• CPG 2023.19

Sophos Engineering is aware of an issue with Custom Role creation in Central Dashboard. Global Settings > Role Management >

Issue: A role that is defined for just Mobile (with any base-level permission) - When that administrator logs in, they will not see the main Central Dashboard ‘People’ page, and may not be able to perform steps needed in the administration workflow for Mobile Protection.

Until the Mobile role set is updated to include access to the People page; one of the following additional product categories can be added to the custom rule in the interim: Endpoint Protection, Encryption, Phish Threat, or Email Gateway.

Issue:- Sophos Engineering is aware of an issue/behavior where a customer is unable to turn on Partner assistance in the Central dashboard. After allowing the toggle button for Partner assistance, customers are unable to ‘save’ the change.

Impact:- Partners would be unable to manage the customer from the partner dashboard.

An upcoming fix for this will resolve this issue.

Workaround:- Sophos support is aware of a workaround, hence please report it to tech support in the interim of the fix.

• CPG 2023.10

Sophos Engineering is aware of an issue/behavior where a user(s) could see a previously configured delegation user. The original delegation from ActiveDirectory (msExchDelegateListLink attribute for a User/Group or Shared Mailbox) still shows/exists even after migrating to our Azure AD directory syncing.

Sophos Azure AD directory sync does not support delegation with directory objects (neither the original msExchDelegateListLink nor O365 mailbox permission configurations). The issue is that the original delegation is not able to be removed, and those users will received the quarantine digest for the user they were originally a delegate for.

An upcoming fix for this will remove the leftover delegation attributes from the directory objects stored in Central.

There are no workarounds for this issue in the interim of this being fixed

Sophos is aware of an issue/behavior in Sophos Central Partner Dashboard, under Settings & Policies > Administrators> - Partner is not able to add a new administrator if their email address has a Top Level Domain name that is longer than 4 characters. The message received: "Email is required" and the administrator is not able to be saved.

This specific requirement will be updated in the future. In the interim, it is possible to first create the partner administrator within your Partner Portal, then update their role in PDB when it's added.

• CPG 2021.40

When adding users on the Federation Global settings page (within the 'Custom Rules' user selection window), this can take longer than expected (minute +) when there are hundreds or thousands of users with logins to display.

While the performance/slowness is currently expected for customers with a large amount of users; If your list of users fails to load at all, and you are not able to add any custom rules, please raise up a Support case with Sophos, so that we can help manually add these for you in the interim.

Please provide us with the email addresses and login rule requested (Federated only, Central only, or Federated and Central) for those who you would like to have added. Please also reference 'CPLAT-44544'. Technical Support will be able to manually add these in, if it is not possible to do so by a customer.

The regulatory authorities in certain countries have specific SMS requirements, which may result in some customers not receiving SMS or receiving them as potential spam when signing in.

List of countries with special SMS requirements: Belarus, Egypt, India, Jordan, Kuwait, Philippines, Qatar, Russia, Saudi Arabia, Sri Lanka, Thailand, Turkey, United Arab Emirates (UAE), Vietnam, and Singapore

You may use the Multi-factor Authentication's authenticator app or the email and pin method to complete the sign-in process in any scenario where the SMS code is not being received.

• CPG 2022.42

Sophos Engineering is aware of an issue where the Firewall Management Report Generator times out within Central Dashboard (by showing an indefinitely spinning wheel while ‘Gathering report data…’ is displayed).

This is due to the requested data not being sent back to the UI within a 6-minute timeframe.

If a customer has an Advanced Firewall reporting license, the report can be configured as a scheduled report which can be viewed separately in the interim of this being resolved. If a customer does not have an Advanced Firewall reporting license, it may be possible to select a smaller timeframe of data that will display, though if that does not work, there is no workaround for this issue.

• CPG 2023.13

There is a known issue seen when attempting to make any changes to a user in Central Dashboard that has a ‘dot’ in its name (eg. First.last ). This is seen when going to People-->select the user in question--> select 'edit’-->attempt to make any changes from this modal box):

Attempting to make any changes to a user that has a dot in their username will fail as the validation check ‘Please enter valid first & last name.’ will be displayed preventing the change from being saved. See ‘Workaround’ for alternative methods to make changes to the above areas.

Note that currently, it is not possible to manually create a user where the user name has a dot in it. This is a security validation for manually created users but does not prevent users with a dot in their name from being imported via Directory Services.

If you need to do any of the following for a user that has a dot in their user name:

1. Change Role: Go to People-->Groups tab (then select group you want to add or remove them from, and perform the action from there)
2. Move or Change Group assignments: Go to Global Settings --> Role Management --> Select the Role you want to add or remove the user from and perform the action from there)
3. Send set up or welcome email: Go to People-->select the tick box for user(s) in question--> Select the 'Email Setup Link' button and perform the action from there)

• CPG 2023.04

Enterprise Dashboard: Access not Allowed error while trying to reset MFA for an EDB Admin.

Enterprise Dashboard: SuperAdmin trying to reset MFA for any EDB Admin.

SuperAdmin can recreate the affected admin from the scratch, which gives him the ability for the affected EDB admin to recreate passwords and go through MFA steps.

• CPG 2023.01

Global Template: An administrator who removes a customer from within a Global Template, after using a search query may remove customers from the assigned column.

The results of the search query are incorrectly seen as the number of customers. If the search team remains under the assigned column when selecting the save button, the subsequent confirmation dialog box will show you that you are removing many more customers than expected.

Example: If you have 100 customers listed under the assigned column. Your search for the name of one customer and move it over to the unassigned. This leaves the Assigned column showing zero customers (because the name of the customer is no longer listed). When you select the ‘save’ button - the next confirmation dialog box will tell you that you will be unassigning 100 customers (instead of the expected 99).

To avoid this in the interim this behavior is fixed, first clear the search term used before selecting the save button.

To avoid this in the interim this behavior is fixed, first clear the search term used before selecting the save button.

The remote assistance enablement in Sophos Central Dashboard may take longer than expected if there are a lot of self-service user accounts/Admin user accounts exist.

Reference KB Article: Sophos Central: Turn on Sophos Support remote access for either MSP/Flex or Enterprise Master-licensed Sophos Central accounts

In the interim of this being fixed, please wait until you see a pop-up message/green message box "Remote Access Enabled" once click the Save button. You may experience a number of pop-up windows with "Remote Access Enabled" message.

• CPG 2021.40

Central API: “Error 409. You can't use this API to delete users synced from Active Directory” returned when trying to delete a user who was added to Central via Adsync before November 21st, 2021 and has been unlinked (https://developer.sophos.com/docs/common-v1/1/routes/directory/users/{userId}/delete ).

• Users added to into Central after this date will not encounter this issue.

• This does not affect or prevent manually deleting these users within Central Dashboard UI.

These users affected will need to be deleted manually within Central Dashboard UI

• CPG 2023.01

Sophos Engineering is aware of a known issue seen in Central Dashboard where some environments with thousands of users, the User report may fail to load or export (HTTP ERROR 500)

Where: Logs & Reports → Users ( https://cloud.sophos.com/manage/reports/protection/users/create/all )

What issues can be seen?

• Either In the UI: Selecting a tab (eg. ‘Active’) may initially load the first 50, but scrolling for more may show a spinning wheel and then a blank page. (in web developer tools, there is a 500 error)

• Attempting to export: receives the error “This page is not working at the moment. can't currently handle this request. HTTP ERROR 500"

In the interim of this being addressed, please attempt sorting the page into smaller groups of users first via the 'Search by User Group' drop-down. Viewing users and exporting may be possible via the main People/User page to view/export users (Dashboard --> People)

• 2017.32

When viewing or exporting events based on Dates from the 'Logs & Reports' section of Sophos Central Admin;

The resulting events will be shown based off of a 24 hour UTC day instead of a 24 hour period within the time zone of the user.

"This is currently expected behavior though there are plans to have this changed in the future to better match the time zone of the user generating the report.

Additional information can be found in KBA: https://support.sophos.com/support/s/article/KB-000036898

• CPG 2022.27

If the API credentials used are active and confirmed valid (this can be tested using postman or curl to do a basic whoami and tenent list query outside of Kaseya) and this continues to trigger this error - Please ensure that the following is open (without any regional restrictions) from your VSA server:

• Open traffic to and from kaseya.int100fra.ctr.sophos.com

• Ensure the following IP Addresses are whitelisted - 18.159.54.20 , 3.123.181.234 , 52.59.169.88

Please ensure that the following is open (without any regional restrictions) from your VSA server:

• Open traffic to and from kaseya.int100fra.ctr.sophos.com

• Ensure the following IP Addresses are whitelisted - 18.159.54.20 , 3.123.181.234 , 52.59.169.88

Documented in https://community.sophos.com/sophos-integrations/w/integrations/105/sophos-integration-with-kaseya-vsa

• CPG 2022.21

Central Dashboard: ADsync on-premise utility - sync failures reported by some after the utility upgraded. Error = 409 Conflict

Local ADsync log will show the following error with each sync attempt since the utility was upgraded to version 5: "error": "CONFLICT", "message": "Directory source should be active and no other sync should be running to trigger a new sync."} / HTTP 409: Conflict

See workaround section for how to fix this

Expected behavior when another sync is still running

• CPG 2022.21

The Partner Dashboard ‘Sophos Customers’ page, may incorrectly show an empty Optix trial icon for one or more customers. The customers' dashboard does not have an Optix trial enabled.

In the interim of this being removed, the icon should be ignored.

• CPG 2020.14

When using Internet explorer please note that you may experience longer than normal page load times working in Sophos Enterprise and/or Sophos Central dashboards.

We expect to address this in the future, in the interim please use Chrome or Firefox to manage Sophos Dashboards.

• CPG 2022.18

Central Dashboard: Custom firewall reports are only able to be sent to local Central Administrators (not Partner or Enterprise administrators)

If a Partner or Enterprise Administrator attempts to add non local administrators to firewall reports (Firewall Management > Report Generator > (add or edit any report) > Available Recipients section.

If you add any Partner or Enterprise Dashboard administrators, these will not receive the report via email. Additionally, when you reopen the report, these administrator names added will show as UUIDs.

There is no workaround to this issue

There is no workaround to this issue. Currently only local administrators are able to be used for Firewall report delivery at the Central Dashboard level

There is a known behavior when viewing particular events on the Events Report page (https://cloud.sophos.com/manage/reports/protection/events/create). The Server re-protected events will remain visible, even after unticking the Event type ‘Computer and Server re-protected’ category.

Until this is resolved, the “Computer or server re-protected” event needs to be ignored in the report. As we understand that this can be annoying, there is a limitation in our current design, and the fix required, unfortunately, needs a good amount of changes. We are in the transformative process of handling all events to go through a centralized workflow.

"Reports that are exported as a PDF have times annotated as UTC

Reports that are exported as CSV have times listed in the time zone of the user running the report.

The times are the same in UTC "

This difference in how the times are presented between reports will be addressed in a future version of Central Admin.

This is an example of what to expect (all times are equal):

1. PDF is UTC time (Regardless of time zone where report is pulled)
= 9/8/17 10:57 PM

2. CSV report pulled from system in EST
= 2017-09-08 T 17:57:01-05:00

3. CSV report pulled from the system in PST
= 2017-09-08 T 14:57:01-08:00

• 2019.12

When logging into Central Partner Dashboard from the id.sophos.com page, you may sometimes get re-directed to a settings/text page instead of the Dashboard

Clearing the browser's cache will temporarily resolve this, though it may happen again until this is resolved.

In the interim, you can avoid this by either logging in to either the Partner Portal first (https://partnerportal.sophos.com then select the 'Manage Sophos Central' link) or log directly into the Partner Dashboard (https://cloud.sophos.com/manage/partner/)

Additional information can be found in KBA: https://sophserv.sophos.com/article/121583 (selecting the question "Why do I see a page of text after attempting to log into Partner Dashboard?")

• CPG 2019.45

When using custom date ranges within an Event report, the returned results incorrectly include events that go beyond the expected Timezone offset. 

Additional information can be found in our knowledge base article https://support.sophos.com/support/s/article/KB-000036898

• CPG 2022.06

There is a known issue/behavior where Partners who are managing thousands of computers within the Sophos Automate Plugin will see a dramatic delay when working within the ‘Computers’ section of our plug in (15 minutes to make a change/or see an update)

There is no workaround in the interim of this being addressed.

• CPG 2022.09

When using API credentials (Service Principals) - certain jwt token refresh errors can be logged in the Central Dashboards Audit log as 'anonymous:' and 'failed authentication' with the IP of source. (eg. siem.py script/ ADsync utility/ etc). This is an expected logging event that can occur during normal operation and it does not require any follow up action.

These entries can be ignored. See https://support.sophos.com/support/s/article/KB-000043845 for more information.

• CPG 2020.47

Sometimes during the EDB enablement process, the conversion of the Central Super Admin to Enterprise Super Admin may fail. In that scenario, you will get an 'Authentication Failure' when trying to log back into your newly created Enterprise Dashboard.

If you encounter this, please follow the 'Forgot Password' link/process which will repair your login and access for that account.

• CPG 2019.15

While there is no limit given to the number of users that can be attempted to upload (outside of the 2MB file size limitation).

It is recommended to upload users in batches of 1000 at a time. It is possible to upload more at once, though depending on the time of day (peak business hours) you may experience this timeout behavior.

Additional information can be found in customer KBA https://support.sophos.com/support/s/article/KB-000038811?language=en_US

Using certain browser extensions, error 403 or 404 is received during the selection of the authentication type during MFA setup

Additional information can be found in customer KBA https://support.sophos.com/support/s/article/KB-000038802?language=en_US

• not planned to be changed

The feature to enable domain name override for reported users on macOS, detailed in this KB: https://support.sophos.com/support/s/article/KB-000036151 , requires that the user account type is Mobile.

By default, a direct Active Directory join uses this user type, however some other providers may not set it. Sophos’ detection of the user as a domain one requires the user account type to be mobile to trigger. There are no plans to change this behavior at this time.

If the provider allows it, set the user account type to Mobile. Apple has provided information here: https://support.apple.com/en-ca/guide/mac-help/mh32157/mac

• Fixed in 2023.1

If the _Sophos user is the first one created on the system, due to previous logins only being with remote accounts (eg: AD logins with no caching), it can be given the SecureToken. This can cause issues for other applications.

This is the same underlying cause as is detained in the Sophos SafeGuard KB here: https://support.sophos.com/support/s/article/KB-000037137?language=en_US

1: Uninstall Sophos
2: Remove the _sophos user by running: sudo /usr/bin/dscl . -delete /Users/_sophos
3: Ensure an account has a local profile, either by adding a local account, or enabling local profiles for active directory accounts
4: Re-install Sophos

Apple iCloud Private Relay uses an isolated connection that the OS does not provide to Sophos for purposes of web protection or control. If a user enables this (paid subscription from Apple), we cannot provide web protection or control on the system for non-local traffic.

None

• TBD

Multiple times per day the security heartbeat can report drops for macOS Monterey clients when they did not actually drop.

None

When Sophos and LightSpeed relay agent are installed together, web browsing will fail to load webpages and installs will fail.

Uninstall LightSpeed relay agent

Ava Reveal’s web protection filter and the Sophos web protection filters may cause web browsing to fail when both are loaded.

Sophos has worked with Ava and we have found that multiple content filters and a transparent proxy triggers an OS issue. As of August 2022, this is considered an incompatibility due to the OS.

Turn off Ava Reveal extension or uninstall Sophos for MacOS

• Will not be fixed

In the release 9.13.0 of the SEC-based Endpoint for macOS, the name of the OS no longer shows 11 or 12, but 10.16 in Sophos Enterprise Console

This will not be fixed before the retirement of this Endpoint in July 2023.

None

The device summary in Sophos Central lists ‘Endpoint Protection' or 'Server'Protection' as 'Pending...', when the Endpoint is assigned with a Special or Static Package via the Sophos Central 'Software Management’ functionality.

This is a cosmetic issue as static or special packages no longer provide information about the legacy ‘Endpoint Protection' or 'Server'Protection' modules and can be ignored.

None

Account Health Check “Autofix” cannot fix policies that have the advanced settings turned off/not on recommended.

None

The checks performed by Sophos Central determining if a device is a duplicate or not is case sensitive.

Sophos Central checks for the following information before making the decision to create a new entry or keep the existing one during the client registration:

-Domain name
-Computer name (Netbios name)
-OS (e.g. Win10, not more specific/detailed than that)
-FQDN
-Mac serial number (if a Mac)
-Whether SSPL or not (Linux)
-If it is marked as a clone always create a new entry

All of the checks are case-sensitive.

• known limitation, not planned to be fixed

CDB Hero Reports export PDF contains no data when created with Central Admin Dark Mode enabled.

Use light mode to generate a PDF report

• Planned for SPL 2023.2

When using the install option --do-not-disable-auditd when using SPL 2023.1, it does not enable auditd as expected.

A workaround for this issue can be found detailed in the following KB: https://support.sophos.com/support/s/article/KB-000044934

see linked KBA

• Core Agent version 2023.2

• Core Agent

The File Integrity Monitoring setup may file with the error “FIM service: Event Journals folder location could not be found atB:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals: [FAILED]” if a drive letter mapping A: or B: exist on the system that matches the actual system root, causing it to mistakenly set A: or B: as the system drive. Example:

B: "\Device\HarddiskVolume1"
C: "\Device\HarddiskVolume10"

Change the "A:" or “B:” drive mapping to a different volume that would not match the system root or set the drive mapping to “D:” (or higher), so that the “C:” drive mapping will be matched first.

• Core Agent version 2023.1

• Core Agent

Even though updating correctly from an Update Cache, Endpoints running on Windows 7, Windows 8.x, or Windows 10 x86 as well as Windows Server 2012 R2 (and below) are not listed in the ‘Using This Cache’ list in Sophos Central.

None

• TBD

• Device Encryption

On ARM64 devices that are using the SCM or UFS storage bus type for the internal storage, the encryption of data volumes (non-boot volumes) does not start. However, system drives (boot volumes) get encrypted as expected.

Known models affected by the issue: Lenovo Yoga C630, Samsung Galaxy Book S

Other ARM64 devices utilizing SCM or UFS storage bus type are expected to be affected as well.

For the time being, the only option is using the complete available space of the internal storage for the system volume.

• Core Agent

On computers with Sysinternals System Monitor (Sysmon) installed and configured with a "FileDelete" rule targeting ".bin" files, Sophos Endpoint Defense Service (SEDService.exe) will constantly run with high CPU.

This is caused by a conflict with Sysmon when SEDService.exe performs compression of Event Journal data and the subsequent deletion of the uncompressed *.bin Event Journal files. When .bin files are covered by a Sysmon FileDelete rule, Sysmon tries to rename/archive the Tamper Protected file and conflicts with Endpoint Defense Service, leaving the uncompressed file in place.

Removing .bin files from the TargetFilenames of the FileDelete rule resolves the issue. For details, please see KB-000044827

• Core Agent

Updates fail when Sophos Central Endpoint is installed alongside Check Point VPN version 86.40

Please see KBA for workaround steps - https://support.sophos.com/support/s/article/KB-000044497

• TBD (Win10 64bit and later) - TBD (WinServer 2016 and later) - TBD (W10 32bit/W8.1/W8/W7) - TBD (WinServer 2012/R2/2008R2)

• Intercept X

The creation of *.mdb files may trigger a Lockdown detection.

Disable Lockdown mitigation for MSAccess application via Threat Protection policy only to affected systems.

• Core Agent 2022.4 (WinServer 2016 and later)

• Core Agent

The Sophos Network Threat Protection Service utilizes a routine that is called every 30 seconds, which creates a local variable when initialized, resulting in a start of the Network Setup Service.

None

• TBD

• Intercept X

With ‘Monitor Mode’ enabled for the Sophos Central Account (Account Details -> Account Preferences -> Evaluation Modes -> Monitor mode), creating a Diagnose Log from Sophos Central will trigger a Credential Guard alert when Diagnose calls “C:\Windows\System32\tasklist.exe /M /FO CSV”

This is a detection that only occurs in Monitor Mode.

None

• Core Agent

Windows Servers might show an increased non-paged pool memory consumption from a pool tag labeled Sg01 or Sg03. The memory is allocated by the Sophos Endpoint Defense Data Content Records (used to keep track of PE-file information and SHA-256 values) which get loaded on boot.

None

• TBD (Win10 64bit and later) - TBD (WinServer 2016 and later) - TBD (W10 32bit/W8.1/W8/W7) - TBD (WinServer 2012/R2/2008R2)

• Intercept X

HitmanPro.Alert Service (Hmpalert.exe) is consuming high CPU when multiple thousand Exploit Mitigation Exclusions are applied to an Endpoint and stored in the Endpoint registry (e.g. under HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert_policy_\java.exe).

None

• TBD (Win10 64bit and later) - TBD (WinServer 2016 and later) - TBD (W10 32bit/W8.1/W8/W7) - TBD (WinServer 2012/R2/2008R2)

• Intercept X

Moving and overwriting files on a network location with Ransomware Protection enabled locally may slow down the move operation.

None

• TBD (Win10 64bit and later) - TBD (WinServer 2016 and later) - TBD (W10 32bit/W8.1/W8/W7) - TBD (WinServer 2012/R2/2008R2)

• Intercept X

Ransomware Protection may raise a false alert due to linking unrelated files together, when an identical number of bytes is being read/written

None

• TBD (Win10 64bit and later) - TBD (WinServer 2016 and later) - TBD (W10 32bit/W8.1/W8/W7) - TBD (WinServer 2012/R2/2008R2)

• Intercept X

The HitmanPro.Alert logfile (located at C:\Programdata\HitmanPro.Alert\Logs\Sophos.log) contains entries for non-normalized application paths, which are often logged for compiler applications:

Example:

YYYY-MM-DDTHH:MM:SS.FFFZ [Protected] PID 1234, Features 007D2E3000000100 Silent 0020000000000100, c:\\msys64\\opt\\rtems-5-win\\bin\\..\\lib\\gcc\\arm-rtems5\\7.5.0\\..\\..\\..\\..\\arm-rtems5\\app.exe

This can be relevant when defining exclusions for specific applications.

None

• Intercept X 2022.1.3.3

• Intercept X

Ransomware Protection may raise a false alert against license documents (license.html and license.htm)

None

• Intercept X 2022.1.3.3

• Intercept X

Ransomware Protection may raise an alert against Backup/Sync software if actual ransomware notes are restored from a backup and therefore terminates the backup/sync process.

None

• Intercept X 2022.1.3.3

• Intercept X

Ransomware Protection may raise a false alert due to linking unrelated files together when files share the same name (but different file extension)

None

• Intercept X 2022.1.3.3 (HMPA 3.9.0.1391) on Win10 64bit and later + WinServer 2016 and later - Intercept X 2022.1.3.3 (HMPA 3.8.5.36) on W10 32bit/W8.1/W8/W7 + WinServer 2012/R2/2008R2

• Intercept X

Folder-based Ransomware Protection exclusion (Windows) cannot be applied to root drives (e.g. “C:\”)

None

• Intercept X

Chrome or Edge (32-bit) may show error 0x80000001 on Endpoints running Intercept X with Data Execution Prevention mitigation enabled. This issue only impacts 32-bit versions of Chrome or Edge. The 64-bit version of Chrome or Edge is not impacted.

The issue is addressed in the current version of the Intercept X cumulative hotfix, available in Knowledge Base Article KB-000038477. Alternatively, until a fix for the issue is available, the Data Execution Prevention mitigation may be disabled for the impacted browser process.

• Core Agent

If a Microsoft Azure computer running Windows Server 2016 with a Mellanox network interface is started from the "Stopped (deallocated)" state, the Sophos Network Threat Protection service may get stuck in the start pending state. The service is pending a Windows Filtering Platform (WFP) call from the system which is not being returned when the system starts from a “Stopped (deallocated)” state, resulting in the issue.

This is an environmental/driver issue. No solution is available from Sophos Central Endpoint.

To prevent the issue on Windows Server 2016, avoid using the “Stopped (deallocated)” state when turning off the server. However, when the state has to be used, restart the server once again after it started from that state and is in the problematic state.

This issue only occurs on Windows Server 2016. In Windows Server 2019 and Windows Server 2022, starting the server from the “Stopped (deallocated)” state correctly returns the WFP call to the Sophos Network Threat Protection service, which allows the service to start correctly.

Please see KBA for additional information - https://support.sophos.com/support/s/article/KB-000044781

• Intercept X 2022.1.3.3 (HMPA 3.8.5.36) on "W10 32bit/W8.1/W8/W7" + "WinServer 2012/R2/2008R2"

• Intercept X

Browsing a website with Microsoft Edge on Windows 10 32-bit systems may result in error 0x80000001

Turn off Data Execution Prevention on Microsoft Edge for affected systems.

1. Sign in to Sophos Central.
2. Go to Overview > Endpoint Protection > Policies > Threat Protection Policy > Settings.
3. Click Add Exclusion (on the right of the page).
4. Under Exclusion Type, select Exploit Mitigation (Windows).
5. In the application list, select Microsoft Edge
6. Under Mitigations, turn off Data Execution Prevention.
7. Click Add.
8. Click Save.

• Core Agent

After upgrading servers to Core Agent 2022.2 Citrix User Profile Manager process may fail to delete users' temp profiles.

Possible symptoms:

i. user profile is not deleted automatically

ii. ongoing sessions (sessions not getting removed)

iii. some applications fail to launch halfway

Please raise a ticket with Sophos support with the reference https://sophos.atlassian.net/browse/WINEP-43577#icft=WINEP-43577/https://sophos.atlassian.net/browse/WINEP-43242#icft=WINEP-43242 and request to get the corresponding fix enabled.

• Core Agent

Due to an issue in the enumeration function of the Sophos Endpoint, Endpoints with Data Loss Prevention enabled may freeze and eventually crash with stop code DRIVER_POWER_STATE_FAILURE (9f) when a security token (e.g. YUBIKEY) is attached to the system.

Until a fix for the issue is available, exclude storage destinations from any Data Loss Prevention rule, to prevent the issue

• Core Agent

If Firefox is configured to use a WPAD for proxy configuration, it fails to browse.

Affects Core Agent 2.20.13 and above.

Use manual proxy configuration for Firefox. All other browsers handle WPAD fine.

• Updated in Core Agent 2022.2.1

• Core Agent

Customers using some Qualcomm Atheros chipset network cards can fail to connect to wireless networks after updating to core agent version 2022.1.x.

Other adapters use this chipset, including the Dell 1802 and 1702 network adapters. A full list of adapters we have seen impacted can be found here:

https://support.sophos.com/support/s/article/KB-000042044?language=en_US

Turn off IPS in the Central Threat Protection Policy

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)

• Core Agent

Some customers have reported Firefox having issues loading Gmail intermittently. This is due to a connection reset issue.

Applies to Core Agent version 2.20.13 and above. This has been improved in Core Agent 2022.2.1

In the Threat Protection policy, turn off Real-Time Scanning - Internet
In the Web Control policy, turn off Web Control

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)

• Core Agent

Web browsing and download speeds are slower Web Control and / or Real-time scanning Internet in Threat Protection is enabled

Turn off Web Control policy
Turn off the settings under Real-time scanning Internet in Threat Protection

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)

• Core Agent

Uploading larger files to FileVine or other document management systems may fail.

Turn off Web Control
Turn off Real-time scanning Internet

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)

• Core Agent

With HTTPS/SSL scanning turned on, unable to cast to Chromecast devices.

Add website exclusion for both HTTPS and Threat protection website exclusion for the IP of the Chromecast device

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)

• Core Agent

After the update to Windows Core Agent 2022.2.1.9 a BSOD may occur with the faulting module being - NETIO.sys

The issue is still under investigation, and improvements are expected in the next Core Agent version.

Please see KBA for workaround steps - https://support.sophos.com/support/s/article/KB-000044389

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later) - Not planned to be fixed (W10 32bit/W8.1/W8/W7/WinServer 2012/R2/SBS 2011/2008R2)

• Core Agent

When using Firefox and browsing a website (IE: Google) and clicking on different links quickly can generate an error: ERR_SSL_BAD_RECORD_MAC_ALERT

1. Close and re-launch Firefox
2. Turn off Web Control and Real-time scanning - Internet
3. Set "security.tls.enable_0rtt_data" = false on the about:config page for Firefox

• Core Agent 2022.3.0.56 (Win10 64bit and later) - Core Agent 2022.3.0.84 (WinServer 2016 and later)

• Core Agent

The download of large files fails when Senso Cloud, iBoss, and other third-party Windows Filtering Platform (WFP) programs are installed alongside Sophos Central Endpoint

The error seen in the browser:
Couldn’t download - Network issue  

Please see KB for workaround steps for reported product conflicts - https://support.sophos.com/support/s/article/KB-000044418

• Core Agent

The gold image switch is not working for VMware Horizon with ClonePrep environment.

The issue occurs here because when using “ClonePrep” the device is snapshotted and then spun up - a snapshot is then created from this new machine before it's snapshotted and cloned again.

As an example: The machine they use as the “GoldImage” GOLD-W10 is then renamed to W10-1 itself and then from W10-1 a new machine is created called W10-2 and this then repeats.

The workaround is to use the older style gold image prep script

The workaround is to use the gold image prep script during the shutdown.
Details are described in the following KB: https://support.sophos.com/support/s/article/KB-000035040

• Intercept X

Systems running CryptoPro CSP software (http://www.cryptopro.ru) raise APCViolation alerts against random processes on the system (e.g. C:\Program Files (x86)\Sophos\AutoUpdate\Telemetry\SubmitTelem.exe).

Disable "Prevent APC violation" in the Threat Protection policy of the Endpoints that need to run CryptoPro CSP.

• Intercept X 2022.1.3.3

• Intercept X

Improved Ransomware Protection compatibility with 3rd party software eFlow.

Hotfix version 3.9.0.1222 can be applied as a workaround.
Check KB-000038477 for details and download.

Virtualization platforms (e.g. Red Hat KVM, Nutanix VM, Proxmox) running Red Hat VirtIO Ethernet Adapter Service with the default netkvm.sys driver (C:\Windows\system32\drivers\netkvm.sys from 11/08/2016) may show various types of intermittent networking issues when Sophos Network Threat Protection Service is running and the service may show as stuck in a starting state after rebooting the system.

Update the Red Hat VirtIO Ethernet Adapter drivers to the latest version.

• Core Agent

Endpoints may lose internet browsing capabilities when resources are low.

Error seen in logs: 2022-04-27T13:43:18.079Z [ 4712: 4476] E Exception in input: Failed to read from device: Insufficient quota to complete the requested service.

The investigation of this topic is ongoing. For the time being the workaround mentioned here can be applied.

Turn off the following policies and settings:

Web Control policy
Three settings under Real-time scanning Internet in Threat Protection policy

• TBD (Win10 64bit and later) - TBD (WinServer 2016 and later) - TBD (W10 32bit/W8.1/W8/W7) - TBD (WinServer 2012/R2/2008R2)

• Intercept X

Folder-based Ransomware Protection exclusions that target a mapped network drive (e.g. X:\), do not apply.

Apply the latest Sophos Intercept X cumulative hotfix from KB-000038477 and change the mapped network drive exclusion to point towards the network location, using a wildcard for the server name. Example: If "X:\" is mapped to"\\server1\share2\folder3", update the folder-based ransomware exclusion to target "**\share2\folder3"

• Intercept X

ConnectWise Automate / LabTech Agent (LTAgent.exe) triggers Dynamic Shellcode mitigation on Servers running Intercept X with Exploit Mitigation and Dynamic Shellcode protection enabled. The ConnectWise Automate host server is unable to launch Automate Control Center as it relies on LTAgent.exe, which fails to launch.

Check KB-000044124 - Dynamic ShellCode Detection on ConnectWise Automate host server

• CM 2022.03

• UI (legacy)

Firewalls managed by Sophos Central without enabled IPS might get a message that enabling IPS worked though there is no valid Network protection license.

Get a valid Network Protection license

• CM 2022.39

• Micro Service
• SDWAN-PDB

If Customers are created by partner in any FSC region then PDB Customer inventory and PDB Firmware upgrade Functionality would not be available for the customers of FSC region.

These functionalities would be available to customers of FSC region along with PDB firewall Template support for FSC region.

Sophos Central may NOT upgrade Sophos firewalls to 19.5 GA even though the firmware is seen as on Sophos Central. 

As 19.5 GA is still in the staging phase (standard firmware releases phases), many firewalls would NOT have received the in-product firmware upgrade for this version. The firewall will NOT be upgraded from Sophos Central if the firewall hasn't received the 19.5 GA staging version. 

Refer KBA - https://support.sophos.com/support/s/article/KB-000044725?language=en_US

• CM 2.2 2021.49

• Full Sync

Default IPS policies will not be pushed to a Sophos FIrewall with version 18.5 MR2 if:

The firewall is being just added to CM after the update

There is a group configuration change affecting firewalls with 18.5 MR2

Basically, the full sync process will skip the IPS opcode configuration for these devices running on v18.5 MR2.

On Sophos Central, go to Firewall Management > Intrusion Prevention > IPS policy > Edit the Default policy > Save, and it would then be pushed to the XG Firewall.

• CM 2.0 EAP1

• NoRelease

• Central Management

From SF v18.5 MR2, when FIPS mode is enabled, the device will reboot with factory reset. 

If the Firewall is registered and central services are accepted by the Central Admin and Admin Enables FIPS mode, the device will boot with factory reset config.

On Re-registration and Enable Central Management, Endpoint already known to the Central and Central Management API considers this as a Bad request as Central Services already approved.

There are two workarounds:

After factory reset, Remove the firewall from Central
After factory reset, register the device to Central and de-register it.
After performing any of the above steps, register the device again and now Admin will be able to Enable Central Services (CM/CR)

• CM 2.1 2020.50

• NoRelease

• Import-Export

Steps to recreate:

• Create WAF rule on base Firewall A from which you would want to import the configuration

• Create a group(Group 1) in Central with using config import option "Import existing configuration"

• Import the configuration from Firewall A

• Import would get successful and full sync would also pass if we add any other Firewall device(Firewall B) to this group

• Get onto "Manage Policy" page of that created Group 1.

• You will see "Loading" error on Firewall rules page

Expected Output:

"Loading" error should not show on Firewall rules page on Group, after importing WAF rule

Actual Output:

"Loading" error is there on Firewall rules page on Group, after importing WAF rule

• CM 2.2 2021.16

• SD-WAN

Supporting only bundle license in an SDWAN connection group.

Following bundles are supported:

• CENTRAL_ORCHESTRATION_TERM

• XSTREAM_PROTECTION_TERM

• XSTREAM_PROTECTION

• XSTREAM_PROTECTION_WAF_EMAIL

This bundles are not supported:

• Standard Protection

• Enhanced Support

If a bundle is not supported then the customer is not able to use SDWAN because the device will not appear in SDWAN.

• CM 2.2 2021.04

• UI

Firewall display issues seen in Central with more than 50 groups.
Firewalls in group randomly disappear while managing firewall in Central.
If you logout and log back in, or you un-collapse, navigate away and comeback, firewalls are all displayed okay. This is a pure UI issue with scrolling inside an expanded group.

Collapsing the group and expanding again will solve this issue.

• CM 2.1 2020.35

• Global Policies

Firewall rule reordering in Sophos Central Management group policy page is not supported.

 User can reorder the rule in XG Firewall. 

• CM 2019.30

• Dummy

If the available bandwidth is limited, Firmware upgrades for Sophos firewall devices might fail if triggered via Sophos Central -> login -> Open XG firewall through RP tunnel -> Backup and Firmware -> Upload Firmware

• iView 02.00 MR-2 (02.00.0.776)

• On Premise Reporting

Web surfing Reports as PDF with more than 200 entries is not possible. Creating a web surfing report you can only get an output from the first 200 entries in the iview.

This is applicable both iview1/iview2.

Reason: The reason for this would be that PDF generation with all the records will impact the performance of iview.

The only work around would be to generate the detailed report in Excel format. Excel would support upto 100000 entries.

Issue seen when in the MDR section > select ‘Customize Preferences’

Refresh the browsers webpage

Shared mailboxes are not supported in the Outlook plugin.

The plugin is shown in OWA, but the functionality is incomplete. It is able to report campaign/non-campaign emails but it's not deleting the emails after submission.

Phish Threat currently uses the UTC timezone in all of its regions, there is also no logic defining the start of a work day. This means that there is a possibility that a Training reminder email is sent at 00:01 UTC on a Monday, which, depending on the timezone of the end-user, may be received during the day on a Sunday.

The very first reminder e-mail is sent as quick as possible to make sure users finish their training sooner than later. Every subsequent reminder email will follow the value selected in the frequency drop-down.

Taking Phish Threat Training via Smart Phones is not currently supported due to format supportability issue.

• 3.0 (2018.40)

• backend

If a user is deleted from the Phish Threat Dashboard but repopulate automatically after sometime, this is expected behaviour if a campaign was sent to the user within the last 30 days.
Both v1 and v2 report to Central the usage for the last 30 days, which is based on email addresses that were used as part of a campaign. When a reported email does not exist in Central, a user is created which is expected behaviour.

• 3.0 (2018.40)

• Campaigns

Creating and sending a Phish Threat Campaign without associated training material results in a 404 page being displayed when the enrollee clicks the link.

This allows a dry run of a campaign to be sent so that the admin can gauge how many of his employees are likely to need training. The admin should be able to check how many of the enrollees opened, and clicked on the email attack. But the enrollee should not see anything else, so they won't get suspicious when the new attack is sent.

• Legacy Support

• Legacy Support

• Customer Portal

The powershell script used to generate the macro within attachment attack documents is not working properly on Mac OS.

• 3.0 (2018.40)

• Campaigns

The following warning message might show up when clicking on a link within a Phish Threat campaign for G Suite customers with Central accounts in the East region giving users preemptive warnings:

Suspicious link: this link leads to an untrusted site. Are you sure you want to proceed to vk39fk6q.r.eu-west1.awstrack.me?

 Unfortunately a request cannot be made to delist from google as it requires proof of ownership. As the links are generated using Amazon services, we cannot supply this. A complete rehaul of Phish Threat will need to be made to change URLs for campaigns.

• v2.0

• Campaigns

Microsoft currently provides no effective way for us to monitor and remove domains/URLs from the Microsoft Defender SmartScreen list.

This means that the aforementioned feature is not compatible with our Phish Threat product.

• Campaigns
• Customer Portal

The "select all" functionality of the users selection fields in the "New Campaign creation - Enroll users" is limited to the first 40-50 users, unless the admin manually scrolls the user selection scroll box down to load the full user list into the browser and re-clicks the 'select all' function for adding/removing users to the campaign. 

• Campaigns

The normal workflow for Attachment Campaigns involves the fact that once the attachment has been opened, and the link inside of it activated, the user already failed the campaign - regardless of what's in the document.

Everything else about the Attachment Campaign should still work fine.

• Training

The following URLs are officially blocked in China.

https://sophos-phish-threat.go-vip.co/
https://staysafe.sophos.com

This means that training content will not work properly.

The only possible workaround would be for the affected users to use a tunnel-all VPN solution.

• Campaigns

When using AD sync with Phish Threat you cannot push out campaigns to sub-groups. The user must be a direct member of the group in order to receive the campaign.

• 3.0 (2018.40)

• Campaigns

If a campaign is created with large number of users then there are chances of page gets hang and campaign never gets completed.

Currently it is recommended to add less than 500 recipients at a time.
This will be improved in the future.

• 3.0 (2018.40)

• Campaigns

In rare instances customers may report when sending a training campaign they get presented with a "Oops, that page can't be found" error when clicking the training links.

The page may load after refreshing several times. Please wait and try the link again after some time.

This scenario can be seen during a web server refresh on the hosting server, normally it takes a couple of minutes to refresh all the training and landing pages - if the link was clicked during that specific refresh time the error will be received.

• v6.4.0

• User Interface

An error is display in the policy constructor of the Admin UI

Can't read modified policy script: cannot negate test pmx_delayed_mail at /opt/pmx6/lib/site_perl/5.8.7/PureMessage/Manager/Policy.pm line 26

The error comes from combining another test with a negated pmx_delayed_mail test.
Workaround is to separate the tests into two nested tests

Example

• UNKNOWN

The concurrency_limit_action option is ignored when running with the process pool enabled (the default setting). If the maximum allowed concurrency is reached, handling of subsequent SMTP connections is determined exclusively by the flags set in the INPUT_MAIL_FILTER option in sendmail.mc

• UNKNOWN

Because per-recipient tests split a message into multiple messages (one for each recipient), it is possible to scan the same message for spam and viruses more than once. This puts an unnecessary load on the system. Therefore, it is advisable to perform per-recipient blacklist/whitelist/optout tests before scanning for spam. Also, these tests should have an associated 'stop' action, so that processing does not continue. (The default policy script is an example of the correct configuration.)

Per-recipient rules that simply add a header or log some data should be avoided. This will minimize the amount of processing that PureMessage has to do. This is not a problem if no per-recipient tests are used. Per-recipient tests are:

• Any tests that employ an end-user list.

• The envelope-recipient matching test (envelope ``to'').

• UNKNOWN

If the policy.siv file is deleted, the PureMessage Manager's Policy editor does not generate the require "PureMessage" command. The workaround is to click "see the source", and then click on "/opt/pmx/etc/policy.siv", and add the line:

require "PureMessage";

at the top of the file. (#24992)

• UNKNOWN

When synchronizing publications via the Server Groups tab in the Manager, all subscribed edge servers (not just the selected edge server) are synchronized. To synchronize only one edge server, run the following command at the command line while logged in as the PureMessage user:

pmx-share sync -h HOST-NAME -p PUBLICATION_NAME

• UNKNOWN

Regardless of whether PureMessage has been configured to use port 28443 (the default) or port 28080 for End User Web Interface and Groups Web Interface access, the Local Services tab of the PureMessage Manager will indicate that port 28080 is being used for the HTTPD (RPC/UI) service

• UNKNOWN

In PureMessage configurations that use centralized quarantine digests, there is currently no support for mail-filtering servers that have different time zone settings. You must set all mail-filtering servers to Greenwich Mean Time (GMT).

• UNKNOWN

On multi-server deployments with Filter Role servers (that is, servers performing mail processing and quarantining) and a Central Server Manager (CSM), the Manager pmx-manager must be running on the edge servers in order to view quarantined message bodies when querying the quarantine on the CSM

• UNKNOWN

If PureMessage is installed without a database server, pmx-qmeta-index may display the following error when run:

Can't connect( HASH(0x8421378)), no database driver specified and DBI_DSN env var not set at\ /opt/pmx/lib/site_perl/5.6.1/PureMessage/MessageStore/pmdb.pm line 116

This error means that there is no database available to process the queue

• UNKNOWN

For PostgreSQL 9.x, the pmx-pg-tune tool analyzes system settings and configures shared memory for PostgreSQL in order to improve database performance. If your system settings are not in the recommended range, this command attempts to make the necessary adjustments. However, if your system has more than 8 GB of memory, pmx-pg-tune does not automatically set the shared buffers. You will have to set these manually. For more information, see "Tuning PostgreSQL for PureMessage" in the Sophos Knowledgebase, or contact Sophos Technical Support.

• UNKNOWN

End User Web Interface (EUWI) authentication currently favors the value of the initially granted cookie over any login form values. One of the consequences of this is that moving the UI pages to a different host when users already have a valid cached cookie may result in login failure. The only available workaround is to have users clear the offending cookie from their browser cache

• UNKNOWN

A large number of quarantined messages (50,000 or more) may cause the httpd process to consume excessive amounts of RAM that is not released until MaxRequestsPerChild has been exceeded. If this becomes a problem, the workaround is to lower the default value that causes the httpd process to recycle this memory more often

• UNKNOWN

Adjusting the font size setting in your browser may cause display problems in the PureMessage Groups Web Interface

• UNKNOWN

When searching the quarantine via the PureMessage Groups Manager, you can select the number of messages to be displayed per page. When selecting 500 or 1000 from the Results to Display drop-down list, the search results are not returned immediately. During the delay, PureMessage does not display a message indicating that results are being retrieved.

• v6.4.8

• Mail Logs

After upgrading to PMX 6.4.8 some configurations may experience Postfix rejecting mail with the following errors

Aug 22 11:12:36 hostname postfix/smtpd[80254]: warning: unknown smtpd restriction: "ignore_policy_error"
Aug 22 11:12:36 hostname postfix/smtpd[80254]: NOQUEUE: reject: RCPT from mail.domain.com[1.1.1.1]: 451 4.3.5 Server configuration error; from= to= proto=SMTP helo=

This is caused by the following configuration option being present in the _/opt/pmx/postfix/etc/main.cf_ file:

smtpd_client_restrictions = ignore_policy_error,check_policy_service inet:[127.0.0.1]:4466

To avoid this problem the above line should be replaced with the following 2 lines immediately after upgrade to 6.4.8:

smtpd_client_restrictions = check_policy_service inet:[127.0.0.1]:4466
smtpd_policy_service_default_action = DUNNO

This is caused by the following configuration option being present in the /opt/pmx/postfix/etc/main.cf file:

smtpd_client_restrictions = ignore_policy_error,check_policy_service inet:[127.0.0.1]:4466

To avoid this problem the above line should be replaced with the following 2 lines immediately after upgrade to 6.4.8:

smtpd_client_restrictions = check_policy_service inet:[127.0.0.1]:4466
smtpd_policy_service_default_action = DUNNO

• v6.4.6

• User Interface

When running PMX on RHEL7 large list files ( > 58215 entries) may not display in the management GUI

All the entries are still processed successfully by the mail filters however. 

Our recommendation is to always convert any lists that contain more than 5000 entries to a CDB file (rather than plain text list). Doing this will also resolve this issue and allow the list to display in the GUI

• v6.4.9

A user created in the Admin UI for the Admin UI can not be disabled.

Change the password so that the user cannot log in anymore

• v6.2.2

• UNKNOWN

Doing a search on a custom log reason containing an underscore in it, displays "no result".

This is by design as the underscore is the replacement character for the space. The system can not tell the difference between a natural underscore and a replaced space.

• v6.4.6

• UNKNOWN

The PMX_VERSION template is updated on an AntiSpam Database reload and a restart of the milter.
This results in the Antispam Version being current, and the AntiVirus version being that of the last restart of the milter.

• v6.4.5

Does PMX 6.x supports macros[1] in spf

For example this SPF: “v=spf1 include:domain.com._nspf.XXXX.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.xxxx.email ~all”

Would that be successfully interpreted and resolved on a standard PMX installation.

Yes anti-spam engine supports SPF macros

• v6.3.3

• Build

Milter rejects messages returning error 452 too many recipients when setting the _default_destination_recipient_limit to 1050

smtpd_recipient_limit
is the max number of recipients postfix accepts in an email

default_destination_recipient_limit
is the max number of recipients postfix will send a message to before splitting it

the milter accepts a maximum number of 100 recipients, so a message of 1000 recipients into postfix will be split into 20 messages before being forwarded to the milter.

Changing those values is dangerous as some sites will assume that a "properly configured postfix" will not send more than 50 recipients in one single mail.

Logging/File Details

Mar  8 18:15:49 scmx011cto postfix/smtp[31885]: 791723AA201: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=695, delays=695/0/0/0.59, dsn=4.0.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 452 too many recipients (in reply to RCPT TO command))

• v6.4.0

• User Interface

The status of the historian is not displayed on the Local services Page.

• UNKNOWN

Overriding log_to in a milter section of pmx.conf does not work. The top-level setting is always used

• UNKNOWN

Unless you have adjusted the settings of either pmx-qindex or pmx-queue-run, these scheduled jobs will no longer be displayed in the list of jobs on the Local Services tab upon upgrade to PureMessage 5.5 or later. They have been replaced by the Queue Runner service

• UNKNOWN

Per-recipient tests have significant overhead. Therefore, adding many per-recipient tests to the policy script may degrade performance. It is advisable to minimize the number of per-recipient tests to optimize throughput

• UNKNOWN

Template variables are not evaluated in tests that do matching. Any test that takes a MATCH-TYPE argument (such as, 'is', 'contains', 'matches', 'memberof') does not expand templates in the match expression, since this expression is compiled at startup time

• UNKNOWN

Certain operating systems, such Debian and SUSE, specify more than one "127" IP address in /etc/hosts (for example, 127.0.0.1., 127.0.1.1 and 127.0.0.2). Since some PureMessage functions depend on a certain internal host setting, you should make sure that _/etc/hosts _contains the same "127" addresses as /opt/pmx6/etc/internal-hosts

• UNKNOWN

Some PureMessage updates are extracted into your system's /tmp directory. It is therefore important to control the size of this directory through appropriate system maintenance to avoid consuming excessive disk space

• UNKNOWN

Shifting to and from Daylight Saving Time (DST) creates a gap in PureMessage reports and causes errors to be logged. For complete details on the impact of DST, see the Sophos Knowledgebase entry 23877:
https://www.sophos.com/en-us/support/knowledgebase/23877.aspx

• UNKNOWN

The pmx-quarantine reindex --forget-old command, which schedules cleanup of index entries that correspond to removed messages, does not operate properly. This command is not normally required, as the expired messages are automatically scheduled for removal. In cases when this functionality is needed, the workaround is to use the pmx-quarantine reindex --purge command, which purges the existing indexes and schedules existing messages for re-indexing. Note that the subsequent invocation of pmx-qmeta-index may result in re-indexing of the entire quarantine and may take a long time for large quarantines

• UNKNOWN

The pmx-qman utility currently does not enforce exclusive access to the message quarantine. This may result in errors when running multiple instances of this program on the same mail-processing host. For example, an attempt to approve messages by a second instance of pmx-qman may fail if the messages have been deleted by a first instance

• UNKNOWN

The pmx-quarantine count [folder] and pmx-quarantine list [folder] commands only work on the cur and trash folders. Use operating system commands to examine the contents of other quarantine folders

• UNKNOWN

The cantscan.tmpl and approve-failure.tmpl templates include technical reasons that have not been translated

• UNKNOWN

When using the --earliest option with pmx-qdigest, the timestamp option value must be enclosed in quotes. Otherwise, only the first part of the option value (the date) is used as the timestamp, instead of both the date and the time

• UNKNOWN

If a digest template file is missing during digest generation, subsequent digests may include messages that were included in previous digests. When a digest template is missing, the digest program does not save the identifiers of messages as they are scanned. Therefore, when the digest is re-run (after fixing the missing template), messages are re-scanned. Aside from the duplicate digest entries, there is no other operational impact

• UNKNOWN

If non-ASCII (specifically multi-byte UTF-8) characters are present in the digest, the digest fields may not be aligned correctly. This problem is only seen in the text/plain parts of the digests

• UNKNOWN

When pmx-qdigest is run in centralized mode, it only scans messages that have been indexed by pmx-qmeta-index. This is because the centralized digest works with metadata stored in the centralized (DBMS-based) quarantine; pmx-qmeta-index inserts this metadata into the centralized quarantine. This behavior varies from that of pmx-qdigest when run in local mode, which is able to scan all messages that have been processed by pmx-qindex (that is, those that exist in the filesystem-based quarantine on the server that's running the pmx-digest program)

• UNKNOWN

Memory usage is incorrectly reported by pmx status and ps. Memory used for blocklist data is no longer reported in vmsize of the parent pmx-milter process (which is correct), but the vsz for each individual pooled process includes memory that is actually shared between all pooled processes

• UNKNOWN

Big5-HKSCS is wrongly interpreted as Big5

• UNKNOWN

Adding a Japanese word to the suspect attachment list may not trigger when the word is in the body of the message. This is only the case if you use \b in the regular expression, as the UTF-8 support does not handle word boundaries well

• UNKNOWN

The 'Blocked' field in the table view of the 'Messages Blocked by the Policy' report does not display correctly if pmx_blocklist is not in the PureMessage policy

• UNKNOWN

MTA-level and Policy-level blocking reports display an invalid total count in multi-server deployments

• UNKNOWN

When creating a policy setting for the Groups Web Interface using the pmx-group-policy bcommand, the value specified with the --id option must contain all lowercase characters (for example --id policy_id and not --id Policy_ID). If the ID contains any uppercase characters, clicking the associated policy option check box in the Groups Web Interface results in an "invalid permission" message

• UNKNOWN

When you create a group list using the pmx-group-list command, the wrong list name is added to the lists selection drop-down in the Policy Constructor. The group-specific list should use the name specified with the --name option. Instead, it uses the text specified with the --description option

• UNKNOWN

Even if a group administrator has not been granted permission for the Save button in the Message Details dialog box, the button is always visible. If permission for this button has not been granted, clicking it will have no effect. The same is true of the Forward button that appears at the bottom of each Search Results page

• UNKNOWN

Under certain conditions, clicking the Delete All button on the quarantine Search Results page does not cause the status icon to immediately turn red. Refresh the page to update the status

• UNKNOWN

The page count displayed with the paging controls at the top right of the Search Results page (for example, 1 of 49) is only approximate. For instance, clicking the >> button may not display the last page of results, or it may display a blank page that is beyond what is actually the last page.

• UNKNOWN

Search strings entered in the Subject and Relay text boxes of the Search Parameters sidebar are case-sensitive

• UNKNOWN

When entering the hour portion of start or end time in the date range fields of the Report Parameters sidebar, you must add two zeros after the hour value in order to return the correct results. For example enter "23:00", not "23". Other irregularities with the date range fields have also been experienced

• UNKNOWN

Input validation is not strictly enforced for the text boxes on the Search Parameters and Report Parameters sidebars

• UNKNOWN

Pages in the Message Details dialog box may load slowly if the associated message has a large attachment

• UNKNOWN

The EUWI treats the quarantine reason as mixed case, while the manager and digest do not. For example, if you quarantine a message for the reason "MiXeDcAsE" it will show up in the manager UI and the digest as "mixedcase" and will not show up in the EUWI. To resolve this, change all End User Options "Quarantine Reasons" to lower case and restart the HTTPD process

• UNKNOWN

Messages deleted from the quarantine via the Manager or command line are still accessible via the EUWI

• UNKNOWN

When the EUWI is configured to display in French, the date order on the Options page is incorrect

• UNKNOWN

End users may experience an HTTPD error instead of a well-formatted error message when critical RPC errors occur. If this occurs, examine the rpc_error.log file to determine the root cause of the error and correct it.

• UNKNOWN

The EUWI pages sometimes display errors in English instead of in the localized language

• UNKNOWN

The user preference settings are currently not synchronized by default. The workaround is to use Server Groups to publish these settings.
The following steps enable publication of user preference settings from the primary server:

• Via PureMessage Manager, click the Server Groups tab.

• Click the User-Preferences publication and subscribe all auxiliary servers you want to receive this publication.

• Click the Local Services tab.

• Under Scheduled Services, click Add New.

• Fill in the following fields:
  Command: pmx-share sync -p User-Preferences >/dev/null
  Description: synchronize user preference settings
  Enabled: [checked]

Schedule
Hour: Any
Minutes: 05
Month: Any
Day: Any
Week Day: Any

Or:

• Via a login shell, login as the pmx user.

• Run the pmx-share command to add auxiliary servers to the User-Preferences publication:
  pmx-share add -p User-Preferences -h

• Add a configuration file to /opt/pmx/etc/scheduler.d called pmx-share.conf that contains the following lines:

Synchronize user preference settings

desc = "Sync user prefs"
type = exec
enabled = 1
action = 'pmx-share sync -p User-Preferences >/dev/null'

s = 0
m = 5
h = *
md = *
mo = *
wd = *

• UNKNOWN

Customers who have manually configured support for Chinese in the End User Web Interface (EUWI) may see a duplicate entry for Chinese in the Default Language drop list under Quarantine > Configure End User Features . To prevent this, remove the file named tw from the /opt/pmx/etc/manager/lang/installed/ directory, and change to the new Traditional Chinese language package with the following command:

pmx-config language cht

• UNKNOWN

pmx-policy inject fails with an error ("Queries using field 'm_pmx_test' for retrieval are not supported in pmdb message sets") when used with centralized quarantine. For testing the policy use the_ -dry-run_ option. This option uses an alternative message-store that does not interfere with the centralized quarantine

• UNKNOWN

The PureMessage-PostgreSQL install fails if another process has bound the port that PostgreSQL uses (TCP port 5432 by default). Either stop the other process or change the port PostgreSQL uses. The pg.log file in the _postgres/ _directory will contain either:

LOG: could not bind Unix socket: Address already in use
or
LOG: could not bind IPv4 socket: Address already in use

if PostgreSQL failed to bind to its port

• UNKNOWN

When upgrading a PostgreSQL-based quarantine server, make sure you have plenty of free hard drive space; the size of the quarantine database may double during the upgrade

• UNKNOWN

The /opt/pmx/postgres location must be on the same device as the base PureMessage installation, or the pmx-pg-switch command will fail

• UNKNOWN

Uninstall does not restore the old MTA if you let the PureMessage-Sendmail installer "override existing sendmail". The workaround is to delete the stale symlinks manually and move the *.save files back after uninstalling PureMessage. This should not be a problem on systems with update-alternatives

• UNKNOWN

Uninstall does not clean up the PureMessage user's mailbox on Solaris. The /var/spool/mail/ directories can be manually removed after uninstalling PureMessage-Sendmail

• UNKNOWN

If PureMessage-Sendmail is installed under /opt on Solaris it may display an error message when the /opt directory is group writable. The workaround is to add this line to the sendmail.mc file:

define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathSafe')

• UNKNOWN

Postfix and sendmail are not automatically shut down by pmx-setup. The MTA must be stopped manually before upgrading Postfix or sendmail components and restarted after the upgrade is complete

• UNKNOWN

Sendmail can cause errors with QueueRunner.pm if resolving the senders domain takes a long time. To resolve the issue, add the following to backend.mc

_define( confDONT_EXPAND_CNAMES', True')
FEATURE(nocanonify)
(SUG51169)._

• UNKNOWN

For systems using Oracle Communications Messaging Exchange Server, mail transfer agent upgrades must be performed as the root user from the command line. These packages cannot be upgraded from the Manager interface

• UNKNOWN

If logsearch recovery indexing is interrupted before completion and logsearch indexing restarts (pmx-logsearch-index start), indexing will skip archived logs if the daemon detects that it is more than 60 MB behind. Logsearch recovery must continue until done

• UNKNOWN

Although it is not recommended, it is possible to adjust the Scheduler so that PureMessage data updates from Sophos run less frequently than every five minutes. Furthermore, selecting only a single value in any of the scheduling scroll boxes causes the timing of the scheduled update job to be randomized.

The intervals set at the smallest increment take precedence over larger increments. So, for example, if you create intervals under Minutes but not under Seconds, the seconds are randomized.

This degree of randomization ensures that multiple processes do not start at the same time, reducing the chances of a load spike. It also reduces the likelihood of a network load spike caused by data downloads that occur at the same time

• UNKNOWN

The pmx-queue run scheduled job uses the same configuration file (/opt/pmx/etc/queuerunner.conf) as the Queue Runner background service. This could cause unexpected results when running pmx-queue run manually.

• UNKNOWN

If you are running PureMessage behind a proxy server, the pmx-mlog-stats scheduled job will not be able to send statistical feedback to Sophos

• UNKNOWN

The PureMessage Manager will allow you to create a scheduled job that is invalid without issuing a warning. For instance, if you were to create a scheduled job for pmx-release (which is invalid) instead of pmx-qrelease, there will be no warning in the Manager or in the logs.

• UNKNOWN

If there are no scheduled jobs on the system (this is very rare, since all of the PureMessage roles come with scheduled jobs), the Scheduler service will not start up; instead of starting, it will exit silently

• UNKNOWN

Text on the MTA IP Blocking page of the Local Services tab incorrectly instructs you to start the Blocker Service after enabling IP blocking. Instead, when prompted, you must restart both your mail transfer agent and the Scheduler Service

• UNKNOWN

In the Manager's Policy Constructor, clicking on Add main rule or Add rule anywhere adds a new rule, even if the user clicks Cancel. If this happens, the new rule can easily be deleted by clicking on the rule and then clicking Delete

• UNKNOWN

Characters outside the ASCII range are currently not considered to be "word" characters, which has significance when attempting to match the \w and \b escapes within regular expressions. This should be considered particularly carefully when writing regular expressions that may be used to match against data containing accented characters common in non-English languages

• UNKNOWN

An administrator must manually enter list/map IDs in the Policy Constructor for the pmx_notify and pmx_map_recipient actions

• UNKNOWN

Errors may occur when two or more administrators edit the policy file at the same time

• UNKNOWN

The Manager's Policy Constructor does not preserve comments in the policy script that are attached to commands; it only preserves comments attached to rules ('if' or 'elsif' statements). The workaround is to only attach comments to rules if you want to use the Policy Constructor.

Also, a command effectively becomes a rule when enclosed in an "if true" block:

if true {
command;
}

• UNKNOWN

The ordering of the policy actions can be misleading in the PureMessage Manager's Policy Constructor. New actions are added at the end of the rule, but the Policy Constructor always displays them before all nested rules. You can see the true order by viewing the source of the script

• UNKNOWN

Existing publications may no longer work after upgrading. The location of some support/configuration files are modified, but publications are not automatically migrated to use these new locations. The workaround is to delete and then recreate all affected publications

• UNKNOWN

PureMessage Manager user account names are limited to ASCII letters and numbers

• UNKNOWN

The "Send Support Request" page in PureMessage Manager generates messages that will be sent via the server configured by the mail_sender option. If that server runs PureMessage, the request is subject to spam checks and may be quarantined. One workaround for this is to configure the mail_sender option to point to an internal mail server that does not run PureMessage. Another is to add the sender address for such messages to the whitelist

• UNKNOWN

There is no way to select an LDAP list to be added to the policy publication. As a workaround, manually copy the lists.conf entry to each edge server

• UNKNOWN

When adding or editing custom anti-spam rules, the pop-up dialog that displays a description of the message parts does not paste the selected part into the Policy Constructor

• UNKNOWN

The PureMessage Manager reports that changes to CDB lists will take effect in 1 minute. These changes to not actually take effect until the pmx-makemap command is run

• UNKNOWN

The redirect policy action does not work with multiple recipients

• UNKNOWN

When modifying the PureMessage policy by editing the Sieve code directly, it is not recommended that the attachment-specific tests (pmx_attachment_name, pmx_attachment_size, pmx_attachment_type, and pmx_suspect_attachment) be combined using or , as these may produce unexpected results. This type of modification is not permitted via the Policy Constructor in the PureMessage Manager

• UNKNOWN

Non-ASCII characters are not permitted in the ID fields of lists, maps, and per-recipient lists

• UNKNOWN

The pmx_add_header and pmx_replace_header actions allow non-ASCII characters to be entered into header names, but doing so violates RFC 2822 (which prescribes internet message format), and could cause loss of data. The workaround is to not use non-ASCII characters in the header-name parameters passed to these actions

• UNKNOWN

If pmx_replace_body, pmx_notify and pmx_add_banner are passed verbatim data from the Sieve script (rather than being passed a filename), these actions add the data with non-ASCII characters encoded with UTF-8. The workaround is to always pass a filename to these actions - the contents of the file can be in any character set

• UNKNOWN

Non-ASCII custom marks (using the pmx_mark and_ pmx_mark1_ actions) are not supported in PureMessage. They will not show up in the PureMessage Manager Policy Hit Report

• UNKNOWN

Non-ASCII characters are not supported in the "Quarantine Reason" parameter passed to the pmx_quarantine and pmx_file actions.

• UNKNOWN

The pmx-policy inject and qinject commands cannot be used with the centralized quarantine. For the purpose of testing changes to the policy script, use the --dry-run option with pmx-policy inject, or use the 'Policy Test' interface in the Manager

• UNKNOWN

If a per-user list and a regular list have the same name, PureMessage will always quietly select the regular list rather than the per-user list with the same name

• UNKNOWN

The pmx_map_recipients policy action does not affect the per-user preferences applied to a message. The per-user preference for the original recipient is used, rather than the preferences for the mapped recipient. The workaround is to use the recipient-aliases map. The pmx_map_recipients action should only be used to change the message recipient

• UNKNOWN

The pmx-store-expire script does not remove stale mset/* files. These files can be manually removed if they have not been accessed for some days

• UNKNOWN

The quarantine report collector can take a long time on large quarantines. This can lead to missing data for some time periods because the execution of report collectors cannot overlap. It is possible to alter the report collector's scheduled job so that it runs less frequently (for example, every other hour) to keep the information gaps consistent. The report collector can also be configured to skip scanning the quarantine (thereby not generating quarantine reports) by setting the --collector command-line option to MessageLog

• UNKNOWN

PureMessage's Log Search Index service, which allows for faster log searches when using the search functionality in the Groups Web Interface, does not index messages that have been generated by the pmx-test command

• UNKNOWN

Test messages generated by the pmx-test program are included in reports. This can make the reports less useful, especially if load tests were performed (as they generate thousands of test messages)

• UNKNOWN

List IDs (such as the 'whitelisted-hosts' list) are limited to ASCII characters

• UNKNOWN

Links to pmx-queue-runner are incorrectly installed in the /opt/pmx/etc/init.d directory if you install only the EUWI role

• v6.3.0

• UNKNOWN

PureMessage Unix will not properly install if the locale is not set to english.

• UNKNOWN

When upgrading to the latest version of PureMessage, you may be prompted to retrieve the newest version of the PureMessage installation/upgrade program. This could result in the following error:
Error during ppm install of pmx-setup at\ /PerlApp/PureMessage/Install.pm line 1134.
If this occurs, run pmx-setup a second time, and choose "yes" again when prompted to upgrade pmx-setup itself.

• UNKNOWN

The PureMessage user needs to have the same username on each server in your deployment. If you need to support different usernames across servers, execute the following command on the machine that includes the Database Server role:
$ pmx installation/postgres/bin/createuser -a -d
You must do this on the Database Server for each PureMessage user with a username that is different from the pmx user's username on the database server.

• UNKNOWN

If the installer does not display properly, set the $PMX_TERM environment variable to 'xterm' and run the installer again. If 'xterm' does not work, try other values.

• UNKNOWN

If you have trouble viewing the curses interface, it is still possible to install a new license. To upgrade to a new PureMessage license, save the license to the PureMessage user's home directory and run the command:
pmx-setup --install-license new_license.sh

• UNKNOWN

Using the number pad on your keyboard causes values to be entered incorrectly in the fields of the PureMessage installer. When entering numeric values in the installer, use the row of number keys instead.

• UNKNOWN

When upgrading to PureMessage 6, any previous customizations to httpd2.conf will be lost. If you have made customizations to this file you will need to manually incorporate them into your PureMessage 6 installation.

• UNKNOWN

The installer may warn about an unsupported plattform. If you have the proper prerequisites and libraries installed you can proceed.

• WIFI Firmware 11.0.018

• Firmware

Roaming from one APX to another APX can cause 15 seconds of network disconnection for traffic between hosts connected to the same APX.
The issue happens if the source and destination devices are connected to the same APX.

• For example, if there is a VoIP connection being established between Notebook 1 and Notebook 2 at APX 1, traffic flow is normal.

• When Notebook 2 roams away from APX 1 and associates with APX 2, the VoIP connection will be disrupted for about 15 seconds.

• After 15 seconds have passed, the connection will work again.

Internet-bound connections and packets which need a next hop (XGS/XG) do not experience the same disruption in connectivity.

If both wireless clients connect to different Sophos APX access points this issue is not present.

• Sophos Connect 2.1

• Sophos Connect

There are two cases where the IPSec connection downloaded via the provisioning file might not be updated once a change is made on the XG

1) The Sophos Connect Client has an active connection

2) The Sophos Connect client is not connected to XG when the XG policy is modified.

When the Sophos Connect client will try to connect to XG,  the connection will fail due to a policy mismatch error. The client will not automatically trigger a update policy request. The user has to manually trigger a "Update policy" request from the settings menu.

 This might happen with a greater probability if the allowed networks are changed in the policy. Also this will happen if a policy is changed from tunnel all to split network and the network list is not identical on both ends.

Trigger a "Update policy" to re-synchronize the policy

• Sophos Connect 2.1

• Sophos Connect

This relates to Sophos Connect Client configuration of the SFOS appliance using 3rd party signed certificate.

When using 3rd party signed certificate on the “remote side” of the configuration, and "ApplianceCertificate" on the local side, the connection will import fine and connect the first time. After reboot of the workstation or restart of the services related to Sophos Connect, an error message will pop up stating "Failed to validate server certificate" when trying to connect again.

Use a self-signed certificate, signed by the SFOS appliance on the “remote” side.

Use PSK instead of certificates.

• Sophos Connect

Sophos Connect for the time being only supports Ascii characters, no umlauts or UTF-8 or UTF-16.

• Sophos Connect 1.1

• Sophos Connect

Sophos Connect Client uses Port 60110 on the local host to communicate with the local webserver. If this port is used by some other service before Sophos Connect Client starts, then Sophos Connect Client will fail to start.

• Sophos Connect 2.1

• Sophos Connect

When both the IPsec and SSL VPN policy is configured on XG, the connect client will connect to the user portal and download both the policies on the end user computer. But ONLY the SSL VPN policy will have the option of "Update policy" in the settings menu. In order to trigger a policy update for IPsec policy, the user will have to trigger the same via the SSL VPN policy.

• Sophos Connect 2.1

• Sophos Connect

SSL VPN is not supported for Windows 7/8 in Sophos connect.

You may get the error "Openvpn service is not available" while connecting SSL VPN from Sophos connect.

As a workaround, you may use a legacy SSL VPN client.

Use a legacy SSL VPN client.

• Sophos Connect

Issue:

After deploying the Sophos Connect provisioning file on SC 2.1 the first authentication always fails when OTP is enabled.

 *Behavior:* 

The Client will use the OTP the first to connect to the User Portal. Then it has to use a new OTP, but the OTP is generated by the Sophos Authenticator and the user has to enter the new OTP after the first one rotates. The client does not wait for that to happen. Instead, it uses the same OTP and that will fail and the user is prompted for authentication again. So the user has to enter the credentials again and they should be connected to VPN. This is a known issue. **

Enter the credential and OTP again.

• Sophos Connect 1.1

• Sophos Connect

Sophos Connect is unable to import files containing UTF-8 / UTF-16 characters e.g.

• Sophos Connect 1.3 GA (1.3.65)

• Sophos Connect

This issue is occasionally seen mainly when the computer wakes up from sleep and the connection is set for Auto-connect and user is not on the domain network. The system recovers automatically so user intervention is not necessary.

• Sophos Connect 3.0

• Sophos Connect

-> Go to About page on Sophos Connect UI

-> Click Generate TSR buttong

tsr.zip file is downloaded to the default download location. Tried to unzip the zip file but not able to unzip on 10.12.6 Mac OS version. Tried it on Mac 10.13, zip opens up. 

• Sophos Connect 1.0

• Sophos Connect

If the DNS servers in the Sophos Connect Client policy on the XG firewall are changed while there is a VPN connection established, then the DNS Servers display on the Network Monitor page are not updated to the changed DNS servers.

Disconnect the existing connection and then re-establish it.

• 2017.35

• Postfix

Sophos Email Security doesn't create non-delivery reports (NDR) for emails going to valid mailboxes that it can't deliver to their final internal destination.

• none

• smart banner

Scenario: Emails from the backup-generating system are received in unreadable format if a smart banner is on.

This issue can be observed if there is an issue with the email content via the sender’s system.

i) If the content is a UTF-16 HTML document that is base64 encoded. But the ‘charset’ field in the tag is saying ‘UTF-8’.

ii) As per standard (https://www.w3.org/International/questions/qa-html-encoding-declarations#utf16 ), if using a UTF-16 HTML document, the document should begin with the UTF-16 BOM. If this is missing in the email content, it will create such an issue.

This needs to be fixed from the originating system.

• none

• XGE

Scenario: An external domain emails a google group. The inbound email will be scanned and delivered to google. When email reaches the google group it will be forward to any external and internal email addresses. For the external email addresses that forward back to central as outbound email they will be block, because the sender of these emails is external.

Sophos Central email only supports the following

• We support: the sender is a customer address, the group contains internal and external recipients. The email is delivered to all group members.

• We don’t support: the sender is an external address, the group contains internal and external recipients. The email is only delivered to internal group members, not external ones.

• Policy configuration

In situations where customer has setup a Daily malware report to “Attach the report to the email” Sophos Central Email may detect the email as “Malicious URLs” cause the report contains Malicious URLs.

The work around is to configure the report to “Send a link to the report (secure)” instead of “Attach the report to the email”

The work around is to configure the report to “Send a link to the report (secure)” instead of “Attach the report to the email”

• Quarantine

Emails quarantined because of Data control violations can't be released because they don't appear in Quarantined Messages. You can see them in Message History, with the quarantine reason "Data control".

Please ask Sophos Support to release these emails.

• SPF_LOGS

Sophos Email Security only generates an SPF-Fail on a hard fail if the SPF-String is terminated with "-all".

SPF-Strings terminated with "~all" (note the tilde character) that don't match the senders IP address don't cause an SPF-Fail.

• Outbound Relay Control

Sophos Email Security doesn't send emails if there's an exclamation mark in the email address. It's rejected with "Relay access denied".

Remove the "

" character.

• Attachment Filtering

If an inbound email has attachments that use uuencoding, the attachments are removed. This is because messages with uuencoded attachments, and the attachments, are processed as text messages.

• Policy configuration

Emails with addresses containing the "!" character (exclamation mark) in the local part of the email address aren't supported, and are rejected.

For example: mailhost!username@example.org.

Remove the "

" character.

• 2019.15

• Self-Service Portal

A user has been given access to the Sophos Email SSP. They have mail in quarantine and the Emergency Inbox is turned on. But when using SSP the Quarantine and Emergency Inbox pages have no items.

This might happen when more than one user is assigned the same email address, and at least one of those users has no mailbox.

• In Sophos Central go to "People".

-Filter users by the email address of the affected user.

-Click each user to find the one that doesn't have a mailbox.

-Use "Delete User" to delete the user without a mailbox.

-Go to "People" and filter by the email address again.

-Select the user in question.

-Click "Email Setup Link" and select Sophos Central Self Service Welcome.

The user can then access the Self Service Portal using the instructions in their inbox.

• 2017.35

• Custom URL

The Sophos Email Security URL allow list can only contain up to 129 URLs.

• Quarantine

All mailboxes use the same language for the QS email. This can't be changed for individual mailboxes.

• 2020.32

• Outbound

The junk categorization isn't a result of the emails coming from Sophos Email Security, because other emails are succesfully delivered to inboxes of addresses on Microsoft-hosted domains, for example outlook.com.

Although Microsoft does not publicly share how it classifies email as junk, anecdotal evidence suggests that it learns from the recipient's actions. If customers' emails are repeatedly marked as junk by recipients in Microsoft-hosted email domains, then future customer emails might automatically be marked as junk.

Inform and educate customers sending emails to Microsoft-hosted domains to exercise caution with the type of emails they send, to prevent recipients from reporting emails as junk.

• 2020.38

• inbound

Reflexion has a Message Format Options feature which allows you to attach a control panel to the bottom of all incoming messages. This changes the content type of incoming emails to text/html and, if the control panel language is set to English, changes the character encoding to US-ASCII. If it's set to a different language, the character encoding used should match the selection.

Sophos Email Security doesn't have an equivalent feature so it doesn't change the content type and character encoding of incoming emails.

• Admin Quarantine

This happens if a user's account has been linked to a user without a mailbox.

Delete both the user account without a mailbox and the one with the mailbox. Then create a new user and mailbox.

If the email address was used under a different Sophos Central account, it should be removed there first. If you can't do this, raise a case with Sophos Support.

Note: Quarantine repositories and emergency inboxes are linked to user accounts via an ID. You can't remove an ID from these repositories and attach a different one.

• 2020.50

• Postfix

We constantly evaluate the TLS versions and ciphers we support. We accept versions and ciphers earlier than TLS 1.2 because a significant number of customers haven't upgraded.

We don't support PFS for TLS versions earlier than 1.2 because the ciphers available in TLS 1.0 and 1.1 that support PFS are unauthenticated. These ciphers use SHA1 on its own, or with MD5, and they're vulnerable to man-in-the-middle (MITM) attacks.

We recommend customers migrate to TLS v1.2 or later.

• 2021.13

• Quarantine

Sophos Email Security only sends quarantine summary emails to user mailboxes. We don't send them to mailboxes for distribution lists.

• 2021.19

• Quarantine

QS emails don't include messages quarantined because they failed impersonation or Date control rules.

• 2018.9

• Admin Quarantine

QS is empty, although a user received a quarantine summary email.

This can happen with Microsoft's Safe Links feature in Defender for Office 365. This feature clicks links in our notification emails to test them, which can remove the emails from quarantine.

• 2017.35

• Postfix

The "envelope from" and "data from" headers in outbound emails sent through Sophos Email Security must be in the same domain.

When using Google Workspace as an email service provider, if an outbound email is sent with an alias from a different domain, it won't be relayed outbound. This is because when sending as an alias in Google Workspace the "envelope from" header is the primary account.

For example domain1.com and domain2.com are both protected domains with valid mailboxes.

If the primary account email address is user@domain1.com and an email is sent from the alias alias@domain2.com, Google Workspace sends the email with the "envelope from" header as "user@domain1.com". But the "data from" header is alias@domain2.com.

This email is rejected as the "envelope from" and "data from" headers don't match.

Contact Google Workspace support to ask for the "envelope from" and "data from" headers to be matched for outbound emails, regardless of the alias used.

• DLP

If a Data control policy has the Certificates category selected, alerts are raised for .p7b files, even though the .p7b extension isn't in the Certificates category.

This is because Data control blocking uses True File Types and .p7b files share a file type with the .crt exception.

• 2020.05

• user level rate limit

If users send more emails than Sophos Email Security allows, emails are rejected. You see the following error:

NDR/bounce: 554 5.7.28 Mail flood detected.

Admin dashboard: Outbound sender rate limited for "user".

If senders regularly send high volumes of emails, for legitimate reasons, you can ask Sophos Support to classify the mailbox as a bulk sender.

Bulk senders have a higher sending limit than standard users.

• 2019.27

• Admin Quarantine

Quarantine message may display incorrect values at the bottom of the page. Eg Displaying 0 of 100 messages / 0 Selected.

There are no missing messages, this is a cosmetic issue with the widget displaying the correct information.

There are no missing messages, this is a cosmetic issue with the widget displaying the correct information.

• 2017.26

• Quarantine

The subject line of a message in the QS email is compressed to such a small column width, and the text is so small, that users can't easily read it.

Users should log into the Sophos Self Service Portal to check their quarantine summary messages.

• AD Sync

MSP customers can't use Azure AD Sync because of limitations with Azure AD Sync and non-email products. We'll try to resolve this.

• 2017.35

• Policy configuration

If an email arrives without an HTML body part, a smart banner isn't added.

Smart banners are applied if the following conditions are met:

Smart banners are turned on in the policy.

The email contains text/html content in the body.

• 2017.35

• DKIM

There is no industry standard for deciding if a DKIM (DomainKeys Identified Mail) check passes or fails.

To find out how Sophos applies DKIM checks, see Known Behavior of DKIM (DomainKeys Identified Mail).

• Milter

Quarantined messages do not get additional actions applied like adding banner to message.

This is because the rule copies the message to quarantine before preforms the additional actions on the original message.

Create duplicate rule before that does additional actions first and main action to continue
Then change the original rule to just quarantine without the additional actions

• v4.2.0.2

• UNKNOWN

When an outbound SPX encrypted mail is sent that contains a table, the formatting of the table is removed within the resultant PDF

This only applies to the mail content being viewed within the PDF file itself. If the option to attach the original email to the PDF is selected, the formatting within the attached mail will be correct

While creating outbound policy for SPX encrypted mail, select the option "Attach original email to PDF" from Main Action Tab.
Selecting this option will attach an original message (.eml) file to the encrypted PDF, the formatting of the mail within the .eml file will be correct

• v4.3.0.0

• UI

Mails shown in the quarantine digest mail and the quarantine portal are inconsistent in the following situation:

• Inbound Viruses To All policy is set to "Quarantine, drop file and continue"

• Inbound Spam rules are set to Quarantine (reason:spam)

• An inbound mail is received that triggers both rules

The attachment is stripped by the AV rule, the mail then hits the AS rule which puts it into quarantine. The mail then appears in the quarantine digest but not in the quarantine user portal.

• v4.4.1.1

• UNKNOWN

In the following rare situation the SEA may be unable to process mail:

• The appliance was at some point on a non-mainline repository

• The appliance has Auto-updates disabled

• Auto-updates remain off for greater than 3 months

The combination of the above results in the appliance being unable to detect the repository change when it is moved back to the mainline repository. This causes the AV Engine to be out of date which means the appliance is unable to scan mail and therefore quarantines all mail as 'cantscan'

Allowing the appliance to update AV engine without updating the software version could results in incompatibilities.

The workaround for this is to either enable auto-updates, or to temporarily turn on auto-updates periodically to ensure that the appliance adjusts it's repository

• v4.5.0.1

• Milter

When attempting to use policies to whitelist filetypes, unexpected behaviour may be observed when processing archive files. 

When archives (.zip, .docx etc) are being processed they will have multiple filetypes within that one attachment

SAVI does the filetype analysis on a given attachment and returns this to SEA. This will result in a true or false returned for each attachment. If the policy is being used to whitelist a filetype then True (allow action) will be returned as soon as ONE whitelisted filetype is found within an given archive

This will result in the archive being delivered even though it contains many other filetypes that are not on the whitelist

Ideally policy should be used to blacklist filetypes that you want to protect against.

Partial workaround would be to create a policy above the 'whitelsiting filetypes' policy that blocks common archive files. This doesn't completely solve the problem, but will reduce how frequently the scenario occurs.

• v4.5.2.1

• Milter

If the SEA is unable to deliver an outbound mail that is destined for multiple recipients NDRs will not be generated for individual recipients. The NDR will be sent back to the original sender indicating that the mail could not be delivered to one or more of the intended recipients.

• v4.2.1.1

• Milter

SPX Encrypted PDFs only supports plain text, html content such as images will be converted to plain text.

• UI

Search results are partial matches instead of exact

When doing a search example abc@domain in Quarantine queue it will show up all email that contain abc not all email that have abc@domain

example
searching for abc@domain could return the following

1234abc123@domain
testabctest@domain

instead of just all emails for abc@domain

• v4.5.0.0

• Milter

DMARC reports are not signed by DKIM as the reports are system generated (same as SPX and other system generated mails).

• v4.5.0.1

On very rare occasions SEA may not record the subject of an outbound mail in the UI. This occurs if there is a property of the mail causes a delay in it's processing, the logging daemon is then unable to update the message details and add the subject information

This has no impact on message is processing or mail delivery

• v4.0.0.0

• Milter

When encrypting E-Mails with SPX, they will not be DKIM-signed,

• v3.9.1.0

• Milter

Times for login and logout in /var/log/audit.log are inconsistently logged.

Sometimes they show UTC and others they show local time.

The issue is known, but will not be fixed.

• v4.4.0.0

• Milter

When emailing attachments with '-' # like test-1 SPX encryption will change the name of the file.

Example:

When sending attachments named e.g. : test-1, test-2, test-3, test-4

The recipient would get the following attachment names in the encrypted email:

test, test-1, test-2, test-3

Do to not send any files with '-'# as the file name.

• v4.3.0.0
• v4.3.1.0

• Milter

Hi Team,

We have a case, in which customer is trying to customize Block / Warning Page for Time-of-Click Protection from “SampleTemplates.zip”. However, when customer is trying to modify template with German characters, and found he is getting error as
“*Blocked Page: HTML file does not contain valid syntax.(Falling back to previous settings)*”
when he hit “Apply”.

For test, customer tried to add the below line:
Sophos Dies ist eine verschlüsselte Nachricht!

Before “Sophos Time-of-Click Protection reports that….” And save the sample template. We tried to perform as well and found we can reproduce the scenario at local appliance by adding “Sophos Dies ist eine verschlüsselte Nachricht!” line in our template.

If we replace “ü” with “u” in “verschlüsselte”, then appliance accept the template and we able to get updated template in “Preview”.

Customer gave another word to get test “Привет”, which is causing same behavior and throwing error to us.

I only get below logs during that time from admin_access.log

==> /opt/pmx/var/log/apache2/admin_access.log <==
172.16.32.2 - admin [02/Jul/2018:11:12:07 +0000] "POST /component/Popup/ConfigureBlockedUrlPage.html?/Config/Policy/FilteringOptions HTTP/1.0" 200 3318 57295µs
172.16.32.2 - admin [02/Jul/2018:11:12:10 +0000] "POST /ajax/Widget/LogStatus/GetLogStatus HTTP/1.0" 200 505 122549µs


172.16.32.2 - admin [02/Jul/2018:11:12:18 +0000] "POST /cgi-bin/fileadd_blocked.cgi HTTP/1.0" 302 - 163641µs
172.16.32.2 - admin [02/Jul/2018:11:12:18 +0000] "GET /Config/Policy/FilteringOptions HTTP/1.0" 200 21744 202710µs


172.16.32.2 - admin [02/Jul/2018:11:12:26 +0000] "POST /ajax/Page/FilteringOptions/SaveData HTTP/1.0" 200 349 53232µs
172.16.32.2 - admin [02/Jul/2018:11:12:29 +0000] "POST /ajax/Widget/LogStatus/GetLogStatus HTTP/1.0" 200 505 97308µs

I tried to collect the logs for same, but couldn’t find any logs during time of error occur. How, we can fix this and customer can use non-English characters in template?

• v4.3.0.0

• UI
• User Interface

Dmarc report mails those are sent by SEA to domain owners will be displayed in log search UI. But the client and subject column will be "-".

• v4.2.1.0

• UNKNOWN

Mac OS Sierra can not print SPX encryted E-Mails using the preview app

Use Adobe Acrobat Reader to open and print the message

• v4.2.0.3

• User Interface

The connectiontest currently checks a different part of the contentdeliverynetwork then the appliance retrieves its updates from.

Allow the Email Appliance to connect to any HTTP/S destination on the internet.

• v4.2.0.3

• Milter

The secure copy option from the SPX portal reply page sends the copy as the email address of the sender. (the person doing the reply). When that message leaves the email appliance to the receiving server on the internet it may reject the message because the email appliance is not the owner of that domain. 

Detailed explanation
We have a Sender from Domain A who sends encrypted message to Domain B.
The message is processed by email appliance and an encrypted message is sent to Domain B
The user in Domain B opens the encrypted message with password and clicks on reply. They are directed to the reply page on the email appliance.
On this web page the users types there reply and selects "Secure Copy"
This generates an email which forks. One is sent to Domain A person the another is sent to Domain B person. The from address in this message is Domain B person's address
The email appliance tries to send this email outbound to person B address. At this point the message could be block by spf or RDNS as the email appliance is not the owner of Domain B and should not be send as Domain B. This could also lead to Domain A being blacklisted.

Client is requesting that the secure reply (secure copy) FROM header is configurable or written with "@yourdomain.com" instead of using the repliers address to avoid rejects due to spoofing OR completely remove the option Send me a secure copy.

Also note that the secure reply (copy) is not encrypted when sent back to client (person doing reply from portal) This would possibly mean that the original message that they wanted encrypted could be in the reply. 

The copy should be encrypted. One option to resolve this is spx encrypt the secure copy and have the from address the postmaster address or an address that can be set.

Issue Reproduction
Your domain behind the SEA is abc.com
The recipient is outside.com
For outside.com MTA try to turn on SPF or RDNS checks

1. Turn on SPX encryption and ensure that you allow a "Include Reply All button in encrypted messages" is checked and allowed (enable the Secure reply portal in the SPX template).
2. Send an email from test@abc.com to ext@outside.com and make sure it is SPX encrypted
3. ext@outside.com will receive email and open the SPX encrypted email
4. Hit the Reply button in the email
5. This will take you to the reply portal
6. Put in any characters in the email and make sure "Send me a secure copy" is selected at the bottom of the page.
7. The email will be received by test@abc.com BUT the secure copy sent to ext@outside.com will be likely rejected due to spoofing.

• v4.1.1.0

• Reporting

The Bulk Mail check is performed before the Time-of-Click check.

During the processing of the message the Rule-variable is first set by the Bulk-Check and later overwritten by the Time-of-Click check.

• v4.1.0.0

• User Interface

In a clustered environment while connected to Admin UI with Remote Assistance enabled, the Admin clicks the Dashboard button and sees "Remote assistance CONNECTED" at the top of the page - but then after clicking on the Configuration button it shows "Remote assistance FAILED"

In a clustered environment the Admin UI correctly shows the Remote Assistance status at the top of the page.
The config page always shows the result of the Remote Assistance of the master.

If the Remote Assistance fails on the master, but succeeded on the slave, the slave will display the correct status at the top of the page, and "failed" on the configuration page.

• v3.8.0.3

• v3.9.0.0

• Milter

Email addresses that start with "#" will be rejected by ldap recipient validation, because they are interpreted as comments.

• v3.7.8.0

• Milter

If an outbound policy has been configured with a main action of "reject", a non-delivery report (NDR) message will be generated, but the NDR will not be delivered to the original sender. You should instead configure your outbound policy with a main action of "discard", then configure an additional action to notify the sender that the message was not delivered

.

• v4.0.0.0

• UNKNOWN

Adobe Acrobat will truncate URLs in SPX-encryped E-Mails after the first ';'-character.

• v3.7.8.0

• UNKNOWN

Double-byte messages forwarded from quarantine may not be displayed correctly in Microsoft Outlook

• v3.7.8.0

• User Interface

After forwarding a message on the Search In page ( Search > Quarantine ), and then performing a new search, the status bar does not indicate the updated number of search results.

• v3.7.8.0

• User Interface

When configuring the Users & Groups page in the Policy Wizard, it is possible to add an Available group to the list of Selected groups on either the Include Recipient or Exclude Recipient tab. If this group is not explicitly removed from the Selected list, it will not become available in the other tab when the user selects the Custom Groups option. This behavior also occurs with the Include Sender and Exclude Sender tabs in the same section.

• v3.7.8.0

• User Interface

An error is displayed if the Port field is cleared when trying to remove a previously configured outbound mail proxy ( Configuration > Routing > Internal Mail Hosts ). However, clearing the Hostname field, but leaving the Port field filled results in the outbound mail proxy being cleared

• v3.7.8.0

• User Interface

When the maximum number of rules (20 for anti-spam and anti-virus and 40 for content) has been exceeded, the Add button is disabled. Then, if a rule is deleted, the Add button is not re-enabled.

• v3.7.8.0

• User Interface

If you enter an invalid static IP address when using the Install Wizard, it is not possible to continue to the next page of the wizard.

• v3.7.8.0

• Reporting

When a message has multiple recipients, duplicate Scanned lines may appear when performing a mail log search.

• v3.7.8.0

• Reporting

Some thirteen-week reports do not return accurate results for timezones other than GMT.

• v3.7.8.0

• User Interface

When there are several pages of entries in a list editor, navigating to a different page of entries may work inconsistently.

• v3.7.8.0

• User Interface

If a community string contains one or more space characters, the multiple space characters are displayed as single spaces in the user interface. The correct string is displayed in the mouseover popup.

• v3.7.8.0

• UNKNOWN

Certain keyword entries may occasionally cause slow processing of large attachments

• v3.7.8.0

• Reporting

In some instances, a message with multiple recipients may have end-user specific settings. Such messages are split and sent to several destinations. In this case, a mail log search only displays the last triggered policy rule triggered; this may not be accurate.

• v3.7.8.0

• Reporting

If a policy rule description is changed, the description is not updated retroactively for previously logged data, which displays the original rule description.

• v3.7.8.0

• UNKNOWN

No alerts are sent and LDAP synchronization fails when an appliance drops out of a cluster. The alert is only sent when the missing appliance rejoins the cluster, but LDAP synchronization continues to fail.

• v3.7.8.0

• UNKNOWN

Microsoft Outlook Express cannot view messages which contain attached messages, forwarded from the quarantine.

• v3.7.8.0

• User Interface

If the system timezone and the admin timezone are different, and the difference of hours is not a whole number, administrators may be unable to change time and date settings.

• v3.7.8.0

• Reporting

When using certain special characters in quarantine search fields, the characters will match anything in the quarantine, resulting in searches that return all messages in the quarantine. The special characters include, but are not limited to: !@#$%^() .

• v3.7.8.0

• UNKNOWN

Quarantined email messages that contain & in the local part of the recipient email address will not be processed correctly if they are released from the quarantine. Instead, the part of the address preceding the & will be truncated.

• v3.7.8.0

• Milter

For the purposes of SPX secure reply, the appliance determines whether a message is inbound or outbound by comparing whether the recipient's domain appears in the list of incoming mail domains. A message to an external recipient may be considered inbound if you have configured your appliance to use an incoming mail domain that is the same as the recipient's domain name. This in turn may affect any policy rules that are configured to use SPX encryption only for outbound messages.

• v4.0.0.0

• UNKNOWN

If you need to remove or replace a hard drive in the ES4000, ES5000 or ES8000, the hard drive must be replaced with a new, formatted hard drive.
Installing an unformatted hard drive (even if it has not failed) causes these models of the Email Appliance to lock up.
Notice: After you install the replacement hard drive, the Email Appliance mirrors and integrates the drive in the background. This process may continue for a few hours, depending on system load.

• Authentication Clients

An issue was found where the existing version of the Sophos Network Agent is using an older version of the Google API’s. This prevents the Sophos Network Agent from being downloadable for devices running the latest version of the Android OS. The Sophos Network Agent will continue to function on devices running the older version of Android OS.

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]
• SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]

• SFOS 20.0.0 EAP0 -BuildXYZ(Build Number) [Taravai]
• SFOS 19.5.1 MR1-Build278 (19.5.1.278) [Hatutu]

• Web

In 19.0 MR2 and 19.5 GA there is an update to an underlying library (called redis) that causes a node synchronization problem with the Web Policy Quota feature for customers who are using High Availability in Active/Active mode.

Customers who are using HA A/A, and who use the Web Policy Quota feature are recommended to not upgrade to 19.0 MR2 or 19.5 GA. Customers can upgrade up to 19.0 MR1. They can upgrade to 19.5 MR1 when it becomes available.

Customers with HA in A/A who have already upgraded to 19.0 MR2 or 19.5 GA and are experiencing a problem with Web Quota are recommended to change their configuration to use Warn policy instead. They should upgrade to 19.5 MR1 when available, which again supports Web Quota.

Customers who are using HA A/A in an affected version may see this in the debug logs (/log/redis/quota.log):

3708:S 09 Jan 2023 22:46:39.746Z * Non blocking connect for SYNC fired the event.
3708:S 09 Jan 2023 22:46:39.746Z # Error reply to PING from master: '-DENIED Redis is running in protected mode because protected mode is enabled and no password is set for the default user. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you m'
3708:S 09 Jan 2023 22:46:40.749Z * Connecting to MASTER 192.168.1.3:6379


This issue affect 19.0 MR2 and 19.5 GA only. It does not affect any other release.

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• SFOS 19.5.2 MR2-Build624 (19.5.2.624) [Hitra]

• Wireless

There is an issue reported by customers that after upgrading to V19.5 GA separate zone wireless network stopped working and wireless clients are unable to access the Internet. In this case, the wireless interface shows unplugged.

Workaround 1.

Remove and re-add the affected separate zone SSID from AP/APX.

Workaround 2.

Restart the awed(This will disconnect all connected AP/APX(s) and connect back).

service service awed:restart -ds nosync

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]
• SFOS 19.0.0 EAP2-Build271 (19.0.0.271) [BoraBora]

• SFOS 19.5.0 EAP0-Build93 (19.5.0.93) [Taha]
• SFOS 19.0.1 MR1-Build350 (19.0.1.350) [Akamaru]

• Firmware Management

Var partition is created with 3.7G size in a freshly installed version of v19 GA.
Migrated versions are not affected.

There are two workaround solutions for this issue.
1. Reinstall with v19MR1 Build 350 or higher to fix this issue
2. Please contact Sophos support to apply the workaround for the affected appliance in v19 GA.

• SF 17.5 MR5 (17.5.5.433)

• Reporting

In an HA configuration pair, with a scheduled report configured, the auxiliary unit will also generate a report containing data about emails being sent from the unit. These emails being sent as per the attached report, from the auxiliary unit is the report itself.

There is no workaround.

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• NoRelease

• Clientless Access

Starting with version 19, Sophos Firewall includes several security improvements to prevent attackers from accessing sensitive information. One of these changes is an upgrade to the RDP component to the latest version, which helps to improve overall security. However, this new component library does have a minor behavior difference: in versions 19 and later, the cursor is displayed as a cross instead of an arrow.

• SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]
• SFOS 19.5.1 MR1-Build278 (19.5.1.278) [Hatutu]

• SFOS 19.0.3 MR3-BuildXYZ (19.0.3.XYZ) [branch code]
• SFOS 20.0.0 EAP0 -BuildXYZ(Build Number) [Taravai]
• SFOS 19.5.2 MR2-Build624 (19.5.2.624) [Hitra]

• HA

Admin is unable to update or create HA when the bridge interface is configured in the Peer Administrator setting.

Need to remove the bridge interface from the Peer Administrator setting in the HA config.

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• Logging Framework

Once we tick select “All” option , tick mark will be disappeared and all individual modules / components will be enabled.

Current behaviour of “All” button is since inception as short cut to select all the relevant component. The result of actions is transferred to individual buttons and stored in backend as separate status for each component. As it is only UI action button and not the summary of status all button - it is expected behaviour.

• SF 18.0 MR5-Build586 (18.0.5.586) [Samal]

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• CM

When a scheduled firmware upgrade from Central Management is run, both devices are rebooted at the same time in case of an HA setup.

Use the firewall WebAdmin to run an HA zero downtime upgrade.

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]
• SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]
• SFOS 18.5.5 MR5-Build509 (18.5.5.509) [Haiti]

• DNS

When using Wildcard or Multiple IP address FQDN hosts in firewall rules, it might occur that they are properly resolved to the corresponding IP addresses on the Sophos Firewall GUI, but the corresponding traffic is dropped. This behavior applies to Sophos Firewall 18.5.4 MR4, 19.0 GA and 19.0.1 MR1.

Enable IP-eviction on SFOS . Once it is enabled , on re-learning of FQDN/wildcard FQDN will solve the problem.

• SF 18.0 MR5-Build586 (18.0.5.586) [Samal]

• Email

Issue:

When the blocked senders list get large it can fail to add new entries. The exact number of entries will very as it depends on the length of each email address. We have seen issues when lists get over 2400.

Users will see warning message saying The operation will take time to complete. The status can be viewed from the "Log viewer" page

Checking csc.log will show a line like this

“2021-06-02 11:40:21,411:ERROR:CSC - Exception in getStatusFromResponse() :java.lang.NumberFormatException: For input string: ""java.lang.NumberFormatException: For input string: ""

Replace duplicate entries with wild cards to reduce the number on the blocklist where possible. Entries like smith@domain1 and joe@domain1 can be reduced to entries like *@domain1, which will cover a wider range of addresses anyway.

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• Firewall

The NAT information for Source NAT gets updated for existing connection (re-route) when the failover occurs on IPsec tunnel.

Currently for re-route of existing connection Source NAT information isn’t updated as NAT occurs only when new connection is initiated. ( Known behaviour ) NAT id and Source NAT information doesn’t change when re-route occurs.

For ICMP traffic, the ongoing traffic should be terminated first then wait for 30 seconds to delete/destroy the ICMP conntrack. New ICMP traffic will be forwarded via updated NAT ID.

NAT ID will not be changed for on-going connection during the re-routing.

For TCP: NAT ID will be applied on new connection
For ICMP: Need to terminate the ongoing requests, wait till 30 seconds and reinitiate the ICMP traffic

• SF 18.0 MR1-1 (18.0.1.396)

• WAF

If a file is uploaded which is larger then the limit then message similar to this is visible in the log: 

[Fri Aug 14 15:41:22.414802 2020] [security2:error] [pid 14238:tid 140229323249408] [client 109.91.34.26:44831] [client 109.91.34.26] ModSecurity: Request body no files data length is larger than the configured limit (q).. Deny with code (413) ….

For a workaround please contact support.

• SF 17.5 MR9 (17.5.9.577)

• Firewall

When utilizing the XG Email protection module in MTA mode, this creates an automatic firewall rule for the SMTP traffic at the top of the policy list. If additional rules are created above this rule, this can result in the XG accepting SMTP traffic but then being unable to deliver the mail onto the next hop. This can be seen by the mail queuing on the appliance and time out errors in the /log/smtpd_main.log:

2369   == john.doe@example.com R=default_mx_router T=remote_smtp defer (110): Connection timed out
2020-02-07 10:57:39.081 [2369] xPlIal-cb3y0D-DL == john.doe@example.de R=default_mx_router T=remote_smtp defer (110): Connection timed out

This can occur with:

• Manually configured firewall rules that include the SMTP service

• Automatically created firewall rules when configuring a VPN tunnel

 We plan to improve on this behaviour in an upcoming software release

Ensure that any manually created firewall rules are created below the automatic MTA rule
Ensure that any subsequent automatically created rules are moved below the automatic MTA rule

In the event that mail has already become queued on the appliance prior to the moving of the above rules, contact support for assistance in utilizing the /scripts/mail/replace_firewall_id.pl script to rectify the issue.

• SFOS 19.0.1 MR1-Rebuild-Build365 (19.0.1.365) [Akamaru]

• Authentication

The accounting of processed traffic is run every three minutes. A user may exceed his quota by using more bandwidth than his quota allows between accounting runs.

There is no workaround

• SFOS 19.5.0 EAP0-Build93 (19.5.0.93) [Taha]

• SFOS 19.5.1 MR1-Build278 (19.5.1.278) [Hatutu]

• SDWAN Routing

Traffic does not pass to the correct gateway if a combination with SDWAN Profile and Gateway based SDWAN routes are being used.

Update the affected SDWAN route to solve this issue
Or
Use only the Gateway based SDWAN route

• SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]

• IPsec

The traffic fails when compression is enabled for v4inv6 IPSec tunnel. The issue is seen on all XGS platforms and is consistently reproducible.

With ipsec-acceleration disabled on both the DUTs, traffic runs fine with compression enabled, in v4inv4 IPSec tunnel.

STEPS TO REPRODUCE-

Disable ipsec-acceleration, traffic runs fine with compression enabled in v4inv4 IPSec tunnel.

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• HA

Steps To Recreate:

Not able to establish Quick HA if one of the appliances has a bridge interface as an admin port

If both the appliance have the same logical interface which is selected as "Peer administration settings" then it will work

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• Dynamic Routing (OSPF)

OSPF does not propagate /32 network configuration of P-t-P interfaces e.g. PPTP, L2TP, PPPoE and GRE.

1. Redistribute Connected
2. Add static route for tunnel/desired interface network and redistribute static route in ospf

• SF 17.5 GA (17.5.0.310)

• SNMP

SNMP query for supportSubStatus and appExpiryDate return unexpected values. 

MIB indicates that supportsubstatus should be 1 or 2, but 3 is returned.
MIB indicates that  appExpiryDate should be a date but the value returned is invalid

This will be resolved in the upcoming XG v18 release

• SF 17.5 MR8 (17.5.8.539)

• Hardware

Sophos 40Gbit QSFP+ Flexiport module is not recognized at all in SG/XG 430/450 due to power sequence issues. A fix is in progress.

No Workaround

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• NoRelease

• XGS BSP

Issue: XGS 10G interface is not working when interface speed is set to Auto-negotiation (Physical or LAG)

Affected Product: Only XGS hardware with 10G interface

Set interface speed to Manual 10000 Mbps - Full-Duplex (Applicable for Physical, LAG interfaces).

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• Logging Framework

If your device is using a configuration previously restored from a Cyberoam backup, and you have NOT regenerated the appliance certificate on SFOS, upgrading to SFOS v19 will result in operation in fail safe mode.

The appliance certificate generated in cyberoam devices uses a weak signature algorithm (MD5) that is NOT supported for appliance certificates in SFOS v19.

How to verify before upgrading:

Check the Signature Algorithm of the Appliance certificate by running the following command on the advanced shell:

              “openssl x509 -in /conf/certificate/ApplianceCertificate.pem -text -noout” 

If the output shows the signature algorithm as "md5WithRSAEncryption", DO NOT upgrade to v19.

Please refer the KBA: https://support.sophos.com/support/s/article/KB-000044122?language=en_US

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• Reporting

If you have changed SSL/TLS Inspection Log retention period (Monitor & Analyze > Reports > Show Report Settings > Data management > Retain SSL/TLS inspection logs of the past) from the default value of 1 month, Upgrade to SFOS v19 will result into factory reset default.

Change SSL/TLS Inspection Log retention period under Reports > Show Report Settings > Data management > Retain SSL/TLS inspection logs back to the default value of 1 month before upgrading and then after upgrading to SFOS v19, you can change the setting back to the desired value.

• SF 18.0 MR5-Build586 (18.0.5.586) [Samal]

• Firewall

Situation:

The traffic from the terminal Server is not being marked by the User ID as a result that the correct firewall rule is not being applied.

Customer need to join the EAP for New Server Protection Features and confirm the machine is added to the EAP.

Details here: https://support.sophos.com/support/s/article/KB-000038634?language=en_US

Customer need to join the EAP for New Server Protection Features and confirm the machine is add to the EAP

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• WWAN

WWAN - Export/Import is failed to import the WWAN configuration even though import event was successful.

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• Core Utils

UTF-8 character in backup file name causes issue of user unable to download the backup file.

Nothing happens when the user tries to download the backup file with file name contain UTF8 characters.

We do not have any workaround or solution at the moment, Please do not use UTF-8 characters for the backup filename.

• Core Utils

There is an issue with XGS 116 r1, 116Wr1, 116r2 & 116Wr2 units related to default power settings for the PoE Port.

The default PoE power setting on this models should be AT(30W). But instead the units in the field are running with default PoE power setting as AF(15W). Also there is no mechanism right now in xgs-poe utility for this models to increase the power setting from AF to AT.

This issue is being fixed in SFOS 19.0.2 MR2, 19.5 MR1. Customer when upgrading the units to this version, its default PoE power setting will be set to AT(30). Then customer can also change PoE power from AF to AT & vice-versa using the xgs-poe utility.

• SFOS 19.0.1 MR1-Rebuild-Build365 (19.0.1.365) [Akamaru]

• Logging Framework

/conf partition on the appliance gradually filling up if On box reports of appliance is disabled/off. While conf partition gets 100% unable to login to GUI.

Issue will be resolved in 19.0.2 MR 2 and 19.5 GA

If on box reports are off, Need to turn on On-box reporting from console.

console> set on-box-reports on

• SFOS 18.5.0 GA-Build264 (18.5.0.264) [Antigua]

• SFOS 19.5.0 GA-Build197 (19.5.0.197) [Anaa]

• Licensing

Situation:

•  Partner/customer is unable to activate any evaluation license by initiating it from the XGS unit under “System” → ”Administration” → “Licensing” → “Activate evaluations”

Activate eval license in "My Sophos" portal

• SFOS 19.0.0 EAP0-Build190 (19.0.0.190) [Tahiti]

• NoRelease

• Clientless Access

In v19 and later, there have been several security improvements in Sophos Firewall to prevent attackers from getting hold of sensitive information. One of the changes we did was upgrading the RDP component to the latest version to improve the overall security posture. The clipboard functionality is not directly compatible with the latest RDP components making it non-supported with versions 19 and later. 

• SF 17.5 MR16-Build830 (17.5.16.830) [Timor]

• Web

Issue:
When using the Web Proxy, there are files that are stored in /tmp as they are virus scanned. If Web Caching is turned on (Webadmin → Web → General settings → Enable web content cache) the /tmp directory might run out of space.

Determining if the system is affected by this issue:
df -h /tmp
If the availble space is 0MB

du -c /tmp/0x1*
Non-zero length files can take up a significant portion of the partition.
Note: large numbers of files that are zero length are not an issue.

Impact:
When the /tmp partition is full several parts of the system suffer, webadmin is no longer accessible, and the box needs to be rebooted to recover.

Either disable web content caching: Go to Web > General settings > Enable web content. Disable the option. Note that this option is disabled by default.
or reboot the system

• SFOS 19.0.1 MR1-1-Build384 (19.0.1.384) [Aukena]

To enable NAT or WAF through web admin, you must specify an Original Destination Port (NAT) or Hosted Address (WAF). This is normally set to the IP addressed associated with ‘Port B’ which is the WAN Port.

For CM managed autoscaling instances, there’s no way to identify the original destination as each firewall will have it’s own IP address for the WAN port. This makes it impossible to setup DNAT for a CM managed instance. Even if someone creates a “Dynamic Interface”, it is not available during the “Public IP Address” step.

The "Server access assistant (DNAT)" cannot be used to configure DNAT but the manual method of creating a "New NAT rule" can still work. As the WAN Interface isn't available, you can create an IP range that will be translated to the private IP of the private Server. To setup DNAT:

1. Navigate to "Firewalls" under "Manage Firewalls" in the left sidebar
2. Select the three dots for the firewall group and click "Manage Policy".
3. On the left sidebar, select "Rules and Policies" and go to the NAT sub page
4. Click on the "Add NAT Rule" button and select "New NAT Rule"
5. Enter appropriate settings for your application. Ensure the "Original Destination" is set to "Any" and "Inbound Interface" to "Any" as well.
6. For the "Translated Source", set it to MASQ.
7. Change the "Translated Destination (DNAT)" to the private IPs of private server/load balancer by clicking "Create new" at top of drop down menu and creating appropriate destination.
8. Click Save.
9. Wait for configuration to be distributed to all XG's in group. This can be monitored from the "Firewalls" page

• SFOS 19.0.2 MR2-Build472 (19.0.2.472) [Kamaka]
• SFOS 19.5.0 EAP1-Build144 (19.5.0.144) [Maiao]

• DDNS

MyFirewall.co Sophos DDNS cannot be deleted.

The Sophos owned DDNS Provider is End of Life and cannot be deleted by the administrator.

• DHCP

Configuring multiple DHCP Relays where the 'listening' interface in one corresponds to the interface that the DHCP server is connected to in another of the configured relays will cause one of the relays to cease to function.

This is not a supported scenario and is expected behaviour. A DHCP Relay should not be setup on an interface that hosts a DHCP server.

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• Wireless

When using RadiusSSO and roaming between APX’s the client has to reauthenticate in order to connect again.

This is a limitation with the current deployment. RadiusSSO currently cannot handle roaming between access points

• SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]

• IPsec

The issue is happening when Sophos Firewall is configured Sophos IPsec connect with Local ID. This configuration is not supported by IOS.

The IOS profile does not support any parameters with Local ID/Remote ID and which causes a failure to authenticate the connection.

Clear the Local ID value/Field and re-download the configuration file.

• SFOS 19.0.0 EAP0-Build190 (19.0.0.190) [Tahiti]

• SFOS 19.0.0 EAP1-Build244 (19.0.0.244) [Tahiti]

• Email

If a customer restores a Cyberoam backup which does not have Default CA certificate generated or configured, then after restoring the backup in v19 EAP0 or later, awarrensmtp & warren services will be found DEAD.

After restoring the cyberoam backup, regenerate the Default CA certificate

• Login to UI and go to System -->Certificates -->Certificate Authorities --> Edit Default CA

• Reboot the device

• SFOS 18.5.3 MR3-Build408 (18.5.3.408) [Martinique]

• SFOS 18.5.4 MR4-Build418 (18.5.4.418) [Hispaniola]
• SFOS 19.5.0 EAP0-Build93 (19.5.0.93) [Taha]
• SFOS 19.0.1 MR1-Build350 (19.0.1.350) [Akamaru]

• Email

SASI engine can appear to fail if the returned value from the engine is too larger for the buffer. This returned value includes the spam rule hits that were detected on the message itself.

If there are too many returned hits if can be greater then the buffer and cause the “spam scanning failed”

smtp_main.log will show this error if this is the case “ng_buffer_read: reach buffer limit 2048” You will then see “spam scanning failed, unable to connect local antispam:”

The result of this issue is that message that were spam would be delivered when they should have been blocked/quarantined.

Please contact Sophos Support.

• SF 16.05 MR8 (16.05.8.320)
• SF 17.0 MR1 (17.0.1.98)

• Date/Time Zone

GUI time differs from the CLI time

The files /conf/TZ and /etc/zoneinfo/ are not in sync.

1. Copied content from /etc/zoneinfo/ to /conf/TZ
2. Restart the appliance to take change into effect

• SF 17.5 MR5 (17.5.5.433)

When scanning an encrypted split archive with Avira, there is the following limitation:

1) If an encrypted split file was scanned, only the first part contains all information about the archive (includes also the encrypted flag)
2) That's the reason why SAVAPI returns only by scanning the first part, that the file is encrypted. Because the engine/avpack can "unpack" the file, but a password is needed to extract it. So the archive was valid.
3) If the following parts (except the last one) are scanned, then the encrypted flag is missing, that's the reason why SAVAPI returns clean for that part of multipart file.
4) If the last part of the archive was scanned, then Archive is corrupt for SAVAPI, because the other parts are missing.

Additional information: Also a unpacker will not ask for a password when try to extract an encrypted split file not by using the first part of that file. The unpacker will return, its not a archive.

Use Sophos AV

• SF 17.5 MR3 (17.5.3.372)

• Hardware

When the user configures HA on XG105r3, XG115r3, XG106r1 shared port (Port4), the HA pair becomes unstable. After the enablement of HA service, Auxilary rebooted first as usual. But the Primary appliance goes in the rebooting phase because of the shared port which takes more time to wake up.

Do not to use the shared port (Port 4) as HA dedicated link.

• SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]

• SecurityHeartbeat

The backup will not be restored if there is an error with the database tblappstoeps as it may contain invalid byte sequence for encoding "UTF8"

Logs will be seen in Postgres.log

772 2022-01-08 03:01:18.064 GMTERROR:  invalid byte sequence for encoding "UTF8": 0xb1
6772 2022-01-08 03:01:18.064 GMTCONTEXT:  COPY tblappstoeps, line 23612
6772 2022-01-08 03:01:18.064 GMTSTATEMENT:  COPY tblappstoeps (app_id, uuid, app_path, occurrence, last_seen) FROM stdin;

Please contact Support for a workaround.

• SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]
• SFOS 19.0.0 EAP2-Build271 (19.0.0.271) [BoraBora]

• Network Utils

• The interface display name starting from “port” or “eth” or “ge“ are not allowed.

• The restriction was added for add/edit interface only.  

This is an intentional change and customers will not be able to edit/change interface names starting with “port”, “eth” and “ge”.

• SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]

• API Framework

If no , or tag is used after no status will be there in response.

Always use one of these tags after the to get detailed status code messages.

• NoRelease

The LogViewer can’t log values where bytes values are greater than 32 bit. and reporting is unable to store value, due to which there is a drastic difference between SF reports and CFR reports. In case the number of bytes transferred exceeds the limit which can be accommodated in U32, then it shows the truncated value in the log viewer.

• SFOS 18.5.1 MR1-GA-Build326 (18.5.1.326) [Cuba]

• SecurityHeartbeat

Customers may face an issue related to the Sophos central registration due to an Amazon certificate not being present in /conf/ directory and gets an error similar to this-

32021-11-25 17:28:36 WARN API.pm[13476]:119 SFOS::Common::Central::API::send_request - 500 Can't connect to dzr-utm-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com:443 (certificate verify failed)

Details here: https://support.sophos.com/support/s/article/KB-000043494?language=en_US

Check if an amazon cert is present. Use this command-

openssl crl2pkcs7 -nocrl -certfile /conf/certificate/internalcas/cloud-ca.crt | openssl pkcs7 -print_certs -text -noout | grep Issuer
If Amazon CA not existing do the following-

mount -o rw,remount /
cp "/conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt.org"
cp "/_conf/certificate/internalcas/cloud-ca.crt" "/conf/certificate/internalcas/cloud-ca.crt"
mount -o remount,ro /

Note: No downtime is required for any of the above steps.

• SFOS 18.5.2 MR2-Build380 (18.5.2.380) [Dominica.NFM]

• L2TP

We can not connect multiple L2TP connections behind the same NAT'd device.

Example:-
There are 2 Windows clients behind a NAT'ed device over which the clients are connecting to XG using L2TPoIPSec. The tunnels are established fine, but there is an issue with the traffic. Say ping traffic from Windows1 is working for some seconds and then dropped and Windows2 will not see ping response while ping is working from Windows1 and vice-versa.

• SFOS 18.5.1 MR1-GA-Build326 (18.5.1.326) [Cuba]

• Licensing

Behavior observed:

SFOS gets stuck after a reboot as hyperthreading enabled on hardware blocked the kernel to boot

The issue will only happen when the SFOS RAM/CPUs are lesser than purchased in the license and hyperthreading is enabled on Dell hardware. SFOS was not able to apply RAM and CPU limit on that hardware if hyperthreading is enabled.

This will block the kernel to boot.

The issue is observed on SFOS v18.5 MR1 Build 326 installed on Dell R330 hardware.

Disable hyperthreading on the server.

• SFOS 18.5.1 MR1-1-Build365 (18.5.1.365) [Cuba.ODM]

• Config Migration Framework

*Reported Issue:*Upgrading from v18MR6 to v18.5MR1 results in factory default configuration being applied to the device.
Workaround: Downgrade back to previous firmware and upgrade to v18.5MR2. Alternatively you can upgrade to v18.5GA and then v18.5MR1.

Downgrade back to previous firmware and upgrade to v18.5MR2. Alternatively you can upgrade to v18.5GA and then v18.5MR1.

• SF 15.01.0 MR3 (15.01.0.447)

• Reporting

In Auxiliary appliance if the report don't contain any data then we don't send any report notification to customer. This is intended behavior.

• SF 16.05 GA (16.05.0.117)

• Reporting

Only displayed result will be included while exporting data into HTML/ PDF / CSV

We can download current page records which is displayed on page through HTML/ PDF/CSV.

Example : Web report total pages 20. If current page 3 then we can download page 3 records through HTML /PDF /CSV.

We can download report which display on current page.

• SecurityHeartbeat

In 18.5 MR2 we have introduced key encryption for the certificate on FW used by endpoints to heartbeat with firewall. During the upgrade to 18.5 MR2 a certificate refresh has to be done as key has to be encrypted. And this certificate need to be made available to endpoints. If endpoints are unable to get the new certificate from Central, then heartbeat will start failing. This might happen when private DNS Servers are being used.

To avoid this ensure that the endpoints have network connectivity during the upgrade. Also disable the checkbox “Block clients with no heartbeat" in the firewall rule in case endpoints need access to the internal DNS server to get updates (new certificate) from Central.

If the system is showing missing heartbeat after the upgrade:
Ensure endpoints has network connectivity so that endpoints can fetch new certifcate from Central. Also disable the checkbox "Block clients with no heartbeat" in the firewall rule in case internal DNS resolution fails.

• SF 18.0 MR5-Build586 (18.0.5.586) [Samal]

• Hotspot

Situation:

When downloading the voucher from the user portal, then the WLAN password is not printed on hotspot vouchers for the types: bridge to AP LAN and bridge to AP VLAN.

The wireless password is only printed on hotspot vouchers for the interface link of "Separate Zone interface(bridge) of Wireless Protection." 

It is known behavior that a hotspot voucher doesn't contain the WLAN password for Bridge to AP LAN and bridge to AP VLAN.

Configure Hotspot voucher for interface link type 21 i.e. "Separate Zone interface(bridge) of Wireless Protection".

• SF 17.5 MR16-Build830 (17.5.16.830) [Timor]

• SF 17.5 MR17-Build837 (17.5.17.837) [Timor.Frag]

• Authentication

Sophos CAA client though seems connected to XG , repeatedly sends "Administrator disconnected you" messages and the CAA agent is grayed out.

The user still shows under live users on the firewall, and is able to access the internet. 

This is only happening for customers who upgraded to 17.5 MR16.

Workaround for 17.5 MR16:
Use "username@domainname" instead of the only username for remote users to authenticate via CAA.
for example:
testuesr@mydomain.com

• SF 17.5 MR16-Build830 (17.5.16.830) [Timor]

• SF 17.5 MR17-Build837 (17.5.17.837) [Timor.Frag]

• Authentication

Sophos CAA client though seems connected to XG , repeatedly sends "Administrator disconnected you" messages.
Once admin upgrades the firewall to 17.5 MR16 and users get connected over the CAA, but gets repeated pop up "Administrator disconnected you" and CAA agent is grayed out.
At the time, the user still shows under live users on the firewall, and is able to access the internet.
This issue is not present in v18 firmware onwards.

Workaround for 17.5 MR16:
Use "username@domainname" instead of the only username for remote users to authenticate via CAA.
for example:
testuesr@mydomain.com

• Auth Client macOS 2.1.0

• Authentication Clients

Issue description :

When MAC books comes up from the Sleep mode its takes 2-3 minutes for the user to be able to browse the internet .

This happens only incase we have a User based firewall rule . It takes CAA around 2-3 minutes to authenticate the user .

Workaround :

The user can disconnect and reconnect the client .

Disconnect the CAA , Reconnect

• SF 17.5 MR14-1 (17.5.14.714)
• SF 18.0 MR4-KONICA (18.0.4.519) [Palawan]

• Hardware

Issue :

The 4x10G FlexiPort Modules are not being recognized on Sophos Firewall, the interfaces are being detected as "eth0,eth3"
The 4x10G Flexi modules are not being recognized correctly, the interfaces are being detected as "eth0,eth3".
The modules cannot be detected correctly and hence making them unusable with the Sophos Firewall.

Only SFOS (Sophos Firewall is affected )

Affected Sophos Part Number – “XGMOD410PUR”
Description: 4 ports 10G SFP+ without bypass
Affected Part S/N Prefix – “M2400XXXXXXXXXX” (with NVM FW 7.20)
Note: Module with same prefix “M2400” with NVM 5.05 doesn’t have this issue.
To Identify the affected module NVM FW 7.20: Run ethtool -I

• SF 18.0 MR1-1 (18.0.1.396)

• VFP-Firewall

If the firewall-acceleration is changed on the cli the link state of the affected ports will bounce.

• SF 15.01.0 MR1.1 (15.01.0.407)

• Firewall

STAS is not working if the AD server is only reachable over a WAN conneciton.

• SF 18.0 EAP3-refresh1 (18.0.0.285)

• NoRelease

• Logging Framework

LogViewer shows twice DDNS events for Success/Failure.

• SF 18.0 MR3 (18.0.3.457) [Mindoro]

• Authentication

*Issue:* 

If there is a high number of Radius SSO users logging in at the same time and the firewall reboots then sometimes this may result in web admin is not being reachable after the reboot.
LAN users can connect and the device is accessible via ssh.

• SF 18.0 MR1-1 (18.0.1.396)

• DHCP

Description:

There is a requirement in certain case's where a multiple IP addresses would need to be assigned for a MAC address from different scopes .

One of the use case is that or the captive portal to work over the bridged interface with a vlan , the AP creates a virtual interface and needs an IP address from the VLAN .
When captive portal , a virtual interface is created on the AP , which asks for an IP over a vlan , since this is a briged to vlan set-up , and the discover request come's with the MAC address of the interface .

If one scope is set to static and other to dynamic , the IP assignment doesn't work .

Solution :

Set both the scopes to dynamic .

Set both the scopes to Static .

• SF 17.5 MR8 (17.5.8.539)

• Web

Web policy rules do not support users with a backslash in the name.

Example:  in webadmin -> Authentication -> users :

Creating a user with username a\b and saving it will succeed.

Using this user in a web policy wont work.

Create a username without backslash or single quote

• STAS

*Question:*  

Do we support Secure LDAP port 636 in the Novel eDirectory configuration of STAS?

Answer:

Secure LDAP port 636 is not supported in the Novel eDirectory configuration of STAS.

• SF 18.0 MR4 (18.0.4.506) [Palawan]

• CM (Join to Cloud)

Registering XG with Central Manager for remote management functionality fails with error "Temporary error while accessing Sophos Central, please try again".

Root Cause:
This error could occur due to many reasons, however for this particular issue, the email address being used for registration is longer than 50 characters.

Shorten email address and try again. If you have tried more than 5 times in the last 1hr, the account will be blocked for up to 5 hours. Please wait and try again.

• STAS 2.5.1.0

• STAS

STAS Users are getting disconnected frequently if dead entry timeout configured other than zero.

Dead Entry Timeout does not work and it MUST be set to zero. If the value for the dead entry timeout is configured anything other than zero then such behavior encountered and users may get disconnected randomly.

Need to set the dead entry timeout to zero to avoid user disconnection due to dead entry timeout. It is recommended to use the WMI mechanism in STAS for log-off detection.

• SF 17.0 GA (17.0.0.80)

• Licensing

Unable to activate or register the XG Firewall device with v17.0 MR-10 EAL4+ certified firmware 

1. Customer needs to upgrade the XG Firewall firmware to SF v17.5.MR7 or later and activate the appliance.
2. Customer can then switch back to SF v17.0 MR-10 EAL firmware and continue using it.

• SF 16.01 StagedRelease (16.01.0.190)
• SF 16.01 StagedRelease3 (16.01.1.202)

• Authentication

STAS users with special characters (' , / ") in their name do not show up on XG. 

SFOS doesn't support a username containing special characters.

The user needs to remove the special characters in the username to make it work.

• SF 17.5 GA (17.5.0.310)
• SF 18.0 MR1-1 (18.0.1.396)

• Web

The policy tester is just showing Matched firewall rule ID, matched source, and destination zone. It does not return the webfilter id. 

• SF 17.5 MR9 (17.5.9.577)

• Email

A user interface issue exists in SFOS, reported in v17.5MR9 but also exists in later versions. 

If an Admin adds a wildcard SMTP exception for an FQDN host (Email->Policies and exceptions->Exceptions), the FQDN wildcard entry is accepted and is visible in the UI,  Email -> Policies, and exceptions. However, if the Admin attempts to edit this exception the added wildcard entry will not be visible.

This is confirmed as a UI issue and we are currently investigating. We have no fixed date or version at this time.

NA

• SF 18.0 MR3 (18.0.3.457) [Mindoro]
• SF 17.5 MR14-1 (17.5.14.714)

• Dynamic Routing (OSPF)

Issue description : Auto Cost Calculation does not work for OSPF
This is configurable under advanced settings of OSPF .

Workaround :
Uncheck the Auto Interface Cost and Manually Configure the Cost .

• SATC 2.2.0.0

• SATC

In July 2020, Google Chrome, the new Microsoft Edge, and other Chromium-based browsers moved to version 84. This version removed support for the ForceNetworkInProcess feature used as a workaround for previous versions as per NCL-1114.

Workaround is described here (public link):

https://support.sophos.com/support/s/article/KB-000038634?language=en_US

Downgrade to version below 84 and apply workaround or move to Firefox.

• SATC 2.2.0.0

• SATC

SATC installed on a server having Sophos InterceptX, installed reports wrong port information in new session details to the XG. 

Impact :
If an user attempts to open a TCP connection ,SATC will detect that TCP connection and send an UDP packet containing Login Code, Session ID, Source Port, Destination Port, Destination IP and Username before the TCP connect is completed, SFOS will add a expect based on the information received in that UDP packet.
SATC is unable to detect that TCP connect request thereby not sending any packet to SFOS which results in no expect being added at SFOS side and traffic being dropped. 
SATC is not sending any information on port 6060 which is used by Sophos Firewall to create an Expect Contrack .

https://support.sophos.com/support/s/article/KB-000036880?language=en_US

• SF 17.5 MR9 (17.5.9.577)

• SFOS 19.0.0 GA-Build317 (19.0.0.317) [Tupai]

• Hardware

XG 115 rev3 models will show no HDMI output unless a monitor is connected before boot up.

• SF 18.0 MR3 (18.0.3.457) [Mindoro]
• SF 18.0 MR4 (18.0.4.506) [Palawan]

• HA

With 18.0 MR1 there was a case where a backup contained redundant information increasing the size of the backup.

This was fixed with 18.0 MR3 in all cases.

There was no functional impact for this.

If a larger backup was taken and restored then /conf might be larger then expected.

In such cases please use the described workaround.

Backups after 18.0 MR 3 are not facing this.

Run commands:
rm -rf /conf/httpclient/httpclient
rm -rf /conf/iview_images/iview_images/
Re-run backup.

• SF 18.0 MR3 (18.0.3.457) [Mindoro]

• Web

Log viewer for 'Firewall' & 'Web filter' component shows 'Allowed' in logging for all the port 80/443 traffic, initiated from WAN to WAN/LAN zone. The user (client) who has initiated traffic from the WAN side will be displayed a 'blocked' page.

Note: The actual traffic is being blocked and not forwarded by XG.

• SF 16.01 StagedRelease3 (16.01.1.202)

• Authentication

Using SATC with IE11 in protective mode is not supported.

• SF 18.0 MR3 (18.0.3.457) [Mindoro]

• SSLVPN

OpenSSL limits the CN to be 64. OpenVPN limits the size of the CN to 63 + 1 (null character).

This limits the @ length to 51 characters because 12 characters random string appended to CN.

Only use usernames + domain with max 51 characters

• SF 18.0 MR1-1 (18.0.1.396)

• Email

If the user tries to add any domain or email address on the Page 'Email>> general setting>> block senders', then he'll get the error "Request could not be completed" and the domain or email address would not be added.

 The best possible way to avoid/resolve this is to remove any one of the domain/email address from the block senders list and re-add them again. This resolves the issue.

• SF 17.5 MR9 (17.5.9.577)

• IPS Policy

When the XG device is set to  FETCH mode in SFM and user changes the  "Advanced Threat" setting with template, though setting was applied correctly in XG Firewall, SFM event log show failure message

This is known issue for FETCH mode configured devices in SFM only.

In PUSH mode config XG Firewall devices, this issue is not observed.  

• SF 17.5 MR7 (17.5.7.511)

• Authentication

When using the Sophos Network Agent (iOS or Android) logout could take up to 2h. The APP itself gets disconnected immediately but on the UTM the user is still live which actually means he can still access network resources which should be blocked.

• Login to appliance with SSH

• echo 0 > /content/caaios

• echo 0 > /content/caaand

• restart access_server

Workaround is update and reboot safe

• SF 18.0 GA-SR3 (18.0.0.354)
• SF 17.5 MR9 (17.5.9.577)

• Firewall

**This scenario is observed when the DHCP request comes via a bridge interface and Heartbeat is set to block endpoint communication with RED heartbeat status on the firewall rule with inter-zone communication rule i.e. rule configured for Bridge interface. The MAC address is blocked this would also include the DHCP traffic for affected client machines.

When packets enter into the bridge interface, we are entering into Netfilter stack from L2 and all the decisions related to packet/connection taken at Layer 2. Now here, what happened is that Packet dropped by Firewall when it enters from the L2 stage. So traffic never submits to L3 (bridge interface) where the DHCP server is listening and DHCP will never get the packet. This issue will only for the client behind the bridge and will not happen for any other interface.

Create a Firewall rule which is positioned on top with Service: DHCP and with no heartbeat settings applied.

• SF 17.5 MR10 (17.5.10.620)

• Firewall

Description:

Live connections shown in the live view would not show a connection table entry for DNAT rules. 

Reason: While handling the connection table the connection to ZoneID 4 would not be considered in the live connection table. But this would show in Log Viewer and Reporting.

The issue was sorted out due to architecture changes in V18. 

• SF 18.0 GA-SR3 (18.0.0.354)

• CM (Join to Cloud)

If the Firewall is registered and central services are accepted by the Central Admin and somehow firewall lost its Central Registration information due to Factory-Reset/Firmware Downgrade.
On Re-registration and Enable Central Management, Endpoint already known to the Central and Central Management API considers this as a Bad request as Central Services already approved.

Work-Around 1:
Deregister the XG Firewall(If on HA Remove both the Firewalls) from the Central if already registered (XG Local UI-> Central Synchronization -> Deregister)
Remove the Firewall from the Central.
Login to central.sophos.com
Navigate to Firewall Management.
Choose Firewall row and click on "Remove from Central"

Workaround 2:
The following can be run via the advanced shell:
/bin/central-register --register -u -p -s
Once registration passes you can proceed to unregister from Sophos Central GUI

• SF 17.5 MR8 (17.5.8.539)

• Firewall

When checking email logs for bounced emails in the UI, IP addresses might be shown as source address which are not configured in the UI. 

The log entry is generated for connection table entries, not from the actual routing.
At point of time of conntrack creation SFOS uses any gateway IP as original source address ( example: Port4: 10.24.255.254) When routing is done on L3 , the decision might be to route that connection via Port 2 - but the original source is unchanged.

That means the original source is not necessarily used for routing.

• SF 15.01.0 GA (15.01.0.376)

• Framework part of Base (deprecated)

Sophos XG does only support the following authentication methods. 

PLAIN

Digest MD5

CRAM MD5

To authenticate agains Microsoft Office 365, one of these authentications methods need to be configured on both ends.

• SF 17.0 MR3 (17.0.3.131)

• WAF

We don't have protocol support for Microsoft's RDG  protocol suite which they added with Windows Server 2012 (we only support the "old" MSRPC suite). Whenever such a RDG (2012) connection fails the log contains line stating
method="RDG_IN_DATA"
or
method="RDG_OUT_DATA"
it's a strong indication the lack of protocol support is causing the connection to fail. Currently, this cannot be mitigated using the WAF.

WAF only supports RPC_IN_DATA and RPC_OUT_DATA, these are the only types enabled when Pass Outlook Anywhere is turned on. All other methods are unsupported

• SF 18.0 GA-SR3 (18.0.0.354)

• Firmware Management

XG would take more time (approximately 50 minutes) to upgrade the firmware from v17.5.x to v18 Build_354. This because v18 Build_354 is doing additional checks for file system correction, which would take more time based on the hard disk size and state.

• SF 15.01.0 MR3 (15.01.0.447)

• RED

It is not possible to do offline provisioning for RED50 devices using an USB device without doing an online provisioning first. RED50 keeps on rebooting continuously.

Do an online provisioning somewhere central. After first online provisioning is done offline provisioning is possible.

• SF 17.1 MR1 (17.1.1.175)

• Authentication Clients

We currently don't support SATC with the Edge browser.

• SF 16.05 MR5 (16.05.5.233)
• SF 17.1 MR1 (17.1.1.175)

• Network Services (deprecated)
• PPPoE

+Behavior:+ 

There will be difference in Data Transfer Traffic usages between WAN Link Manager and WAN Zone report.

WAN Link Manager: Go to Network > WAN Link Manager and click the Manage icon next to the IPv4 or IPv6 Gateway to view data transfer graphs related to that Gateway.
*WAN Zone reports:* Generated under Monitor & Analyze - Application & Web - Show:User App risks & Usage.

**

• Data Transfer usages In WAN Link Manager shows Layer 1/ Physical level stats and can be compared against ISP data transfer. 

• WAN Zone is the logical entity that works at Layer 3. Based on the traffic passed from specific firewall rule, the WAN zone graph is generated from the connection. 

Below statistics of WAN Link Manager and WAN Zone reports explain reason about different Data Transfer traffic usages.

1) WAN Link Manager statistics:

This is the statistics of data transfer at interface level – that is per physical or virtual gateway
This also includes device traffic – pattern and firmware download, license sync. And unknown traffic/ ping that is handled at that interface by the device
Device can have multiple interfaces as WAN links and all of them could be in WAN zone. Users can see WAN Link Manager stats per interface, not by zone.

2) WAN Zone Report statistics:

This is the statistics of traffic passed through Firewall rules per Zone
Traffic destined towards WAN zone can take one of the multiple WAN Links as defined by load balancing configuration and WAN Link weights/ active-backup configuration.

The attached logical diagram would also explain difference between WAN Link Manager and WAN Zone reports.

• Data Transfer usages In WAN Link Manager shows Layer 1/ Physical level stats and can be compared against ISP data transfer. 

• ISP Data Transfer traffic usages report can be compared with WAN link manager. WAN Zone data transfer report is not meant for that. 
      

• SF 17.0 MR6 (17.0.6.181)

• Authentication

Setup sso client agent following KB 123159

log into a machine and it works correctly. When they try and login to the same machine through RDP they get a popup windows that just say default

Logs will show the following
C:\Users\admin1\AppData\Roaming\Sophos\admin1.log

05/08/18 17:23:17 Return Message Code From Server Is -- > 5
05/08/18 17:24:35 Console has been disconnected. Switch user detected. logging out user 
05/08/18 17:24:35 Posting End Session....

Using the SSO client agent with RDP is not supported

• SF 18.0 EAP1 (18.0.0.102)

• NoRelease

• Firewall

The UI in v18 shows a wrong negotiation speed for virtual machines using the PCnet32 driver. This is only a UI issue.

• SF 17.0 GA (17.0.0.80)
• SF 17.0 MR1 (17.0.1.98)

• IPsec

You can not find/select an IPsec Profile from within an IPsec connection when this IPsec Profile has Aggressive mode enabled and the Connection is using PSK after you upgrade from any version to V17

VPN > IPsec connections> select an upgraded vpn connection> Under Encryption > click on Policy, the old custom policy used for this connection is not listed

Reason: Strongswan is not supporting PSK and Aggressive mode for security reason.

Either disable Aggressive mode on the IPsec Profile or Use RSA/Cert for Authentication instead of PSK.

• SF 17.0 GA (17.0.0.80)

• IPsec

IPSec v16 to v17 update does not set SHA2 truncation on custom policy.
This will mostly affect tunnels between v16.5 and v17 .

Impact
The customers migrating from v16 to v17 with IPSEC tunnels configured with the Encryption AES256 and Authentication SHA2 256 on custom policy in Phase-1 and Phase-2 will be affected.
The SA will be established however the traffic will not flow through the tunnel.

*How to Identify the issue *

The tunnel status could be verified from the GUI , The Status and Connection will be Green .
This could be verified from the Advanced shell with uptime .

#ipsec statusall
Output:
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.14.22-Aum, x86_64):
uptime: 68 minutes, since Nov 20 18:02:23 2017

The workaround is to enable the SHA2 with 96-bit truncation on v17 policy.
Go to Configure > VPN > IPSec Profiles.
Under General Settings, select SHA2 with 96 bit truncation.
Click Save.

• SF 17.5 MR5 (17.5.5.433)

• NoRelease

• L2TP

Username with backslash "\" character are unable to authenticate when logging with domain via L2TP

The character "\" is not supported as part of the username in XG Firewall.

User can simply check this by creating new user manually having "\" character in username, XG firewall will not allow you to create such user.

XG Firewall supports authentication with the sAMAccountName username (i.e. asystest) or with the fully qualified username (i.e. asystest@xyz.local)  which works, but not with the NETBIOS format, indifferent of the server.

• SF 17.0 MR6 (17.0.6.181)

• SSLVPN

Self Signed certificates are not supported as SSL server certificate in SSL VPN . You cannot issue the certificate for yourself but requires a CA to sign / approve server certificate. 

A certificate signed by local CA i.e.  issued by default certificate authority (CA)is supported i.e. certificate "ApplianceCertificate" shown in below screenshot is supported. 

• SF 17.5 MR7 (17.5.7.511)

• Authentication

XG firewall supports a maximum of 3042 Corporate Authentication Agent connections at the same time.

If the number of users is exceeding this then logs like "Failed to establish connection! Too many open files" will appear in access server log file.
This number is only for users using Corporate Authentication Agent, Live user count for other authentication mechanism are not included in this limit.

• SF 17.5 MR8 (17.5.8.539)

• IPS Policy

The "show ips-settings" command in the console only displays 8 firewall rules in case you have configured more.
The related database entry contains all configured firewall rules.
This is only a display issue.

• SF 17.0 MR6 (17.0.6.181)

• Web

When a file is scanned by sandstorm, Admin get a cannot reach page after scanning (throw by Sophos XG captive portal).

This is observed When Any to Any firewall rule is configure as DROP.

Create Specific LAN/WAN zone instead of Any zone for DROP firewall rule

• SF 17.5 MR8 (17.5.8.539)

• RED

When multiple WAN gateways are configured on the XG, any action that causes the backup gateway or the gateway not being used by the RED tunnel to reconnect will cause all RED tunnels to reconnect.

None

• SF 17.5 GA (17.5.0.310)

• Firewall

There might be a delay before an SSH session is shown in the LogViewer.

• SF 17.1 MR1 (17.1.1.175)

• WAF
• Web

When LAN users want to use a webserver protected by a WAF in the LAN zone than those requests don't work. Reason is that requests from the LAN zone will reach the webserver(s) directly without passing the XG.

• SF 17.1 MR2 (17.1.2.225)

• NoRelease

• RED

*ISSUE -* Trying to start the RED results in unknown internal error:

*BACKGROUND -* The customer upgraded the XG 135 to v17.1.2 MR2 and thereafter out of 2 red tunnels only one was showing up on the GUI.
So they tried to restart the RED service by toggling the RED status but since they turn of the RED configurations on XG, it is not getting enabled back again.
Error message: [Unknown Internal Error occurred]

INVESTIGATION:

Following rebind issue logs were found

Mon Sep 17 04:02:36 2018 REDD ERROR: Rebind of RED devices failed: Failed to get config of all devices: Expected reply from get_object_by_hash() with status
 200 but got 500 without error message. $VAR1 = {
          'status' => 500,
          'Records' => []
        };

REDD: Red::Backend->enable_feature_event failed; result 520

Browser debug shows the following:

{transactionID: "5690", status: 520, message: "", opcodeMessage: "Enabling RED feature failed",…}
entity
:
{map: {country: "AU", Entity: "redconfiguration", ___serverport: 65003, ___component: "GUI",…}}
map
:
{country: "AU", Entity: "redconfiguration", ___serverport: 65003, ___component: "GUI",…}
APIVersion
:
"1701.1"
Entity
:
"redconfiguration"
Event
:
"UPDATE"
city
:
"Narangba"
country
:
"AU"
currentlyloggedinuserid
:
4
currentlyloggedinuserip
:
"127.0.0.1"
email
:
"licensing@ahe1.com.au"
mode
:
1320
organization
:
"Atlas Heavy Engineering"
status
:
"1"
transactionid
:
"5690"
___component
:
"GUI"
___serverip
:
"127.0.0.1"
___serverport
:
65003
___serverprotocol
:
"HTTP"
___username
:
"support"
message
:
""
opcodeMessage
:
"Enabling RED feature failed"
redirectionURL
:
""
status
:
520
transactionID
:
"5690"

Looks quite similar to the JIRA NC-27578
I am attaching the combined logs

 for the following :
CSC DEBUG
RED
TOMCAT DEBUG
APPLOG
APACHE

and CSCHELPER 

Backup of the unit - 

ACCESS ID

05894141-f8b9-3615-ba4d-cb876759c539

• SF 17.1 MR4 (17.1.4.254)

• NoRelease

• Email

Chinese characters in the subject of quarantined mail are not displayed correctly within the quarantine digest mail. The display in the GUI itself is correct, but appears garbled in the quarantine digest email only.

Changing the encoding used in the end user's mail client to encoding to UTF-8 acts as a workaround for this issue. We also have plans to resolve this in a future software update but no timelines on this currently.

• NoRelease

• Hardware

XG125/135 Rev.3 does not work with Halfduplex in any setting on Port 1,2,3,4.
Port 5,6,7,8 will work with halfduplex.

• SF 16.05 GA (16.05.0.117)
• SF 17.0 GA (17.0.0.80)
• SF 17.1 GA (17.1.0.152)
• SF 17.5 GA (17.5.0.310)

• Networking (deprecated)

We do not support Policy Based Routing (PBR )on return traffic on any version prior to v18

• SF 17.5 GA2 (17.5.0.321)

• Email

Any manual change to the disable_offline_relate is lost during a firmware upgrade.

If, prior to an upgrade, the /static/proxy/smtp/scanner.conf file has been changed to set the disable_offline_relate setting to 'no' this will be lost during a firmware update and will need setting again.

We plan to introduce a GUI option to set this option that will persist through a firmware upgrade in a future release

Once firmware upgrade is complete edit /static/proxy/smtp/scanner.conf and update the disable_offline_relate again

• SF 17.5 GA (17.5.0.310)

• Networking (deprecated)

System route_precedence is configured to give VPN Routes a higher priority than Static Routes however the XG firewall is not sending the expected traffic over the IPSEC tunnel and instead routing it via a matching static route.

This occurs if there is a static or local route that directs this traffic to a non-WAN zone. The route precedence command only applies to traffic that is destined for a WAN zone 

In this scenario manually creating an IPSEC route for the remote subnet will resolve the issue.

E.g
console> system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname

Hitting tab twice after tunnelname will show a list of available tunnels.

• SF 16.01 StagedRelease (16.01.0.190)

• Routing (deprecated)

Policy based routes for RED interfaces are not working.

• SF 15.01.0 MR2 (15.01.0.418)

• Clientless Access(HTTP/HTTPS)

Clientless Access feature requires rewrites HTML links within the response document, to ensure that links work for users outside the proxy. If website contains URL links with UTF-16 encoded special characters like example below, then site will not open properly using Clientless Access(HTTP/HTTPs) feature

Example:. http:\u002f\u002fportal.example.com  -> contains character encoded in UTF-16 format

• SF 17.1 GA (17.1.0.152)

• ATP Framework

Let us know if there is any limit on adding Threat Exceptions under Protect - Advanced Threat - Advanced Threat Protection.

*Web Admin:* _Protect - Advanced Threat - Advanced Threat Protection_

• There are no limitations to add Threat exceptions.

• However there is a limit of 128 characters for the "length" of Threat exception.

• SF 17.1 GA (17.1.0.152)

• Wireless

Limit on adding number of wireless networks.

Web Admin: Protect - Wireless - Wireless Networks

• There are no limitations on creating Wireless Networks.  

• However there is a limit of "8 SSIDs/Networks" that can be assigned to a Single Access Point. 

• SF 16.01 Beta3 (16.01.0.144)

• SecurityHeartbeat

On ATP flipside, host information for blocked sources is displayed. This information is not updated, the flipside needs to be manually reloaded/re-opened to see changes (e.g. host states green, red, missing)

• CaptivePortal

Local user with names that contains umlauts (ööööööö) cannot login (if the login is happening via AD / STAS then a login is possible.)
Local user with with special characters ( UTF-8) could not becreated , even existing AD user with those name cannot login.

• SF 15.01.0 MR1.1 (15.01.0.407)

• Clientless Access(HTTP/HTTPS)

Access of HTTTP/s bookmark to web servers which contains JavaScript based dynamically generated URLs is not possible.

• Hardware

a small percentage of SG and XG 430/450 Rev.1 appliances not being accessible  anymore except via serial. This is caused by a SSD software/firmware issue. The serial console output shows the errors:

• Reboot and Select proper Boot device

• Insert Boot Media in selected Boot device and press a key

• I/O error on SDA

• SQUASHFS error

This issue is based on problems with the Solid State Disk (SSD) firmware. 

If you have an SG or XG 430/450 Rev.1 that is experiencing issues like those shown above, please contact Sophos Support for further instructions. If possible go ahead and make a backup with one of the KBA's mentioned below:

• Sophos XG Firewall:
  How to backup and restore a configuration:https://community.sophos.com/kb/en-us/123145|

• Sophos UTM:
  How to backup and restore a configuration: https://community.sophos.com/kb/en-us/115187

• VPN (deprecated)

No L2TP connection is possible to mobile phone with Android (5.0.1 on Samsung S4) or iOS (10).
Both negotiated successfully IPsec phase 1 (main mode) but fail negotiating phase2 (quick mode).
Log excerpt from /log/ipsec.log, valid both for Android and iPhone connection attempts:

Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: Main mode peer ID is ID_IPV4_ADDR: '10.147.34.103'
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: I did not send a certificate because I do not have one.
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: Dead Peer Detection (RFC 3706): enabled
Oct 06 10:46:33 "l2tps"[1] 10.147.34.103 #15: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 06 10:46:33 "l2tp"[1] 10.147.34.103 #15: received and ignored informational message
Oct 06 10:46:34 "l2tp"[1] 10.147.34.103 #15: cannot respond to IPsec SA request because no connection is known for 10.8.18.51:17/1701...10.147.34.103:17/%any
Oct 06 10:46:34 "l2tp"[1] 10.147.34.103 #15: sending encrypted notification INVALID_ID_INFORMATION to 10.147.34.103:500
Oct 06 10:46:37 "l2tp"[1] 10.147.34.103 #15: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x635c829e (perhaps this is a duplicated packet)

• WAF

After the successful form-based authentication the user is always redirected to the defined path in the corresponding site path routing profile and not to the original requested path of the user.

• SF 16.05 MR1 (16.05.1.139)

• Clientless Access(HTTP/HTTPS)

Website which strictly require the destination domain in the URL host part could not be accessed through Clientless Access.  An example for this is CNN.com

• SF 15.01.0 MR1.1 (15.01.0.407)

• Clientless Access(HTTP/HTTPS)

Webadmin access through an clientless access VPN bookmark on the same appliance is not possible.

• SF 15.01.0 MR2 (15.01.0.418)

• WAF

Outlook Anywhere is not working when CTF (Common Threat Filter) is enabled in Business Application Rule.

Disable CTF (Common Threat Filter) in *Web App Protection Policies

• SF 15.01.0 MR1.1 (15.01.0.407)

• WAF

WebSockets is an advanced technology that makes it possible to open an interactive communication session between the user's browser and a server. Sophos XG Firewall only supports WebSocket passthrough starting from version 17.0, in earlier versions this functionality of Webserver Protection is not availableos XG.

• SF 15.01.0 MR1 (15.01.0.398)

• Hotspot

A Custom logo is not displayed if the Hotspot name is including a whitespace.

Dont use whitespaces in Hotspotnames

• SF 15.01.0 GA (15.01.0.376)

• Firewall

Its not possible to create a Hotspot with an HTML file name through SFM which contains a space.

-------------------------------------------------------------------------------------------------------------------------------------

Dont use spaces in file names.

• SF 15.01.0 GA (15.01.0.376)

• VPN (deprecated)

IPSec Site-to-Site VPN with SonicWall is not supported with Aggressive mode

Use Main Mode

• SF 15.01.0 MR3 (15.01.0.447)

• Firewall

– After installation of SFOS v15 MR3 on Super Micro X10SDV-TP8F, the Dual 10G SFP+ Network cards from D-1500 SoC are not recognized anymore.
– Issue is also reproducible in SFOS v16

More about device specifications can be found here :

https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-TP8F.cfm

– Output of Dmesg related to Ethernet is shown below
– Output of lspci is needed by developers to analyse further

[    6.505941] e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
[    6.512798] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    6.523049] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k
[    6.538388] i40e: Intel(R) Ethernet Connection XL710 Network Driver - version 1.1.23
[    6.547374] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.0.5-k
[    6.587508] igb 0000:07:00.0: Intel(R) Gigabit Ethernet Network Connection
[    6.634442] igb 0000:08:00.0: Intel(R) Gigabit Ethernet Network Connection
[    6.819952] igb 0000:0b:00.0: Intel(R) Gigabit Ethernet Network Connection
[    7.002801] igb 0000:0b:00.1: Intel(R) Gigabit Ethernet Network Connection
[    7.190630] igb 0000:0b:00.2: Intel(R) Gigabit Ethernet Network Connection
[    7.378468] igb 0000:0b:00.3: Intel(R) Gigabit Ethernet Network Connection
[    7.380785] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.0.2-k
[    7.386529] ixgb: Intel(R) PRO/10GbE Network Driver - version 1.0.135-k2-NAPI
[    7.397845] Intel(R) 10 Gigabit PCI Express Network Driver - version 3.17.3
[    7.399517] ixgbevf: Intel(R) 10 Gigabit PCI Express Virtual Function Network Driver - version 2.12.1-k
[    7.481665] QLogic/NetXen Network Driver v4.0.82
[    7.586272] tehuti: Tehuti Networks(R) Network Driver, 7.29.3

No workaround available

• SF 16.01 StagedRelease3 (16.01.1.202)

• Web

– Safe search is enforced globally and on all the policies without any exception once it is enabled.

Issue reproduction :
– Use the default 'Allow All' policy from the Web Protection policies
– Enforce the policy in a firewall rule and enforce safe search
– Try to search a word which shows explicit results, you would see that explicit results will be filtered even though safe search ins disabled
– Even youtube would enforce safesearch in this case

Now disable 'Enforce Safesearch' option and do the same search with caution. You will see all the related results which is explicit in content.

• SF 16.05 MR1 (16.05.1.139)

• Networking (deprecated)

The username field for PPPOE interface configuration is limited to 50 characters.

If the username is more than 50 characters for eg: john.doe0123456789012345678901234567890123456789@example.com

Use the workaround described below

Insert any dummy username in the GUI PPPOE interface config where username is less than 50 characters

Goto the advanced shell and enter:=> psql -U nobody -d corporate (Go to corporate DB)
=> corporate=>update tblpppoeconf set "user"='john.doe@example.com';

After applying the above command do disconnect the pppoe connection and reconnect again to bring the changes into effect.

• SF 16.05 GA (16.05.0.117)

• Email

• In Legacy Mode, Configure a policy with Action : Prefix Subject with Umlaut (Ü,Ä,Ö) in the prefix. The email prefix subject is incorrectly decoded.

• SF 16.05 MR5 (16.05.5.233)

• Clientless Access(HTTP/HTTPS)

Bookmark of websites  that requires NTLM  authentication in clientless access will not work.

• SF 16.05 MR7 (16.05.7.305)

• Email

When using IMAP, prefix subject (Spam) is not visible in many e-mail clients unless specifically selecting the message.

Some of the Mail Clients download only root header's from Server before downloading full Mail. SFOS IMAP proxy doesn't scan headers for spam checking as headers are not enough information to detect spam. IMAP proxy scan Mail for spam when mail client download full Mail.

• SF 16.05 MR6 (16.05.6.266)

• Web

Issue: Citrix Base Web Application (www.bimco.org) is not working with Allow ALL Web Policy

In transparent mode, Citrix clients are not aware of the fact that there is an http/https proxy in between, thus it starts talking a proprietary protocol (not http/https) using http/https ports which is not understood by the proxy, which in turn results in a kind of stalemate (proxy is waiting for client request, while Citrix client is expecting something from server first).

Due to the above behavior, launching an .ica file with any Citrix web or application based will fail.

For workaround, user must have a hole punched in firewall to the bimco.org ip address(es) to launch the ica file..

1: Allow none web policy in LAN-WAN for destination addresses associated with www.bimco.org and launching the ica file.
2: Allow all web policy in LAN-> WAN

• SF 17.0 MR3 (17.0.3.131)

• Email

If greylisting is enabled on server side all subsequent mails are getting rejected. This is because Legacy Mode doesn't support retry of E-Mail. If E-Mail fails to send, Legacy Mode Proxy generates Notification and inform Sender. So, as per greylisting, failed E-Mail should retried but this is rejected with Log entry "451 Temporary local problem, please try again!"

https://community.sophos.com/kb/en-us/131686

• SF 16.01 MR1 (16.01.2.222)
• SF 16.05 RC1 (16.05.0.098)

• NoRelease

• Hardware

Issue : The device doesnt boot up after HA takeover when the unit is equipped with 4x10GE SFP+ flexi modules

How to identify :

• After a HA takeover the following BIOS error appears 'PXE-E01: PCI Vendor and Device IDs do not match' 

• This is resolved after removing 4x10GE SFP+ flexi modules everything works fine.

• This could be noticed only sporadically after 4-5 reboots

Root cause and Fix :

This is caused due to old BIOS versions. The latest BIOS version of XG devices is R1.02, this is not affected by this issue. This can be verified during the startup or by interrupting the startup by pressing TAB or DEL. For older devices we have the steps to upgrade BIOS manually. Please contact Sophos support.

• SF 17.0 MR3 (17.0.3.131)

• Firewall

SSL VPN user can ping to LAN but LAN can not ping to SSL VPN.

If both SSL VPN and Policyrouting is configured for a destination network then by default policyrouting is enabled That is because routing precende by default is doing policyrouting first. To change this routing precendence needs to be changed.

This could be done via console:

console> system route_precedence set static policyroute vpn

 To reach the destination through SSL VPN the static route precendence has to be the firste entry in the routing precendence table.

Checking the actual status could be done via console :

console> system route_precedence show

Routing Precedence:

1. Static routes

2. Policy routes

3. VPN routes

• SF 15.01.0 MR1.1 (15.01.0.407)

VPN Authentication for IPSec / L2TP / PPTP is not working with AD.

Use Authentication method PAP instead

For XG85/w and 125/135/w Port 3 and Port4 Link/Act LEDs are glowing without the port being enabled and configured.

• SF 17.0 MR3 (17.0.3.131)

• Networking (deprecated)

A static route cannot apply to the system for the connected network i.e. any static route cannot be configured for connected networks. 

Ex:-

Any interface configured with IP 192.168.115.115/24 then system kernel will not add the route for static route
'192.168.115.0/24 via 10.250.41.21'.

• SF 17.0 MR6 (17.0.6.181)

• SF 17.1 Beta3 (17.1.0.147)

• VirtualAppliance

Due to a VMware Issue on vSphere a random network interface mapping occurs with more than 3 network interfaces on SFOS. This happens only on vmxnet3 and e1000e NIC driver.

Use e1000 or flexible (pcnet32) NIC driver

• SFM 15.01.0 MR-1 (15.01.0.425)

• Base System

• HA is only supported for Hardware SFM devices

• HA is not supported in Virtual SFM

No Workaround

• SFOS Compatibility in SFM

• SF Compatibility

Device is shown as unsynced for upto 5 minutes after changing/adding an IPS rule in SFM at device level.

Note: Device comes in sync after few minutes and configuration is applied.

• SFM 17.1 MR2 (17.1.2.300)
• SFM 17.1 MR3 (17.1.3.200)

• SFM-SCFM

You are unable to upload v18 firmware to SFM devices to deploy to XGs running v17.5.x devices.

Trying to upload the file gets to 97% and then nothing happens.

This is a known issue.

Load firmware manually to XG

• CFM 17.1 MR3 (17.1.3.xxx)

• SCFM

When applying RED configuration from CFM group level in the System services module the configuration will fail with the error message: _Data is invalid and cannot be synchronized on the device._ 

This issue is observed for SF 17.5.MR11 onwards because of UI for SF 17.5.MR11 onwards for RED configurations has been changed.

Use single device management by selecting device from Select devices and then applying configuration for RED

• SFOS Compatibility in SFM

• SF Compatibility

SFM has default IPS signature set and XG appliance supports signature set based on RAM size.

If Admin pushes signatures from SFM then signature will be displayed on XG based on RAM size and other signatures wouldn't be display even Admin see the success message on SFM UI. 

• CCC-10.6.5

• CCC-CCMS

User unable to download and upgrade Cyberoam firmware from CCC

User can upgrade the Cyberoam firmware from Cyberoam UI.

• CFM 17.1 GA (17.1.0.132)

• SCFM

CCL not being populated with changes applied to CCL enabled device in SCFM

Example: 

XG has CCL enabled on it,

• Created a test object called "asdf3_delete" with IP "7.7.7.7" on SCFM and pushed it to the device.

• The XG received the object and created it successfully.

• But no CCL log has been generated in SCFM.

• CROS Compatibility in CCC

• SCFM

CCC Import Template is not working with 10.6.6 MR-5. 

Template is imported successfully but it is imported without any configuration Data.

• CFM 17.1 GA (17.1.0.132)

• SCFM

SCFM connection tracking gets full which results in XGs working with syslog port/protocol from being able to sync fully or templates to be pushed.
There are no plans to fix this issue and as such we recommend using HTTPs instead.

Use https instead of syslog

• CFM 17.0 GA (17.0.0.101)

• SCFM

In some cases it seems like SCFM can't push the template to the device. In fact it just takes a very long time to do this ( could be a few hours).

• VFM 17.0 VarioSecure GA (17.0.0.111)
• SFOS Compatibility in SFM

• SF Compatibility

In SFM/CFM import template support for Web Proxy Configuration General setting is not supported for SFOS v17.5.

 Web Proxy Configuration import template does not support for Web - General Settings - HTTPS Decryption and Scanning and Web-General Settings for SFOS v17.5.

• SFM 16.05 GA (16.05.0.157)

• SFM-SCFM

There's no option to 'Create' a network for Local or Remote S2S VPN, only choosing from the one manually created before, same behavior also in the Firewall rule.

• Android

The “Security & Antivirus Guard” app is not available anymore on devices running Android 10 or higher.

After recent changes made by Google apps that haven’t been updated for a while cannot be installed anymore.

There have been several changes to the Android operating system and the Intercept X app, reducing the need for the Security & Antivirus Guard app.
The app will remain unavailable for devices running Android 10 or later. It will be completely removed in the near future.

• Android

For some Android versions and devices, Gmail doesn’t attach log and trace files to the email you send to Sophos support.

Send log and trace files with a different email app than Gmail.