Sophos UTM Changelog

What's new in Sophos UTM 9.1

May 14, 2013
  • Major Features:
  • Endpoint: Web Protection for UTM Endpoint
  • Network/RED/Wifi: Support for MAC Address Filtering
  • RED: Offline Provisioning Mode
  • VPN: SSL VPN Support for iOS and Android
  • WiFi: Wireless Repeating and Bridging for AP50
  • Other Features (Sample):
  • WebAdmin: Replace “Traffic Lights” with Toggle-Switch Design
  • WebAdmin: Replace Flash Charts with JavaScript-only Solution
  • Endpoint: SAA for MacOS X
  • Mail: SSL Support for POP3 Proxy
  • Network: QoS Download Throttling
  • Network: IPv6 Prefix Delegation
  • Network: IPv6 Renumbering
  • Network: DNSSEC Validation
  • Network: Allow to specify direction of Country Blocking
  • Network: Exceptions for Country Blocking
  • Network: Increase Scalability of Network Reporting/Accounting
  • Network: Multilink PPP Support
  • Network: Amazon VPC IPSec Tunnel Support
  • RED: Auto-Deauthorize Devices
  • RED: Improve UMTS Modem Support
  • RED/VPN: Notifications for tunnel up/down
  • VPN: SSL VPN Profiles
  • VPN: Support for AES+GCM and AES+CTR Ciphers in IPSec
  • WAF: Outlook Anywhere Passthrough Support
  • Web: Complete Customization of Block Pages
  • Web: Optionally Force Caching of Sophos Endpoint Updates
  • Web: Allow to specify Maximum Download Size
  • Wifi: Redirect Support for Hotspot
  • General: Database Architecture Overhaul
  • General: More Services Support Lock-Out after Failed Authentication
  • General: Time-Events can Span Across Midnight
  • Fixes:
  • #15089: Support for Outlook Anywhere protocol via the Web Application Firewall (Web Server Protection)
  • #17999: It’s not possible to take over the Internet explorer(8 & 9) proxy settings with the SSL VPN client
  • #18601: Checkbox “Mime blocking inspects HTTP body” enabled does not work when Antivirus scanning is disabled
  • #19006: Internet Explorer still doesn't trust the webadmin certificate after importing the WebAdmin CA
  • #20050: gzip deflate compression not working with WAF
  • #21494: IPS report for pdf and csv is incorrect
  • #21590: Fix SNMP traps for notifications
  • #21825: Form hardening breaks ‘XHTML 1.0 strict’ compliance
  • #21829: Timeframe and Department missing in PDF header lines
  • #21857: Reporting: in the Top Applications by Client PDF export the total column is displayed twice
  • #21861: Application Control Reporting: incorrect data in the exported pdf/xls
  • #21892: Encryption User: Download PKCS#12 key doesn’t work if S/MIME is disabled
  • #21898: Web Protection Reporting: missing sorting order in pdf under some circumstances
  • #21928: SSL certificate exceptions do not work for urls with an IPv6 literal as hostname
  • #21942: IPS notifications contain invalid links
  • #21957: DHCP server not working properly with large IP ranges
  • #21958: Live log for packetfilter shows numbers instead of the protocol
  • #22371: The NAT rule object cannot use network group objects for the traffic destination attribute with uplink primary address
  • #22546: RED Split-Tunneling via UMTS is not working properly
  • #22634: Static IP address assignment for RED does not work together with transparent/split mode
  • #23333: Blocked application name on the block page is truncated
  • #24156: Search Engine Report => Top 10 pie chart has label with HTML "br" tag in description.

New in Sophos UTM 8.300 (Jan 11, 2012)

  • Amazon Machine Images (AMI) for ASG (and ACC):
  • As mentioned in our earlier technical preview, you can now launch and run Astaro Security Gateway inside Amazon's Elastic Computing Cloud (EC2). Already we are seeing creative uses of this deployment method with partners using their cloud-based ASG to connect our RED product, and then extending their branches further by adding our Access Points to those devices - all managed centrally from their Amazon ASG. Let us know via a post at our UBB at www.astaro.org how it works for you, and how you are (or plan) to use it for your business - we are always interested in use cases! To locate the ASG AMI's, go to the community AMIs tab and search for "ASG". (A full deployment tutorial will be available at GA)
  • Amazon Virtual Private Cloud (VPC) Connector:
  • The Amazon VPC service allows you to host and run your server infrastructure in a secure, scalable cloud. Our VPC connector gives you a permanent, encrypted connection to your VPC resources right from ASG. The back end for this uses our new BGP routing to redundant Amazon gateways, and is done automatically without you needing to know anything about BGP or the Amazon technical parameters for doing it manually (or with more complex products). A guide will be available at GA release to assist you in connecting to your VPC.
  • Support for Astaro Wireless AP50:
  • Our new Wireless AP50 product is finished production and will be available very soon. You will need to be at ASG V8.300+ to use this product. With 5Ghz and 2.4Ghz bands, dual high-gain antennas, and Gigabit ethernet, this is our biggest and most capable wireless product, perfect for bigger environments or locations where the 2.4Ghz band is cluttered with interference. You can get more information from the Astaro Access Points section on our Website.
  • Site-to-Site VPN using RED Protocol:
  • We have added the ability to make tunnels between ASG devices using our much-heralded RED tunnel technology*. This operates similarly to how site-site over SSL works, you setup one ASG as the "Main" office (Server) and connect to them from other ASG sites as the "Client". Some quick steps to begin:
  • At the Main Site:
  • Go to "WebAdmin-->RED Management-->[Server]Client Management Tab"
  • Add a RED, enter a name and pick type "ASG". Click Apply.
  • Download the .red provisioning file which is created.
  • On the Remote ASG you wish to connect:
  • Go to "WebAdmin-->RED Management-->[Client]Tunnel Management"
  • Add a tunnel, create (or select) a definition for the Hostname of the Main ASG and supply the provisioning file you downloaded from the Main ASG
  • The tunnel will now be created.
  • Now that you have a tunnel, you must to setup things manually. You will find hardware interfaces you can use to create a Network Interface in the ASG's, select IP ranges to be used, and otherwise manually configure the connectivity. This was originally designed for a special use case; you have however surprised us with your interest in this feature. So, we plan to have a more guided setup within WebAdmin for using RED for a site-site VPN with ASG's in a future Up2Date.
  • *This will NOT turn your remote ASG into a RED terminal. It will still have a GUI and work like a normal Site-Site VPN does.
  • BGP4 Routing Support:
  • ASG now has the ability to do Border Gateway Protocol Routing (BGP). You will find the configuration for this in WebAdmin at "Interfaces & Routing-->Border Gateway Protocol". A specialized routing protocol with specific applications, you should make use of this feature only if you know what you are doing.
  • Minor Adjustments:
  • The Astaro Authentication Agent (AAA) has by popular request been made available as an MSI package as well as an EXE. You will find both on the Client Authentication section in WebAdmin. Enjoy your mass roll-outs of the AAA!
  • Saved Web Reports have been to school and now remember how info was sorted when you saved them
  • The printable configuration engine has also been educated on how to properly display big blocks of text without going outside the lines and now looks much better
  • You can now see and sort application rules by the groups you create
  • Notifications have had "select-all" boxes added, saving you from having to click dozens of times to select what you want
  • You can now create Web Security Reports from Pre-8.2 Logs, see Support-->Advanced-->Weblog Import
  • The Wireless Access Points Grouping section now has an apply button like the rest of WebAdmin, and no longer resets your selections between clicks as a result.

New in Sophos UTM 8.170 Beta (Jun 24, 2011)

  • This beta version adds support for Hurricane Electric IPv6 tunnel broker and advanced options for IPSec site-to-site connections.
  • It also fixes several bugs.

New in Sophos UTM 8.164 Beta (May 10, 2011)

  • This Beta release introduces Stripped Backups/"Templates", SNMP version 3 support, a new IRQ balancer for improved network performance, improved HTTP/S Proxy operation mode selection, some changes in the WebAdmin menu, and SHA2 support for Site-to-Site IPSec between ASG V7 and ASG V8. It also fixes a number of bugs.

New in Sophos UTM 8.160 (Mar 18, 2011)

  • This is the first public beta release of the upcoming version 8.2, which will include these three new features: network visibility and application control (L7 classification), new WebSecurity reporting, and user authentication (Windows client) for policies and reporting.
  • It also includes a UMTS modem interface, KVM virtio support, WiFi improvements, Web application security improvements, integration of log management cloud service, IPv6 support for SMTP proxy and HTTP proxy in "full transparent" mode, Packetfilter optimization, and HTTP proxy multi-threading performance optimization.

New in Sophos UTM 8.102 (Feb 17, 2011)

  • This small Up2Date is a stability release designed to enhance the reliability of your Astaro Security Gateway, mainly to fix minor issues in the HTTP/S proxy.

New in Sophos UTM 8.100 (Jan 21, 2011)

  • This big new release adds wireless support, transparent/split modes and a deployment helper for RED, German and Japanese language support, uplink balancing mixed mode, and HTTP parent proxy routing. It also changes the licensing, so DNS routing is available with any subscription now. Usability was improved. A problem with QoS and RED was fixed.

New in Sophos UTM 8.080 (Dec 2, 2010)

  • This is the second release candidate before the release of ASG 8.100.
  • Besides various bugfixes, it also includes a German and Japanese manual and online help.

New in Sophos UTM 8.001 (Aug 18, 2010)

  • This version fixes some bugs with how Web Application Security handles connections for protection of Outlook Web Access servers.
  • It also adjusts the very popular Country Blocking.
  • In addition, some other bugs were addressed and some hardware glitches for software users and their platforms of choice were solved.
  • It also addresses an issue regarding Unix Time which can affect the use of certificates, and thus your ASG installation.
  • This up2date package should be applied before the end of August if possible.

New in Sophos UTM 8.0 (Jul 1, 2010)

  • What's New? Highlights of Major New Things:
  • Updated WebAdmin - New colors, fonts, and visuals make WebAdmin more easily readable with crisper overall presentation
  • IPv6 - Support has been added for the next iteration of IP addressing throughout ASG
  • New Kernel and Base System - Provides 64-bit support, massively increased hardware compatibility, and better performance
  • Country Blocking - Deny communications to/from any combination of countries and/or regions
  • Web Application Security - A new subscription has been added to our protection portfolio which protects your web servers from modern attacks, hackers, viruses and data theft
  • Flash-Based Reporting - Reporting data can be displayed via animated charts which add strong visual representations to how the data is presented
  • WebAdmin Rights & Roles - Let multiple administrators or auditors share duties by separating access permissions; for example giving someone the ability to work only with the Mail Quarantine
  • Configuration Change Tracking - Aid compliance and accountability efforts by identifying what was changed by an administrator on a forensic level
  • Printable Configuration - Save the contents of the entire system as an XML file to aid compliance efforts and record keeping
  • New Online Help - Improved layout coupled with new feature set updates this reference to be faster and more useful in retrieving information on demand
  • VPN Remote Access Reporting - Displays usage graphs for the various types of user connections, along with historical data for examining session information
  • WebAdmin Menu Search - Instantly filter the menu to show sections of WebAdmin based on a search query box; great for locating an option or feature quickly
  • Web Content Filter Override - Allow configured users and groups to bypass URL filtering block pages by providing credentials and entering a reason, all of which can be tracked using new override reports
  • Other Features and Changes:
  • New installer for software appliances with improved navigation and troubleshooting options
  • Custom certificates support lets you remove browser warnings when accessing WebAdmin or the UserPortal
  • Windows Server 2008 R2 domain controller authentication support
  • Reverse DNS for creating reverse mappings in static DNS
  • Uninterrupted Intrusion Protection updates keep traffic flowing when new patterns are introduced
  • Rule numbering is preserved during search queries, making it easier to locate the resulting rules and where they sit in the configuration order
  • Exceptions improvements for HTTP/S and IPS now allow the use of granular "and/or" operators
  • Site-to-Site VPN's using PSK may now have different keys using PSK probing when configured as respond-only
  • Multiple syslog servers are supported which allows logging data to be sent to multiple locations simultaneously for preservation
  • Dozens of other usability improvements and minor feature additions!

New in Sophos UTM 8.0 Beta (Apr 1, 2010)

  • Major New Things:
  • New Kernel
  • New Hardware Compatibility
  • New Installer
  • IPv6 Support
  • HTTP Reverse Proxy/Web Application Firewall
  • Updated WebAdmin
  • WebAdmin Change Tracking
  • VPN Remote Access Reporting
  • Web Content Filter Override
  • Minor New Things:
  • WebAdmin Menu Search
  • WebAdmin Error Handling
  • Flash-Based Reporting Charts
  • Syslogging
  • Reverse DNS
  • IPSec VPN PSK Enhancements
  • Intrusion Prevention Exceptions
  • Intrusion Prevention Updates
  • Updated Online Help

New in Sophos UTM 7.501 (Oct 30, 2009)

  • This release addresses a few bugs and adds some backend adjustments for compatibility with Astaro Command Center 2.1.

New in Sophos UTM 7.5 (Oct 1, 2009)

  • Major New Things:
  • Intrusion Protection Performance:
  • Uses new version of the IPS engine
  • Scales massively when used with Multi-Core CPU/Appliances
  • Real-Time Bandwidth Monitor:
  • New Interface utilization bars on Dashboard (setup scale via editing the Interface and filling in new parameters for Upload/Download)
  • Click for detailed overview as to "whats happening in my network right now"
  • Import/Export Widget:
  • Gives the ability to work with manual lists for many features/fields
  • Useful to import a large blacklist (for example) into the URL Blacklist
  • Can been seen in many user-input boxes in Web, Mail and more. (Green Up/Down Arrows)
  • Transparent Authentication Support for Web Security:
  • Allows users to authenticate against a Portal-Style page
  • Allows for username based tracking, reporting, and surfing without changing browser settings
  • Currently logo can be customized. Text,HTML, and further customizations planned for a later time.
  • Configurable Timeout via HTTP-->Advanced. (Default 900s)
  • Clone Objects:
  • Easily duplicate existing objects for quick re-use.
  • Supported in most places for many objects (Definitions, Services, Certain Profiles/Actions)
  • Extended Network Security Reporting:
  • Added Detailed Packet Filter/Firewall Reports
  • Added Detailed IM/P2P Reports
  • Reputation Support for Web Security:
  • Allows use of the trustedsource.org reputation for Web Filtering
  • Adds an additional check when allowing sites to be visited based on their degree of evil
  • DHCP Improvements:
  • Automatically map a current lease to a static assignment
  • Limit DHCP leases to those with static assignments only
  • Configurable DHCP lease time
  • Servers retain configuration when enabled/disabled
  • Multicast Routing Daemon:
  • PIM-SM Routing support
  • Other New Things:
  • Windows SSL VPN Upgraded - New Client which supports 64-bit operating systems and configuration file parameters. (Download client again via the UserPortal)
  • Improved HTTP Caching - Increases hit/usage rates with new logic, making the cache more effective.
  • Quarantine/UserPortal Usability - Adds navigation to the bottom (supplementing the existing controls at the top), large amounts (250-1000) of displayed items per page, and sorting by subject line.
  • Default Definition for "Internet" - Created to specify "Internet" as an object which will exclude internal network(s) to aid policy creation (0.0.0.0/0 on Gateway interface)
  • Customizable Shortcuts - Change the default Ctrl+Key assignments to fit your preference
  • Improved Definition/Services Sidebar - Mouse-over now instantly shows full name and extended info to aid identifying desired object for drag 'n drop, especially for long names
  • User List shows static IP's - if assigned/configured (no need to edit in order to view)
  • Live Log Negation - use to filter live logs to not show lines that match "-" entries i.e. -test to remove lines containing "test"
  • Console/SSH Logins Trigger a notification - provides admin the needed insight when accessed.
  • Instant Email Backup - Button for every created backup file which allows it to be sent immediately via email to configured addresses
  • Custom text for notifications - Allows easier identification of which installation is sending the message. Especially useful if managing multiple sites using notifiers.
  • Test NTP Sync - Button to immediately poll the configured NTP server
  • Automatic Backup before Up2Date install
  • Configurable Default for Lists - Allows for the amount of items per page (Packet Filter Rules, or anywhere there is a number amounts drop down) to have a larger default view
  • Cluster/HA Serial Number View - Information on connected units made easier
  • Schedule Firmware Installation - When an Up2Date for Firmware is available, you can schedule it to auto-install at a certain time (not recurring)
  • WebAdmin Network Section Split - Now two sections; "Network" and "Network Services" for usability.
  • Search Boxes Retain Data - No need to re-enter query when returning from a drill down/result click.
  • System Restart Reason - Allows logging of "why was system restarted" in the notification
  • Group Tool tips for Members - Easily discern Network/Service Group members without having to edit in order to view
  • Reporting Exclusions - Used to remove unwanted entries from various reports (such as Google-analytics from Web Security tables
  • Log Flag for NAT Rules - Similar to packet filter, tells you which NAT rule was matched as part of traffic handling
  • Masquerading for Additional IP Addresses - Allows the use of Masquerading (vs. just SNAT) for additional IP's bound to an interface
  • Support for Multiple Authentication Servers - The authentication server section has been redesigned to support fallback/failover in an easier format, with many usability improvements
  • SNMP MIB - Downloadable via the SNMP section of WebAdmin
  • Up2date Status Reworked - Clarifies the current status of a Firmware Up2date to avoid confusion regarding the availability, download progress etc...of an issued Up2date.
  • Up2Date Content Distribution Network - Significantly increases the speed of Up2Date downloads using a cloud-based CDN.
  • Inline/Snap Report Links - Directly moves the Admin to the relevant details report when browsing the embedded daily reports located throughout WebAdmin
  • Global POP3 Sender Blacklist - Quarantined as "other" in the QM/EUP
  • Dashboard RSS Feed - Provides visibility to select Astaro-issued items via WebAdmin
  • ASG 110/120 WatchDog - Provides auto-restart of ASG 110/120 appliances during rare times of crisis. Since they are often at branch offices or remote locations, this check will auto-restart the unit after most types of any failure (eg. voltage spike)
  • New German Translation - The online help and other documentation has been updated with a reworked and much more accurate German-language translation

New in Sophos UTM 7.5 Beta (May 30, 2009)

  • Major New Things:
  • Intrusion Protection Performance
  • Uses new version of the IPS engine
  • Scales massively when used with Multi-Core CPU/Appliances
  • Real-Time Bandwidth Monitor
  • New Interface utilization bars on Dashboard (setup scale via QOS)
  • Click for detailed overview as to "whats happening in my network right now"
  • Import/Export Widget
  • Gives the ability to work with manual lists for many features/fields
  • Useful to import a large blacklist (for example) into the URL Blacklist
  • Can been seen in many user-input boxes in Web, Mail and more. (Green Up/Down Arrows)
  • Clone Objects
  • Easily duplicate existing objects for quick re-use.
  • Supported in most places for many objects (Definitions, Services, Certain Profiles/Actions)
  • Extended Network Security Reporting
  • Added Detailed Packet Filter/Firewall Reports
  • Added Detailed IM/P2P Reports
  • Reputation Support for Web Security
  • Allows use of the trustedsource.org reputation for Web Filtering
  • Documentation coming, for now visit their site/FAQ for more info on reputations
  • DHCP Improvements
  • Automatically map a current lease to a static assignment
  • Limit DHCP leases to those with static assignments only
  • Configurable DHCP lease time
  • Servers retain configuration when enabled/disabled
  • Multicast Routing Daemon
  • PIM-SM Routing support
  • More documentation on this implementation to come. Experiment with it and if it solves your needs.
  • Other New Things:
  • Windows SSL VPN Upgraded - New Client which supports X64 and many other options (download again via the UserPortal)
  • Improved HTTP Caching - Increases hit/usage rates and makes the cache more effective.
  • Quarantine/UserPortal Usability - Adds navigation to the bottom (supplementing the existing controls at the top), large amounts (250-1000) of displayed items per page, and sorting by subject line.
  • Default Definition for "Internet" - Allows to specify "Internet" as an object which will exclude internal network(s) to aid policy creation (0.0.0.0/0 on Gateway interface)
  • Customizable Shortcuts - Change the default Ctrl assignments to fit your preference
  • Improved Definition/Services Sidebar - Mouseover now instantly shows full name and extended info to aid identifying desired object for drag 'n drop.
  • User List shows static IP's - if assigned/configured (no need to edit in order to view)
  • Live Log Negation - use to filter live logs to not show lines that match "-" entries i.e. -test to remove lines containing "test"
  • Console/SSH Logins Trigger a notification - provides admin the needed insight when accessed.
  • Instant Email Backup - Button for every created backup file which allows it to be sent immediately via email to configured addresses
  • Custom text for notifications - Allows easier identification of which installation is sending the message. Especially useful if managing multiple sites using notifiers.
  • Test NTP Sync - Button to immediately poll the configured NTP server
  • Automatic Backup before Up2Date install
  • Configurable Default for Lists - Allows for the amount of items per page (Packet Filter Rules, or anywhere there is a number amounts drop down) to have a larger default view
  • Cluster/HA Serial Number View - Information on connected units made easier
  • Schedule Firmware Installation - When an Up2Date for Firmware is available, you can schedule it to auto-install at a certain time (not a recurring setting)
  • WebAdmin Network Section Split - Now two sections; "Network" and "Network Services" for usability.
  • Search Boxes Retain Data - No need to re-enter query when returning from a drill down/result click.
  • System Restart Reason - Allows logging of "why was system restarted" in the notification
  • Group Tool tips for Members - Easily discern Network/Service Group members without having to edit in order to view
  • Reporting Exclusions - Used to remove unwanted entries from various reports (such as Google-analytics from Web Security tables
  • Log Flag for NAT Rules - Similar to packet filter, tells you which NAT rule was matched as part of traffic handling
  • Masquerading for Additional IP Addresses - Allows the use of Masquerading (vs. just SNAT) for additional IP's bound to an interface
  • Support for Multiple Authentication Servers - The authentication server section has been redesigned to support fallback/failover in an easier format, with many usability improvements
  • SNMP MIB - Downloadable via the SNMP section of WebAdmin
  • Up2date Status Reworked - Clarifies the current status of a Firmware Up2date to avoid confusion regarding the availability, download progress etc...of an issued Up2date.
  • Inline/Snap Report Links - Directly moves the Admin to the relevant details report when browsing the embedded daily reports located throughout WebAdmin
  • Global POP3 Sender Blacklist - Quarantined as "other" in the QM/EUP
  • Dashboard RSS Feed - Provides visibility to select Astaro-issued items via WebAdmin
  • Other magic features, enhancements, and usability improvements

New in Sophos UTM 7.395 Beta (Feb 26, 2009)

  • This second release candidate is a bugfix and progression release based on the feedback of our testing community.

New in Sophos UTM 7.390 Beta (Feb 7, 2009)

  • This Up2Date is a bugfix and progression release based on the feedback of the testing community.

New in Sophos UTM 7.386 Beta (Jan 21, 2009)

  • This BETA Up2Date contains fixes for the BETA 7.4 release, and contains a new French translation of WebAdmin, as well as three small fixes for HTTP Proxy, SNMP, and bootup order of programs.

New in Sophos UTM 7.385 Beta (Jan 16, 2009)

  • This beta Up2Date contains fixes in almost every area, with major adjustments, fixes, and polish for the HTTPS filtering, WAN link balancing, and both single and cluster installations with large database sizes.

New in Sophos UTM 7.380 Beta (Dec 16, 2008)

  • This Up2Date includes bugfixes and feature additions.

New in Sophos UTM 7.305 (Nov 14, 2008)

  • This Up2Date improves overall database stability and the log cleaning process, fixes a libspf2 vulnerability, and fixes High Availability and Clustering.

New in Sophos UTM 7.304 (Oct 26, 2008)

  • This small Up2Date package enhances the stability of the HTTP proxy and address a few issues with Authentication.

New in Sophos UTM 7.303 (Oct 20, 2008)

  • Encryption behavior for various clients, certificate handling for email encryption, and device agent for ACC version 1.9 were improved.
  • Some bugs in IPsec, SMTP proxies, and OSPF were fixed.

New in Sophos UTM 7.302 (Sep 22, 2008)

  • This release updates the Web Security Categories, extends the HTTP Content filter subcategories, improves the URL Filter for HTTP Proxy, increases the Web Security Classification Categories to 97 (up from 60), improves the device agent for ACC 1.9, adds the option to flush the authentication cache, and fixes some clamav issues and other minor bugs.

New in Sophos UTM 7.301 (Sep 7, 2008)

  • This release adds various tweaks, tuning, and fixes for the recently-launched version 7.300, streamlines the migration operations during the Up2Date process, and adds further support for the upcoming Astaro Command Center 1.9 release.