Date: 2018.06.16
UTM F/W at Home - Sophos XG Firewall SFOS v17.1.0 Minor Update & Manual Firmware Update in an HA Configuration
The GA (General Availability) build of SFOS, the firmware for Sophos XG Firewall Home Edition, has been released as a minor version update from the v17.0 line to the v17.1 line.

This time it did not show up in the management console as the latest available firmware, so I uploaded the firmware file manually and applied it.
This is the first time I have updated via manual upload since moving to an HA configuration.

The version is "SFOS 17.1.0 GA (SFOS 17.1.0-152)".

Since I didn't know how applying from a manual upload would behave, I first tried doing it from the Slave (Auxiliary) side, but, as expected, I got scolded with "You do not have permission to add/modify settings."
(Image: Sophos XG Firewall Home Edition v17.1 update - error on the secondary unit)

So there was no choice but to do it from the Master (Primary) side.
Updating via manual upload follows the same steps as the v16.0 update in "UTM F/W at Home - Sophos XG Firewall SFOS v16 Major Update".

Then, when I started applying the downloaded "VI-17.1.0_GA.VMW-152.gpg" via "Upload & Reboot", it was applied in the same order as when I applied the download from "Latest available firmware" in "UTM F/W at Home - Sophos XG Firewall Firmware Update in an HA Configuration".
So it transfers the firmware to the Slave side too, even with a manual upload.
For better or worse, it's impressive how consistent this part is.

Since this is a minor version update, there are not that many changes.
In a sense, the biggest change may be the logo on the login screen.
(Image: Sophos XG Firewall Home Edition v17.1 update - login screen logo)

As for functionality, the new features are:

■ Cloud application visibility
・With the implementation of CASB (Cloud Access Security Broker), commonly called "casbee", cloud applications can now be visualized. (Enabling HTTPS scanning is required.)

■ Synchronized App Control
・Application management via Security Heartbeat, which syncs with the cloud endpoint product Sophos Central for security control, is further strengthened.

■ Email security
・Supports more flexible SMTP policy exceptions. Implements whitelists and blacklists by domain or address.

■ SSL VPN port option
・Option to customize the SSL VPN listening port. (Apparently the most requested feature.)

■ Firewall enhancements
・You can now open the edit screen by double-clicking a firewall rule.
・Added an option that, when QUIC (Quick UDP Internet Connections), the UDP-based web protocol developed by Google, is in use, blocks UDP over HTTPS and forces TCP HTTP/S.
(Image: Sophos XG Firewall Home Edition v17.1 update - Google QUIC block)
・Added flexibility in defining ACL exceptions (apparently; I haven't found where this is yet).
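As an added illustration (not part of the original post, and not how XG Firewall implements its QUIC block), the Python snippet below shows how QUIC can be recognized in UDP/443 payloads taken from a packet capture. This is useful when verifying that, after the option is enabled, QUIC no longer gets through and clients have actually fallen back to TCP/443. The function names, the sample payloads and the per-version counts are my own constructions; the header layouts follow RFC 9000 (IETF QUIC v1 long header) and the legacy Google QUIC public header (Q043 and earlier).

```python
from collections import Counter

# Constructed sample UDP/443 payloads (not real captures).
# 1) IETF QUIC v1 Initial: first byte 0xC0 = long header (bit 7) | fixed bit (bit 6)
#    | type Initial (00); then version 0x00000001, DCID length 8, DCID, SCID length 0.
IETF_QUIC_V1_INITIAL = (
    bytes([0xC0]) + b"\x00\x00\x00\x01" + bytes([8]) + b"\x11" * 8 + bytes([0]) + b"\x00" * 20
)
# 2) Google QUIC Q046+: same long-header shape, but the version field is ASCII "Q046".
GQUIC_Q046_INITIAL = bytes([0xC0]) + b"Q046" + bytes([8]) + b"\x22" * 8 + bytes([0]) + b"\x00" * 20
# 3) Legacy Google QUIC (Q043 and earlier) public header: public flags 0x09 =
#    version flag (0x01) | 8-byte connection ID present (0x08); then the CID, then "Q043".
GQUIC_Q043_CHLO = bytes([0x09]) + b"\x33" * 8 + b"Q043" + b"\x00" * 20
# 4) Something else on UDP/443 (a DTLS-like record header): carries no QUIC markers.
NOT_QUIC = bytes([0x16, 0xFE, 0xFD]) + b"\x00" * 20


def _is_gquic_version(version: bytes) -> bool:
    """Google QUIC versions are encoded as ASCII 'Q' followed by three digits."""
    return len(version) == 4 and version[0:1] == b"Q" and version[1:].isdigit()


def classify_udp443_payload(payload: bytes):
    """Return (is_quic, label) for one UDP payload.

    Only the unencrypted header fields are inspected, which is all a middlebox can
    see; the payload is never decrypted.
    """
    if len(payload) < 5:
        return False, None
    first = payload[0]
    if first & 0x80:
        # IETF-style long header (also used by Google QUIC from Q046 onward).
        version = payload[1:5]
        if version == b"\x00\x00\x00\x00":
            # Version Negotiation packet: the fixed bit is unspecified here.
            return True, "QUIC version negotiation"
        if version == b"\x00\x00\x00\x01" and first & 0x40:
            return True, "IETF QUIC v1"
        if _is_gquic_version(version):
            return True, "Google QUIC " + version.decode("ascii")
        return False, None
    if first & 0x01:
        # Legacy gQUIC public header with the version flag set. The 8-byte
        # connection ID is present only when flag 0x08 is set.
        offset = 1 + (8 if first & 0x08 else 0)
        version = payload[offset:offset + 4]
        if _is_gquic_version(version):
            return True, "Google QUIC " + version.decode("ascii")
    return False, None


def summarize_udp443(payloads):
    """Count QUIC versions seen in a list of UDP/443 payloads.

    Non-QUIC payloads are counted under "other". With the XG QUIC block enabled,
    a capture on the WAN side should show no QUIC labels at all, while TCP/443
    traffic (not examined here) increases as browsers fall back to HTTP/S over TCP.
    """
    counts = Counter()
    for payload in payloads:
        is_quic, label = classify_udp443_payload(payload)
        counts[label if is_quic else "other"] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = [IETF_QUIC_V1_INITIAL, GQUIC_Q046_INITIAL, GQUIC_Q043_CHLO, NOT_QUIC]
    for label, n in sorted(summarize_udp443(sample).items()):
        print(f"{label}: {n}")
```

To use this against a real capture, feed `summarize_udp443` the UDP payloads of packets with destination port 443 (for example, extracted with a pcap library); the classifier itself deliberately depends only on the first few header bytes so it works the same way on a firewall, an IDS, or an offline capture.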

■ Wireless enhancements
・Enhancements to options such as setting the channel width from the GUI and Radius Accounting.

■ IPsec VPN IKEv2 enhancements
・New IKEv2 support introduced for IPsec VPN connections.

■ New hardware support
・As stated. Not relevant to the virtual edition.

Well, all in all, these were feature additions that mostly don't concern me personally.
Establishing the procedure for updating via manual upload in an HA configuration may have been the biggest takeaway. (Although it was basically the same.)

Anyway, the release notes are below; since multiple bug fixes and so on are included, I think it's better to update.

What's New
Check out all the enhancements in XG Firewall v17.1 including the new Cloud Application Visibility feature in our XG Firewall v17.1 demo video.

Cloud App Visibility - brings the visibility pillar of CASB to XG Firewall, providing quick and easy Shadow IT discovery and visibility into data that may be at risk in cloud applications with great reporting on users and volume of data being uploaded and downloaded from cloud services.
Synchronized App Control - gets further enhancements in managing newly discovered applications, including options to search, filter, and delete applications. You’ll also see the category assigned to the discovered app in the list for easy reference.
Email Security - adds user management over individual SMTP block and allow lists via the User Portal. Domains or email addresses added to the Allow list will bypass policies (except for malware or sandboxing enforcement) and adding domains or addresses to the block list will automatically quarantine emails from those senders. In addition, more flexible SMTP policy exceptions are supported to provide parity with Sophos SG UTM.
SSL VPN Port Option - one of the most requested features on XG Firewall is the option to customize the SSL VPN listening port.
Firewall Enhancements - Enhancements have been made to the firewall and rule management to improve flexibility and streamline management even further. You can now double-click a firewall rule in the list to open it for editing. There's a new option to block Google QUIC's HTTPS over UDP forcing a fallback to TCP enabling full SSL inspection of the traffic. And there is now added flexibility in defining ACL exceptions to restrict access to services like the User Portal from a single alias, for example.
Wireless Enhancements - XG Firewall v17.1 provides wireless networking enhancements including the option to set the channel width for wireless radios in the GUI as well as Radius Accounting.
IPSec VPN IKEv2 Enhancements - XG Firewall v17 introduced new IKEv2 support for IPSec VPN connections and all stability and reliability enhancements, included in subsequent maintenance releases, are included with v17.1.
New Hardware Support - Support for the latest XG Series desktop hardware connectivity and features, unveiled in an earlier maintenance release, is also included in XG Firewall v17.1.

You can find the PDF of what's new here: Sophos XG Firewall v17.1 Whats New.pdf.

Notes
In case you are managing your Firewalls using SFM/CFM, Firewalls running SFOS 17.1 GA won’t accept application filter rules when applied from a device group or template. You can manage application rules from the device-level view in SFM/CFM until this limitation is addressed in SFOS 17.1 MR-1.

Issues Resolved
NC-31554 [Base System] Missing color indication for ATP widget
NC-31662 [Base System] Change of the XG Firewall login screen
NC-31484 [Email] Emails are not removed from spool after update to SF 17.0 MR8
NC-31514 [Firewall] Editing IPv6 host is not possible
NC-31030 [SSLVPN] Remove misleading message "Port 443 is already in use by User Portal"
NC-31615 [Web] Remove file type data columns in cloud application dashboard

Issues Resolved in Beta3 build
NC-30212 [Base System] Device displays fail message for SFM/CFM heartbeat
NC-29075 [Email] Unable to update mail spool if mail address contains special character (')
NC-29757 [Email] CVE-2011-1473: POP/IMAP - Secure Client-Initiated Renegotiation vulnerability
NC-30160 [Email] Option "Skip mails (for malware scan) greater than" is not working for outbound traffic
NC-30183 [Email] Notification test email fails with authentication when mail send without saving configuration
NC-30303 [Email] Possible authenticated remote code execution in mail_sender
NC-30649 [Email] Permissions for Email protection are not exported correctly
NC-29216 [Firewall] Separate out filter and NAT table chains for IPsec in two different services
NC-29505 [Firewall] Traffic shaping rule for firewall has wrong default policy association
NC-29776 [Firewall] After migrating from CR to SF DNAT rules stop working after every reboot
NC-29990 [Firewall] Import/Export of destination local acl always set to "any" if any port is selected before
NC-30037 [Firewall] Validation missing if IPv4 is selected as IP version
NC-30197 [Firewall] Firewall rule filter is not working from second page onwards
NC-30588 [Firewall] Policy Tester ignores IP host groups in the firewall rule
NC-30766 [Firewall] Unauthenticated XSS in diagnostics component
NC-30871 [Firewall] Japanese column header not displayed in the right place in Protect -> Firewall
NC-19980 [Framework(UI)] Filter search containing backslash char will not find the match
NC-30575 [Framework(UI)] VPN FO Group selection widget doesn't display correctly in Chrome
NC-28826 [HA] HA migration does not complete if dedicated link goes down during migration process
NC-29572 [IPsec] GUI allows admin to select external certificate for Remote Certificate for IPsec Connection for Remote Access
NC-30830 [IPsec] CVE-2018-10811 & memleak: Import upstream strongswan patches
NC-30979 [IPsec] IPsec route can disappear if two connections use the same
NC-29889 [Network Services] Unable to lease the IP to some users
NC-31017 [RED] RED S2S client does not work with routed server address
NC-29733 [Reporting] Showing unknown character for Current HA status under reports with HA
NC-29846 [Reporting] Sort by Users/Byte is not working on Cloud Applications page
NC-30155 [Reporting] Wrong label displayed for widget of Cloud Application
NC-30190 [Reporting] Records are not displaying in HTML export for "Records Per Chart 25 and more" for some widget of Cloud application
NC-28789 [Sandstorm] ExcludeSandstormFileTypes is not available in SandboxSettings XMLAPI data
NC-27461 [SFM-SCFM] Compatibility v17: Firewall UI issues at device level
NC-28913 [SFM-SCFM] Compatibility v17: Appliance unsync when applying L2TP (Remote Access) or IPSEC configuration
NC-29907 [SSLVPN] Not able to edit SSL VPN (Remote Access) policy
NC-30847 [SSLVPN] Unable to set user portal port to SSL VPN port
NC-29278 [Synchronized App Control] Renaming an Endpoint does not update SAC table
NC-29820 [Synchronized App Control] No new logs since 2 days - /tmp is full on XG85
NC-31020 [Synchronized App Control] Synchronized Application Control page is taking too long to load
NC-31229 [Synchronized App Control] SAC data table not loaded after migration to v17.1 Beta1
NC-30054 [UI] Device Access page showing error on Auxiliary machine
NC-29602 [WAF] API Get for SecurityPolicy does not return Traffic Shaping settings for the policy
NC-29876 [WAF] Website hosted over WAF taking more time to load when Common Threat Filter enabled
NC-30448 [WAF] Rewrite HTML for site path with special characters leads to memory allocation failure
NC-28699 [Web] Cloud Applications Control center widget - spacing issue
NC-28762 [Web] After power failure, Android devices captive portal does not disappear after logging in
NC-29002 [Web] API Import for WebFilterPolicy with dependent entities failed
NC-29164 [Web] Proxy drops HTTP Response when 100 and 200 in same packet
NC-29166 [Web] AV files served from cache are not scanned if 'scan av' flag enabled after file was cached
NC-29385 [Web] Data mismatch for Control Center and reporting widget for Cloud Application
NC-29479 [Web] Usercache is not updated when classification set through AppClassificationBatchAssignment
NC-29504 [Web] Captive Portal customization Reset to Defaults does not work
NC-29601 [Web] Policy Test Tool not working
NC-29809 [Web] When cloud dash board page contains more than 10 apps, some apps will not show app-icon warning exclamation triangle mark when changing app classification
NC-29984 [Web] WebFilterURLGroup API Doc is misleading
NC-30606 [Web] Fail to change application classification when changing to other languages
NC-30682 [Web] Cloud Applications page loading failed in XG85 appliance
NC-31042 [Web] Cloud Applications dashboard column names have overlapping text in French
NC-27033 [Wireless] Pending text is wrapping to next line for Wireless APs counter
NC-27535 [Wireless] UI is not displaying WiFi client's IP when multiple clients are connected to AP
NC-28763 [Wireless] UI displays AP as inactive even if AP was active
NC-28765 [Wireless] AP goes in inactive mode when used "2.4 Ghz and 5 Ghz" Frequency band
NC-29419 [Wireless] Not able to configure channel 12 and channel 13 on Desktop refresh devices
NC-29988 [Wireless] Wireless network update is not reflecting when it is assigned to LocalWiFi1(OptionalWiFi)

Issues Resolved in Beta2 build
NC-29977 [WAF] Reverse authentication: Access possible for empty protection profile

Issues Resolved in Beta1 build
NC-28797 [Access] User Edit page doesn't load for some users who are part of multiple groups
NC-26797 [API] HA devices update from MR2 to MR3 result in primary unit being factory reset
NC-22530 [Authentication] Webfilter policy is not working for auto-created AD user
NC-28175 [Authentication] Customer from NC-21823 has updated and getting segfault for access_server
NC-16090 [Base System] Source port changes to random over IPSec VPN
NC-25783 [Base System] Import certificate option is missing for CSR
NC-26328 [Base System] Additional CPU cores not detected in v17 after license upgrade
NC-27022 [Base System] Import from configuration failed due to too long certificate name
NC-27076 [Base System] Ping utility not working
NC-27263 [Base System] Incorrect interface speed is shown via SNMP
NC-28033 [Base System] Packet capture and connection list issue
NC-28220 [Base System] Garner active.db file size is too big in /tmp/eventlogs due to LogViewer output plug-in
NC-28566 [Base System] Garner service restarts
NC-27087 [Certificates] Default CA regeneration fails
NC-27853 [DDNS] DynDNS update does not happen in the configured time range
NC-28177 [DNS] Unable to resolve DNS of services.vip.symantec.com when registering it in Services/FQDN Host
NC-22864 [Firewall] Quick QUIC block
NC-22878 [Firewall] Allow user to edit rule while double clicking on the rule
NC-22927 [Firewall] NATPolicy API export fails when it contains NAT profile created on network
NC-26433 [Firewall] Captive Portal access issue for Android devices
NC-26560 [Firewall] One time schedule in firewall rule for VPN traffic doesn't block traffic when schedule expires
NC-27004 [Firewall] Unable to send email due to Default Internet Scheme Policy
NC-27164 [Firewall, Performance] LAN interface become unresponsive
NC-28025 [Firewall] Policy Tester ignores service groups in the firewall rule
NC-28710 [Firewall] Display of firewall rule in Firewall Group overlaps with display of action
NC-28756 [Firewall] Appliance inaccessible after the backup restore
NC-28785 [Firewall] Packet capture log is empty when opened via hyperlink in log viewer for IPv6
NC-28791 [Firewall] Sometimes VPN is not working when bridge has WAN interface
NC-28800 [Firewall] Firewall Rule ID is shown with an incorrect ID
NC-29379 [Firewall] HA Aux appliance goes in failsafe mode when failed to load LBS module (occurs only in specific IPv6 condition)
NC-29243 [Framework(UI)] Subnet creation is broken for IE11
NC-25854 [HA] Disable HA fails on auxiliary appliance when LAG interface is used as peer admin port and a bridge interface is also configured in SFOS
NC-29040 [Hotspot] File name containing space is not working for images/stylesheets and logos of hotspots
NC-26514 [IPS] IPS core dumps with appliances in HA (A-A)
NC-27549 [IPS] ATP Exception is getting removed automatically
NC-28602 [IPS] Filter alignments in Application Filter Policy Rule are displayed incorrect
NC-29174 [IPS] IPS Policies are not being pushed out via SFM template
NC-25380 [IPsec] Add an option to auto create a Firewall rule
NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
NC-26357 [Logging] Log viewer is not loading after adding any filter and read/write goes high after activity
NC-21745 [Mail Proxy] i18n file name is not displayed in log viewer and on sandstorm activity page for sandstorm module
NC-25746 [Mail Proxy] CVE-2012-4929: SSL/TLS CRIME Vulnerability on port 8094
NC-26472 [Mail Proxy] AwarrenMTA: few mails appear on queue after delivery (DB connect fail)
NC-26930 [Mail Proxy] XG not able to update spool due to special characters in failure reason
NC-27240 [Mail Proxy] Unable to send emails due to auto routing to rcpt DNS in case of greylisting reply for MX
NC-27365 [Mail Proxy] Display issues with german umlauts in SPX Template
NC-28081 [Mail Proxy] Unable to save the SMTP policy when some MIME types are selected
NC-28364 [Mail Proxy] Email should be quarantined if scanning fails due to unscannable file
NC-28819 [Mail Proxy] Quarantined emails are not visible on SMTP Quarantine
NC-29018 [Mail Proxy] XG is unable to block email attachments when sent via Powershell v5.1
NC-29103 [Mail Proxy] Unable to release quarantine mails with special characters from spam digest
NC-29315 [Mail Proxy] CTIPD service should be stopped if Email or WAF subscription is not activated
NC-29319 [Mail Proxy] Unable to release false positive outbound spam emails
NC-29339 [Mail Proxy] CVE-2013-0169: Multiple SSL/TLS vulnerabilities - POP/IMAP
NC-29437 [Mail Proxy] Multi-level subdomain getting 501 syntax error while “Reject invalid HELO or missing RDNS” enabled
NC-29671 [Mail Proxy] AwarrenMTA restarts when used with high CCLs on certain mails
NC-21993 [Network Services] Static MAC-IP binding issue
NC-28815 [Network Services] CVE-2018-5732 and CVE-2018-5733: DHCP vulnerabilities
NC-27874 [Networking] IP address in static DHCP leases is shown incompletely
NC-28029 [Networking] Firewall configured as DHCP relay agent is generating flood on internal DHCP server
NC-28564 [Networking] Backup-Restore failed for different interface name devices when VDSL interface is configured
NC-29721 [Networking] HA failover is taking 10 minutes in v17.0 MR5
NC-28320 [nSXLd] URL Category Lookup provides different results for UI and command line
NC-27556 [PPTP] PPTP Remote Access fails when user name is not in lower case
NC-27881 [Qos] Unit for bandwidth parameter is incorrect on the Dashboard
NC-27942 [RED] XG red to XG red not connecting over MPLS network
NC-22787 [Reporting] Dashboard uses incorrect design for ATP and UTQ widgets
NC-22829 [Reporting] Reports section in Control Center gets stuck when "None" is configured as Admin Profile for "Reports Access"
NC-25786 [Reporting] Logo is not displayed properly in SAR report
NC-27046 [Reporting] "Search Key" filter not working for Google Search Engine
NC-28918 [Reporting] Unable to view Objectionable websites in Control Center and Reports
NC-29465 [Reporting] Not able to send mail digest - due to PG connections full
NC-26575 [SecurityHeartbeat] Heartbeat DB opcode sync command gets stuck
NC-27258 [SecurityHeartbeat] Ipset opcode gets stuck in HA setup
NC-28065 [SSLVPN] Port 8443 should be usable at any time when not used somewhere else
NC-28219 [SSLVPN] Site-Site SSLVPN: Routes aren't added with IP HOST Group in remote network
NC-23106 [Synchronized App Control] [SAC] Extended Filter/Search function in app Lists
NC-22122 [UI] CVE-2007-6750: Apache Partial HTTP Request Denial of Service Vulnerability for port 8443, 443, 4444
NC-26436 [WAF] Common Threat Filter should be disabled in default Outlook Anywhere Web Protection Policy
NC-28405 [WAF] Content gets lost when using form-hardening
NC-28944 [WAF] HTTPS Certificate Error when editing a Business Application Rule
NC-29483 [WAF] Creating IP host object inline leads to hanging SlowHTTP UI
NC-29650 [WAF] CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request
NC-18038 [Web] Page redirections for authentication (and others) should use hostname not IP
NC-25617 [Web] Log virus name for unscannable content as "Unscannable" in the Web Virus report
NC-25745 [Web] CVE-2016-2183, CVE-2016-6329: SWEET32 SSL/TLS Vulnerability and Triple DES on port 8090
NC-26136 [Web] Change link of Guest User Registration on Captive Portal page into https
NC-27893 [Web] Unable to use apostrophe character in Captive Portal settings
NC-28457 [Web] No response when clicking on Captive Portal login button
NC-28601 [Web] Dynamic app filter rules which do not contain any applications is enforced for all applications
NC-28695 [Web] Block and warnpage previews use wrong template
NC-28759 [Web] Awarrenhttp segfaults when killed while scanning
NC-28792 [Web] IPS fails to close connections which are blocked by an app filter (causing proxy to timeout after 60 sec)
NC-28899 [Web] 'Block HTTP' option disappears if switching from a dynamic category to a non-dynamic one for an activity
NC-29124 [Web] Possible buffer overflow in Web Proxy's warn-proceed transformer
NC-5395 [Wireless] Wrong interface status shown on auxiliary appliance for wireless network
NC-19851 [Wireless] Support Radius Accounting on Remote APs & Local Wifi models
NC-26278 [Wireless] IP addresses not visible in Wireless Client List
NC-27261 [Wireless] Wizard is failing in XG85W(old model) after configuring SSID from wireless config page of wizard

[Related articles]
UTM F/W at Home - Sophos XG Firewall Home Edition related article list.
