Channel: martinsblog.dk

Sophos Firewall v19.5 Early Access


Sophos has released Sophos Firewall v19.5 EAP 1:

See here: Sophos Firewall v19.5 Early Access – Sophos Partner News

See the new features here: sophos-firewall-key-new-features

 

Xstream SD-WAN:

  • SD-WAN Load Balancing builds on the powerful SD-WAN capabilities introduced in v19 to add load balancing across multiple SD-WAN links for added performance and redundancy.
  • IPSec VPN Capacity is also significantly increased enabling up to double the number of concurrent tunnels depending on your XGS Series model.
  • Dynamic Routing with OSPFv3 (IPv6) which has been one of our top requested features bringing enhanced routing, flexibility, security, and performance.

 

Xstream Protection and Performance:

  • Xstream FastPath Acceleration of TLS encrypted traffic takes advantage of the hardware crypto capabilities in the Xstream Flow Processor to accelerate TLS encrypted traffic flows on the FastPath on the XGS 4300, 4500, 5500, and 6500. This provides added headroom and performance for traffic that requires deep-packet inspection.

 

High Availability:

  • Several Status, Visibility and Ease-of-Use Enhancements improve the operation of high availability (HA) configurations.
  • Redundant Link Support enables your high availability devices to be connected with multiple redundant HA links to add resiliency and reliability.

 

Quality of Life Enhancements:

  • Host and Service Object Search enables you to perform free text searches for host and service objects by name or value.
  • Enhanced .log file storage enables advanced troubleshooting.
  • Azure AD SSO for web console and UI login offers an alternate and easier method of authentication.
  • Enhanced 40G Interface Support with auto-detection of advanced port configurations on XGS 5500 and 6500 models.

 

New 4G/5G Hardware Support

  • New 4G/5G Interface Modules launching alongside v19.5 provide new high-speed cellular connectivity options for the modular desktop models, including the XGS 116(w), 126(w), and 136(w).

Sophos Firewall v19.5: Azure AD SSO for Webadmin Login

Windows VPN and locked out users


When using the built-in Windows VPN client with e.g. Cisco Meraki appliances or other devices, and you have not (for some unknown good reason 🙂) joined the VPN appliance to Azure AD or the local Active Directory, but use the same usernames on the VPN appliance as in AD, you will of course end up with users whose VPN password differs from their AD password as time passes.

By default the Windows VPN client will, once connected, pass the VPN credentials on to network resources for authentication. When the two passwords differ, every access attempt is a failed logon against the domain controller, and once the account lockout threshold is reached the user is locked out when accessing network resources such as network shares:

The solution is to set the Windows VPN profile to NOT use the VPN credentials but let Windows use its own. This is achieved by editing the rasphone.pbk file, which is the "phonebook" holding your VPN profiles.

VPN connections on Windows have a UseRasCredentials option which allows a user on a non-domain machine to work with domain resources using his/her VPN credentials.

Under the hood, when this option is enabled, Windows creates stored credentials for a VPN session:

cmdkey /list
Currently stored credentials:
    Target: Domain:target=*Session
    Type: Domain Password
    User: dom\username
    Saved for this logon only

The VPN can be configured for all users of the PC, but also for just one user; choose the one that fits your installation (the replace is a plain string match, so it only touches UseRasCredentials=1 entries):
# For all-user connections
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
(Get-Content -Path $PbkPath -Raw) -replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath

# For single-user connections
$PbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
(Get-Content -Path $PbkPath -Raw) -replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -Path $PbkPath
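As an added example (not code from the original post), the script below audits both phonebooks and reports which profiles still forward the VPN credentials before changing anything, keeps a backup of each file, and re-checks the result afterwards. It assumes Windows PowerShell 5.1 or later, the two standard rasphone.pbk locations named above, and that each [Section] in the file is one VPN profile.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1+
# and the two standard rasphone.pbk locations; each [Section] of the file is
# treated as one VPN profile.

function Get-VpnPhonebookPaths {
    # All-user profiles live under ProgramData, per-user profiles under AppData.
    @(
        (Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
        (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk')
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-VpnProfileRasCredentialSetting {
    param([Parameter(Mandatory)][string]$PbkPath)
    # Walk the INI-style file, remembering the current [profile] section, and
    # emit one object per profile that carries a UseRasCredentials line.
    $section = $null
    foreach ($line in Get-Content -LiteralPath $PbkPath) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^UseRasCredentials=(\d)\s*$') {
            [pscustomobject]@{
                Phonebook         = $PbkPath
                Profile           = $section
                UseRasCredentials = [int]$Matches[1]
            }
        }
    }
}

function Disable-VpnRasCredentials {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PbkPath)

    $hits = @(Get-VpnProfileRasCredentialSetting -PbkPath $PbkPath |
              Where-Object UseRasCredentials -eq 1)
    if ($hits.Count -eq 0) {
        Write-Host "${PbkPath}: no profile forwards the VPN credentials, nothing to do."
        return
    }
    $names = $hits.Profile -join ', '
    if (-not $PSCmdlet.ShouldProcess($PbkPath, "Set UseRasCredentials=0 for: $names")) { return }

    # Keep a timestamped copy so the change can be reverted.
    $backup = "${PbkPath}.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $PbkPath -Destination $backup

    # Anchor the pattern to a whole line: the phonebook has many other =1 keys.
    (Get-Content -LiteralPath $PbkPath -Raw) -replace '(?m)^UseRasCredentials=1\b', 'UseRasCredentials=0' |
        Set-Content -LiteralPath $PbkPath -NoNewline

    # Re-read and fail loudly if any profile still forwards the credentials.
    $left = @(Get-VpnProfileRasCredentialSetting -PbkPath $PbkPath |
              Where-Object UseRasCredentials -eq 1)
    if ($left.Count -gt 0) { throw "${PbkPath}: still UseRasCredentials=1 for $($left.Profile -join ', ')" }
    Write-Host "${PbkPath}: updated ($names); backup at $backup"
}

# Audit first (nothing is written), then apply.
foreach ($pbk in Get-VpnPhonebookPaths) { Disable-VpnRasCredentials -PbkPath $pbk -WhatIf }
foreach ($pbk in Get-VpnPhonebookPaths) { Disable-VpnRasCredentials -PbkPath $pbk }
```

After disconnecting and reconnecting the VPN, cmdkey /list should no longer show the Domain:target=*Session entry described above, since Windows now uses the logged-on user's own credentials for network resources. Profiles re-deployed later (for example by Add-VpnConnection or a management tool) may come back with the default value, so re-run the audit after profile changes.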

Thanks to Nash for advising how to catch these two configurations: Solved: Failed Logins on DC from Meraki VPN Client? – The Meraki Community

Sophos Firewall v19.5 is Now Available


After some time in the EAP testing, Sophos Firewall v19.5 is now available 🙂

 

Release notes: Sophos Firewall v19.5 is Now Available – Release Notes & News – Sophos Firewall – Sophos Community

What’s New:

 

Xstream SD-WAN:

  • SD-WAN Load Balancing builds on the powerful SD-WAN capabilities introduced in v19 to add load balancing across multiple SD-WAN links for added performance and redundancy.
  • IPsec VPN Capacity is also significantly increased enabling up to double the number of concurrent tunnels depending on your XGS Series model.
  • Dynamic Routing with OSPFv3 (IPv6) which has been one of our top requested features bringing enhanced routing, flexibility, security, and performance.

 

 

Xstream Protection and Performance

  • Xstream FastPath Acceleration of TLS encrypted traffic takes advantage of the hardware crypto capabilities in the Xstream Flow Processor to accelerate TLS encrypted traffic flows on the FastPath on the XGS 4300, 4500, 5500, and 6500. This provides added performance headroom for traffic that requires deep-packet inspection.

 

High Availability

  • Several Status, Visibility and Ease-of-Use Enhancements improve the operation of high availability (HA) configurations.
  • Redundant Link Support enables your high availability devices to be connected with multiple redundant HA links to add resiliency and reliability.

 

 

Quality of Life Enhancements

  • Azure AD integration for SSO web console login offers an alternate and easier method of authentication.
  • Host and Service Object Search enables you to perform free text searches for host and service objects by name or value.
  • Enhanced .log file storage enables advanced troubleshooting.
  • Enhanced 40G Interface Support with auto-detection of advanced port configurations on XGS 5500 and 6500 models.

Get the Full List of What’s New

Download the full What’s New guide for a complete overview of all the great new features and enhancements in v19.5.

See The New Features in Action

 

How to get the firmware, documentation, and training

As usual, Sophos Firewall OS v19.5 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible, as it not only contains great features and performance enhancements, but also important security fixes.

This firmware release will follow our standard update process.  You can manually download SFOS v19.5 from the Licensing Portal and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall OS v19.5 is a fully supported upgrade from any v18.5 firmware as well as v19, including the recent v19 MR1 build 365 release, and the v19.5 EAP build. Please refer to the Upgrade Information tab in the release notes for more details.

Sophos UTM Up2Date 9.713-19 released


Sophos has released a smaller bugfix update for Sophos UTM, fixing high CPU usage by rrdtool (graphs) during the DST change and a post-auth SQL injection in the Quarantine Manager (CVE-2022-3345).

It's already GA, so expect to find it in your UTM soon 🙂

Release notes:

Up2Date 9.713019 package description:

Remarks:
System will be rebooted
Configuration will be upgraded

News:
Maintenance Release

Bugfixes:
Fix [NUTM-13475]: [Basesystem] high CPU usage by rrdtool due to Daylight Saving Time Changes
Fix [NUTM-13682]: [Email] Post-auth SQLi in Quarantine Manager (CVE-2022-3345)

RPM packages contained:
glibc-2.15-22.17.1.18.gab638562.rb3.i686.rpm
glibc-64-2.15-22.17.1.18.gab638562.rb4.x86_64.rpm
glibc-64-locale-2.15-22.17.1.18.gab638562.rb4.x86_64.rpm
glibc-locale-2.15-22.17.1.18.gab638562.rb3.i686.rpm
libbz2-1-1.0.5-34.256.8.77.g6b5f3d94.rb6.i686.rpm
libbz2-1-64-1.0.5-34.256.8.77.g6b5f3d94.rb8.x86_64.rpm
AstaroPerl-5.10.1-1008.58.g8401a52.rb5.i686.rpm
libapr-util1-1.6.1-3.g09b600f.rb5.i686.rpm
libapr-util1-64-1.6.1-3.g09b600f.rb16.x86_64.rpm
libapr1-1.7.0-0.417222208.gada3837.rb6.i686.rpm
libapr1-64-1.7.0-0.417222208.gada3837.rb31.x86_64.rpm
libattr-2.4.43-1.18.2987.g8a7ac8d9.rb5.i686.rpm
libattr-64-2.4.43-1.18.2987.g8a7ac8d9.rb7.x86_64.rpm
libaviraglue-9.70-14.ga245b21.rb5.i686.rpm
libaviraglue-64-9.70-14.ga245b21.rb5.x86_64.rpm
libblkid1-2.19.1-6.72.1.1928.g9d8c7f8d.rb5.i686.rpm
libcap2-2.11-2.17.1.2507.g187c68b3.rb5.i686.rpm
libcap2-64-2.11-2.17.1.2507.g187c68b3.rb7.x86_64.rpm
libcom_err2-1.41.9-2.16.1.2049.g13b83782.rb5.i686.rpm
libcom_err2-64-1.41.9-2.16.1.2049.g13b83782.rb7.x86_64.rpm
libcurl4-7.19.7-1.64.1.2138.ge9bd53c0.rb5.i686.rpm
libcurl4-64-7.19.7-1.64.1.2138.ge9bd53c0.rb22.x86_64.rpm
libdnet1-1.11-87.17.2597.gd24ec231.rb5.i686.rpm
libdnet1-64-1.11-87.17.2597.gd24ec231.rb7.x86_64.rpm
libevent-1_4-2-1.4.5-24.24.1.2010.g22717216.rb5.i686.rpm
libevent-1_4-2-64-1.4.5-24.24.1.2010.g22717216.rb7.x86_64.rpm
libexpat1-2.0.1-88.41.1.2001.ga576b641.rb5.i686.rpm
libexpat1-64-2.0.1-88.41.1.2001.ga576b641.rb7.x86_64.rpm
libext2fs2-1.41.9-2.16.1.2049.g13b83782.rb5.i686.rpm
libgcc_s1-5.3.1+r233831-10.1.2152.g5635dbc5.rb3.i686.rpm
libgcc_s1-64-5.3.1+r233831-10.1.2152.g5635dbc5.rb3.x86_64.rpm
libgio-2_0-0-2.22.5-8.26.1.203.g7a1b38b1.rb5.i686.rpm
libglib-2_0-0-2.22.5-8.26.1.203.g7a1b38b1.rb5.i686.rpm
libglib-2_0-0-64-2.22.5-8.26.1.203.g7a1b38b1.rb7.x86_64.rpm
libgmime-2_4-2-2.4.26-12.g07a73c4.rb5.i686.rpm
libgmime-64-2_4-2-2.4.26-12.g07a73c4.rb9.x86_64.rpm
libgmodule-2_0-0-2.22.5-8.26.1.203.g7a1b38b1.rb5.i686.rpm
libgmodule-2_0-0-64-2.22.5-8.26.1.203.g7a1b38b1.rb7.x86_64.rpm
libgobject-2_0-0-2.22.5-8.26.1.203.g7a1b38b1.rb5.i686.rpm
libgobject-2_0-0-64-2.22.5-8.26.1.203.g7a1b38b1.rb7.x86_64.rpm
libgomp1-5.3.1+r233831-10.1.2152.g5635dbc5.rb3.i686.rpm
libgthread-2_0-0-2.22.5-8.26.1.203.g7a1b38b1.rb5.i686.rpm
libgthread-2_0-0-64-2.22.5-8.26.1.203.g7a1b38b1.rb7.x86_64.rpm
libidn-1.10-6.1.2148.g2d88120c.rb5.i686.rpm
libidn-64-1.10-6.1.2148.g2d88120c.rb5.x86_64.rpm
libldap-2_4-2-2.4.26-0.65.2.2110.geba96fdd.rb5.i686.rpm
libldap-2_4-2-64-2.4.26-0.65.2.2110.geba96fdd.rb15.x86_64.rpm
libmnl-1.0.3-2.gfab3ee1.rb5.i686.rpm
libmnl-64-1.0.3-2.gfab3ee1.rb9.x86_64.rpm
libnavlextensions-9.70-7.g3fa0c28.rb5.i686.rpm
libnavlextensions-64-9.70-7.g3fa0c28.rb9.x86_64.rpm
libnetfilter_conntrack-1.0.4-39.g5731e43.rb5.i686.rpm
libnetfilter_conntrack-64-1.0.4-39.g5731e43.rb9.x86_64.rpm
libnetfilter_queue1-1.0.2-6.g03d5254.rb5.i686.rpm
libnetfilter_queue1-64-1.0.2-6.g03d5254.rb9.x86_64.rpm
libnfnetlink-1.0.1-1.g290684d.rb5.i686.rpm
libnfnetlink-64-1.0.1-1.g290684d.rb9.x86_64.rpm
libnl-3.2.24-1.7.g2b466ad.rb5.i686.rpm
libopenssl1_0_0-1.0.2j-4.1.0.423181501.gd78e950d.rb5.i686.rpm
libopenssl1_0_0-64-1.0.2j-4.1.0.423181501.gd78e950d.rb5.x86_64.rpm
libopenssl1_0_0_httpproxy-1.0.2j-4.1.0.423181501.gd78e950d.rb5.i686.rpm
libpcap1-1.0.0-5.2.2754.gb46aae0f.rb5.i686.rpm
libpcap1-64-1.0.0-5.2.2754.gb46aae0f.rb7.x86_64.rpm
libpcre2-8-0-10.40-0.432800910.gd57005e.rb1.i686.rpm
libsaviglue-9.70-46.g2a291fd.rb6.i686.rpm
libsaviglue-64-9.70-46.g2a291fd.rb16.x86_64.rpm
libsqlite3-0-3.7.6.3-1.4.6.1.1996.gc3f1cd38.rb5.i686.rpm
libsqlite3-0-64-3.7.6.3-1.4.6.1.1996.gc3f1cd38.rb7.x86_64.rpm
libstdc++6-5.3.1+r233831-10.1.2152.g5635dbc5.rb3.i686.rpm
libstdc++6-64-5.3.1+r233831-10.1.2152.g5635dbc5.rb3.x86_64.rpm
libtscontrol-4.3.3-0.419727633.gb6f3097.rb5.i686.rpm
libtscontrol-64-2.5.1-0.419727633.gb6f3097.rb9.x86_64.rpm
libucl-0.7.3-0.420232221.g1a535c5.rb5.i686.rpm
libuuid1-2.19.1-6.72.1.1928.g9d8c7f8d.rb5.i686.rpm
libuuid1-64-2.19.1-6.72.1.1928.g9d8c7f8d.rb7.x86_64.rpm
libuv-1.8.0-0.420232132.g7d240c8a.rb5.i686.rpm
libxml2-2.7.6-0.64.1.2075.g274cd23b.rb5.i686.rpm
libxml2-64-2.7.6-0.64.1.2075.g274cd23b.rb5.x86_64.rpm
app-accuracy-client-9.70-2.ge9688a8.rb5.noarch.rpm
attr-2.4.43-1.18.2987.g8a7ac8d9.rb5.i686.rpm
bzip2-1.0.5-34.256.8.77.g6b5f3d94.rb6.i686.rpm
curl-7.19.7-1.64.1.2138.ge9bd53c0.rb5.i686.rpm
cyrus-sasl-2.1.22-182.23.1.2139.g47a2532d.rb5.i686.rpm
cyrus-sasl-64-2.1.22-182.23.1.2139.g47a2532d.rb5.x86_64.rpm
e2fsprogs-1.41.9-2.16.1.2049.g13b83782.rb5.i686.rpm
file-5.15-1001.109.gd30bbb28.rb5.i686.rpm
file-64-5.15-1001.109.gd30bbb28.rb5.x86_64.rpm
freefont-0.20080323-1.17.2451.g66f2562c.rb5.noarch.rpm
glib2-2.22.5-8.26.1.203.g7a1b38b1.rb5.i686.rpm
glib2-64-2.22.5-8.26.1.203.g7a1b38b1.rb7.x86_64.rpm
gmp-4.2.3-10.99.2948.gda2b9d60.rb5.i686.rpm
gmp-64-4.2.3-10.99.2948.gda2b9d60.rb7.x86_64.rpm
google-perftools-64-2.0-1.6.gcb34b39.rb8.x86_64.rpm
google-perftools-64-tcmalloc-2.0-1.6.gcb34b39.rb8.x86_64.rpm
google-perftools-tcmalloc-2.0-1.6.gcb34b39.rb5.i686.rpm
grub-0.97-162.172.1.2113.gf9923381.rb5.i686.rpm
irqd-0.7.0-1.0.426013820.gebebeee.rb5.i686.rpm
keyutils-64-libs-1.2-107.29.4.2175.gc1b3da88.rb7.x86_64.rpm
keyutils-libs-1.2-107.29.4.2175.gc1b3da88.rb5.i686.rpm
krb5-1.6.3-133.49.68.1.6.ge6a7bc3.rb6.i686.rpm
krb5-64-1.6.3-133.49.68.1.6.ge6a7bc3.rb12.x86_64.rpm
krb5-client-1.6.3-133.49.68.1.6.ge6a7bc3.rb6.i686.rpm
login-3.41-0.4.2.2373.g3b7ae5d1.rb5.i686.rpm
oculusd-1.0.0-0.431025110.g11711f7.i686.rpm
oculusd-64-1.0.0-0.431025110.g11711f7.rb3.x86_64.rpm
oculusd-dlz_oculus-1.0.0-0.431025110.g11711f7.i686.rpm
openldap2-client-2.4.26-0.65.2.2110.geba96fdd.rb5.i686.rpm
openssl-1.0.2j-4.1.0.423181501.gd78e950d.rb5.i686.rpm
openssl-64-1.0.2j-4.1.0.423181501.gd78e950d.rb5.x86_64.rpm
p0f-3.07b-20.gda7c7e3.rb2.i686.rpm
pcre-7.8-2.18.2984.ga375f832.rb5.i686.rpm
pcre-64-7.8-2.18.2984.ga375f832.rb5.x86_64.rpm
perl-Test-Simple-0.98-1.971.g7226cf3.rb5.noarch.rpm
rrdtool-1.4.8-1030.ga9c65a6d.rb2.i686.rpm
samba-4.6.8-5.ge57a58c.rb1.i686.rpm
sqlite3-3.7.6.3-1.4.6.1.1996.gc3f1cd38.rb5.i686.rpm
tokyocabinet-1.4.48-0.420232257.g69fa4be.rb5.i686.rpm
tokyocabinet-64-1.4.48-0.420232257.g69fa4be.rb9.x86_64.rpm
tools-9.70-37.g36a8ed3.rb5.i686.rpm
tools-64-9.70-37.g36a8ed3.rb5.x86_64.rpm
uriparser-0.8.4-0.418859849.gcc9afc5.rb5.i686.rpm
uriparser-64-0.8.4-0.418859849.gcc9afc5.rb9.x86_64.rpm
util-linux-2.19.1-6.72.1.1928.g9d8c7f8d.rb5.i686.rpm
vim-7.2-8.17.1.2063.g5e8137e6.rb5.i686.rpm
vineyard-plugin-4-85.gfed83b0.rb5.i686.rpm
vineyard-plugin-64-4-85.gfed83b0.rb6.x86_64.rpm
vineyard-plugin-64-tib-4-85.gfed83b0.rb6.x86_64.rpm
vineyard-plugin-tib-4-85.gfed83b0.rb5.i686.rpm
xorg-x11-libxkbfile-7.4-1.14.2820.ge2e0b2cf.rb5.i686.rpm
ep-confd-9.70-933.gbf28f9e66.rb7.i686.rpm
ep-confd-tools-9.70-890.g259cddf70.rb15.i686.rpm
ep-cssd-9.70-24.gae93503.rb1.i686.rpm
ep-cssd-64-9.70-24.gae93503.rb2.x86_64.rpm
ep-hotspot-web-9.70-1.g1bc5be2.rb12.i686.rpm
ep-mdw-9.70-872.g3e4ac21b.rb5.i686.rpm
ep-sandboxd-9.70-74.g95e67cf.rb7.i686.rpm
ep-sandboxd-64-9.70-74.g95e67cf.rb9.x86_64.rpm
ep-sandboxd-perl-helpers-9.70-74.g95e67cf.rb7.i686.rpm
ep-screenmgr-9.70-4.g45070e0.rb11.i686.rpm
ep-up2date-9.70-46.g230bec0.rb3.i686.rpm
ep-up2date-downloader-9.70-46.g230bec0.rb3.i686.rpm
ep-up2date-pattern-install-9.70-46.g230bec0.rb3.i686.rpm
ep-up2date-system-install-9.70-46.g230bec0.rb3.i686.rpm
ep-webadmin-9.70-842.gdfc8c5346.rb11.i686.rpm
ep-webadmin-contentmanager-9.70-66.gfdab308.rb9.i686.rpm
u2d-appctrl43-64-9-10.x86_64.rpm
u2d-avira4-64-9-361.x86_64.rpm
ep-chroot-afc-9.70-4.g014e49b.rb5.noarch.rpm
ep-chroot-smtp-9.70-93.gfaad2c0.rb5.i686.rpm
chroot-afc-9.70-14.ge406839.rb3.i686.rpm
chroot-afc-64-9.70-14.ge406839.rb3.x86_64.rpm
chroot-bind-9.11.3-0.426017970.g1fe6c66.rb5.i686.rpm
chroot-smtp-9.70-73.g3480df2d.rb5.i686.rpm
ep-httpproxy-9.70-328.g0f2a61aa.rb2.i686.rpm
ep-httpproxy-64-9.70-328.g0f2a61aa.rb2.x86_64.rpm
ep-httpproxy-perl-helpers-9.70-328.g0f2a61aa.rb2.i686.rpm
ep-httpproxy-user-account-9.70-328.g0f2a61aa.rb2.noarch.rpm
ep-release-9.713-19.noarch.rpm

Active Directory: Changing default OU for new USERS and COMPUTERS


By default, new users are created in the "Users" container and new computers in the "Computers" container. These are only the defaults, and you may want something different, e.g. with Azure AD hybrid join and Autopilot or Intune: when new computers are domain joined you want them to land in a specific synced OU instead (which is also where your group policies can be linked, since the default containers cannot have GPOs linked to them):

To see the default locations in use today, type this into PowerShell:

Computers:

Get-ADDomain | select computerscont*

Users:

Get-ADDomain | select userscont*

How to change:

Computers:

redircmp "OU=Autopilot Domain Join,DC=domain,DC=local"

Users:

redirusr "OU=Users,OU=Microsoft365,DC=domain,DC=local"

That’s it! – Effective immediately 🙂
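As an added example (not code from the original post), the script below wraps the same redircmp/redirusr change with the checks a practitioner would want: it verifies the domain functional level, refuses to redirect to anything that is not an existing OU, re-reads Get-ADDomain afterwards, and finally shows the wellKnownObjects attribute where the setting actually lives. It assumes the RSAT ActiveDirectory module, a session running as Domain Admin, and that the two OU DNs are placeholders for your own OUs.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module, a session running as Domain Admin, and that the two OU DNs below are
# placeholders for your own OUs.
Import-Module ActiveDirectory

function Test-RedirectPrerequisites {
    # redircmp/redirusr require at least the Windows Server 2003 domain functional level.
    $domain = Get-ADDomain
    if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
        throw "Domain functional level $($domain.DomainMode) does not support container redirection."
    }
    $domain
}

function Set-DefaultContainer {
    param(
        [Parameter(Mandatory)][ValidateSet('Computers', 'Users')][string]$Kind,
        [Parameter(Mandatory)][string]$TargetOU
    )
    # Refuse to redirect to anything that is not an existing organizationalUnit.
    $target = Get-ADObject -Identity $TargetOU -ErrorAction Stop
    if ($target.ObjectClass -ne 'organizationalUnit') {
        throw "$TargetOU is a $($target.ObjectClass), not an organizationalUnit."
    }

    $tool = if ($Kind -eq 'Computers') { 'redircmp.exe' } else { 'redirusr.exe' }
    & $tool $TargetOU
    if ($LASTEXITCODE -ne 0) { throw "$tool failed with exit code $LASTEXITCODE" }

    # Re-read the domain object. The value is effective immediately, but if this
    # session talks to a different DC than the tool did, replication may lag.
    $domain  = Get-ADDomain
    $current = if ($Kind -eq 'Computers') { $domain.ComputersContainer } else { $domain.UsersContainer }
    if ($current -ne $TargetOU) {
        Write-Warning "Current $Kind container still reads '$current'; re-check after replication."
    }
    $current
}

$before = Test-RedirectPrerequisites
"Before: computers -> $($before.ComputersContainer); users -> $($before.UsersContainer)"

Set-DefaultContainer -Kind Computers -TargetOU 'OU=Autopilot Domain Join,DC=domain,DC=local'
Set-DefaultContainer -Kind Users     -TargetOU 'OU=Users,OU=Microsoft365,DC=domain,DC=local'

# The values live in the wellKnownObjects attribute of the domain naming context,
# which is what the MS-ADTS link below documents.
(Get-ADObject -Identity $before.DistinguishedName -Properties wellKnownObjects).wellKnownObjects
```

One thing to keep in mind: everything created without an explicit OU path now lands in the redirected OU, including computer accounts created by ordinary users under the default ms-DS-MachineAccountQuota, so review the GPOs and delegation on the target OU before switching.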

[MS-ADTS]: Well-Known Objects | Microsoft Learn

vSphere 8: vCenter 7 to vCenter 8 upgrade fails: Timeout Analytics data


When running the vCenter Server 8 Upgrade, you may see this:

“Upgrade phase timed out. The time planned for the upgrade phase was 60 minutes. The upgrade phase has already been running for 60 minutes.”

It happens during the migration of the vCenter Analytics data; my server had over 40000 files, so I ran this script:

VMware vCenter Analytics Service is restarting often with out of memory errors and vSphere Skyline Health is unable to connect with “Unable to query vSphere health information error” (85116)

And the result:

After this, the migration succeeded without any other error 🙂

Thanks to Jorge for pointing it out: VMware: Upgrade vCenter 7.0.3 to 8.0, stucks at 39% – Exporting VMware Analytics Service data – FIXED – The Blog of Jorge de la Cruz

Sophos Firewall OS v19 MR2 is Now Available


Sophos has released MR2 for SFOS v19; the MR2 for v19.5 will come later on:

 

Release notes:

Sophos Firewall OS v19 MR2 is Now Available

While many organizations have already upgraded to Sophos Firewall OS v19.5 to take advantage of all the great Xstream SD-WAN, FastPath Acceleration of TLS, High availability (HA) enhancements and quality-of-life improvements, we know many of you are possibly waiting for the first maintenance release for v19.5 before jumping in. Our team is hard at work on the first MR for v19.5, but in the meantime, we’ve released a nice update for v19 with MR2.

This latest update, v19 MR2, brings a number of additional enhancements and fixes to what is already one of our best firewall updates ever:

What’s New in SFOS v19 MR2:

  • Xstream SD-WAN enhancements –
    • Supports 4x more SD-WAN profiles for scaled deployment
    • Improved Gateway manageability – gateway can be now filtered based on status, IP, interface, and health check
    • Search for SD-WAN profile by name on the diagnostic screen
  • IPsec VPN enhancements –
    • Improved security heartbeat selection in remote access IPsec VPN
    • Supports disabling anti-replay protection of IPsec VPN for specific use cases
  • Email protection – Enhanced spam catch rate with SASI, now offers bulk email handling configurations for the MTA mode
  • SD-RED – Display and email the RED unlock code for deleted RED devices to easily manage them again
  • Zero-day protection – Intelix can now request submission of samples above the previous built-in limit of 10MB
  • Additional Fixes – Includes 100+ additional performance, stability and security fixes

Check out the v19 MR2 release notes for full details.

How to Get it:

The release of v19 MR2 follows our regular firmware release process so you can download it now from MySophos or wait until it appears in your console over the next few weeks.

Sophos Firewall OS v19 MR2 is a fully supported upgrade from all previous versions of v19 and v18.5 including the latest v18.5 MR5. Please refer to the Upgrade information tab in the release notes for more details.

 

Source: Sophos Firewall OS v19 MR2 is Now Available – Release Notes & News – Sophos Firewall – Sophos Community


Sophos Firewall OS v19.5 MR1 is Now Available


Just soft-released, here are the release notes:

Now there is support for the new 5G expansion module for the desktop models!


We are pleased to announce that Sophos Firewall OS v19.5 MR1 is now released.  This update to Sophos Firewall brings support for some exciting new hardware products plus a few feature enhancements and bug fixes.

What’s New in SFOS v19.5 MR1

Support for New XGS 7500 and XGS 8500 appliances

We’re broadening our XGS Series hardware portfolio to include two new 2U appliances. This allows us to address new opportunities in larger enterprise and campus environments, in addition to the existing SMB and distributed edge space.

These models are built from the core to provide the performance required for the most demanding networks:

  • Dual processor architecture with enterprise-grade acceleration for trusted traffic and applications
  • Up to 47% higher throughput for all key protection vs. next highest model (XGS 6500):
    • Up to 190 Gbps Firewall throughput
    • Up to 141 Gbps IPsec VPN throughput
    • Up to 93 Gbps IPS throughput
    • Up to 76 Gbps NGFW throughput
    • Up to 34 Gbps Threat Protection throughput
  • Industry-leading ROI per Protected Mbps vs. comparable competitive models
  • High performance, high capacity with dual redundant Non-Volatile Memory express (NVMe) SSDs and a significant RAM increase over our other 2U models.
  • High speed built-in connectivity with two QSFP28 ports on each model supporting ports speeds of up to 40 Gbps on the XGS 7500 and 100 Gbps on the XGS 8500.
  • Up to 2x better power efficiency than the industry average for comparable models in combination with IPsec VPN.

 

The updated web pages will be published later today: sophos.com/compare-xgs. Further information on hardware availability will be provided via the Partner News blog from February 16, 2023.

 

Support for New 5G Module for XGS 116(w), 126(w), 136(w)

We’re introducing a 5G cellular module for all XGS 116, 126, and 136 models (including w-models) which have a modular expansion bay.

The new global module enables 5G cellular network connections using the 5G Sub-6 bands, with download speeds of up to 4.5 Gbps and upload speeds of up to 660 Mbps (this may vary by carrier and region). The module also provides automatic fallback to 3G and 4G LTE (Cat-20) networks.

Our optional slot-in module becomes a fully supported, fully integrated part of the appliance, managed from your firewall console. This provides significantly better compatibility and interoperability than competitive external solutions.

We deliver the module with four cable-connected antennas to allow optimal coverage and performance.

Further technical details are available in this Knowledgebase article.

Other Enhancements and Bug fixes

  • Xstream SD-WAN – Enhancements to SD-WAN rule management. Clone SD-WAN rules above or below, move to nth position, create at top or bottom.
  • Backup Management – Firmware version is now included to the name of the backup file for improved identification.
  • Firmware upgrade – A warning message has been added to alert to the risk of a factory reset when upgrading to a firmware version for which migration is not supported.
  • Includes 30+ important issues, stability and security fixes

Check out the v19.5 MR1 release notes for full details.

 

How to get the Firmware and Documentation

Sophos Firewall OS v19.5 MR1 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible to ensure that you have all the latest security fixes and feature updates.

This firmware release will follow our standard update process.  You can manually download SFOS v19.5 MR1 from the Licensing Portal and update anytime. Otherwise, it will be rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall OS v19.5 MR1 is a fully supported upgrade from all previous versions of v19.5, all previous versions of v19.0 including the latest v19.0 MR2 and all previous versions of v18.5 including the latest v18.5 MR5. Please refer to the Upgrade Information tab in the release notes for more details.

Full product documentation is available online and within the product.

Active Directory: Lose the old home folder setting


When decommissioning the home folders in Active Directory, e.g. because of a SharePoint / OneDrive migration, you can use this one-liner to remove all the old mappings (it only clears the attribute in AD; the folders on the file server are untouched):

Get-ADUser -Filter { HomeDirectory -like '*' } -SearchBase 'OU=Ou,DC=domain,DC=com' | Set-ADUser -Clear HomeDirectory -Verbose
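As an added example (not code from the original post), the version below does the same clean-up but first exports the current values to a CSV, supports -WhatIf so you can see who would be touched, also clears the matching HomeDrive letter where one is set (an assumption; the post only clears HomeDirectory), and verifies that nothing is left afterwards. It assumes the RSAT ActiveDirectory module, rights to modify the users, and that the search base and CSV path are placeholders.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module, rights to modify the users, and placeholder search base / CSV path.
Import-Module ActiveDirectory

function Get-HomeFolderUsers {
    param([Parameter(Mandatory)][string]$SearchBase)
    # HomeDrive is the drive letter that goes with HomeDirectory (assumption: clear both).
    Get-ADUser -Filter { HomeDirectory -like '*' } -SearchBase $SearchBase `
               -Properties HomeDirectory, HomeDrive
}

function Clear-HomeFolderMappings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$BackupCsv
    )
    $users = @(Get-HomeFolderUsers -SearchBase $SearchBase)
    if ($users.Count -eq 0) { Write-Verbose 'No users with a home folder left.'; return 0 }

    # Backup first: the attribute values are gone once -Clear has run.
    $users | Select-Object SamAccountName, DistinguishedName, HomeDirectory, HomeDrive |
        Export-Csv -LiteralPath $BackupCsv -NoTypeInformation -Encoding UTF8

    $cleared = 0
    foreach ($u in $users) {
        # Only clear attributes that are actually set on this user.
        $attrs = @('HomeDirectory')
        if ($u.HomeDrive) { $attrs += 'HomeDrive' }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Clear $($attrs -join ', ') ($($u.HomeDirectory))")) {
            Set-ADUser -Identity $u -Clear $attrs
            $cleared++
        }
    }
    $cleared
}

$ou  = 'OU=Ou,DC=domain,DC=com'
$csv = 'C:\Temp\homefolders-before.csv'

# Dry run first, then the real thing, then verify nothing is left.
Clear-HomeFolderMappings -SearchBase $ou -BackupCsv $csv -WhatIf
$n    = Clear-HomeFolderMappings -SearchBase $ou -BackupCsv $csv -Verbose
$left = @(Get-HomeFolderUsers -SearchBase $ou).Count
"Cleared $n users, $left still have a home folder"
```

The CSV is what lets you put a mapping back for the one user who turns out to still need it; keep it until the file server itself is gone.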

So you come from this:

To This:

 

Source: [SOLVED] Powershell Removing all home directory mappings (spiceworks.com)

Sophos UTM Up2Date 9.715-003 released


Sophos has released a new update for Sophos UTM today. It's already GA so you should find it ready in your appliance 🙂

Release notes:

Up2Date 9.715003 package description:

Remarks:
System will be rebooted
Configuration will be upgraded

News:
Maintenance Release

Bugfixes:
Fix [NUTM-14015]: [AWS, Basesystem] Unable to upgrade to 9.713-19 from 9.712-13 on AWS – BOOT issue
Fix [NUTM-14049]: [AWS] PAYG License Expires When IMDSv2 is Enabled
Fix [NUTM-13488]: [Basesystem] Address vulnerability in GNU tar – CVE-2021-20193
Fix [NUTM-13490]: [Basesystem] Address vulnerabilities in Zlib – CVE-2018-25032, CVE-2022-37434
Fix [NUTM-13770]: [Basesystem] RESTful API authentication – Autocomplete attribute not set on password field
Fix [NUTM-13906]: [Basesystem] Address DHCP Vulnerabilities – CVE-2022-2928, CVE-2022-2929
Fix [NUTM-13908]: [Basesystem] IPsec doesn’t re-connect on DHCP interface after firmware upgrade to 9.712
Fix [NUTM-14016]: [RED] All RED connections drop and reconnect after RED server core dump
Fix [NUTM-13656]: [Sandstorm] Excessive Sandbox database error messages in system.log
Fix [NUTM-13898]: [Wireless] Address Local WiFi driver vulnerabilities – CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722

RPM packages contained:
libksba-1.0.4-1.25.1.2194.ga20f8ffc.rb4.i686.rpm
libsaviglue-9.70-48.gd1f4c3c.rb5.i686.rpm
libsaviglue-64-9.70-48.gd1f4c3c.rb5.x86_64.rpm
oculusd-1.0.0-0.432775799.g0be4678.rb3.i686.rpm
oculusd-64-1.0.0-0.432775799.g0be4678.rb3.x86_64.rpm
oculusd-dlz_oculus-1.0.0-0.432775799.g0be4678.rb3.i686.rpm
perf-tools-3.12.74-0.434058663.g1ba2494.rb4.i686.rpm
tar-1.26-1.2.13.1.1989.gaec2a3fd.rb4.i686.rpm
zlib-1.2.8-961.g82c11108.rb4.i686.rpm
zlib-64-1.2.8-961.g82c11108.rb4.x86_64.rpm
ep-branding-ASG-afg-9.70-52.gb476cf8.rb3.noarch.rpm
ep-branding-ASG-ang-9.70-52.gb476cf8.rb3.noarch.rpm
ep-branding-ASG-asg-9.70-52.gb476cf8.rb3.noarch.rpm
ep-branding-ASG-atg-9.70-52.gb476cf8.rb3.noarch.rpm
ep-branding-ASG-aug-9.70-52.gb476cf8.rb3.noarch.rpm
ep-confd-9.70-956.g769453159.rb7.i686.rpm
ep-cssd-9.70-26.g3638cd0.rb4.i686.rpm
ep-cssd-64-9.70-26.g3638cd0.rb4.x86_64.rpm
ep-hotspot-web-9.70-2.g568bb12.rb3.i686.rpm
ep-mdw-9.70-880.gd713d4ad.rb7.i686.rpm
ep-red-9.70-64.g9b7422a.rb3.i686.rpm
ep-restd-9.70-16.gae53d6a.rb3.i686.rpm
ep-sandboxd-9.70-93.ge1ef722.rb4.i686.rpm
ep-sandboxd-64-9.70-93.ge1ef722.rb4.x86_64.rpm
ep-sandboxd-perl-helpers-9.70-93.ge1ef722.rb4.i686.rpm
ep-webadmin-9.70-854.geed7d057c.rb5.i686.rpm
ep-cloud-ec2-9.70-10.g781cda6.rb3.i686.rpm
chroot-afc-9.70-16.gd0f4a68.rb3.i686.rpm
chroot-afc-64-9.70-16.gd0f4a68.rb3.x86_64.rpm
chroot-bind-9.11.3-0.434677350.g67d6840.rb3.i686.rpm
dhcp-chroot-client-4.4.1-4.g7aea2a5.rb3.i686.rpm
dhcp-chroot-server-4.4.1-4.g7aea2a5.rb3.i686.rpm
ep-httpproxy-9.70-351.gb6db1f3a.rb5.i686.rpm
ep-httpproxy-64-9.70-351.gb6db1f3a.rb5.x86_64.rpm
ep-httpproxy-perl-helpers-9.70-351.gb6db1f3a.rb5.i686.rpm
ep-httpproxy-user-account-9.70-351.gb6db1f3a.rb5.noarch.rpm
kernel-smp-3.12.74-0.434058663.g1ba2494.rb4.i686.rpm
kernel-smp64-3.12.74-0.434058663.g1ba2494.rb7.x86_64.rpm
ep-release-9.715-3.noarch.rpm

Sophos Firewall OS v19.5 MR2 is Now Available


Sophos has released MR2 for v19.5 today; it hardens the webadmin interface for those who allow <ANY> (all WAN sources) access:

 

Release notes:

The adoption rate of our new Sophos Firewall v19.5 firmware continues to be our fastest ever, with nearly half of the install base already running the latest major release, 19.5.

We are pleased to announce the availability of our second major maintenance update to v19.5 with this release.

What’s New in SFOS v19.5 MR2

Important Security and Hardening Enhancements

With this release, we are implementing two security enhancements that help harden your firewall and follow industry best-practices for the protection of your firewall from attacks.

Web Admin access for specific IPs:

  • We strongly recommend disabling web admin console access from all WAN sources (the Internet) to reduce the potential for a brute force or reconnaissance attack. Instead, we suggest that remote management of your firewalls be performed through Sophos Central which is free for all customers.
  • However, if you absolutely need to provide WAN access to the web admin console, v19.5 MR2 enforces WAN access from specific IP addresses and networks using an ACL exception rule (Administration > Device access > Local service ACL exception rule). It will no longer be possible to enable web admin console access from all WAN sources.
  • There is no impact for existing deployments: Web admin access if already enabled from all WAN sources continues to work even after you upgrade onto v19.5 MR2 except if it is no longer being used (see next point). However, as mentioned above, we strongly encourage you to disable this or at least use the new ACL exception rule to improve your security posture.

Web Admin or User Portal Access from all WAN sources (Internet) disabled after 90 consecutive days of inactivity:

  • Many customers have setup WAN access to the web admin console and/or User Portal long ago, do not use it, and have forgotten about it, leaving their firewalls potentially exposed to a brute force or reconnaissance attacks from the Internet.
  • 19.5 MR2 will automatically disable web admin and/or user portal access from the internet (all WAN sources) after 90 consecutive days of inactivity.
  • Access configured using the new ACL exception rule will NOT be disabled even after 90 days of inactivity.
  • There is no impact for existing deployments with active usage. If you have Web admin or User portal access enabled from all WAN sources, access to these portals will remain unaffected as long as there is activity at least every 90 days.

Be sure to check out our recent article on Best Practices for Securing Your Firewall

New How-To Guides

  • Routing and NAT configuration for IPsec: New how-to tutorials are linked directly from the relevant section of the product to help with IPsec deployments including use cases such as system generated DHCP relay traffic, authentication traffic, and traffic to a host through existing IPsec tunnel.

Other Enhancements:

  • Dynamic Routing: Now supports up to 4K multicast groups for added scalability in the dynamic routing deployments.  This eliminates any issues related to dynamic routing failing to join multicast groups.
  • SD-RED: A new banner is added to notify admins about the approaching EoL (End-of-Life) for legacy RED 15(w) and RED 50 devices.  Customers should upgrade their RED devices to the latest models with higher performance and improved connectivity.

 

Check out the v19.5 MR2 release notes for full details.

Sophos UTM Up2date 9.715-4 released


Release notes:

Due to an issue that was discovered in the early stages of the original release of 9.7 MR15, we are re-releasing it with a fix as 9.715-4. The release will be rolled out in phases:

The issue found in version 9.715 affected a small number of UTMs running in HA configuration with multiple WAN links, some of which do not start up quickly, and a large number of IPSec tunnels.

  • NUTM-14133 [Cluster, HA] After upgrading from 9.714-4 to 9.715-3 HA breaks

Details of this release, along with previous releases, can be found on our official release notes page.

Sophos Firewall OS v19.5 MR3 is Now Available

Sophos has released the new v19.5 MR3!

We have seen quite a few customers with crashing firmware, where the power needs to be re-plugged, so we certainly look forward to this update making the devices more stable!

There is also a new SSD firmware package for the 1U devices!

Here are the release notes:

Sophos Firewall OS v19.5 MR3 is Now Available – Release Notes & News – Sophos Firewall – Sophos Community

Sophos Firewall: v19.5 MR3: Feedback and experiences – Discussions – Sophos Firewall – Sophos Community

Sophos UTM Up2date 9.716 released

Sophos has released 9.716 for their UTM, here are the release notes:

UTM Up2date 9.716 released – Release Notes & News – UTM Firewall – Sophos Community

After install, which looks stable, we get the following info on what has been upgraded:

Up2Date 9.716002 package description:

Remarks:
System will be rebooted
Configuration will be upgraded

News:
Maintenance Release

Bugfixes:
Fix [NUTM-13537]: [Basesystem] VLAN interfaces on a RED interface will be deactivated if the RED interface is disabled and then enabled
Fix [NUTM-13689]: [Basesystem] Upgrade Apache to 2.4.56 to address numerous vulnerabilities
Fix [NUTM-14038]: [Basesystem] Address OpenSSL Vulnerabilities (CVE-2023-0286, CVE-2023-0215)
Fix [NUTM-14051]: [Basesystem] Upgrade Postgres to 9.2.24 to address numerous vulnerabilities
Fix [NUTM-14089]: [Basesystem] High CPU usage by rrdtool due to DST
Fix [NUTM-14139]: [Basesystem] Mexico Time zone still switches to DST
Fix [NUTM-13882]: [Email] Randomly getting error and can’t download the emails from Mail Manager
Fix [NUTM-14039]: [Email] Potential denial of service vulnerability in email service: CVE-2002-20001 and CVE-2022-40735
Fix [NUTM-14107]: [Email] SPX Announcement Email w/o Message-ID Header
Fix [NUTM-14172]: [Email] Potential denial of service vulnerability in SPX portal and Webadmin: CVE-2002-20001 and CVE-2022-40735
Fix [NUTM-14217]: [UI Framework] WebAdmin Post-auth Command Injection (CVE-2023-3367)
Fix [NUTM-14134]: [WAF] Potential denial of service vulnerability in Webserver Protection: CVE-2002-20001 and CVE-2022-40735

RPM packages contained:
libapr-util1-1.6.3-0.452200719.g67b5657.rb5.i686.rpm
libapr-util1-64-1.6.3-0.452200719.g67b5657.rb5.x86_64.rpm
libapr1-1.7.4-0.452200750.g614b0d4.rb5.i686.rpm
libapr1-64-1.7.4-0.452200750.g614b0d4.rb5.x86_64.rpm
libopenssl1_0_0-1.0.2j-4.1.0.451415806.ga7e529a4.rb3.i686.rpm
libopenssl1_0_0-64-1.0.2j-4.1.0.451415806.ga7e529a4.rb3.x86_64.rpm
libopenssl1_0_0_httpproxy-1.0.2j-4.1.0.451415806.ga7e529a4.rb3.i686.rpm
libudev0-147-0.110.1.2152.g6efc81d4.rb8.i686.rpm
firmwares-bamboo-9400-0.450518779.ge525b6f.rb2.i586.rpm
modauthnzaua-9.70-270.gcb78b67.rb125.i686.rpm
modauthzblacklist-9.70-372.gefe2089.rb31.i686.rpm
modavscan-9.70-387.g4b59fec.rb11.i686.rpm
modcookie-9.70-377.g63c8b0f.rb24.i686.rpm
modcustomblockpage-9.70-279.gbe16bc0.rb97.i686.rpm
modfirehose-2.5_SVNr1309567-14.g4ab2622.rb124.i686.rpm
modformhardening-9.70-367.g820d795.rb28.i686.rpm
modpcap-9.70-0.142961807.g994d6f0.rb124.i686.rpm
modproxymsrpc-0.5-121.gc7f8565.rb133.i686.rpm
modreverseauth-9.70-364.g469bdce.rb61.i686.rpm
modsecurity2-2.9.7-0.451411612.g53657e3.rb3.i686.rpm
modsecurity2_beta-2.9.0-460.g62b8fdb.rb128.i686.rpm
modsessionserver-9.70-0.247653793.g4179dcf.rb128.i686.rpm
modurlhardening-9.70-367.g820d795.rb28.i686.rpm
modwafexceptions-9.70-322.gd203205.rb75.i686.rpm
modwhatkilledus-2.01-0.258193062.g46092ac.rb128.i686.rpm
openssl-1.0.2j-4.1.0.451415806.ga7e529a4.rb3.i686.rpm
openssl-64-1.0.2j-4.1.0.451415806.ga7e529a4.rb3.x86_64.rpm
postgresql92-9.2.24-0.443148038.g247f3cd.rb6.i686.rpm
postgresql92-64-9.2.24-0.443148038.g247f3cd.rb6.x86_64.rpm
red-unified-firmwares-9700-0.451377173.g9003adc.rb2.i586.rpm
rrdtool-1.4.8-1183.g20c535b9.rb7.i686.rpm
rubygem-sophos-iaas-1.0.0-1.0.451597817.gda345c6a.rb1.i686.rpm
timezone-2023c-74.74.1.0.447544299.gffea2640.rb6.i686.rpm
udev-147-0.110.1.2152.g6efc81d4.rb8.i686.rpm
ep-confd-9.70-981.g9ed7008a6.i686.rpm
ep-ha-aws-9.70-14.gda345c6a.rb1.noarch.rpm
ep-mdw-9.70-902.g57fa525f.rb7.i686.rpm
ep-notifier-9.70-3.g3db6182.rb2.i686.rpm
ep-sasi-5.1.4-0.449740534.g58c41be.rb4.i686.rpm
ep-webadmin-9.70-855.g389bdb02a.rb6.i686.rpm
ep-webadmin-contentmanager-9.70-67.g14e31b3.rb5.i686.rpm
ep-cloud-ec2-9.70-11.gadd9b85.rb3.i686.rpm
ep-chroot-smtp-9.70-95.g677a076.rb5.i686.rpm
chroot-bind-9.11.3-0.449358503.g997f076.rb4.i686.rpm
chroot-httpd-2.4.56-0.451669677.gd347561.rb6.i686.rpm
chroot-reverseproxy-2.4.57-2.ge1e8bc9.rb2.i686.rpm
ep-chroot-pop3-9.70-11.ga5a2d06.rb3.i686.rpm
ep-httpproxy-9.70-364.g614f787b.rb5.i686.rpm
ep-httpproxy-64-9.70-364.g614f787b.rb5.x86_64.rpm
ep-httpproxy-perl-helpers-9.70-364.g614f787b.rb5.i686.rpm
ep-httpproxy-user-account-9.70-364.g614f787b.rb5.noarch.rpm
ep-release-9.716-2.noarch.rpm


Sophos Firewall v20 Early Access Program (EAP)

Sophos has released the EAP for Sophos Firewall v20 🙂

I have tested it and it has a lot of great new, much-wanted features 🙂

Here are the release notes:


We are pleased to announce that the Early Access Program (EAP) is now underway for the latest and greatest Sophos Firewall OS release. This update to Sophos Firewall brings a number of exciting enhancements and top requested features.


Active Threat Response:

  • Extending Synchronized Security to MDR and XDR provides a direct feed for security analysts to share active threat information with the firewall to enable it to automatically respond to active threats without creating any firewall rules.
  • Dynamic Threat Feeds introduces a new threat feed API framework that is easily extensible. It enables threat intelligence to be shared from Sophos X-Ops team, other Sophos products like MDR and XDR, and ultimately 3rd party threat feeds in the future.
  • Synchronized Security now extends the same Red Heartbeat automated response that Sophos Firewall has always had to MDR/XDR identified threats to ensure compromised hosts are not able to move laterally or communicate out while details including host, user, and process are readily available for follow-up. Synchronized Security has also been enhanced with added scalability and reduced false missing heartbeats for devices that are in a sleep or hibernate state.


Remote Worker Protection and SASE:

  • ZTNA Gateway Integration makes ZTNA deployments even easier by integrating a ZTNA gateway directly into the firewall. This means any organization that needs to provide remote access to applications hosted behind the firewall doesn’t need to deploy a separate gateway on a VM – they can simply take advantage of the gateway integrated into their firewall. When combined with our single-agent deployment on the remote device, ZTNA couldn’t possibly get any easier – it’s literally zero-touch zero-trust.
  • 3rd Party SD-WAN Integration makes it easy to onramp SD-WAN traffic onto Cloudflare, Akamai, or Azure backbone networks to take advantage of their enormous infrastructure, reach, and networking and security services.
  • Sophos DNS Protection is our new cloud-delivered web security service that will be available separately in early access very soon. It provides a new Sophos hosted domain name resolution service (DNS) with compliance and security features that are fully supported by Sophos Firewall. This service provides an added layer of web protection, preventing access to known compromised or malicious domains across all ports, protocols, or applications – both unencrypted and encrypted. More news on this new service coming soon.


Network Scalability and Enhancements:

  • New VPN Portal provides a new containerized, hardened self-service portal for end users to download VPN clients and configuration, auto-provisioning, and clientless VPN bookmarks.
  • IPsec Enhancements include seamless HA failover, tunnel status monitoring via SNMP, unique PSK support for the same local and remote gateway connections, and DH Group 27-30 / RFC6954 support.
  • SSL VPN Enhancements include FQDN (fully qualified domain name) host and group support for both remote access and site-to-site SSL VPN.
  • SD-WAN Scalability increases SD-WAN gateway scalability by 3x to 3072 gateways and the number of SD-WAN profiles to 1024.
  • IPv6 Enhancements include DHCP Prefix Delegation to seamlessly integrate with your ISP and new enhancements to the dynamic routing engine now support BGPv6 for improved IPv6 interoperability.


Quality of Life Enhancements:

  • Interface Enable/Disable delivers a top requested feature to easily disable or enable network interfaces on the firewall without losing any configuration.
  • Object Reference Lookup addresses another top requested feature to find where a given host or service object is used in rules, policies, and routing.
  • Hi-Res Display Support adds increased horizontal scalability to the management console to take advantage of high resolution displays to reduce horizontal scrolling.
  • Auto-Rollback on Failed Firmware Updates reduces any disruption, including high-availability deployments.
  • Backup and Restore now includes the option to restore a backup from a firewall with integrated WiFi to a firewall without.
  • Azure AD SSO for Captive Portal adds support for user authentication on the captive portal using their Azure AD credentials.
  • Azure Group Import and RBAC adds support for a new import assistant for Azure AD groups and automatic promotion for role-based admin changes.


Other Enhancements

  • Web Application Firewall (WAF) Enhancements include geo IP policy enforcement, custom cipher configuration and TLS version settings, as well as improved security with HSTS enforcement as well as X-Content-Type-Options enforcement.
  • Azure Single Arm Deployment Support enables the choice of a smaller instance size to save on infrastructure costs and reduce network and operational complexity.


Get the Full List of What’s New

Download the full What’s New guide for a complete overview of all the great new features and enhancements in v20.


Getting Started

Please visit the SFOS v20 EAP registration page to get started.

Sophos Firewall OS v20 EAP1 is a fully supported upgrade from any previous supported firmware version, including the most recent v19.5 MR3 release.

Once you’re up and running, please provide feedback through your Sophos Firewall’s feedback mechanism (top right of every screen on your Firewall). Also visit our EAP community forums to share your experience with others.

Note: Please do not call Sophos Support for issues related to the EAP. Troubleshooting and support for all EAP versions is handled solely through the online Sophos Community EAP forums.


Sophos UTM 9.717-3 released

Sophos released this new update some weeks ago; it’s a small fix, primarily a CVE fix for Exim:

Release notes:

Up2Date 9.717003 package description:

Remarks:
System will be rebooted
Configuration will be upgraded

News:
Maintenance Release

Bugfixes:
Fix [NUTM-14362]: [Basesystem] Increase granularity of ethernet offload options
Fix [NUTM-14368]: [Email] Exim: libspf2 vulnerability – CVE-2023-42118

RPM packages contained:
libspf2-1.2.10-2.gc596159.rb1.i686.rpm
ep-confd-9.70-985.g1195e5bdf.rb1.i686.rpm
ep-mdw-9.70-906.ga33c437a.i686.rpm
ep-release-9.717-3.noarch.rpm


Community blog:

UTM Up2date 9.7 MR17 (9.717) released – Release Notes & News – UTM Firewall – Sophos Community

Sophos Firewall v20 is now available

Hooray – v20 has been released, with many anticipated features!

I have been running it since the EAP and there were not many bugs to smash! Here is what you need to get going:

RELEASE NOTES: Sophos Firewall v20 is Now Available – Release Notes & News – Sophos Firewall – Sophos Community

Sophos Firewall v20 is Now Available

Sophos Firewall v20 is now available

New innovations and top-requested features

We are extremely pleased to announce that Sophos Firewall v20 is now available with an innovative new active threat response capability, several networking enhancements, added support for securing your remote workforce, and many of your top-requested features.

Sophos Firewall v20 is a free upgrade for all licensed Sophos Firewall customers.

Watch the video below for an overview of what’s new, download the What’s New PDF, or read on for the full details and deep-dive demo videos.

Active Threat Response:

  • Extending Synchronized Security to MDR and XDR provides a direct feed for security analysts to share active threat information with the firewall to enable it to automatically respond to active threats without creating any firewall rules.
  • Dynamic Threat Feeds introduces a new threat feed API framework that is easily extensible. It enables threat intelligence to be shared by the Sophos X-Ops team, other Sophos products like MDR and XDR, and ultimately 3rd party threat feeds in the future.
  • Synchronized Security now extends the same Red Heartbeat, automated response that Sophos Firewall has always had, to MDR/XDR identified threats, to ensure compromised hosts are not able to move laterally or communicate out while details including host, user, and process are readily available for follow-up. Synchronized Security has also been enhanced with added scalability and reduced false missing heartbeats for devices that are in a sleep or hibernate state.


Watch the Active Threat Response demo video.

Remote Worker Protection and SASE:

  • ZTNA Gateway Integration makes ZTNA deployments even easier by integrating a ZTNA gateway directly into the firewall. This means any organization that needs to provide remote access to applications hosted behind the firewall doesn’t need to deploy a separate gateway on a VM – they can simply take advantage of the gateway integrated into their firewall. When combined with our single-agent deployment on the remote device, ZTNA couldn’t possibly get any easier – it’s literally zero-touch zero-trust.
  • 3rd Party SD-WAN Integration makes it easy to onramp SD-WAN traffic onto Cloudflare, Akamai, or Azure backbone networks to take advantage of their enormous infrastructure, reach, and networking and security services.
  • Sophos DNS Protection is our new cloud-delivered web security service that will be available separately in early access very soon. It provides a new Sophos hosted domain name resolution service (DNS) with compliance and security features that are fully supported by Sophos Firewall. This service provides an added layer of web protection, preventing access to known compromised or malicious domains across all ports, protocols, or applications – both unencrypted and encrypted. More news on this new service coming soon.

Network Scalability and Resiliency Enhancements:

  • New VPN Portal provides a new containerized, hardened self-service portal for end users to download VPN clients and configuration, auto-provisioning, and clientless VPN bookmarks.
  • IPsec Enhancements include seamless HA failover, tunnel status monitoring via SNMP, unique PSK support for the same local and remote gateway connections, and DH Group 27-30 / RFC6954 support.
  • SSL VPN Enhancements include FQDN (fully qualified domain name) host and group support for both remote access and site-to-site SSL VPN.
  • SD-WAN Scalability increases SD-WAN gateway scalability by 3x to 3072 gateways and the number of SD-WAN profiles to 1024.
  • IPv6 Enhancements include DHCP Prefix Delegation to seamlessly integrate with your ISP and new enhancements to the dynamic routing engine now support BGPv6 for improved IPv6 interoperability.

Watch a video overview of the VPN Enhancements or the IPv6 BGPv6 and DHCP Prefix Delegation capabilities.

Streamlined Management:

  • Interface Enable/Disable delivers a top-requested feature to easily disable or enable network interfaces on the firewall without losing any configuration.
  • Object Reference Lookup addresses another top-requested feature to find where a given host or service object is used in rules, policies, and routing.
  • Hi-Res Display Support adds increased horizontal scalability to the management console to take advantage of high-resolution displays to reduce horizontal scrolling.
  • Auto-rollback on Failed Firmware Updates reduces any disruption, including high-availability deployments.
  • Backup and Restore now includes the option to restore a backup from a firewall with integrated Wi-Fi to a firewall without Wi-Fi.
  • Azure AD SSO for Captive Portal adds support for user authentication on the captive portal using their Azure AD credentials.
  • Azure Group Import and RBAC add support for a new import assistant for Azure AD groups and automatic promotion for role-based admin changes.

Watch videos covering the new Management features and Quality of Life Enhancements and Azure AD capabilities.

Other Enhancements

  • Web Application Firewall (WAF) Enhancements include geo IP policy enforcement, custom cipher configuration, and TLS version settings, as well as improved security with HSTS enforcement as well as X-Content-Type-Options enforcement.
  • Azure Single Arm Deployment Support enables the choice of a smaller instance size to save on infrastructure costs and reduce network and operational complexity.

Get More Details on What’s New

Download the full What’s New guide for a complete overview of all the great new features and enhancements in v20.

Check out the v20.0 GA release notes for more details including the known issues list. Full Product Documentation is available online and within the product.

Watch the Demo Video Series:

How to Get v20

As with every firewall release, Sophos Firewall v20 is a free upgrade for all licensed Sophos Firewall customers and should be applied to all supported firewall devices as soon as possible. This release not only contains great features and performance enhancements, but also important security fixes.

This firmware release will follow our standard update process.

The new v20 firmware will be gradually rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience.

Sophos Firewall v20 is a fully supported upgrade from any supported Sophos Firewall firmware version.


Firmware downloads – Now from Sophos Central

Please note that Sophos Firewall firmware updates are now downloaded from Sophos Central. Get the full details here or follow this quick guide (below) to get the latest v20 firmware for your firewall:

  1. Log in to your Sophos Central account and select “Licensing” from the drop-down menu under your account name in the top right of the Sophos Central console.
  2. Select Firewall Licenses on the top left of this screen.
  3. Expand the firewall device you’re interested in updating by clicking the “>” to show the licenses and firmware updates available for that device.
  4. Click the firmware release you want to download (note there is currently an issue with downloads working in Safari, so please use a different browser such as Chrome).
  5. You can also click “Other downloads” in this same box to access initial installers and software platform firmware updates.

Sophos UTM 9.718 released


Sophos just released UTM version 9.7 MR18 (9.718). As this is a regular maintenance update it will be released in three phases:

Details of this release, along with previous releases, can be found on their official release notes page.

Other news

  • Maintenance Release
  • Security Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Issues resolved

  • NUTM-14068 [Basesystem] Tar Vulnerability – CVE-2022-48303
  • NUTM-14219 [Basesystem] Remove support for weak TLS signature algorithms in Web Admin and User Portal
  • NUTM-14237 [Basesystem] Remove deprecated XSS protection header from Web Admin and User Portal
  • NUTM-14285 [Basesystem] Disable session tickets on Web Admin and User Portal
  • NUTM-14288 [Basesystem] Samba Vulnerability – CVE-2022-2127
  • NUTM-14197 [Email] Email stuck in queue with scanner timeout
  • NUTM-14289 [Endpoint] Remove Endpoint Protection from WebAdmin and system backend
  • NUTM-14305 [Logging] Failed logins for SSL VPN Remote Access are not displayed in reports
  • NUTM-14218 [RED] Disable DHE ciphers support for RED in UTM
  • NUTM-14339 [WAF] Daily WAF Coredumps: Segmentation fault (11)
  • NUTM-13182 [Web] Reflected XSS in Web Proxy – CVE-2021-4429
  • NUTM-13988 [Web] Improve performance and error handling for AD SSO


Source:

UTM Up2date 9.7 MR18 (9.718) released – Release Notes & News – UTM Firewall – Sophos Community

File contents:

Up2Date 9.718005 package description:

Remarks:
System will be rebooted
Configuration will be upgraded

News:
Maintenance Release

Bugfixes:
Fix [NUTM-14068]: [Basesystem] Tar Vulnerability – CVE-2022-48303
Fix [NUTM-14219]: [Basesystem] Remove support for weak TLS signature algorithms in Web Admin and User Portal
Fix [NUTM-14237]: [Basesystem] Remove deprecated XSS protection header from Web Admin and User Portal
Fix [NUTM-14285]: [Basesystem] Disable session tickets on Web Admin and User Portal
Fix [NUTM-14288]: [Basesystem] Samba Vulnerability – CVE-2022-2127
Fix [NUTM-14197]: [Email] Email stuck in queue with scanner timeout
Fix [NUTM-14289]: [Endpoint] Remove Endpoint Protection from WebAdmin and system backend
Fix [NUTM-14305]: [Logging] Failed logins for SSL VPN Remote Access are not displayed in reports
Fix [NUTM-14218]: [RED] Disable DHE ciphers support for RED in UTM
Fix [NUTM-14339]: [WAF] Daily WAF Coredumps: Segmentation fault (11)
Fix [NUTM-13182]: [Web] Reflected XSS in Web Proxy (CVE-2021-4429)
Fix [NUTM-13988]: [Web] Improve performance and error handling for AD SSO

RPM packages contained:
libaviraglue-9.70-15.g05c370e.rb3.i686.rpm
libaviraglue-64-9.70-15.g05c370e.rb3.x86_64.rpm
libopenssl1_0_0-1.0.2p-3.64.1.0.463785659.gf62a29e6.rb5.i686.rpm
libopenssl1_0_0-64-1.0.2p-3.64.1.0.463785659.gf62a29e6.rb5.x86_64.rpm
libopenssl1_0_0_httpproxy-1.0.2p-3.64.1.0.463785659.gf62a29e6.rb5.i686.rpm
modformhardening-9.70-396.g46d9e07.rb2.i686.rpm
openssl-1.0.2p-3.64.1.0.463785659.gf62a29e6.rb5.i686.rpm
openssl-64-1.0.2p-3.64.1.0.463785659.gf62a29e6.rb5.x86_64.rpm
samba-4.6.8-7.g086016e.rb3.i686.rpm
tar-1.26-1.2.13.1.2159.g2d4155e4.rb7.i686.rpm
ep-reporting-c-9.70-160.g86afec0.rb3.i686.rpm
ep-branding-ASG-afg-9.70-53.g4841911.rb3.noarch.rpm
ep-branding-ASG-ang-9.70-53.g4841911.rb3.noarch.rpm
ep-branding-ASG-asg-9.70-53.g4841911.rb3.noarch.rpm
ep-branding-ASG-atg-9.70-53.g4841911.rb3.noarch.rpm
ep-branding-ASG-aug-9.70-53.g4841911.rb3.noarch.rpm
ep-confd-9.70-996.ga285eb830.rb1.i686.rpm
ep-mdw-9.70-920.g385e17fa.rb6.i686.rpm
ep-postgresql92-9.70-13.gf93811d.rb3.i686.rpm
ep-postgresql92-64-9.70-13.gf93811d.rb3.x86_64.rpm
ep-red-9.70-65.g9667def.rb4.i686.rpm
ep-sasi-5.1.4-0.460027334.g2ac730b.rb4.i686.rpm
ep-tools-9.70-39.gbf0b59b.rb4.i686.rpm
ep-tools-cpld-9.70-39.gbf0b59b.rb4.i686.rpm
ep-up2date-9.70-53.g001edab.rb2.i686.rpm
ep-up2date-downloader-9.70-53.g001edab.rb2.i686.rpm
ep-up2date-pattern-install-9.70-53.g001edab.rb2.i686.rpm
ep-up2date-system-install-9.70-53.g001edab.rb2.i686.rpm
ep-webadmin-9.70-858.gb5357bac7.rb6.i686.rpm
ep-chroot-httpd-9.70-38.g30b26c1.rb4.noarch.rpm
ep-chroot-smtp-9.70-99.gba89c2b.rb5.i686.rpm
chroot-bind-9.11.3-0.463876495.g0b281fc.rb1.i686.rpm
chroot-ipsec-9.70-89.g4e40652.rb2.i686.rpm
chroot-smtp-9.70-74.gd2863e6a.rb6.i686.rpm
ep-httpproxy-9.70-368.g05b1f1db.rb5.i686.rpm
ep-httpproxy-64-9.70-368.g05b1f1db.rb5.x86_64.rpm
ep-httpproxy-perl-helpers-9.70-368.g05b1f1db.rb5.i686.rpm
ep-httpproxy-user-account-9.70-368.g05b1f1db.rb5.noarch.rpm
ep-release-9.718-5.noarch.rpm

vCenter appliance: Quickiest way to reset root password

Symptoms

For versions prior to VCSA 6.7 Update 1, see Resetting root password in vCenter Server Appliance 6.5 to 6.7 U1.

  • Logging in to the root account of vCenter Server Appliance (VCSA) fails.
  • The root account of vCenter Server Appliance 6.7 U1 and later is locked or the account has expired.
  • The root password has been forgotten.

Purpose

This article provides steps to reset the root password if you have lost or forgotten the existing root password for VCSA 6.7 U1 and later.

Cause

With the change in VCSA 6.7 U1, an SSO user who is a member of the SystemConfiguration.BashShellAdministrator group can log in to the Bash shell and run any command using sudo without a password. This aims at reducing the gap between the root user and the SSO administrator user. The user has to enable the shell in order to log in to the Bash shell; by default, the user is logged in to the appliance shell.

Resolution

Process to Reset the Root Password in VCSA:

  1. Connect via SSH to VCSA 6.7 and log in using administrator@vsphere.local, where vsphere.local is your default SSO domain.
  • If disabled, enable SSH using the VAMI ( https://<vcenter_fqdn>:5480 ).
  • You can log in as administrator@vsphere.local or any other member of the SSO administrators group.
  • Enable or Disable SSH and Bash Shell Access.
  2. If logging in for the first time, enable the shell and then enter it:
  • shell.set --enable true
  • shell
  (Screenshot: use these commands to enable the shell.)
  3. Once in the shell as the SSO user, run the command below to change to a root shell:
  • sudo -i
  • Alternatively, you could use the command: sudo passwd root
  4. Then, once in the root shell, run passwd to change the root password:
  • passwd
  (Screenshot: use the passwd command to reset the root password.)
  5. Now you can exit the session by running the exit or logout command and then log in through a new SSH session using your root account with the updated password. Alternatively, you could run the su command in order to be prompted for the root password and get access as root.

Note: If the administrator@vsphere.local password is not available, please refer to Resetting root password in vCenter Server Appliance 6.5 and later.

Related Information

For 7.0U1 and 6.7P03 there are a few changes:

  1. The root user will be prompted to reset the password when they SSH to the machine if it is expired or expiring.
  2. You can also log in to the VAMI using the SSO administrator and reset the root password from there.
  3. An email notification is sent earlier to prevent the root password from expiring.
  4. An alarm will be triggered in vsphere-ui to notify the user about the password expiry.

How to reset the lost or forgotten root password in vCenter Server Appliance 6.7 U1 and later (75174) (vmware.com)
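The lockout this article deals with usually starts with a root password that has silently expired. Below is an added example, written for this post and not taken from the VMware KB or from VMware, that turns the output of `passwd -S root` into something an admin can check before the account goes stale: whether the account is usable or locked, and how many days remain until the configured maximum password age forces a change. It assumes the VCSA shell (Photon OS) provides the standard shadow-utils `passwd -S` format; that is an assumption, not something the KB states. The sample lines are constructed, and the date arithmetic uses plain integer maths so it does not depend on GNU `date -d`.

```shell
#!/bin/sh
# Added example for the vCenter root-password article above (not VMware's code).
# Classifies the root account from a `passwd -S root` line and computes how many
# days remain before the max-age forces a password change. Assumes the shadow-utils
# `passwd -S` format (assumption):
#   <user> <status> <last-change mm/dd/yyyy> <min> <max> <warn> <inactive>

# Constructed sample lines (not captured from a real appliance).
SAMPLE_USABLE="root P 01/01/2024 0 90 7 -1"
SAMPLE_LOCKED="root L 01/01/2024 0 90 7 -1"
SAMPLE_NEVER="root P 01/01/2024 0 99999 7 -1"

# civil_to_days Y M D: days since 1970-01-01 using only integer arithmetic
# (Howard Hinnant's days_from_civil), so GNU `date -d` is not required.
civil_to_days() {
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# mdy_to_days MM/DD/YYYY: convert the date column of `passwd -S` to epoch days.
mdy_to_days() {
    set -- $(printf '%s' "$1" | tr '/' ' ')
    mm=${1#0} dd=${2#0}        # strip a leading zero so 08/09 are not parsed as octal
    civil_to_days "$3" "$mm" "$dd"
}

# root_pw_state "<passwd -S line>": prints usable | locked | nopassword | unknown
root_pw_state() {
    set -- $1
    case "$2" in
        P)    echo usable ;;
        L|LK) echo locked ;;
        NP)   echo nopassword ;;
        *)    echo unknown ;;
    esac
}

# days_until_rotation "<passwd -S line>" <today as epoch days>
# Prints days left before max-age forces a change (negative means already
# expired), or "never" when max-age is the shadow-utils 99999 sentinel.
days_until_rotation() {
    line=$1 today=$2
    set -- $line
    last=$(mdy_to_days "$3")
    max=$5
    if [ "$max" -ge 99999 ]; then echo never; return; fi
    echo $((last + max - today))
}

# Offline demo with a constructed "today" of 2024-03-15. On a real appliance use:
#   days_until_rotation "$(passwd -S root)" $(( $(date +%s) / 86400 ))
today=$(civil_to_days 2024 3 15)
for s in "$SAMPLE_USABLE" "$SAMPLE_LOCKED" "$SAMPLE_NEVER"; do
    echo "$s -> $(root_pw_state "$s"), rotation in $(days_until_rotation "$s" "$today") day(s)"
done
```

Run it from the appliance shell (after `shell.set --enable true` and `shell`, as in the steps above) as a member of the SSO administrators group; anything other than `usable` with a comfortable number of days left is the moment to rotate the root password on your own schedule rather than during an outage.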
