLS inspection rules > SSL/TLS inspection settings > Advanced settings labeled ‘SSL Engine’. If this is set to ‘Disable’, the SSL/TLS inspection engine will not be used at all. This option is only intended to be used for troubleshooting as directed by Sophos Support. When ‘SSL Engine’ is set to ‘Disable’:

• No SSL/TLS decryption rules will be evaluated or applied
• No traffic will be decrypted (unless it is being handled by the Web Proxy, based on firewall rule configuration)
• No SSL/TLS statistics will be gathered. The statistics shown on the Control Center will no longer update.
• The DPI Engine will be unable to apply web policy to any HTTPS traffic. This applies to traffic matching a firewall rule that has a Web policy set, and that is not using the Web proxy.

Plus, Several important issues have been resolved:

A bit delay’ed because of COVID-19, but here you go – It’s an very important fix for XG due to kernel panics when a lot of users are on SSLLVPN!:

XG Firewall v18 GA-Build354 Enhancements:

• Sophos Connect (IPSec VPN) lease now supports more than 255 IP addresses in address range (NC-57067)
• Fixed: Issues related to upgrade from v17.5 MRx to v18.0 GA (NC-57910)
• Fixed: kernel panic issue related to SSLVPN tunnels (NC-56732)

Please refer XG Firewall v18 highlights for more details on all-new Xstream Architecture delivering extreme new levels of visibility, protection and performance. Also, check out our XG Firewall v18 playlist on YouTube to find out what’s new in XG Firewall v18!

Get it now!

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled-out automatically to all systems over the coming weeks but you can access the firmware anytime to do a manual update through MySophos.

For fresh installations, please find the following installer images:

• HW-18.0.0_GA-Build354-354.iso
• SW-18.0.0_GA-Build354-354.iso
• VI-18.0.0_GA-Build354.HYV-354.zip
• VI-18.0.0_GA-Build354.KVM-354.zip
• VI-18.0.0_GA-Build354.VMW-354.zip
• VI-18.0.0_GA-Build354.XEN-354.zip

Things to know before upgrading

• Supported hardware appliances
• Important upgrade information

Note: Please note that upgrading from SFOS v17.5.x to SFOS v18 GA-Build354 may take longer than normal, due to the file system correction checks. The approximate time is dependent on the hard disk size and state. More info available in this KBA.

When setting up RDS farms, you can setup your workspaceid, to match your FQDN, and then buy a certificate, that matches that, to your broker – fair enough, but when the broker redirects to your RDS Hosts, you will eventually, get a certificate error, because the RDS host use a self-signed .local certificate. So you may then think, let’s go and install a real certificate on our RDS host, then you ex. get that rdsh01.domain.local does not match certificate *.domain.com

They can easily be solved by implementing “Disjoint namespace”, that in short does that you can use your real certificate on the server, even though it’s joined to a .local AD

So:

– Join then server to your AD
_ Go into the settings for the domain on the server and change the DNS Suffix, so instead of rdsh01.domain.local, write rdsh01.domain.com, after this, it’s still domain joined, but you can install a real certificate on the server

Fully supported by Microsoft, here is an article about it and it’s pro’s and con’s:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/disjoint-namespace

Tested på RDS/WIN 2019 OK

Sophos has finally released newer hardware for their RED solution, now they call them SD-RED, and there are two models; SD-RED 20 and SD-RED 60, they have new features like SFP ports, much larger bandwidth support, and the SD-RED 60 has two PoE ports, that could power two Sophos APX access points, here is what’s in the box:

Technical Specifications for SD-RED

Model Name	SD-RED 20	SD-RED 60
Capacity
Maximum Throughput	250 Mbps	850 Mbps
Physical Interfaces (Built-in)
LAN Interfaces	4 x 10/100/1000 Base-TX (1 GbE Copper)	4 x 10/100/1000 Base-TX (1 GbE Copper)
WAN Interfaces	1 x 10/100/1000 Base-TX (shared with SFP)	2 x 10/100/1000 Base-TX (WAN1 shared port with SFP)
SFP Interfaces	1x SFP Fiber (shared port with WAN)	1x SFP Fiber (shared port with WAN1)
Power-over Ethernet Ports	None	2 PoE Ports (total power 30W)
USB Ports	2 x USB 3.0 (front and rear)	2 x USB 3.0 (front and rear)
COM Ports	1 x Micro-USB	1 x Micro-USB
Optional Connectivity
Modular Bay	1 (for use with optional Wi-Fi OR 4G/LTE Card)	1 (for use with optional Wi-Fi OR 4G/LTE Card)
Optional Wi-Fi Module	802.11 a/b/g/n/ac Wave 1 (Wi-Fi 5) dual-band capable 2×2 MIMO 2 antennas	802.11 a/b/g/n/ac Wave 1 (Wi-Fi 5) dual-band capable 2×2 MIMO 2 antennas
Optional 3G/4G LTE Module	MC7430/MC7455 Sierra Wireless Card	MC7430/MC7455 Sierra Wireless Card
Optional VDSL Modem	Optional SFP Modem (not yet supported)	Optional SFP Modem (not yet supported)
Physical Specifications
Dimensions	225 x 44 x 150 (w*h*d) mm 8.86 x 1.73 x 5.91 (w*h*d) inches	225 x 44 x 150 (w*h*d) mm 8.86 x 1.73 x 5.91 (w*h*d) inches
Weight	0.9 kg/1.8 kg (1.98 lbs/3.97 lbs) Unpacked/Packed	1.0 kg/2.2 kg (2.2 lbs/4.85 lbs) Unpacked/Packed
Power Supply Adapter	AC Input: 110-240VAC @50-60 Hz DC Output:  12V +/- 10%, 3.7A, 40W”	AC Input: 110-240VAC @50-60 Hz DC Output:  12V +/- 10%, 6.95A, 75W
Power Redundancy Support	Yes, optional 2nd power supply	Yes, optional 2nd power supply
Power Consumption	Idle: 6.1Watt/20.814 BTU Full Load: 22.6Watt/77.114 BTU	Idle: 11.88 Watt/40.536 BTU Full Load without PoE: 25.33 Watt/86.429 BTU Full Load with PoE: 62.48 Watt/213.190 BTU
Noise level (average)	Fanless	Fanless
Temperature (operational)	0°C to 40°C (32°F to 104°F)	0°C to 40°C
Temperature (storage)	-20°C to 70°C (-4°F to 158°F)	-20°C to 70°C (-4°F to 158°F)
Humidity	10-90% RH, non-condensing	10-90% RH, non-condensing
Safety Regulations
Certifications (Safety, EMC, Radio)	CE/FCC/IC/RCM/VCCI/CB/UL/CCC/KC/ANATEL	CE/FCC/IC/RCM/VCCI/CB/UL/CCC/KC/ANATEL

Read more: https://www.sophos.com/en-us/products/next-gen-firewall/sd-wan.aspx

Download datasheet: sophos-sd-red-ds

Today they released UTM 9.703. The release will be rolled out in phases.

In phase 1 you can download the update package from their download server, in phase 2 they will spread it via their Up2Date servers.

Up2Date Information

News

• Maintenance Release

Remarks

• System will be rebooted
• Configuration will be upgraded
• Connected REDs will perform firmware upgrade
• Connected Wifi APs will perform firmware upgrade

Issues Resolved

• NUTM-9381 [Access & Identity] WebAdmin user getting an error while browsing ‘Sophos Transparent Authentication Status’ tab
• NUTM-11258 [Access & Identity] [SAA] Wrong version of SAA displayed in Windows with MSI installer
• NUTM-11578 [Access & Identity] Patch strongSwan (CVE-2019-10155)
• NUTM-11589 [Access & Identity] [SAA] Add TLS 1.2 support for Windows client
• NUTM-11590 [Access & Identity] [SAA] Add TLS 1.2 support for macOS client
• NUTM-11675 [Access & Identity] Patch PPTP and L2TP pppd (CVE-2020-8597)
• NUTM-11109 [Basesystem] Status lights blinking green constantly on SG 1xx and XG 1xx series
• NUTM-11173 [Basesystem] IPsec doesn’t re-connect on DHCP interface after firmware upgrade
• NUTM-11255 [Basesystem] Fix “Internet IPv6” binding in case of multiple IPv6 uplinks
• NUTM-11417 [Basesystem] SG115rev3 HA eth3 interface flapping after update to 9.7
• NUTM-11645 [Basesystem] Patch libxml2 (CVE-2019-19956, CVE-2020-7595)
• NUTM-11561 [Configuration Management] Unable to load certificate list in WebAdmin when large number of certificates present
• NUTM-10803 [Email] S/MIME signed mails have an invalid signature if 3rd party CA is used
• NUTM-11240 [Email] Recipient verification fails due to incomplete LDAP search query
• NUTM-11662 [Email] Bad request for release mails out of the quarantine report after update to 9.7 MR1
• NUTM-11485 [Kernel] Patch Linux Kernel (CVE-2019-18198)
• NUTM-11288 [Localization] AWS Current Stack link is incorrect
• NUTM-11081 [Network] Up-link balancing not clearing conntracks when interface goes down
• NUTM-11218 [Network] ulogd restarting/core-dumps
• NUTM-11614 [Network] Increase GARP buffer
• NUTM-11676 [Network] Patch pppd (CVE-2020-8597)
• NUTM-11573 [RED] RED interface doesn’t obtain IP after UTM reboot
• NUTM-11467 [RED_Firmware] RED15w WPA/WPA2 enterprise cannot connect
• NUTM-11822 [RED_Firmware] RED15 firmware update might fail if flash has bad blocks
• NUTM-11378 [Reporting] Top5 Malware won’t be displayed in Executive Reports if those are sent as PDF
• NUTM-11220 [Sandstorm] When opening Sandstorm activity which contains Korean characters for example, you get this error “cannot decode string with wide characters at encode.pm line 174”
• NUTM-10202 [UI Framework] [SAA] Live user table doesn’t scale with very long names
• NUTM-11084 [UI Framework] Webadmin Information popup not visible
• NUTM-11191 [UI Framework] Can’t download certificate in WebAdmin when name contains apostrophe
• NUTM-11584 [UI Framework] Replace FTP Up2date download link in WebAdmin with HTTPs
• NUTM-11598 [UI Framework] Internal Server Error alert thrown with initial Webadmin request after installation
• NUTM-11725 [UI Framework] Update prototype
• NUTM-11130 [Web] Add configuration for savi_scan_timeout
• NUTM-11346 [Web] Warn page proceed fails due to missing parameters
• NUTM-10269 [Wireless] SSID stops broadcasting

NUTM-11581 [Wireless] User with “Wireless Protection Manager” rights is unable to change wireless settings if mesh is configured