Lately I have more and more customers who have an update problem to version 9.712-13. This only affects customers who operate a HA.
The update stops at version 9.712-12 for the master and the slave does not want to update any further.

how do I recognise the error

The dashboard reports a pending update

The master hangs during the update 9.712-12 and the slave has the status UP2DATE all the time.

And the HA log says that the slave cannot download the update 9.712-12.

How does the error occur?

Sophos had released the 9.712-13 update a few weeks ago and had withdrawn the 9.712-12 update. Now we have the problem with the master that it had already downloaded the 9.712-12 update. And 9.712-12 was then also installed during the update process to 9.712-13. For the Slave, however, the updates are not downloaded in advance. And because the 9.712-12 update was withdrawn, the slave can no longer install the update.

How to fix it?

You have 2 options.

You have to shut down the slave node and update the master to version 9.712-13. The slave is then booted up again and can then download the appropriate update from the Sophos file server. The problem here is that someone has to be present to start up the slave node again.

Or you can install the Udpate 9.712-13 on the master via CLI. During the update there is a downtime of about 5 minutes because the slave node does not take over the services from the master due to the UPDATE status.

This command installs any updates that Sophos has already downloaded. The HA status is ignored.

auisys.plx --verbose --level d

The result

After the reboot, the master installed the update 9.712-13. The slave is still set to UP2DATE. To speed up the update of the slave, it can be restarted. Otherwise it may take a few hours until the slave installs the update by itself. If the slave is rebooted manually, however, the database may be damaged. In this case, you simply have to restore it via CLI.

After rebooting the slave

Have a nice day!

The post Sophos UTM 9.712-13 HA update problem appeared first on Network Guy.

• Maintenance Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-13215 [AWS] AWS Pay-As-You-Go license expires on C5/M5 instances
• NUTM-12872 [Basesystem] LibXML vulnerability – CVE-2021-3541
• NUTM-13227 [Basesystem] uriparser vulnerabilities
• NUTM-13376 [Basesystem] DHCP Relay not working after upgrade to 9.704
• NUTM-13496 [Basesystem] Openssl vulnerability – CVE-2022-1292
• NUTM-13504 [WAF] Enforce usage of valid Let’s Encrypt root CA

Download

https://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.711005-712012.tgz.gpg

The post Sophos UTM 9.712-12 update released appeared first on Network Guy.

As usual, the release will be rolled out in phases:

• In phase 1 you can download the update package from our download server. Click the link and navigate to the folder UTM / v9 / up2date.
  • Up2date package – 9.710 to 9.711 : https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.710001-711005.tgz.gpg
  • md5sum is 8eede813596e78a58a52f492adcd52c4 : https://download.astaro.com/UTM/v9/up2date/ u2d-sys-9.710001-711005.tgz.gpg.md5
• During phase 2 we will make it available via our Up2Date servers in several stages.
• In phase 3 we will make it available via our Up2Date servers to all remaining installations.

This version addresses the recent highly-publicised vulnerability in OpenSSL, CVE-2022-0778. It also addresses a vulnerability recently discovered in Apache, CVE-2022-22720. Apache is used in WAF and for the WebAdmin and user interfaces.

The new Wireless Access Point firmware included with this release is essential for anyone adding new APX access points. Due to supply chain issues we have made some hardware changes in the most recent revisions of our APX models that require this latest firmware version 11.0.109. This version also addresses the recent certificate-parsing vulnerability discovered in OpenSSL so it is worth applying even if you don’t have any new access points.

Finally, you may notice a small change in the format of the firmware version when you’re using WebAdmin – we’ve added an identifier to make it clear whether you’re using the 32-bit or 64-bit version of the UTM operating system.

Other news

• Maintenance Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-13334 [Basesystem] PowerShell / Putty – Default SSH client options result in failed connection
• NUTM-13394 [Basesystem] Openssl Vulnerability – CVE-2022-0778
• NUTM-13421 [Basesystem] Upgrade Apache to 2.4.53 (UI) – CVE-2022-22720
• NUTM-13326 [UI Framework] Identify 32-bit or 64-bit build in WebAdmin footer
• NUTM-13419 [WAF] Upgrade Apache to 2.4.53 (WAF) – CVE-2022-22720
• NUTM-13363 [Wireless] Integrate updated APX firmware version 11.0.019
• NUTM-13433 [Wireless] AP/APX : Openssl Vulnerability – CVE-2022-0778

The post Sophos UTM 9.711-5 update released appeared first on Network Guy.

This update removes the end-of-life SSLVPN client. It is no longer available to download from the User Portal. For more information see this end-of-life notice and this vulnerability disclosure.

With the standalone IPSec client also reaching end-of-sale on 30 March 2022, we have refreshed the remote access page of the User Portal to better support Sophos Connect. Sophos Connect is the recommended alternative to the old SSLVPN and IPSec clients. Download links on the User Portal now direct users to the Sophos Connect section on our downloads page. Configuration links have been updated to provide certificate packages and settings that can be imported by Sophos Connect to get users up and running quickly.

Sophos Connect client should be able to work with any IPSec or SSLVPN configuration you already have set up. Here are some additional links to help understand how it works.

• Sophos UTM: Install and configure Sophos Connect for remote access SSL VPN
• Sophos UTM: Install and configure Sophos Connect for remote access IPsec

Other news

• Maintenance release
• Security release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-12592 [Basesystem] Use Only Secure Ciphers for UTM SSH Server
• NUTM-12784 [Basesystem] Patch BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, CVE-2021-25219)
• NUTM-13101 [Basesystem] Patch Strongswan Vulnerability (CVE-2021-41991)
• NUTM-13119 [Basesystem] Patch Binutils Vulnerability (CVE-2021-3487)
• NUTM-13144 [Basesystem] Remove SSLVPN client downloader from UTM
• NUTM-13192 [Basesystem] Use Secure Key Exchange Algorithms for SSH
• NUTM-13203 [Basesystem] snmpd high memory for snmpwalk v3
• NUTM-12615 [Configuration Management] Root password hash exposed via confd*.log (CVE-2022-0652)
• NUTM-13013 [Email] Upgrade Exim to v4.95
• NUTM-13200 [Email] OAEP RSA padding mode still uses SHA-1 in S/MIME
• NUTM-13267 [Email] SQLi in the Mail Manager (CVE-2022-0386)
• NUTM-13071 [Logging] IPFIX reporting transferred data on wrong direction
• NUTM-12885 [Network] IPS exceptions issue
• NUTM-12987 [RED] Issue with RED tunnel on BO after disconnecting PPPoE
• NUTM-12936 [Web] Add configuration for overriding warn page to proceed link protocol (Standard Mode SSO)

Download

https://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.709003-710001.tgz.gpg

The post Sophos UTM 9.710-1 update released appeared first on Network Guy.

• Maintenance Release
• Security Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-12868 [Email] It is not possible to permanently block an IP from the SMTP-Proxy if authentication is enabled
• NUTM-13008 [Email] Public DNS causing blocked connection with RBL
• NUTM-13193 [Email] SPX portal 404 NO SUCH USER after upgrading to 9.708
• NUTM-12791 [Wireless] Address the Frag Attack vulnerabilities for Local Wifi and connected AP devices (see this article for more details)
• NUTM-13263 [Wireless] Integrate updated AP firmware (v. 11.0.017) to address FragAttack issues
• NUTM-12971 [WAF] Update Apache Runtime Library (APR) to address CVE-2021-35940
• NUTM-12861 [WAF] Upgrade Apache to address CVE-2020-13950, CVE-2021-26690, CVE-2021-26691, CVE-2021-34798, CVE-2021-39275, CVE-2021-40438

Download

https://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.708006-709003.tgz.gpg

The post Sophos UTM 9.709-3 update released appeared first on Network Guy.

today I want to show you how to find out the PPPoE password on a Sophos SG/XG if you don’t have it documented.

This only works if the SG/XG itself establishes the connection.

Start a TCPDump on the hardware interface via the shell. In this example eth1.

tcpdump -i eth1

Then press the reconnect button in the webgui.

Now you just have to look in the dump for the line that contains your PPPoE username. And directly behind it is the password in plain text. :D

08:49:12.384612 PPPoE [ses 0xdc82] PAP, Auth-Req (0x01), id 1, Peer networkguy0001@telekom.de, Name Password123

Have a nice day!

The post Sophos SG/XG How to find the PPPoE password appeared first on Network Guy.

• Maintenance Release/ Security Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-12780 Upgrade Exim to v4.94.2 – 9.706

Download

https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.706008-706009.tgz.gpg

The post Sophos UTM 9.706-9 update released appeared first on Network Guy.

• Maintenance Release
• Strict TCP Session Handling enabled by defaultNew installations of UTM 9.706 have strict TCP session handling enabled by default.
  When updating to 9.706 and strict TCP session handling is not enabled, admins can enable it under Network Protection > Firewall > Advanced.
• Secure Up2DateUp2Date updates will be downloaded via HTTPS connections. In cases where UTM 9 is being used with an upstream proxy or behind a different firewall, it may be necessary to change the configuration on these devices to allow UTM 9 to retrieve Up2Date information via HTTPS.
• Email Protection anti-spam engine changed to Sophos Anti-Spam Interface (SASI)Starting with this release, E-Mail Protection will use the Sophos Anti-Spam Interface (SASI) for anti-spam scanning. SASI is already being used as part of Sophos Email and will replace the currently used anti-spam engine in UTM 9.
  In case of false positive or false negative detections, please follow the instructions in this support article on how to submit a sample.

How to activate Strict TCP Session Handling

Remarks

• System will be rebooted
• Configuration will be upgraded
• Connected REDs will perform firmware upgrade
• Connected Wifi APs will perform firmware upgrade

Issues Resolved

• NUTM-12050 [Access & Identity] IPv6 auto-firewall rules missing with IPsec S2S respond only
• NUTM-12062 [Access & Identity] AD Group object not updated when user with an Umlaut in the username logs in
• NUTM-12188 [Access & Identity] openl2tp service is dead and unable to start
• NUTM-12198 [Basesystem, UI Framework] Webadmin host injection reported
• NUTM-11753 [Basesystem] SG450 RAID status not alerting
• NUTM-11988 [Basesystem] Interface goes down after re-assigning the hardware of an interface
• NUTM-11989 [Basesystem] BGP issue causes long delay in UTM startup
• NUTM-12064 [Basesystem] Perl – Vulnerabilities
• NUTM-12112 [Basesystem] Libc Vulnerabilities
• NUTM-12122 [Basesystem] net-snmp Vulnerability CVE-2019-20892
• NUTM-12354 [Basesystem] Patch BIND (CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624)
• NUTM-12471 [Basesystem] OpenSSL: CVE-2020-1971 – DoS
• NUTM-11941 [Email] unnecessary SMTP restarts due to a SSL VPN login
• NUTM-12286 [Email] ECC Ciphers ECDH-ECDSA not supported by Exim SMTP
• NUTM-12542 [Email] Arbitrary Config Object Deletion via User Portal</Fix>
• NUTM-11915 [Network] Ipsec routes will be removed if a wifi network will be added and the ipsec local networks overlap with an existing wifi network
• NUTM-12045 [Network] INFO-122 Dhcpd not running
• NUTM-12280 [RED] RED site-to-site tunnels reconnecting at random intervals (utm to tum)
• NUTM-12253 [RED_Firmware] Split DNS doesn’t work with SD-RED
• NUTM-12379 [RED_Firmware] RED doesn’t reboot after reconnect doesn’t work properly
• NUTM-12098 [UI Framework] Remote crash of User Portal index.plx
• NUTM-11950 [WAF] AH00051 child pid XXXX exit signal Segmentation fault (11), possible coredump in /tmp
• NUTM-12148 [WAF] WAF not always sending SNI to backend
• NUTM-12029 [Web] AWS https scanning connect timeout on some sites with chrome
• NUTM-12204[Web] High CPU with http proxy coredumps.
• NUTM-12032 [Wireless] “&” sign in PSK cause issues after config change
• NUTM-12127 [Wireless] wireless client list empty
• NUTM-12254 [Wireless] Website not loading for wireless user due to large packets whose size is larger than the MTU of the link
• NUTM-12362 [Wireless] AP55/55C/100X/320X : Communication issue for Clients which are connected to the same SSID but at different APs
• NUTM-12383 All SSIDs disappears from AP and disconnects all connected clients

Download

https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.705003-706008.tgz.gpg

The post Sophos UTM 9.706 update released appeared first on Network Guy.

today I will talk about how to configuring a guest Wifi with a Aruba Mobility Controller and the Sophos hotspot solution.

In this example I will using the Sophos SG hotspot solution. With Sophos XG, it’s basically the same.

Sophos SG

Create a new Interface

It’s recommandet, to use a own interface for the guests. If you use a hardware interface or a VLAN interface, it’s your choice. I using VLAN interfaces.

Create a firewall rule for the web access 

To avoid problems with VIP visitors, I recommend allowing any service to access the internet. I will come to the topic of proxy in a moment.

masquerading rule

Without it, the package also gets on the internet, but not back :D

The DHCP 

Do not use your AD DHCP server. If you still have a server at all thanks to Azure. Always keep guest solutions as far away as possible from your infrastructure. That’s why I use the DHCP server from the Sophos SG and also send DNS queries directly to google DNS. Do not use the SG as DNS server for guest solutions. Because most UTMs have a query route to their own domain and the guest user can query your SG/XG via DNS queries about your environment.

hotspot portal

Here you have to put in the new interface and activate the hotspot type of your choice. I prefer the voucher solution.

And finally the proxy

For the guests, only the transparent proxy comes into consideration. No guest user wants to enter a static proxy into the system first. You should also only activate URL filtering, because no one wants to import the proxy CA. Now you have to define the policy and that’s it for the UTM configuration.

What web categories you allow via policy, you have to decide yourself.

Aruba Mobility Controller

My recommendation, configure everything under Mobility Controller level and not on the individual controller.

Add a new VLAN interface

We only need a VLAN interface with the same VLAN ID as the guest interface on the Sophos SG. No IP configuration is required on the mobility controller.

Create the SSID

I recommend using the tunnel mode. This way I don’t have to maintain all VLANs at the access points. Instead, I let the traffic first break out at the Mobility Controller.

We need a simple open WLAN.
Because we are using the Sophos SG guest solution in this example, I won’t go into detail about the possible Aruba solutions.

Now we have to remember the name of the default role. Because we have to edit these right away.

Edit  the role

For simplicity, we could write an Any rule because the Sophos SG takes care of security. But for the good feeling, we restrict the traffic a bit.

Because it’s a bit hard to read, here’s the content: We only allow the client to talk to the Sophos SG on the guest interface. Forbid the rest of the private IP address ranges and then allow Any for the Internet access.

Have a nice day!

The post Aruba Mobility Controller with Sophos SG/XG hotspot Portal appeared first on Network Guy.

today I will talk about how you can setup a virtual DMZ with a virt. Sophos UTM.

The logical network structure

For a better understanding, I have create a little grafic with the logical network structure.
I am using an Ubuntu server with KVM as hypervisor. My UTM, DMZ and LAN servers only run on the one server.

If you want to know how to set up a virtual UTM, just have a look at my blog entry about it.
https://networkguy.de/sophos-utm-how-to-install-a-virtual-home-firewall-under-ubuntu-via-kvm

Create the virtual switch

First we need a dummy interface.

You can create it with the following commands:

sudo ip link add name "what you want" type dummy
sudo ifconfig "what you want" up

For example I have call it “DMZ-Dummy5”

Second create the switch.

Modus = forwarded. You must give it an IP, otherwise there is an error message.

As the last step we have to isolate the server from the virtual DMZ.

For this we need an iptables rule to drop all incoming traffic to the dummy interface. And because it is so beautiful, we also ban outgoing traffic too.

sudo iptables -A INPUT -i Dummy-DMZ5 -j DROP
sudo iptables -A OUTPUT -o virbr3 -j DROP
sudo iptables-save

For what do we actually need this iptables rule? Quite simple. The DMZ server could access the hypervisor via this interface.

In this example, the hypervisor have in the virtual DMZ network the IP 10.3.69.1/24. The test server have the IP 10.3.69.2/24.
Ping test

ssh access to the hypervisor (not so good for a DMZ)

with iptables rule

Connect the DMZ with the UTM and the test server

OK, we have create the virtual DMZ. Now we need a connection with a test server and our virtual UTM.

For this example I use the virtual switch VirtDMZ3.

The switch nic is called virbr3, I don’t know why. But you can find it by IP address.

UTM

Connect the virtual switch as an additional NIC.

Test server

For the test server, use the virtual switch as NIC.

Needed configurations on the UTM

insert the new DMZ interface

You can find the correct interface using the MAC address. Compare it with the Virt Manager and the UTM.

virtmanager:

UTM:

Add the new interface:

Network Services

DNS

Don’t do this! If you allow the DMZ devices to use the DNS service of the UTM, DNS queries can be made via all devices known to the UTM. Every hacker is happy about this.

negative example:
The DMZ device can resolve the IP address from my LAN client.

without UTM DNS service

DHCP

If you want a DHCP, use for DNS open DNS server like google DNS or quad9.

NTP

I recommend, to use the UTM own NTP service for your devices. The fewer external services allowed, the better.

Network Protection

Firewall

For the DMZ you need 2 firewall rules. One for the internet access and one for the management.
The permitted services are only exemplary. Just check which services you need and allow them.

ICMP

The UTM has the special feature that ping is also handled under ICMP and can overwrite firewall rules if ping is prohibited. Therefore you should disable pinging via the gateway interface and enable firewall rules if required. Otherwise it would be possible that DMZ devices can map the IP network structures via IP scanner.

NAT

I recommend to use a SNAT rule for accessing the DMZ, so that no conclusions can be drawn from the communication to the rest of the network.

without SNAT rule:
You can see the IP from my client

with SNAT rule:
You see only the UTM DMZ gateway.

That’s all

Have a nice day!

The post Ubuntu how to setup a virtual DMZ with a virt. Sophos UTM appeared first on Network Guy.