Sophos released UTM Update 9.404-5

Sophos released a new maintenance release for the UTM. Connected REDs and Wifi APs will perform a firmware upgrade.
Fixes:

NUTM-1775 [Access & Identity] 35668: DHCP Broadcast over all RED LAN ports causing wrong IP address assignment
NUTM-1784 [Access & Identity] implement “TLS 1.2 only” switch for RED to UTM communication
NUTM-2404 [Access & Identity] 36172: RED15 has loaded fallback network config
NUTM-2841 [Access & Identity] 36224: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_expect.c:51 nf_ct_unlink_expect_report+0x5e/0xd1 [nf_conntrack]()
NUTM-3415 [Access & Identity] PPTP VPN with an IP Pool 172.16.0.0/20 doesn’t work correctly
NUTM-3439 [Access & Identity] After upgrade to 9.4 and using SSL VPN the IPv4 traffic is not going over the full tunnel
NUTM-3536 [Access & Identity] RED15 traffic not possible, red_server reports “Unable to get proc entry”
NUTM-3719 [Access & Identity] mdw errors when configuring a RED device
NUTM-3735 [Access & Identity] SSL VPN IP pool should not be usable without IPv4
NUTM-3757 [Access & Identity] SSL VPN: don’t push IPv6 interface address if no IPv6 route is pushed
NUTM-3763 [Access & Identity] SSL VPN client cannot be downloaded from userportal with IE
NUTM-3843 [Access & Identity] SSL VPN route injection into OSPF not working properly after update to 9.4
NUTM-3867 [Access & Identity] SMC: WEP passwords are not pushed correctly
NUTM-3924 [Access & Identity] PPTP and iOS with config from userportal doesn’t work properly
NUTM-3934 [Access & Identity] RED: CON_CLOSE provide information to UTM if peer is not stable enough
NUTM-3962 [Access & Identity] IPsec doesn’t work with SHA2
NUTM-4173 [Access & Identity] Since Update to 9.4 IPsec site-to-site connections won’t work after pppoe reconnect
NUTM-3982 [Basesystem] Errors in Notifications Database
NUTM-2677 [HA/Cluster] 36293: The Slave node in HA doesn’t show any resource usage
NUTM-2235 [Network] 35662: Additional adresses of a PPPoE interface are not reachable after takeover
NUTM-3684 [Network] APN can’t be changed if LTE is selected as network
NUTM-3061 [Reporting] Remote Access filtering is not working correctly if the username contains a “\” sign
NUTM-3662 [Reporting] wrong descriptions for CRIT-065 and INFO-007 in MIB file
NUTM-3753 [Reporting] Remote Access Accounting not recording L2TP sessions
NUTM-4306 [Reporting] postgres[xxxxx]: [x-x] STATEMENT: select src_ip, virt_ip, virt_ip6, logintime, service from vpn where status = 0 and logintime = logouttime LIMIT 1000
NUTM-3689 [SUM] device agent claims SUM objects
NUTM-3028 [Virtualization] HyperV interface handling (9.4)
NUTM-3482 [WAF] form template unchanged with update from 9.355 to 9.4
NUTM-3694 [WAF] Customized mod_security rule didn’t work correctly
NUTM-3748 [WAF] Content length and content get lost when using form-harding
NUTM-4119 [WAF] SSL is not used to transfer sticky session cookies
NUTM-3172 [WebAdmin] Support tools – PPPoE shows itfhw instead of vlantag
NUTM-3113 [Web] Proxy freeze after Savi update
NUTM-3118 [Web] “Remove embedded objects” / “Disable JavaScript” shows script code
NUTM-3367 [Web] “Unblock URL” button is displayed even when “Users/Groups Allowed to Bypass Blocking” is empty
NUTM-3485 [Web] HTTP Proxy profile matching doesn’t work for DNS groups which contain IPv6 addresses
NUTM-3550 [Web] frox segfaults/core dumps while uploading files
NUTM-3554 [Web] Error returned from samba command on AD sync
NUTM-3617 [Web] Sandstorm Database Error
NUTM-3710 [Web] New exception regex for Chrome Update
NUTM-3844 [Web] If using a ‘ character in file name, postgres is not able to insert this to the TransactionLog (Sandbox)
NUTM-3920 [Web] Sandbox: cleaning up old data in TransactionLog on slave nodes raises postgres errors
NUTM-4055 [Web] HTTP Proxy causing weird log entries in uma.log
NUTM-3039 [WiFi] RADIUS authentication failover via Availability Group not working correctly
NUTM-3072 [WiFi] Hotspot: race condition if multiple logins per MAC
NUTM-3472 [WiFi] wireless.log – download_ca: CA fingerprint overwritten by TA / No trusted fingerprint found in certificate chain HUB.
NUTM-3760 [WiFi] WIFI profile pushed to SMC using same name
NUTM-4117 [WiFi] Mesh AP’s all go down and do not come back up
NUTM-4151 [WiFi] AP30 (possibly other models) not becoming active anymore after update to >= 9.400
NUTM-4126 [[Backend/Devel] Confd] Clean up of duplicate Domain-Regex
NUTM-4142 [[Backend/Devel] Confd] Remote Access Manager can’t deactivate a VPN profile with groups
NUTM-4158 [[Backend/Devel] Confd] confd[xxx]: parse_formats: unrecognized tag format: FUNC__XXX
NUTM-4160 [[Backend/Devel] Confd] Accessing WebAdmin as non-superuser repeatedly raises “NODE_READ_DENIED” error on confd node “migration->tab_visibility”

Download (FTP): u2d-sys-9.403004-404005.tgz.gpg

Download (HTTP): u2d-sys-9.403004-404005.tgz.gpg

A documentation of the different Sophos UTM layers

Sophos UTM is built from many open source services, each serving a different function. Web Protection is a Squid proxy that can be used via the proxy IP or in transparent mode. The VPN service “pluto” comes from strongSwan, etc. A data packet runs through many layers. I tried to figure out in which order this happens. I hope they are correct :->

utm-layer

Feel free to correct me in the comments. I will be on vacation in Las Vegas and will answer after my holiday. I wish you a nice weekend! See you!

Sophos released Update 9.402-7

  • Maintenance Release
  • System will be rebooted
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Changelog:

NUTM-1955 [Access & Identity] 35658: VLAN Interface on top of a bridge disappears from Slave after Reboot
NUTM-1958 [Access & Identity] 34242: Communication error with Amazon AWS server
NUTM-2129 [Access & Identity] 36050: File Copy from network share over RED50 does not work in one direction
NUTM-2234 [Access & Identity] 35592: Backup from 220 to 230 caused eth3 to exist two times
NUTM-2449 [Access & Identity] 36228: RED Server sends more peers as peers are configured
NUTM-2706 [Access & Identity] Still coredumps from argos after installing the new fix from mantis 35353
NUTM-2842 [Access & Identity] 35423: irqd: Support more than 32 cpus
NUTM-2844 [Access & Identity] 36028: 82546GB Gigabit Ethernet Controller: Reset adapter / Detected Tx Unit Hang
NUTM-2950 [Access & Identity] RED15: fix dnsmasq for transparent/split
NUTM-3049 [Access & Identity] 36382: reds-interface does not get IP after re-activating RED device
NUTM-3083 [Access & Identity] IPv6 address in log line shortened
NUTM-3190 [Access & Identity] IPsec site-to-site: Limit of listening interfaces of 300
NUTM-3252 [Access & Identity] High disk I/O during pattern update on smaller UTM appliances
NUTM-3522 [Access & Identity] RED15 with static uplink and dns name as utm hostname doesn’t work correctly
NUTM-3661 [Access & Identity] After deleting red15w mdw crashes
NUTM-1371 [Basesystem] 35523: adbs-maintenance.plx – ERROR: canceling autovacuum task – waits for ShareUpdateExclusiveLock/AccessExclusiveLock
NUTM-1798 [Basesystem] 35862: Confd doesn’t check for valid local time which can lead to dashboard error
NUTM-2804 [Basesystem] 36226: Network Utillization on HW LCD doesn’t match iftop and webadmin values
NUTM-3325 [Email] Bug on Malware scanning UI Text
NUTM-3558 [Email] Sandbox result shows up in messages
NUTM-3575 [Email] Detailed view defective for Sandstorm pending mails
NUTM-3582 [Email] smtpd sometimes gets stuck when creating a cluster
NUTM-3620 [Email] Add capabilities to Quarantine manager’s spool tab to handle multiple items for the same massage
NUTM-2015 [HA/Cluster] Prevent users from changing postgres_secret
NUTM-2290 [HA/Cluster] Prevent backup import from changing postgres_secret
NUTM-2677 [HA/Cluster] 36293: The Slave node in HA doesn’t show any resource usage
NUTM-1956 [Network] 35582: flow monitor invents traffic on wlan1 interface
NUTM-2236 [Network] 34828: don’t start dhclient without interface
NUTM-3156 [Network] Slave interface IP where WAF is listen to get lost after a while
NUTM-3304 [Network] nic-naming: Provide a fix for delayed 210r2 software support
NUTM-3176 [Reporting] In web usage reporting some domains show up as only the suffix
NUTM-2779 [WAF] WAF – Slow HTTP error messages do not match the description
NUTM-3175 [WebAdmin] It is not possible to select a vlan interface for the “Ping Check”
NUTM-3177 [WebAdmin] Sort function in EPP manage computer didn’t work correctly
NUTM-3184 [WebAdmin] Etc\Greenwich set as timezone causes error on dashboard
NUTM-3185 [WebAdmin] Issues while using the “Search Log Files” tab in the “View Log Files” part of webadmin
NUTM-3311 [WebAdmin] Remove Support for TLS v1.0 from Apache Configuration
NUTM-3109 [Web] Proxy stops working without segfault or hint in the logs
NUTM-3114 [Web] ADSSO join didn’t work with special characters like \xF6
NUTM-3123 [Web] HTTP Log is flooded with “Server delivered only 0 of X bytes” messages
NUTM-3124 [Web] HTTP proxy intermittently stuck in ‘recv: Input/output error’
NUTM-3577 [Web] High CPU Load after update to 9.4
NUTM-3076 [WiFi] Split network modes do not work with RED15w
NUTM-3418 [WiFi] RED15w forgets its wireless encryption key after reboot
NUTM-3188 [[Backend/Devel] Confd] Domain-Regex object deployed from SUM will be created more than once
NUTM-3189 [[Backend/Devel] Confd] Auto packetfilter rule is not updated if the destination service object of a NAT will be changed

FTP Link: ftp://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.401011-402007.tgz.gpg

HTTP Link: http://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.401011-402007.tgz.gpg

Sophos UTM IPSec Fallback with different vendor

During a firewall migration at one of my customers, the IT director asked me if we could configure IPsec fallback for the branch offices. The remote devices are all from Bintec, and there are over 30 branch offices. First, correct the NAT settings on all devices with this tutorial, which I blogged last year.

Now we will configure the remote Bintec device. Go to VPN/IPsec. This is an example; you can choose whatever you want:

bintec-phase1

bintec-phase2

bintec-sa-status

This is the main VPN setting:

bintec-vpn1

This is the backup VPN setting:

bintec-vpn2

This is the configuration of the Sophos UTM:

IPsec Policy:

ipsec-policy

Remote gateway:

remote-gateway

Main VPN over Unitymedia line:

ipsec1

Backup VPN over Versatel line:

ipsec2

It’s important to activate “Bind tunnel to local interface” because we will now work with multipath rules. Go to Interfaces & Routing / Interfaces / Multipath Rules and add two rules:

multipath-rules

So the remote network 192.168.22.0/24 is reachable over both WAN interfaces (by binding the tunnels to the interfaces):

ipsec-view

If you disconnect the main line (in this example Unitymedia), the VPN stays active for over a minute. Be patient when you ping your remote device. After about a minute your pings come back, because both sides recognize that the main VPN tunnel is down and the multipath rule leads traffic over the second line (Versatel). When the main line is back, the first multipath rule becomes active immediately.
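To measure how long the failover described above actually takes, here is an added example (not from the original post) for the UTM shell: it probes a host in the branch network once per second and turns the probe log into a list of outages. The remote host 192.168.22.1 is an assumption, and the sample log is constructed.

```shell
#!/bin/sh
# Measure how long the remote branch network is unreachable while the IPsec
# tunnel fails over from the main line to the backup line (and back).
# Assumption (not from the page): 192.168.22.1 is a host inside the
# 192.168.22.0/24 branch network; adjust REMOTE_HOST to your own setup.

REMOTE_HOST="${REMOTE_HOST:-192.168.22.1}"

# Probe once per second and write "<epoch> up|down" lines to stdout.
# Live use on the UTM shell:  probe_loop | tee probe.log   (Ctrl-C to stop)
probe_loop() {
    while :; do
        if ping -c 1 -W 1 "$REMOTE_HOST" >/dev/null 2>&1; then s=up; else s=down; fi
        echo "$(date +%s) $s"
        sleep 1
    done
}

# Turn a probe log (stdin) into one line per outage, "<start> <end> <seconds>",
# followed by a final "longest <seconds>" line. An outage still open at the end
# of the log is reported with end "-" so it is not silently lost.
# Live use:  outage_report < probe.log
outage_report() {
    awk '
        $2 == "down" && !down { down = 1; start = $1 }
        $2 == "up"   && down  {
            len = $1 - start
            printf "%d %d %d\n", start, $1, len
            if (len > longest) longest = len
            down = 0
        }
        END {
            if (down) printf "%d - open\n", start
            printf "longest %d\n", longest + 0
        }
    '
}

# Constructed sample log: the tunnel goes down at t=100 and traffic returns at
# t=162 (about one minute, as described above), then a short blip at t=300.
SAMPLE_LOG='99 up
100 down
130 down
162 up
300 down
303 up'

outage_report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | outage_report
}
```

Running `outage_report_sample` prints the 62-second failover window and the 3-second blip, then `longest 62`.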

Sophos UTM Update 9.401-11 is available!

You can download the new version directly from the FTP server:

u2d-sys-9.355001-401011.tgz.gpg (from 9.3 to 9.4)

u2d-sys-9.400009-401011.tgz.gpg (for already installed 9.4 update)

News:

  • Features:
    • Clientless SSO (STAS)
    • IPv6 Support for SSL VPN
    • Sandboxing for SMTP and Web
    • Support for new RED15w
    • Support for new SG Appliances SG85 and SG85w
    • Support for new 4x10G FP 1U network module
    • WAF persistent session cookies

Info:

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes:

NUTM-1764 [Access & Identity] 35675: First time connection always fails with ssl remote access vpn and remote auth
NUTM-1768 [Access & Identity] 35689: RED50: Loadbalancing does not work
NUTM-1771 [Access & Identity] 35809: Group membership is not updated when prefetching backend users
NUTM-1772 [Access & Identity] 35859: Some users are removed from all groups during update_ad_bg_members
NUTM-1927 [Access & Identity] 35957: ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process
NUTM-1928 [Access & Identity] 35446: Problems with OpenVPN v2.3.0 and Win8 when client awake from sleep or hibernation mode
NUTM-1941 [Access & Identity] 35474: AD group cache still contains obsolete group information after update_ad_bg_members.plx is executed
NUTM-1942 [Access & Identity] 35279: Option “Drop packets from blocked hosts” does not work correctly
NUTM-1943 [Access & Identity] 35269: Random auth-pop ups in with eDir SSO
NUTM-1944 [Access & Identity] 35459: Site2Site SSLVPN client fails to add routes after server restart
NUTM-1945 [Access & Identity] 35778: Sometimes SAA connection disconnect for 3 minutes
NUTM-1947 [Access & Identity] 35926: VPN Signing CA using encryption of 1024bit
NUTM-1949 [Access & Identity] 35353: Intermittend authentication failed messages during unstable SAA connection
NUTM-1950 [Access & Identity] 35606: French keyboard layout not detected in HTML5 portal RDP connections
NUTM-1951 [Access & Identity] 35602: Outdated perl-ldap -0.39 causing errors in Intermediate.pm
NUTM-1953 [Access & Identity] 35143: LT2P remote access – client get assigned an IP from the pool which is already in use
NUTM-1961 [Access & Identity] 35791: QoS not working with more than 600 applications in a traffic selector definition
NUTM-1964 [Access & Identity] 33657: Bridge: Error messages when you enable / disable an additional address on a bridge
NUTM-1965 [Access & Identity] 34496: Bridge + QoS: Bandwidth pools does not work
NUTM-2080 [Access & Identity] 36079: RED Management can’t be enabled if the organisation name includes umlauts
NUTM-2082 [Access & Identity] 36025: Cisco VPN remote access: XAUTH credentials and Certificate can be from different users
NUTM-2132 [Access & Identity] 36064: Regeneration of VPN Signing CA doesn’t work
NUTM-2451 [Access & Identity] 36225: HTML5 portal RDP session to Windows 8.1 doesn’t work
NUTM-2715 [Access & Identity] 36312: RED15 responds to public DNS requests
NUTM-2817 [Access & Identity] [BETA] Site2Site SSLVPN routes not used if more than 1 connection is up
NUTM-2850 [Access & Identity] [BETA] Site2Site Problem – more connections
NUTM-896 [Access & Identity] 34886: filter:FORWARD:rule will cause a conntrack entry without SYN
NUTM-501 [Basesystem] 33039: SNMPd reports wrong mac address
NUTM-2746 [Email] sandbox module generated many error log messages
NUTM-3038 [Email] [BETA] Rescanning a mail after releasing from quarantine does not work
NUTM-3484 [Email] SMTP Proxy does not start after update to 9.4 after takeover
NUTM-1170 [HA/Cluster] 35285: repctl fails to start on slave node – can’t use string (“reporting”) as a HASH ref
NUTM-1737 [HA/Cluster] 35814: UTM doesn’t respond to arp requests after HA gets disabled
NUTM-3340 [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)
NUTM-1770 [RED] 35855: RED: Kernel crash – decompression failed: -22
NUTM-1952 [RED] 25775: RED: add message to warn users if they add a MAC to the list which is used by RED
NUTM-2365 [RED] 36159: High CPU load from confd caused by overflow on RED devices
NUTM-2676 [RED] 36303: USB deployed RED10 devices loose their static wan config
NUTM-1067 [WAF] 34447: Issue with WAF Rev. Auth. and OTP
NUTM-2368 [WAF] 36061: Unable to upload attachements with IE to backend server via WAF
NUTM-2555 [WAF] 36251: XSS vulnerability in mod_url_hardening
NUTM-2556 [WAF] 36272: XSS vulnerability in mod_avscan
NUTM-2689 [WAF] 36190: High swap usage caused by reverse proxy
NUTM-2809 [WAF] 36373: Reverse authentication: AH01627: AuthType configured with no corresponding authorization directives
NUTM-3027 [WAF] Random Confd message “Undefined subroutine register_logout_urls”
NUTM-3365 [Web] Filename is not preserved for sandboxed file if Content-Disposition header is missing
NUTM-2141 [WiFi] 35969: Sometimes inconsistent logging if a user is connected via hotspot
NUTM-2591 [WiFi] 36278: Increase maximum number of access points (APs)
NUTM-3066 [WiFi] AP10/30/50 reboot loop
NUTM-3355 [WiFi] VLAN Fallback mechanism broken since 9.4
NUTM-3437 [WiFi] Mesh broken on AP50 after upgrade to 9.4 SR

This update solves my problem with RED15 devices: the device was online (green status in the WebAdmin) but there was no traffic between branch office and headquarters.

Sophos UTM elevated 9.4 soft-release

Sophos released the UTM update 9.4. You can upload the file via WebAdmin or via the shell:

cd /var/up2date/sys

wget http://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.355001-400009.tgz.gpg

auisys.plx --showdesc

Changelogs

  • Clientless SSO (STAS)
  • IPv6 Support for SSL VPN
  • Sandboxing for SMTP and Web
  • Support for new RED15w
  • Support for new SG Appliances SG85 and SG85w
  • Support for new 4x10G FP 1U network module
  • WAF persistent session cookies

Infos

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes

NUTM-1764 [Access & Identity] 35675: First time connection always fails with ssl remote access vpn and remote auth
NUTM-1768 [Access & Identity] 35689: RED50: Loadbalancing does not work
NUTM-1771 [Access & Identity] 35809: Group membership is not updated when prefetching backend users
NUTM-1772 [Access & Identity] 35859: Some users are removed from all groups during update_ad_bg_members
NUTM-1927 [Access & Identity] 35957: ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process
NUTM-1928 [Access & Identity] 35446: Problems with OpenVPN v2.3.0 and Win8 when client awake from sleep or hibernation mode
NUTM-1941 [Access & Identity] 35474: AD group cache still contains obsolete group information after update_ad_bg_members.plx is executed
NUTM-1942 [Access & Identity] 35279: Option “Drop packets from blocked hosts” does not work correctly
NUTM-1943 [Access & Identity] 35269: Random auth-pop ups in with eDir SSO
NUTM-1944 [Access & Identity] 35459: Site2Site SSLVPN client fails to add routes after server restart
NUTM-1945 [Access & Identity] 35778: Sometimes SAA connection disconnect for 3 minutes
NUTM-1947 [Access & Identity] 35926: VPN Signing CA using encryption of 1024bit
NUTM-1949 [Access & Identity] 35353: Intermittend authentication failed messages during unstable SAA connection
NUTM-1950 [Access & Identity] 35606: French keyboard layout not detected in HTML5 portal RDP connections
NUTM-1951 [Access & Identity] 35602: Outdated perl-ldap -0.39 causing errors in Intermediate.pm
NUTM-1953 [Access & Identity] 35143: LT2P remote access – client get assigned an IP from the pool which is already in use
NUTM-1961 [Access & Identity] 35791: QoS not working with more than 600 applications in a traffic selector definition
NUTM-1964 [Access & Identity] 33657: Bridge: Error messages when you enable / disable an additional address on a bridge
NUTM-1965 [Access & Identity] 34496: Bridge + QoS: Bandwidth pools does not work
NUTM-2080 [Access & Identity] 36079: RED Management can’t be enabled if the organisation name includes umlauts
NUTM-2082 [Access & Identity] 36025: Cisco VPN remote access: XAUTH credentials and Certificate can be from different users
NUTM-2132 [Access & Identity] 36064: Regeneration of VPN Signing CA doesn’t work
NUTM-2451 [Access & Identity] 36225: HTML5 portal RDP session to Windows 8.1 doesn’t work
NUTM-2715 [Access & Identity] 36312: RED15 responds to public DNS requests
NUTM-2817 [Access & Identity] [BETA] Site2Site SSLVPN routes not used if more than 1 connection is up
NUTM-2850 [Access & Identity] [BETA] Site2Site Problem – more connections
NUTM-896 [Access & Identity] 34886: filter:FORWARD:rule will cause a conntrack entry without SYN
NUTM-501 [Basesystem] 33039: SNMPd reports wrong mac address
NUTM-2746 [Email] sandbox module generated many error log messages
NUTM-3038 [Email] [BETA] Rescanning a mail after releasing from quarantine does not work
NUTM-1170 [HA/Cluster] 35285: repctl fails to start on slave node – can’t use string (“reporting”) as a HASH ref
NUTM-1737 [HA/Cluster] 35814: UTM doesn’t respond to arp requests after HA gets disabled
NUTM-1770 [RED] 35855: RED: Kernel crash – decompression failed: -22
NUTM-1952 [RED] 25775: RED: add message to warn users if they add a MAC to the list which is used by RED
NUTM-2365 [RED] 36159: High CPU load from confd caused by overflow on RED devices
NUTM-2676 [RED] 36303: USB deployed RED10 devices loose their static wan config
NUTM-1067 [WAF] 34447: Issue with WAF Rev. Auth. and OTP
NUTM-2368 [WAF] 36061: Unable to upload attachements with IE to backend server via WAF
NUTM-2555 [WAF] 36251: XSS vulnerability in mod_url_hardening
NUTM-2556 [WAF] 36272: XSS vulnerability in mod_avscan
NUTM-2689 [WAF] 36190: High swap usage caused by reverse proxy
NUTM-2809 [WAF] 36373: Reverse authentication: AH01627: AuthType configured with no corresponding authorization directives
NUTM-3027 [WAF] Random Confd message “Undefined subroutine register_logout_urls”
NUTM-2141 [WiFi] 35969: Sometimes inconsistent logging if a user is connected via hotspot
NUTM-2591 [WiFi] 36278: Increase maximum number of access points (APs)
NUTM-3066 [WiFi] AP10/30/50 reboot loop

The files are available on the FTP server:

FTP Download

HTTP Download

Ekahau Site Survey 8.5.1 released

The software I use for WiFi site surveys is Ekahau Site Survey. Version 8.5.1 was released yesterday. What is Ekahau? Over 12 years in the making, ESS™ maintains its reputation as the easiest to use, enterprise-grade Wi-Fi design and maintenance tool for Wi-Fi professionals. With crystal clear heat maps and easy-to-use reports, ESS makes it simple to optimize Wi-Fi. ESS allows you to plan and create Wi-Fi networks according to your performance and capacity requirements, taking into consideration the increasing number of wireless clients and applications such as VoIP, HD video streaming and web browsing.

Version 8.5.1 highlights:

  • Improved support for dual-5 GHz access points – especially for scenarios where switching between 2.4+5GHz and 2 x 5GHz modes
    • Also added Cisco 2802 and 3802 APs that support dual-5 GHz
  • The super-annoying tooltip behavior switched to less-annoying (disclaimer: that’s hopefully less annoying, for most users, most of the time)
  • Easier moving of access points (no more pixel-perfect alignment of mouse cursor)
  • Improvements to network adapter behavior (more stable, more robust in VHD environments)
  • Support for older, v2 model of Ekahau Spectrum Analyzer (does not show overly-high noise floor anymore on 5GHz band)
  • Added antennas from Aruba, Terrawave, Samsung
  • Added Xirrus APs XD4, X2, XR-320
  • Small improvements, such as a fix for Cisco prime map import

Full release notes here!

Sophos Hardware Refresh Program

The upgrade paths of the hardware refresh program are not public. I want to show you which paths you can take. Here are some facts:

  • The Hardware Refresh Program is for customers who want to change from UTM/ASG to SG hardware or want to buy a higher SG model
  • SG and XG hardware are identical. SG has “Sophos UTM 9” preinstalled, XG has SFOS (Sophos Firewall Operating System) preinstalled
  • An SG license can be converted to an XG license at no cost

You receive a discount if you migrate to newer hardware. It is also possible to buy a new SG and convert to XG:

utm-to-xg

Next month I need to migrate from a Sophos UTM 320 to an SG 450. This is not a “normal” migration, because we go to a higher model due to the customer’s strong growth. The “normal” hardware refresh would be to the Sophos SG330. If you change the hardware to that model, you have no further license costs; you only buy the new hardware. The license can be converted in your myUTM account. In this specific project, we buy two new SG450 and convert the license from UTM320 to SG330, then to SG430 and then to SG450. In this case, we lose license time by a factor that Sophos defines:

upgrade-paths

Example: We have 12 months left on our Full Guard subscription. 12 divided by 1.5 gives 8; 8 divided by 1.5 gives 5.33. So we have 5 months and 10 days left. After that, we buy a new Full Guard subscription for three years.

When you want to go the same way, tell your dealer all the information about it (upgrading to a higher hardware model and buying another Full Guard subscription right away). You will get a bigger discount with that! For more information visit www.sophos.de/refresh 🙂

Running USB NICs with Sophos UTM

Today I saw a USB 3.0 Gigabit Ethernet adapter at my company and wanted to know whether it works on a Sophos UTM. The adapter is a Digitus DN-3023 Gigabit Ethernet Adapter (RJ-45 to USB 3.0):

digitus-usb-nic

So I installed a new Sophos UTM on a barebone PC, using an old 9.312-81 software appliance ISO. After the installation and initial setup, I couldn’t see the NIC at the Linux shell. I found an old feature request where a product manager said that the AX88179 chip would be supported as of 9.317:

usbnicfeaturerequest

So I updated the UTM to 9.355-1. After a reboot I still couldn’t choose this adapter in the WebAdmin, so I went to the Linux shell to check whether the hardware was found:

utm:/root # lsusb
Bus 001 Device 002: ID 045b:0209 Hitachi, Ltd
Bus 002 Device 002: ID 045b:0210 Hitachi, Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 058f:9254 Alcor Micro Corp. Hub
Bus 002 Device 003: ID 0b95:1790 ASIX Electronics Corp.
Bus 001 Device 004: ID 03f0:0024 Hewlett-Packard KU-0316 Keyboard
Bus 001 Device 005: ID 046d:c018 Logitech, Inc. Optical Wheel Mouse
Bus 001 Device 006: ID 10d5:55a4 Uni Class Technology Co., Ltd

As you can see, the “ASIX Electronics Corp.” USB NIC adapter was found. OK, let’s check whether it shows up as a network interface:

utm:/root # lshw -c network
*-network
description: Ethernet interface
product: RTL8111/8168 PCI Express Gigabit Ethernet controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:01:00.0
logical name: eth0
version: 06
serial: fc:aa:14:e3:38:49
size: 1Gbit/s
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=192.168.0.1 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
resources: irq:105 ioport:e000(size=256) memory:d0704000-d0704fff memory:d0700000-d0703fff
*-network
description: Ethernet interface
product: RTL8111/8168 PCI Express Gigabit Ethernet controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:02:00.0
logical name: eth1
version: 06
serial: fc:aa:14:e3:38:47
size: 1Gbit/s
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=10.192.227.96 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
resources: irq:106 ioport:d000(size=256) memory:d0604000-d0604fff memory:d0600000-d0603fff
*-network DISABLED
description: Ethernet interface
physical id: 1
bus info: usb@2:1.3
logical name: eth2
serial: 00:24:9b:0c:28:76
size: 10Mbit/s
capacity: 1Gbit/s
capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=off broadcast=yes driver=ax88179_178a duplex=half link=no multicast=yes port=MII speed=10Mbit/s

The last entry (eth2, bus info usb@2:1.3, driver ax88179_178a) is the USB NIC adapter. The device is still disabled; reboot to activate it. Now you can see the NIC adapter in the WebAdmin:

usb-asix

OK, but how does such a NIC perform? The barebone PC has USB 2.0 and 3.0 ports. I tested both ports and got the same bandwidth results:

usbnic-speed

The provider delivers a 100 Mbit synchronous internet line, so I can happily say that the USB NIC runs very nicely! Here are the shell commands to check whether the adapter is connected to a USB 2.0 or a USB 3.0 port:

USB 2.0:

utm:/root # lsusb -t
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
|__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 480M

USB 3.0:

utm:/root # lsusb -t
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
|__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 5000M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M

USB 2.0 has a gross data rate of 480 MBit/s (recognizable by the “480M” at the end of the line) and USB 3.0 has a gross data rate of 4,000 MBit/s (“5000M” at the end of the line).
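The manual check above can be scripted. Here is an added example (not from the original post) that reads `lsusb -t` output, finds the line for a given kernel driver and classifies the link as USB 2.0 or 3.0 from the trailing speed field; the driver name ax88179_178a comes from the listings above, the sysfs lookup in `usb_nic_report` is my own addition, and the two sample listings are constructed copies of the ones shown.

```shell
#!/bin/sh
# Report whether a USB NIC sits on a USB 2.0 (480M) or USB 3.0 (5000M) link,
# based on the output of `lsusb -t`.

usb_link_speed() {
    # $1 = kernel driver name to look for; stdin = output of `lsusb -t`
    awk -v drv="$1" '
        index($0, "Driver=" drv ",") {
            speed = $NF                      # last field, e.g. "480M" or "5000M"
            sub(/M$/, "", speed)
            if (speed + 0 >= 5000)      gen = "USB 3.0 (SuperSpeed)"
            else if (speed + 0 >= 480)  gen = "USB 2.0 (High Speed)"
            else                        gen = "USB 1.x (Full/Low Speed)"
            printf "%s %sM %s\n", drv, speed, gen
            found = 1
            exit
        }
        END { if (!found) { printf "%s not found\n", drv; exit 1 } }
    '
}

# Live use on the UTM shell: resolve the driver of an interface through sysfs
# (assumed helper, e.g. `usb_nic_report eth2`) and classify its USB link.
usb_nic_report() {
    link=$(readlink "/sys/class/net/$1/device/driver") || return 1
    lsusb -t | usb_link_speed "$(basename "$link")"
}

# Constructed samples mirroring the two `lsusb -t` listings above.
SAMPLE_USB2='/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
        |__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 480M'

SAMPLE_USB3='/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
        |__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M'

classify_sample_usb2() { printf '%s\n' "$SAMPLE_USB2" | usb_link_speed ax88179_178a; }
classify_sample_usb3() { printf '%s\n' "$SAMPLE_USB3" | usb_link_speed ax88179_178a; }
```

`classify_sample_usb2` prints `ax88179_178a 480M USB 2.0 (High Speed)` and `classify_sample_usb3` prints `ax88179_178a 5000M USB 3.0 (SuperSpeed)`; a driver that is not plugged in yields `<driver> not found` with exit status 1.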

Currently I’m working on a future project for a tiny UTM. I will use this adapter for it; keep in touch 😉
