Sophos UTM: New Update (9.506-2)

Sophos already released a new update for the Sophos UTM on 21.11.2017 that fixes numerous problems. For me the update is not yet being offered via Up2Date.

Here is the list of fixed problems:

  • NUTM-8651: [AWS] AWS Permission for "Import Via Amazon Credentials"
  • NUTM-7678: [Access & Identity] Pluto dies with coredump at L2TP connections
  • NUTM-8211: [Access & Identity] SSL VPN connection issue with prefetched AD groups
  • NUTM-8756: [Access & Identity] AUA debug log contains plain text passwords
  • NUTM-8889: [Access & Identity] ESPdump with algorithm GCM does not work
  • NUTM-8912: [Access & Identity] HTML5 VPN: keyboard input not working on Android devices
  • NUTM-7670: [Basesystem] Update to BIND 9.10.6
  • NUTM-8427: [Basesystem] postgres[xxxxx: [x-x] FATAL: could not create shared memory segment: No space left on device
  • NUTM-8769: [Basesystem] Small models of SG105 / SG115 / SG125 / SG135 take over 5 minutes to accept network connection
  • NUTM-9063: [Configuration Management] Regenerating the Web Proxy CA breaks all SSL VPN clients
  • NUTM-8313: [Email] POP3 Proxy generate core dumps in versions v9.414 and v9.501
  • NUTM-8509: [Email] Remove 3DES and SHA1 from SMIME
  • NUTM-8645: [Email] MIME Type Detection 9.5
  • NUTM-9061: [Email] User cannot open the SMTP Routing tab
  • NUTM-8419: [Logging] "Search Log Files" has different search result in spite of same time frame
  • NUTM-8783: [Logging] SMBv1 still required for remote logging to a smb share
  • NUTM-8341: [Network] Network monitor core dump
  • NUTM-8685: [Network] Some clients display an "Unknown" vendor on the wireless client list
  • NUTM-8738: [Network] Error messages in fallback log about damaged static routes
  • NUTM-8838: [Network] Watchdog consumes constantly 100% CPU
  • NUTM-7396: [RED] UTM RED kernel log shows "seq invalid" messages
  • NUTM-6968: [REST API] Restd: supporting usage of new object right after creation
  • NUTM-7981: [Reporting] WAF-reporter logs irrelevant information
  • NUTM-8359: [Reporting] SMTP log on Mail Manager is empty after upgrading postgres to 64bit
  • NUTM-7802: [Sandboxd] If using a ‚ character in the email address, postgres is not able to insert this to the TransactionLog (Sandbox)
  • NUTM-8715: [UI Framework] Unable to access "Manage Computers" page
  • NUTM-8061: [WAF] WAF still reporting virus found when AV engine on the UTM is updating
  • NUTM-8751: [WAF] Newly created web server listens on the slave node instead of the master node
  • NUTM-8806: [WAF] Issue with TLS settings for virtual webserver
  • NUTM-8861: [WAF] Leftover of shm files cause a WAF restart loop
  • NUTM-5964: [WebAdmin] Support Access: WebAdmin not properly displayed after login via APU
  • NUTM-8512: [WebAdmin] Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/asg_ca.pm line 1105
  • NUTM-8571: [WebAdmin] User with only "Report Auditor" rights receives strict refs error after login into WebAdmin
  • NUTM-8807: [WebAdmin] External link to Sophos UTM Knowledge Base is not correct
  • NUTM-8871: [WebAdmin] Year of Single Time Events cannot be later than 2019
  • NUTM-7994: [Web] Customized templates do not allow to accept quota and access site
  • NUTM-8037: [Web] HA: Low disk space alert from slave
  • NUTM-8107: [Web] CONFD.PLX is taking high CPU load
  • NUTM-8502: [Web] HTTP Proxy coredumps with CentralFreeList in v9.413
  • NUTM-8687: [Web] Segfault and coredump from HTTP proxy
  • NUTM-8691: [Web] Certificate error on accessing sites with https scanning enabled
  • NUTM-8752: [Web] NTLM Issue with AD SSO in Transparent Mode
  • NUTM-8771: [Web] Wrong country showing up in Web proxy requests
  • NUTM-8826: [Web] Teamviewer via Standard Mode with AD-SSO not possible since v9.502
  • NUTM-8834: [Web] iOS11 user agent string is not detected as iOS
  • NUTM-8849: [Web] Can’t download Traveler_90119_Win.zip with HTTP proxy in Transparent Mode
  • NUTM-3129: [Wireless] SG125w failed to create interface wifi0: -23 (Too many open files in system)
  • NUTM-4720: [Wireless] Issues with 2.4 GHz channel 12 and 13 / inconsistent channel availability / AWE_DEVICE_CHANNEL_INVALID
  • NUTM-8288: [Wireless] Roaming issues with iPhone7 and RADIUS authentication
  • NUTM-8391: [Wireless] AP55C/AP100X disconnecting from UTM repeatedly

In my environment, the bug "User cannot open the SMTP Routing tab" was particularly annoying...

Here you can find the Sophos release notes. With UTM updates it is always worth taking a look at the comments there as well; so far, however, it has been fairly quiet.

The update can be downloaded directly here:

u2d-sys-9.505004-506002.tgz.gpg


6 Replies to "Sophos UTM: New Update (9.506-2)"

  1. Typical Sophos -.-
    After the update, Exchange 2013 no longer wants to communicate through the WAF via TLS 1.1. The live log says little. I searched myself silly for the drop-down box for the TLS version, only to find out by chance half an hour later that the TLS version can no longer be set per virtual server, but only globally under Advanced in the WAF -.- With TLS 1.0 it suddenly works again. But I suspect a general problem here, since we have always run 1.1 or higher.

  2. I can confirm Sebastian's account 100%. Update with WAF on TLS 1.1 -> does not work. WAF down to TLS 1.0 -> works.

    Let's see whether there will be a quick fix.

  3. Caution, there are problems in HA mode in an ESXi environment. After the update from 9.505-4 to 9.506-2, certain VM servers (the VMs that were running on the same host as the passive UTM VM) were no longer reachable on the network! Only after shutting down the "passive" node were they suddenly reachable again. Recreating the HA did not help. I had to restore to 9.505-4, after which everything ran OK again. I'll wait for 1-2 updates first, then we'll see :)

  4. Sorry, my German-speaking brain isn’t creating thoughts at the moment.
    If anyone else has the same problem with VMs as Tom, please let us know if the following fixes your issue:
    How to resolve issues with Virtual UTMs configured for High Availability:
    1. Login to the UTM console as root.
    2. Enter the following command to determine if HA virtual_mac is enabled:
    cc get ha advanced virtual_mac
    3. If the output is 1, you can disable it by entering the following:
    cc set ha advanced virtual_mac 0
    4. Restart all virtual UTMs.
    Please continue in German.

  5. No, this does not fix the HA issue on VMware. This feature has already been enabled previously.
    The latest version apparently tries to use the other machine’s MAC-address.
    It worked flawlessly on 9.505-4.
    I sent the following email to the Sophos support. They are investigating it (hopefully).

    „I built a nearly identical setup in a test environment within our VMware cluster.
    I was able to get it working on an older version of UTM 9: The asg-9.505-4.1.iso – 9.505-4
    The HA worked just fine on this version. Even with only „Allow MAC address changes“ checked.
    I had it working in our real environment before updating to the latest version 9.506-2 as well, but I thought I might have just caught a lucky moment.
    HA in 9.505-4 worked just fine. The machines kept their MAC addresses.
    On 9.506-2 however, once one appliance was turned off, the other appliance apparently tries to use the MAC-address of the other machine.
    This simply doesn’t work at all.
    On 9.505-4, it worked flawlessly.

    Virtual MAC-addresses have already been disabled and MAC-address changing and forged transmits are accepted.

    On the screenshot you can see the MAC-addresses of the second UTM (utm1.local).
    The REAL addresses (assigned via VMware vSphere) are:

    00:50:56:66:8e:b0 => eth0
    00:50:56:66:8e:b1 => eth1
    00:50:56:66:8e:b2 => eth2
    00:50:56:66:8e:b3 => eth3

    The first appliance has the following addresses:
    00:50:56:66:8e:a0 => eth0
    00:50:56:66:8e:a1 => eth1
    00:50:56:66:8e:a2 => eth2
    00:50:56:66:8e:a3 => eth3

    The MAC-addresses on the second (Slave) UTM were switched to some MAC-addresses from the primary UTM (a0 instead of b0 – like on the older 9.505-4)

    After turning off one virtual machine, Windows soon clears its ARP-table entry and then is unable to resolve the MAC-address of its gateway (the UTM).“

    His reply so far:
    "I have not had enough time to evaluate if this is a bug. I am leaning towards that though, since it worked in the previous version before.

    As it relates to the downgrade, you would have to have a backup of the configuration file from 9.505-4"
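The MAC takeover reported in this reply and the console check in the previous one suggest a small self-check a UTM admin can run on each node. The following script is an added example, not from the post or from Sophos: it takes the vSphere-assigned addresses quoted above for the second node (utm1.local) as the expected table, parses a constructed `ip -o link` sample, and reports every interface whose address is missing or has changed to another value; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post or from Sophos): compare the MAC addresses a
# virtual UTM node actually carries with the ones vSphere assigned to it, so a
# node that silently took over its peer's address is found before Windows hosts
# lose their gateway via stale ARP entries. Function names are hypothetical.

# MACs vSphere assigned to THIS node (second UTM, utm1.local, from the post).
EXPECTED="eth0=00:50:56:66:8e:b0
eth1=00:50:56:66:8e:b1
eth2=00:50:56:66:8e:b2
eth3=00:50:56:66:8e:b3"

# Constructed sample of 'ip -o link' output: eth0 has taken the primary node's
# a0 address and eth3 is absent, so two findings are expected.
SAMPLE_IP_LINK="1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 00:50:56:66:8e:a0 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 00:50:56:66:8e:b1 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\    link/ether 00:50:56:66:8e:b2 brd ff:ff:ff:ff:ff:ff"

# mac_of IFACE IP_LINK_OUTPUT: print the link/ether address of IFACE, or nothing
# when the interface does not appear in the output.
mac_of() {
    printf '%s\n' "$2" | awk -v i="$1:" \
        '$2 == i { for (k = 1; k <= NF; k++) if ($k == "link/ether") print $(k+1) }'
}

# check_macs IP_LINK_OUTPUT: print one line per interface whose MAC is missing
# or differs from EXPECTED; exit status is 0 only when every interface matches.
check_macs() {
    bad=0
    for pair in $EXPECTED; do          # word splitting yields one iface=mac per loop
        iface=${pair%%=*}
        want=${pair#*=}
        have=$(mac_of "$iface" "$1")
        if [ -z "$have" ]; then
            echo "$iface: interface not present"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "$iface: expected $want, found $have"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

On a node itself, run `check_macs "$(ip -o link)"` after adjusting EXPECTED to that node's vSphere assignment, and pair it with the `cc get ha advanced virtual_mac` check from the previous reply.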

  6. We have the same problem that Sebastian and Andreas described.
    Since the update, Exchange 2013 Autodiscover and Outlook Anywhere no longer work.
    OWA fortunately still worked. We have now also downgraded to TLS 1.0 as a workaround.
    Curious to see what Sophos will say about it.
