Sophos UTM update v9.6 released
Sophos has released UTM version 9.600. We have listed all the changes that made it into version 9.6:
Let’s Encrypt integration
Many customers have been waiting for Let’s Encrypt integration on the UTM. With version 9.6 the long wait finally seems to be over. The certificate can be created via the WAF and is renewed automatically.
Tip: If you have configured a DNAT rule for HTTP, you need to disable it on the interface on which Let’s Encrypt is configured. Country blocking can also interfere here, so you should create an exception for it.
ATP: New Advanced Threat Protection library
Advanced Threat Protection has received a new library and now provides even more protection and better performance.
RED: New RED firmware
The RED 15 and RED 50 receive new firmware that includes current drivers for 3G/4G USB sticks. This is intended to improve support for such 3G/4G sticks.
Sandstorm: Manual file upload and reports
In the future an administrator will be able to manually upload a file to Sophos Sandstorm for execution. This means that files which were not received by email or web download can also be analysed with Sophos Sandstorm. Reporting in Sandstorm has also been improved and now provides more detailed data for a given period of time.
SMTP proxy: Improvements
The SMTP proxy gains support for the submission port and a configurable listen address.
WAF: Custom error pages
All error pages delivered by the WAF can now be customised with your own designs. This also allows you to apply your corporate identity consistently across all pages.
Sobering news regarding IKEv2
IKEv2 has been requested by the community many times. According to Sophos, there was not enough time to integrate IKEv2 into UTM 9.6. To be quite honest: you should no longer expect IKEv2 to come to the UTM at all. If we look at the XG roadmap, it is extremely full, and this is clearly where the main focus lies. The UTM roadmap, by comparison, is practically empty.
If you absolutely need IKEv2 we recommend that you move to the new SFOS operating system as soon as possible. If you have an SG appliance there are no additional costs for the switch and the remaining license term is carried over. If you need support with the migration we are happy to help. As of today (23.11.2018) we have not installed a UTM for 1.5 years – only XGs. We only call on our UTM know-how for the many migrations to SFOS.
Note: During the update the UTM system is rebooted and the configuration updated. Keep in mind that the connected REDs and access points will also receive a firmware update.
Important: After the update to UTM 9.6 the old HTML template for content warnings in the HTTP proxy no longer works correctly. Please download the updated templates, adapt them to your needs and upload them to the UTM again. For more information see the following article: KBA133167 - Sophos UTM: Changes to customized web templates in 9.6.
Bug fixes
- NUTM-10128 [Access & Identity] MDW waits hours for lock on shared cache with AUA
- NUTM-10130 [Access & Identity] Unable to connect RDP type bookmark with NLA
- NUTM-7418 [Access & Identity] SAA - Rename Client Auth CA
- NUTM-9368 [Access & Identity] SSL VPN: optional user auth not working
- NUTM-9525 [Access & Identity] Disk filling up with argos error messages in endpoint.log
- NUTM-9843 [Access & Identity] HTML5 VPN portal connections periodically stop working until service is restarted
- NUTM-10080 [Basesystem] Update to latest Avira SAVAPI version
- NUTM-10366 [Basesystem] Missing IP address in IPset of user network for STAS
- NUTM-9783 [Basesystem] IPsec routing issue if gateway interface has additional addresses
- NUTM-9810 [Basesystem] IPset Object takes 30 seconds to update after SSL VPN connection was established
- NUTM-9860 [Basesystem] Selfmon trying to start DHCP even when not in use
- NUTM-10226 [Email] Can’t release POP3 messages due to URL in User Portal
- NUTM-9681 [Email] cssd coredumps and root partition is filling up
- NUTM-9716 [Email] S/MIME encryption - automatic certificate extraction causing high load / no webadmin access
- NUTM-9733 [Email] Change default encryption algorithm to ‘smime’
- NUTM-9853 [Email] Fix policy traversal (for gpg, smime, unscanable)
- NUTM-9882 [Email] Umlauts in mail addresses get corrupted if SPX encryption is used
- NUTM-10181 [Network] Remove DNSdynamic from available dynamic DNS providers
- NUTM-10307 [Network] ATP exception still working after deletion
- NUTM-10337 [Network] High CPU load by AFCd when hotspot is enabled
- NUTM-10414 [Network] Segfault in oculusd
- NUTM-2791 [Network] Fix detection of sub applications in Application Control
- NUTM-4767 [Network] SSH for single host skipping AFC check
- NUTM-9462 [Network] Update to BIND 9.11 ESV
- NUTM-10197 [RED] All REDs disconnect intermittently
- NUTM-10227 [RED] Offline provisioning does not work
- NUTM-10303 [RED] Unified FW: split networks does not work
- NUTM-10384 [RED] Update hostapd for Unified-FW
- NUTM-9026 [RED] TP-LINK MA260 dongle on RED doesn’t work anymore after update to v9.5
- NUTM-9795 [RED] RED50 issue with large packets in Transparent/Split mode
- NUTM-10060 [Reporting] ATP alerts / events not deleted after three days
- NUTM-10201 [Reporting] Unable to download S/MIME internal user certificate
- NUTM-10352 [Sandstorm] Sandstorm Activity Report table and graph do not show same data
- NUTM-10367 [Sandstorm] Sandstorm Activity Graph does not include email cached results
- NUTM-2644 [UI Framework] Webadmin prefetching list box not displaying any users, if one user contains a single tick
- NUTM-10066 [WAF] Existing certificate chain overrides after new certificate chain has been added
- NUTM-10185 [WAF] Using printenv SSI directive in custom theme causes segfault
- NUTM-10315 [WAF] Let’s Encrypt can’t be enabled after upgrade from 9.5 (/etc/ssl/certs not accessible)
- NUTM-10316 [WAF] Let’s Encrypt certificates allow wildcards in domain name list
- NUTM-10332 [WAF] Let’s Encrypt not working over IPv6
- NUTM-9809 [WAF] Potential memory allocation failure for “Rewrite HTML” + location with special characters
- NUTM-10188 [WebAdmin] [OTP] QR code not visible for the first user login
- NUTM-10214 [WebAdmin] Breach Vulnerability in WebAdmin (CVE-2013-3587)
- NUTM-6945 [WebAdmin] Popup too small for secret when deleting SHA512 OTP token
- NUTM-7381 [WebAdmin] Login to UserPortal only works at second try when using RADIUS authentication
- NUTM-9424 [WebAdmin] Webadmin session interrupted with pop-up “Backend connection failed”
- NUTM-10200 [Web] Segfault in libc-2.11.3.so
- NUTM-10284 [Web] HTTP Proxy crash with coredumps
- NUTM-9676 [Web] HTTP Proxy out-of-memory segfault / HTTP Proxy stops working with “Avira engine not available”
- NUTM-9854 [Web] Warning page bypass using crafted URLs
- NUTM-9873 [Web] File blocked due to MIME type detection even if there is an exception
- NUTM-9956 [Web] HTTP Proxy coredumps in geoip scanner
- NUTM-10365 [Wireless] RED15w: SSID isn’t broadcasted when “Enterprise Authentication” is in use
