Skip to content

Sophos UTM Advantage (9.3) is now available – find out what’s new!

UTM Advantage IconWe’re pleased to announce the GA and continued roll-out of our latest major UTM software update: UTM Advantage (9.3).

More and more organizations are switching to Sophos UTM for their next firewall to take advantage of our all-in-one protection with on-box reporting, simplicity and performance. This release continues to add even more value and protection while making things easier for everyone.

UTM Advantage (9.3) brings dozens of new features including:

  • Stronger protection for web, email and WAF
  • Smarter Wi-Fi performance and hotspot management
  • Better everywhere-deployment flexibility

 

And, if you haven’t already seen it, you should check out our new and improved UTM product page.  It’s packed with tons of new useful information and videos.

How to update your UTM

There are two ways you can update your UTM to the latest release:

  • Automatically:  All customer UTMs will see the 9.3 update appear automatically in their UTM over the next few weeks.  You can simply wait for the update to become available in your WebAdmin console and apply it at that time.
  • Manually:  You can download the required 9.3 Up2Date packages needed to transition from your current version (from the link below) and apply them manually via WebAdmin by navigating to Management >> Up2Date >> Advanced
The latest Up2Date package is available here:
The full set of incremental Up2Date packages are here:
The full ISO installer for the latest version can be accessed here:

 

Release Notes for UTM 9.300

Major New Features:

  • Live AV Look-ups in Email Protection
    Introduced previously in UTM 9.2 for Web Protection, Live AV look-ups now come to UTM Email Protection. This option will improve the malware detection rates by consulting the cloud infrastructure from SophosLabs in real-time for possible threat matches. Look-ups that fail will still be scanned by the AV engine, and as part of our global feedback network unknown files will be sampled for execution and deep analysis by SophosLabs to benefit the global community while allowing you to tap the knowledge gained by these events worldwide.
  • SPX Email Encryption – Self-Registration
    With the self-registration feature, recipients of our unique SPX encrypted email now have the option to register themselves through an online portal where they will be able to create and reset passwords to access their encrypted emails. This eliminates the need to manually communicate passwords to recipients of encrypted emails, and allows them to use the same password (which they will remember) for all encrypted emails. It makes SPX Email Encryption simpler for everyone.
  • SPX Email Encryption – Support for Attachments on Reply Portal
    SPX encrypted email recipients are now able to add attachments when securely replying to the sender using the SPX online portal. This allows for full encryption of all communications both ways.
  • URL Tagging
    With UTM 9.2 we introduced the Website List feature where customers can add URLs and override the site category. URL tagging extends this feature by allowing customers to apply custom tags, or labels to URLs, in effect creating their own custom site categories. They can then use these tags in Web Policy just like regular system categories. For example, if a customer has a restrictive policy but needs to access customer websites that would otherwise be blocked, they can add their customer sites to the Website List, tag them as ‘Customer Sites’ and then modify the policy to enable access to the ‘Customer Sites’ tag.
  • Browsing Time Quotas
    Many organizations want to allow users a limited amount of personal browsing time during the day. In many situations, limiting this to specific times of day does is too restrictive. With this new feature in Web Protection, administrators can allocate time quotas to specific sets of sites or categories for specific users or groups. Users can choose when to consume their time quota throughout the day. When they browse to a quota site, they will be warned that they’re about to use their quota. When a quota expires, they’ll be informed accordingly. Administrators can reset quota if necessary through the Web Protection Helpdesk area of the UTM.
  • Selective HTTPS Scanning
    To allow more flexibility and provide better performance we have implemented an option to allow selective HTTPS filtering. This allows organizations to balance the need for security or visibility into some encrypted traffic, with the privacy and performance concerns that come with decrypting all HTTPS content. For example, customers can focus on performing important scans in HTTPS like (a) the ability to detect malicious content in uncategorized sites, (b) the ability to identify search terms and enforce safe search for Google and other search engines, and (c) the scanning webmail traffic for DLP only for specific sites. Previously, HTTPS decryption had to be enabled for all traffic, with exclusions being set up for individual sites where necessary.
  • Support for SG1xx Wireless Hardware
    This release will add support for new SG 1xx wireless models we are going to introduce later this year.
  • Hotspot Improvements
    This release improves our hotspot capabilities with a few new features: First, we built an interface to communicate with Micros Fidelio hotel management software via its FIAS protocol. Second, we have implemented HTTPS support for hotspot login pages. And finally, hotspots can now be configured in a more multi-tenant-like fashion by restricting the “Allowed Users” option on a per-hotspot basis.
  • Multiple Bridge Support
    Many more advanced firewall configurations can be solved by allowing more then one network bridge. With this release we added support for multiple bridges. With introduction of this feature we at the same time cleaned up the configuration options in the UTM WebAdmin by moving the bridge configuration directly into the interfaces pane to allow you user-friendly and simple control over all aspects of your interface configuration.

Other New Features:

  • VLAN DHCP & Tagging
    We removed some restrictions around VLANs to make them easier to administer: you can now allow DHCP on VLAN interfaces and you can now tag and untag interfaces on the same hardware.
  • True-File-Type Detection
    In our web and mail proxy we now traverse archive files (zip, rar, etc.) to detect the types of files inside. This allows granular policy enforcement based on file types included in an archive rather than blocking archive files in general.
  • One-Click Secure Sophos Customer Support Access to UTM
    With an ever increasing number of Sophos global support sites with different IP ranges, it can often be challenging to enable Sophos Support access to the UTM via WebAdmin and SSH . As a result, we’ve implemented a feature that enables administrators to easily enable access to the UTM by Sophos Support upon request with just a single-click.
  • WAF Allow/Block Lists
    For the Web Application Firewall we’ve now added support of lists to allow and block IP ranges. This is configured in the site paths settings.
  • WAF Wildcard Extension
    Exceptions for internal servers now allow wildcards also in the middle of the server path. This allows administrators to easily add exceptions for multiple servers effectively eliminating the need to maintain long lists in WebAdmin.
  • WAF Prefix/Suffix Option
    Some environments, most notably Microsoft servers like Exchange and Sharepoint, require UPN/domain-style user names for log in. By adding an option to append a prefix or suffix to user-names customers now are able to add a default domain (for example) to facilitate this in order to streamline the user experience.
  • HyperV 3.5 Support
    The UTM 9.3 now fully supports Microsoft Hyper-V Server 2012 R2. We’ve also incorporated MS Integration Tools v3.5 for Hyper-V which include the latest drivers and additional capabilities like high availability and load balancing.
  • Improved performance for URL categorization
    In version 9.2 we introduced Live URL Filtering, a new way of doing URL categorization lookups to our cloud data services that offers better performance than the existing CFFS system. On the UTM it provides better local caching of commonly-visited site data. In the cloud, it provides greater responsiveness and automated scaling. With version 9.3 we are enabling this feature by default. Although the URL data used has not changed, this new system will only return one category for each site. This may impact the operation of policy for a small number of sites that previously had more than one category.

Other Enhancements:

[Web] We have enhanced the HTTPS performance with several proxy improvements.
[Mail] Added fonts for Greek, Japanese, Chinese, and Cyrillic for PDF documents generated by SPX-encrypted emails.
[Mail] Added header manipulation possibilities for email in order to give customers the option to add/delete multiple headers to the message envelope.
[WiFi] Added Automatic Channel Selection (ACS), utilizing background scanning.
[AppCtrl] Updated Application Control Engine adding better support for ATP and broader application coverage as well as IPv6 support.
[WAF] Added a setting to change WAF performance parameters.
[WAF] Introduced an ability to upload custom rules (backend enablement required).
[WAF] Added a scan size limit configuration option.

Bugfixes

  • 22468 HTML5 iptables rule doesn’t match for IPSec-routed hosts
  • 27257 RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported
  • 27588 Unable to fetch POP3 accounts on iOS devices via POP3 Proxy
  • 27750 IPv6: Add support for DynDNS (Dyn & FreeDNS)
  • 27905 [BETA] log the mac addresses human readable with leading zeros in the packetfilter log
  • 28056 it’s not possible to view or download large log files in the webadmin because root partition is too small
  • 28164 OSPF and default route priority issues
  • 28400 Syslog not started after ipsbundle pattern installation
  • 28842 HA takeover if master reboots takes too much time
  • 28966 exceptions for Common Threat Filters do not work individually
  • 29095 [BETA] improve reporting filter naming for ATP
  • 29412 Wireless Security Manager Role can’t accept new AP’s
  • 29963 profile mode ‘monitor’ does not work for Cookie signing
  • 30008 Problem with Remote IPsec access in case of ID type is ASN1 Distinguished Name and using static RAS IP
  • 30254 Import of non UTF-8 certificate breaks Webadmin access
  • 30504 Sometimes the sender_confd_profile is undefined in the profile object
  • 30800 [BETA] Some double byte characters aren’t filtered by DLP custom rule and AntiSpam Expressions filter.
  • 30825 IPv6: Add support for DHCPv6 ‘rapid commit’
  • 30851 emailpki_generate_user fails if pkcs12 file contains a cert twice
  • 31083 Remote SSL VPN view is empty in printable configuration
  • 31105 DynDNS: Add support for interface strategy for FreeDNS
  • 31116 Performance and scalability improvements of HTTP proxy
  • 31164 [BETA] Routing domain wildcards aren’t working for SMTP profiles.
  • 31337 Too long hostname will break layout in dashboard
  • 31340 rsyncd not started after switching to master mode (slave node hangs in syncing state)
  • 31373 Form hardening exception match but doesn’t work
  • 31387 ad-sid-sync.pl is executed even if AD sync is disabled
  • 31581 Up2date pattern rpm’s fails to install if hostname contains ‘/’ character.
  • 31814 nextgen-agent restarting permanently
  • 31859 Make http proxy handle uncompressed DNS responses
  • 31992 network range in network group shouldnt be allowed in allowed networks as per 21588
  • 32012 Postgres startup problem because pg_xlog files are missing
  • 32034 Full transparent AD SSO redirect URL request gets dropped by packetfilter
  • 32079 UMTS modem device hanging
  • 32097 High load after pattern installation [9.2]
  • 32190 Policy tester always returns “allowed” if warn page is proceeded once
  • 32237 Release of IPsec Pool IPs not working
  • 32286 Sorting of APs in Webadmin
  • 32391 UTM interface doesn’t come up again after the speed changed from 4G to 3G
  • 32433 Not possible to delete VPN tunnel managed by SUM after use “cleanup object”
  • 32537 Guest login fails in transparent browser auth mode if “terms of use” confirmation is required
  • 32571 [V9] Blocked HTTPS-Sites in Filter Action Mode ‘Blacklist’ doesn’t match if Exception is matching on Categories
  • 32588 Can’t restore backup beacause of an undefined value
  • 32602 Web control policy not applying to endpoints
  • 32604 Special characters like umlauts didn’t work in passwords with reverse authentication for the WAF
  • 32607 Not possible to use virtual mac on lag interfaces
  • 32683 Can’t send a VPN Profile to the SMC if the Organization Name includes a umlaut
  • 32690 It’s not possible to use Subfolders for Remote Log File Archives over SMB on CIFS share
  • 32696 Hotspot: only one login possible per username for backend authentication hotspot
  • 32703 Multicast traffic problems after upgrading to SG430 and 9.204
  • 32711 Mail preview should display kyrilic or chinese chars too.
  • 32713 Console keyboard doesn’t work
  • 32726 Dashboard does not show Antivirus active protocols for HTTP/S
  • 32794 vpn-reporter.pl segfault in get_amazonvpc
  • 32805 NETDEV WATCHDOG: eth0 (tg3): transmit queue 0 timed out
  • 32832 Remote Syslog Server IPv6 support
  • 32837 vpn-reporter.pl segfaults, error 4 in libc-2.11.3.so
  • 32851 Device auth reports wrong client information
  • 32852 Any SSL traffic through HTTP proxy gets classified as “Sophos Portal” if a “Sophos Portal” AppCtrl rule exists
  • 32870 ad-sid-sync.pl fails to lookup trusted domains groups
  • 32940 SG550: Licensing does not work if module is relocated after installation
  • 32950 Configuring a whitelist in webfilter filter action appears in blacklist on UTM
  • 32957 winbindd died in kernel_vsyscall
  • 32969 Coredumps from reverseproxy after update to v9.206
  • 32972 IPS exception does not work for SID 18575
  • 32980 Remove RC4 from TLS ciphers in Exim
  • 33019 After upgrading to iOS 8 UTM does not recognize iOS anymore (Device-specific Authentication)
  • 33095 RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported [9.3]
  • 33111 Group matching incorrect if user belongs to static and backend groups
  • 33277 [9.2] Add support for passthrough NTLM connection
  • 33307 Not possible to change TLS certificate
  • 33323 Using @ in hostname results in corrupt /etc/syslog-ng.conf
  • 33382 Config changes in IPsec remote access sometime causing a drop of established connections
  • 33429 AP100: Unable to authenticate with an SSID using a PSK with a dollar character
  • 33515 SMTP Vulnerability in SSL v3.0
  • 33613 OS X HTTPS traffic identified as iOS

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected RED devices will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

UTM 9.301002

News

  • Bugfix Update

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected Wifi APs will perform firmware upgrade

Bugfixes

  • 33743 Wifi: after upgrade from 9.2 -> 9.3 awe_status is 0
  • 33746 psk and ssid with a \ are wrong in confd
  • 33751 Bridge without Address lost after Upgrade from 9.2x to 9.300
  • 33760 ipsec: dying Middleware with Bridge configured

UTM 9.302002

News

  • Bugfix Update

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected Wifi APs will perform firmware upgrade

Bugfixes

  • 33655 Special characters in SSID lead to an awed crash [9.3]
  • 33766 Slave stays in “syncing” state after update to 9.300
  • 33824 Wifi: rt2x00queue_write_tx_frame: Error – Dropping frame due to full tx queue 2

 

Sophos UTM 9.303 – Details

News

  • Bugfix Update

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Bugfixes

  • 30142 [BETA] SPX: spx encryption can not handle some greek characters
  • 33258 Cluster smtpd restarting permanently (segfaults and core dumps)
  • 33662 Quota Status page does not work when ha->status set to ‘zeroconf’
  • 33812 Quota proceed on a url with ‘&’ will not work
  • 33911 Up2Date not possible with essential license

 

Up2Date Installation

Sophos Up2Date technology makes it easy to upgrade your Sophos UTM to the latest version. To ensure you are aware of any possible known issue that might affect your environment please check out our Knowledge Base Article.

Once you have received an Up2Date notification (or you see availability on the UTM dashboard), log on to WebAdmin, navigate to Management >> Up2Date >> Overview and use “Update to latest version now” to install the Firmware Up2Date.

Click on the “Watch Up2Date Progress in new window” and an extra browser window will show the progress of the Up2Date installation. (The System administrator will receive a notification email once the Up2Date process has finished.)

Feedback

  • If you want to provide feedback or want to discuss any of the UTM V9 features you should post it on our User Bulletin Board. Please indicate the version you are using to help us (and everyone helping you).
  • If you have any feedback on our help, manuals, or any documentation (Online Help) please send it to nsg-documentations@sophos.com.
  • You are free to use our new demo server environment without hassle, nags, or registration. Enjoy!

5 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!