Sophos released UTM 9.704. The release will be rolled out in phases.
An Up2Date was released today for Astaro Security Gateway Version 8. This Up2Date is designed to improve the stability of your V8 installation, offers some security patches, and acts as the new target landing version for appliance users who one-touch upgrade to ASG V8 via the 7.508 Up2Date which will be released next week. Currently if we release an Up2date package there is a time delay while the ASG gets a download slot, downloads and completes it, and makes it ready for installation. Meanwhile the dashboard shows an up2date available for download, which can confuse the user, as they think there is something to do on their end to make it happen. If an up2date is available, show the exact status as 'waiting for. UTM Up2Date 9.705 Released. Today we've released UTM 9.705. The release will be rolled out in phases. In phase 1 you can download the update package from our download server In phase 2 we will make it available via our Up2Date servers to all installations Up2Date Information. 24/7 threat hunting, detection, and response delivered by an expert team as a fully-managed service. Going beyond simply notifying you of attacks or suspicious behaviors, Sophos takes targeted actions on your behalf to neutralize even the most sophisticated.
In phase 1 you can download the update package from their download server, in phase 2 they will spread it via their Up2Date servers.
- Maintenance Release
- System will be rebooted
- Connected REDs will perform firmware upgrade
- NUTM-11829 [Access & Identity] L2TP connections fail when many users are connected
- NUTM-11928 [Access & Identity] Hardening of Authentication Server configuration page
- NUTM-11559 [Basesystem] Update i40e driver
- NUTM-11966 [Basesystem] Patch binutils (CVE-2018-17985)
- NUTM-11982 [Basesystem] Patch BIND (CVE-2020-8616, CVE-2020-8617)
- NUTM-12007 [Basesystem] Patch OpenSSL 1.0.2j (CVE-2019-1547, CVE-2019-1551, CVE-2019-1563)
- NUTM-12041 [Basesystem] Patch UTM kernel (CVE-2019-3701, CVE-2019-15916, CVE-2019-20096 CVE-2020-8647, CVE-2020-8648, CVE-2020-10942, CVE-2020-11494)
- NUTM-11664 [HA/Cluster] Error message “send_ha_msg(ECHO_MASTER): sendto(255) errno = 22”;
- NUTM-11113 [Logging] Log archiving to SMB share fails to connect
- NUTM-11846 [Network] Add confd option to enable multicast for IGMP
- NUTM-11849 [Network] Syslogng fails to write if max concurrent connections is reached
- NUTM-11936 [Network] DNS host object not updated/unresolved after fail-over
- NUTM-11938 [Network] Unable to save the new profile in SSLVPN, it gives error “Warn: Client authentication cannot use more than 170 user and group networks at the same time”
- NUTM-11779 [RED] RED site-to-site tunnel failover doesn’t always work
- NUTM-11886 [RED] RED server restart notification sent from auxiliary node
- NUTM-12040 [RED] RED20 is not forwarding tagged traffic like RED15
- NUTM-12134 [RED_Firmware] Improve throughput for SD-RED WiFi
- NUTM-12135 [RED_Firmware] Enable 802.11ac for SD-RED WiFi
- NUTM-11972 [REST API] REST API: Invalid response on GET query for S/MIME component
- NUTM-11681 [Sandstorm] Sandbox Activity tab uses the incorrect date formatter
- NUTM-11685 [WAF] Let’s Encrypt renewal fails with HTTP->HTTPS redirection for IPv6 vhost
- NUTM-11925 [WAF] WAF redirects some requests to the first domain of the virtual webserver
- NUTM-11388 [Web] Httpproxy restarted due to segmentation fault and generated core dump
- NUTM-11577 [Web] WebProxy not reliably deleting cached temp files
- NUTM-11841 [Web] Proxy crash with coredump
RPM packages contained:
Having had mixed results with the Sophos XG, and having hardware that just can’t keep up with the latest updates for it, I’ve reverted back to the Sophos UTM9. This still plays nicely with my PIA VPN setup whereby a pfSense router is placed in front of a UTM interface to anonomise traffic however I do miss the highly granular way policy based routing could be done in the Sophos XG.
For example, in the XG it is possible for each ACL rule to define a gateway and failover gateway as well as NAT’ing policies.
Within the UTM9 I’ve had to create ACL rules, NAT rules and Policy Routes separately – no big deal but it certainly needs more clicking around and isn’t as clear how the Policy Routes would handle an interface down situation – will it stall on the rule or move to the next valid rule for that traffic?
Anyway – after setting everything up I was quickly able to get traffic flowing outbound through the pfSense gateway as well as out through the Virgin Media router direct depending on the traffic type. Likewise, getting my PRTG server published outbound was a doddle using Webserver protection. However, try as I might I was not able to update the UTM via the Up2Date process.
018:02:19-00:00:14 utm9 audld: no HA system or cluster node
2018:02:19-00:00:14 utm9 audld: Starting Up2Date Package Downloader
2018:02:19-00:00:24 utm9 audld: patch up2date possible
2018:02:19-00:00:27 utm9 audld: Could not connect to Server 126.96.36.199 (status=500 Can’t connect to 188.8.131.52:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Server 184.108.40.206 (status=500 Can’t connect to 220.127.116.11:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Server 18.104.22.168 (status=500 Can’t connect to 22.214.171.124:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Server 126.96.36.199 (status=500 Can’t connect to 188.8.131.52:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Authentication Server 184.108.40.206 (code=500 500 Can’t connect to 220.127.116.11:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Authentication Server 18.104.22.168 (code=500 500 Can’t connect to 22.214.171.124:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Authentication Server 126.96.36.199 (code=500 500 Can’t connect to 188.8.131.52:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: Could not connect to Authentication Server 184.108.40.206 (code=500 500 Can’t connect to 220.127.116.11:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld: >
2018:02:19-00:00:27 utm9 audld: All 4 Authentication Servers failed
2018:02:19-00:00:27 utm9 audld:
2018:02:19-00:00:27 utm9 audld: 1. Modules::Logging::msg:46() /</sbin/audld.plx>Modules/Logging.pm
2018:02:19-00:00:27 utm9 audld: 2. Modules::Audld::Authentication::_handle_failure:235() /</sbin/audld.plx>Modules/Audld/Authentication.pm
2018:02:19-00:00:27 utm9 audld: 3. Modules::Audld::Authentication::start:66() /</sbin/audld.plx>Modules/Audld/Authentication.pm
2018:02:19-00:00:27 utm9 audld: 4. main::main:174() audld.pl
2018:02:19-00:00:27 utm9 audld: 5. main::top-level:40() audld.pl
2018:02:19-00:00:27 utm9 audld:
2018:02:19-00:00:27 utm9 audld: id=”3703″ severity=”error” sys=”system” sub=”up2date” name=”Authentication failed, no valid answer from Authentication Servers”
Sophos Utm Up2date Cli
Strangely I could connect fine to the addresses in the log such as https://18.104.22.168:443 I could ping them and resolve DNS records such as v8up2date3.astaro.com all from my PC behind the UTM. After messing for a couple of hours reviewing logs, forum posts and trying various changes including removing all policy routing and going straight out via a non-VPN’d route I finally found out the root cause… the UTM does not follow the rules of Policy Routes!
I’d set up routes to 192.168.0.1 (VMRouter) and 192.168.10.1 (pfSense) for administration of those routers, with HTTP(S) and ICMP to go via the VPN’d pfSense route.
Orbit Downloader is devoted to new generation web application downloading and provides a total solution to download music and video. So you can download streaming media, social music, social video, movie, flash and file from anywhere include Pandora, YouTube, Yahoo, Myspace and Rapidshare more simple and easy. Orbit can be integrated seamlessly into Microsoft Internet Explorer to automatically handle your downloads. No matter if you download via HTTP, FTP, RTSP or MMS, orbit will handle it and will make them faster. It accelerates your downloads like no other download manager, and it’s for free. Orbit downloader.
So while I had no default gateway as such on the interfaces I had instead setup a catch all policy route which sent all traffic not hitting an above rule via the non-VPN’d gateway. Unfortunately the UTM doesn’t follow this and absolutely requires a tick box against “IPv4 default GW” in the interface.
Sophos Utm Up2date Ftp
After ticking this the updates flowed in 🙂