Release Availability and Roll-out Timing
We are rolling out UTM Advantage (9.3) in three main phases over the coming weeks to provide a great upgrade experience for everyone:
- Phase 1: We are starting with an initial Up2Date to select customer systems today.
- Phase 2: Around mid-November, we plan to make the installation package generally available for download via our FTP site as we continue the release roll-out to additional systems. Any customers wishing to update their UTM as soon as possible can take advantage of the manual download at this time. We’ll post a notification here on the Sophos Blog when the download is available.
- Phase 3: By mid-December we will have rolled out the Up2Date package to all customer installations, including HA/Cluster environments.
Release Notes
Major New Features:
- Live AV Look-ups in Email Protection
Introduced in UTM 9.2 for Web Protection, Live AV look-ups now come to UTM Email Protection. This option improves malware detection rates by consulting the SophosLabs cloud infrastructure in real time for possible threat matches. Files whose look-up fails are still scanned by the local AV engine, and as part of our global feedback network unknown files are sampled for execution and deep analysis by SophosLabs, benefiting the global community while allowing you to tap the knowledge gained from these events worldwide.
- SPX Email Encryption – Self-Registration
With the self-registration feature, recipients of our unique SPX encrypted email now have the option to register themselves through an online portal, where they can create, reset and recover the passwords used to access their encrypted emails. This eliminates the need to communicate passwords to recipients manually, and lets them use the same password (one they will remember) for all encrypted emails. It makes SPX Email Encryption simpler for everyone.
- SPX Email Encryption – Support for Attachments on Reply Portal
SPX encrypted email recipients can now add attachments when securely replying to the sender through the SPX online portal. This allows full encryption of all communications in both directions.
- URL Tagging
With UTM 9.2 we introduced the Website List feature, where customers can add URLs and override the site category. URL tagging extends this feature by allowing customers to apply custom tags (labels) to URLs, in effect creating their own custom site categories. They can then use these tags in Web Policy just like regular system categories. For example, if a customer has a restrictive policy but needs to access customer websites that would otherwise be blocked, they can add those sites to the Website List, tag them as ‘Customer Sites’ and then modify the policy to allow access to the ‘Customer Sites’ tag.
- Browsing Time Quotas
Many organizations want to allow users a limited amount of personal browsing time during the day. In many situations, limiting this to specific times of day is too restrictive. With this new feature in Web Protection, administrators can allocate time quotas to specific sets of sites or categories for specific users or groups. Users choose when to consume their quota throughout the day. When they browse to a quota site, they are warned that they are about to use their quota; when the quota expires, they are informed accordingly. Administrators can reset a quota if necessary through the Web Protection Helpdesk area of the UTM.
- Selective HTTPS Scanning
To allow more flexibility and provide better performance, we have implemented an option for selective HTTPS filtering. This lets organizations balance the need for security or visibility into some encrypted traffic against the privacy and performance concerns that come with decrypting all HTTPS content. For example, customers can focus on the HTTPS scans that matter most, such as (a) detecting malicious content on uncategorized sites, (b) identifying search terms and enforcing safe search for Google and other search engines, and (c) scanning webmail traffic for DLP only on specific sites. Previously, HTTPS decryption had to be enabled for all traffic, with exceptions set up for individual sites where necessary.
- Support for SG1xx Wireless Hardware
This release adds support for the new SG 1xx wireless models we are going to introduce later this year.
- Hotspot Improvements
This release improves our hotspot capabilities with a few new features. First, we built an interface to communicate with Micros Fidelio hotel management software via its FIAS protocol. Second, we have implemented HTTPS support for hotspot login pages. And finally, hotspots can now be configured in a more multi-tenant-like fashion by restricting the “Allowed Users” option on a per-hotspot basis.
- Multiple Bridge Support
Many more advanced firewall configurations can be solved by allowing more than one network bridge. With this release we added support for multiple bridges. At the same time we cleaned up the configuration options in the UTM WebAdmin by moving the bridge configuration directly into the Interfaces pane, giving you user-friendly and simple control over all aspects of your interface configuration.
Other New Features:
- VLAN DHCP & Tagging
We removed some restrictions around VLANs to make them easier to administer: DHCP is now allowed on VLAN interfaces, and you can now have tagged and untagged interfaces on the same hardware interface.
- True-File-Type Detection
In our web and mail proxies we now traverse archive files (zip, rar, etc.) to detect the true types of the files inside. This allows granular policy enforcement based on the file types contained in an archive rather than blocking archive files in general.
- One-Click Secure Sophos Customer Support Access to UTM
With an ever-increasing number of Sophos global support sites with different IP ranges, it can be challenging to enable Sophos Support access to the UTM via WebAdmin and SSH. We have therefore implemented a feature that lets administrators enable access to the UTM for Sophos Support, upon request, with a single click.
- WAF Allow/Block Lists
For the Web Application Firewall we have added support for lists of allowed and blocked IP ranges. This is configured in the site path settings.
- WAF Wildcard Extension
Exceptions for internal servers now allow wildcards in the middle of the server path as well. This lets administrators add exceptions for multiple servers easily, effectively eliminating the need to maintain long lists in WebAdmin.
- WAF Prefix/Suffix Option
Some environments, most notably Microsoft servers like Exchange and SharePoint, require UPN/domain-style user names to log in. With the new option to append a prefix or suffix to user names, customers can add a default domain (for example) to streamline the user experience.
- HyperV 3.5 Support
UTM 9.3 now fully supports Microsoft Hyper-V Server 2012 R2. We have also incorporated MS Integration Tools v3.5 for Hyper-V, which include the latest drivers and additional capabilities like high availability and load balancing.
- Improved performance for URL categorization
In version 9.2 we introduced Live URL Filtering, a new way of doing URL categorization lookups to our cloud data services that offers better performance than the existing CFFS system. On the UTM it provides better local caching of commonly-visited site data. In the cloud, it provides greater responsiveness and automated scaling. With version 9.3 we are enabling this feature by default. Although the URL data used has not changed, this new system will only return one category for each site. This may impact the operation of policy for a small number of sites that previously had more than one category.
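The True-File-Type Detection item above describes a general technique: identify each archive member by its content rather than its file name, and descend into nested archives so that a disguised executable inside a disguised zip is still seen. The following Python script is an added illustration of that idea and is not Sophos code; the magic-byte table, the sample archive, the nesting limit and the policy (block executables regardless of name, and fail closed on archives that cannot be opened or that nest deeper than the limit) are all constructed for this example.

```python
import io
import zipfile

# Constructed magic-byte table for this example; a production engine has many more
# signatures and confirms them with deeper parsing rather than trusting a prefix alone.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
]

BLOCKED_TYPES = {"pe-executable", "elf-executable"}   # policy: no executables, whatever the name
UNSCANNABLE = {"zip", "rar", "corrupt-zip"}           # archives we could not look inside: fail closed
MAX_DEPTH = 3                                          # nesting limit for descending into zips


def sniff_type(data: bytes) -> str:
    """Return the true type of a blob from its leading bytes, ignoring any file name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def walk_archive(data: bytes, prefix: str = "", depth: int = 0):
    """Yield (member path, true type) for every file in a zip, descending into nested zips.

    A nested zip at or beyond MAX_DEPTH is reported as type "zip" without being opened,
    so the policy layer refuses it instead of silently passing unscanned content.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield (prefix.rstrip("/") or "<root>", "corrupt-zip")
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            member = zf.read(info)
            kind = sniff_type(member)
            if kind == "zip" and depth < MAX_DEPTH:
                yield from walk_archive(member, prefix=path + "/", depth=depth + 1)
            else:
                yield (path, kind)


def evaluate(data: bytes):
    """Return (all findings, the findings the policy blocks) for one archive."""
    findings = list(walk_archive(data))
    blocked = [(p, k) for p, k in findings if k in BLOCKED_TYPES or k in UNSCANNABLE]
    return findings, blocked


def build_sample() -> bytes:
    """Constructed sample: an archive whose member names lie about their contents."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)   # PE header under a .txt name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.7\n%constructed\n")
        z.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        z.writestr("photos.jpg", inner.getvalue())               # nested zip under a .jpg name
    return outer.getvalue()


def nest_zip(payload: bytes, name: str, levels: int) -> bytes:
    """Wrap payload in `levels` nested zips (constructed input for exercising MAX_DEPTH)."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    for path, kind in walk_archive(build_sample()):
        print(f"{path:40} {kind}")
    _, blocked = evaluate(build_sample())
    print("blocked:", blocked)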
Other Enhancements:
[Web] We have enhanced the HTTPS performance with several proxy improvements.
[Mail] Added fonts for Greek, Japanese, Chinese, and Cyrillic for PDF documents generated by SPX-encrypted emails.
[Mail] Added header manipulation possibilities for email in order to give customers the option to add/delete multiple headers to the message envelope.
[WiFi] Added Automatic Channel Selection (ACS), utilizing background scanning.
[AppCtrl] Updated Application Control Engine adding better support for ATP and broader application coverage as well as IPv6 support.
[WAF] Added a setting to change WAF performance parameters.
[WAF] Introduced an ability to upload custom rules (backend enablement required).
[WAF] Added a scan size limit configuration option.
Bugfixes
- 22468 HTML5 iptables rule doesn’t match for IPSec-routed hosts
- 27257 RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported
- 27588 Unable to fetch POP3 accounts on iOS devices via POP3 Proxy
- 27750 IPv6: Add support for DynDNS (Dyn & FreeDNS)
- 27905 [BETA] log the mac addresses human readable with leading zeros in the packetfilter log
- 28056 it’s not possible to view or download large log files in the webadmin because root partition is too small
- 28164 OSPF and default route priority issues
- 28400 Syslog not started after ipsbundle pattern installation
- 28842 HA takeover if master reboots takes too much time
- 28966 exceptions for Common Threat Filters do not work individually
- 29095 [BETA] improve reporting filter naming for ATP
- 29412 Wireless Security Manager Role can’t accept new APs
- 29963 profile mode ‘monitor’ does not work for Cookie signing
- 30008 Problem with Remote IPsec access in case of ID type is ASN1 Distinguished Name and using static RAS IP
- 30254 Import of non UTF-8 certificate breaks Webadmin access
- 30504 Sometimes the sender_confd_profile is undefined in the profile object
- 30800 [BETA] Some double byte characters aren’t filtered by DLP custom rule and AntiSpam Expressions filter.
- 30825 IPv6: Add support for DHCPv6 ‘rapid commit’
- 30851 emailpki_generate_user fails if pkcs12 file contains a cert twice
- 31083 Remote SSL VPN view is empty in printable configuration
- 31105 DynDNS: Add support for interface strategy for FreeDNS
- 31116 Performance and scalability improvements of HTTP proxy
- 31164 [BETA] Routing domain wildcards aren’t working for SMTP profiles.
- 31337 Too long hostname will break layout in dashboard
- 31340 rsyncd not started after switching to master mode (slave node hangs in syncing state)
- 31373 Form hardening exception match but doesn’t work
- 31387 ad-sid-sync.pl is executed even if AD sync is disabled
- 31581 Up2date pattern RPMs fail to install if hostname contains ‘/’ character.
- 31814 nextgen-agent restarting permanently
- 31859 Make http proxy handle uncompressed DNS responses
- 31992 network range in network group shouldn’t be allowed in allowed networks as per 21588
- 32012 Postgres startup problem because pg_xlog files are missing
- 32034 Full transparent AD SSO redirect URL request gets dropped by packetfilter
- 32079 UMTS modem device hanging
- 32097 High load after pattern installation [9.2]
- 32190 Policy tester always returns “allowed” if warn page is proceeded once
- 32237 Release of IPsec Pool IPs not working
- 32286 Sorting of APs in Webadmin
- 32391 UTM interface doesn’t come up again after the speed changed from 4G to 3G
- 32433 Not possible to delete VPN tunnel managed by SUM after use “cleanup object”
- 32537 Guest login fails in transparent browser auth mode if “terms of use” confirmation is required
- 32571 [V9] Blocked HTTPS-Sites in Filter Action Mode ‘Blacklist’ doesn’t match if Exception is matching on Categories
- 32588 Can’t restore backup because of an undefined value
- 32602 Web control policy not applying to endpoints
- 32604 Special characters like umlauts didn’t work in passwords with reverse authentication for the WAF
- 32607 Not possible to use virtual mac on lag interfaces
- 32683 Can’t send a VPN Profile to the SMC if the Organization Name includes a umlaut
- 32690 It’s not possible to use Subfolders for Remote Log File Archives over SMB on CIFS share
- 32696 Hotspot: only one login possible per username for backend authentication hotspot
- 32703 Multicast traffic problems after upgrading to SG430 and 9.204
- 32711 Mail preview should display Cyrillic or Chinese characters too.
- 32713 Console keyboard doesn’t work
- 32726 Dashboard does not show Antivirus active protocols for HTTP/S
- 32794 vpn-reporter.pl segfault in get_amazonvpc
- 32805 NETDEV WATCHDOG: eth0 (tg3): transmit queue 0 timed out
- 32832 Remote Syslog Server IPv6 support
- 32837 vpn-reporter.pl segfaults, error 4 in libc-2.11.3.so
- 32851 Device auth reports wrong client information
- 32852 Any SSL traffic through HTTP proxy gets classified as “Sophos Portal” if a “Sophos Portal” AppCtrl rule exists
- 32870 ad-sid-sync.pl fails to lookup trusted domains groups
- 32940 SG550: Licensing does not work if module is relocated after installation
- 32950 Configuring a whitelist in webfilter filter action appears in blacklist on UTM
- 32957 winbindd died in kernel_vsyscall
- 32969 Coredumps from reverseproxy after update to v9.206
- 32972 IPS exception does not work for SID 18575
- 32980 Remove RC4 from TLS ciphers in Exim
- 33019 After upgrading to iOS 8 UTM does not recognize iOS anymore (Device-specific Authentication)
- 33095 RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported [9.3]
- 33111 Group matching incorrect if user belongs to static and backend groups
- 33277 [9.2] Add support for passthrough NTLM connection
- 33307 Not possible to change TLS certificate
- 33323 Using @ in hostname results in corrupt /etc/syslog-ng.conf
- 33382 Config changes in IPsec remote access sometime causing a drop of established connections
- 33429 AP100: Unable to authenticate with an SSID using a PSK with a dollar character
- 33515 SMTP Vulnerability in SSL v3.0
- 33613 OS X HTTPS traffic identified as iOS
Remarks
- System will be rebooted
- Configuration will be upgraded
- Connected RED devices will perform firmware upgrade
- Connected Wifi APs will perform firmware upgrade
Source: blogs.sophos.com