# LIST OF KNOWN ISSUES FOR SOPHOS UTM V9 # ======================================= # The purpose of this list is to give you an overview of known issues and # possible workarounds, as well as known problems in other software being # used in connection with Sophos UTM V9 # The ID denotes the internal Sophos bugtracking ID and will be shown in # the description of an Up2Date if the issue is fixed. # # We would appreciate if you contribute to this list and would give us # feedback in this respect. # For further infos please contact: knownissues@astaro.com # # Last edit (time is UTC): # $Id: Known_Issues-UTM-V9.txt,v 1.162 2016/02/05 10:04:10 mantis Exp $ Open Issues - Email Security ======================================================================== ID34875 9.113 False error handling in smtp proxy while using callout recipient verification ------------------------------------------------------------------------ Description: If a recipient validation callout fails (eg. resulting in error: "552 Requested mail action aborted: exceeded storage allocation") Exim only reports back "550 address unknown". This is a design limitation of Exim. Workaround: NA Fixed in: ID29448 9.165 SPX Encryption - Attachments could not be seen with Adobe XI ------------------------------------------------------------------------ Description: Some versions of Adobe Reader (8.1.7, 8.2, 9.0+) open PDFs with attached files slowly (few minutes) if "Enhanced Security"/"Protected Mode" is turned on. After that few minutes attachments can be opened or saved again depending on security settings. This can happen when opening PDF in SPX-encrypted e-mails. Workaround: This page contains information on configuring attachments' security in Adobe Reader: http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/attachments.html Furthermore the user (or admin) can disable the "Protection Mode" of Adobe Reader by un-checking this checkbox: Edit -> Preferences -> Security(Enhanced) -> Enable Protected Mode at startup. Fixed in: ID22955 9.003 S/MIME verification doesn't work for users having different certs for verification and encryption ------------------------------------------------------------------------ Description: Incoming mails which have different certificates for signature and mail encryption cannot be verified/decrypted. Internal Storage can only hold one certificate for a remote user, due to this the verification/decryption fails if different certificates are used. Workaround: - Fixed in: Open Issues - High Availability ======================================================================== ID35584 9.315 It is not possible to deactivate HA Link Monitoring for LAG Interface ------------------------------------------------------------------------ Description: It is not possible to deactivate HA Link Monitoring for LAG Interface in WebAdmin. Workaround: Please contact support. It is possible to deactivate via the console. Fixed in: ID31066 9.109 Argos information is not synced to cluster slave - http proxy requests cannot be authorized ------------------------------------------------------------------------ Description: SAA client client information is not synced to slave node in HA/ Cluster setups. In HA setups (active/passive) clients using SAA client need to authenticate on master again after e.g. takeover is performed. --- On cluster setups (active/active) the usage of SAA client will result in wrong profile matching when HTTP Proxy + SAA auth is in use, because authentication and proxy traffic may be handled on different nodes for the same client request. Workaround: NA Fixed in: ID30556 9.100 [NUTM-407] Up2Date button can be used before all up2date packages are distributed to all nodes ------------------------------------------------------------------------ Description: Up2Date button can be pressed before all Up2Date packages have been distributed to all nodes. Workaround: If you want to be sure that all packages have been distributed: Login with ssh and check on all nodes in /var/up2date/sys that the Up2Date package had been distributed. If it is available on all nodes you can press the Up2Date button. Fixed in: Open Issues - Logging/Reporting ======================================================================== ID33000 9.206 Broken quarantine report in OWA 2010 non light version ------------------------------------------------------------------------ Description: If OWA is used for reading the quarantine report the email's in the preview window is broken because of the OWA's unique way of overriding CSS attributes. Workaround is to open the message (by double clicking). http://community.office365.com/en-us/f/158/t/74246.aspx Workaround: Fixed in: ID21565 9.000 SAA user names are not displayed for IPS in the reports ------------------------------------------------------------------------ Description: Reverse DNS and user are not displayed for ips in the reports For IPS reverse DNS and Users (SAA) are not displayed by the inline report and in the executive report. Only the ip addresses are displayed. Workaround: Fixed in: ID21159 9.000 SMTP reporting doesn't show full address ------------------------------------------------------------------------ Description: SMTP reporting doesn't show full address UTM sets from address like this: m-aq5r6v5yfbgdcxorthezn47ji-54 but smtp logs state, the actual email address was: m-aq5r6v5yfbgdcxorthezn47ji-54zief7ssm2mav8qrehfcstvw61xce@domain.com Workaround: Fixed in: Open Issues - Network Security ======================================================================== ID34829 9.310 exception needed to not block Sophos Cloud updates ------------------------------------------------------------------------ Description: In case Sophos cloud updates are not working on systems with IPS enabled please do this: create an exception for rule 33717 in Webadmin -> Network Protection -> Intrusion Prevention -> Advanced -> Modified Rules by pressing on the plus sign enter the rule id 33717 check disable this rule save this Workaround: Fixed in: ID29653 9.180 ips: the changes of the rule counters in the attack pattern tab are only visible when reloading the tab ------------------------------------------------------------------------ Description: The rule counters in the IPS Attack Pattern Tab are not updated instantly when changing the rule age. Workaround: Reload the Attack Pattern Tab Fixed in: ID21846 9.000 NTP doesn't work properly in virtualized environments ------------------------------------------------------------------------ Description: When using the NTP time synchronization in a virtualized system (Xen, VMware, KVM…) it does not sync properly and gets out of sync over time. There is no need to use NTP in a guest VM, as the VM still has access to the host systems clock which will set the guest VMs hardware clock. Workaround: Fixed in: Open Issues - Networking ======================================================================== ID34705 9.308 Cannot query NTP peers from remote host ------------------------------------------------------------------------ Description: Query UTM ntp service for peer info from remote host fails after update to 9.308. NTP vulnerabilities, CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 introduced a configuration change in ntp.conf which prevents external peer lookup. Workaround: NA Fixed in: ID33399 9.305 Network chipset 82574L ( UTM 220 rev 4/5, UTM 320 rev 4/5) :Detected Hardware Unit Hang / Reset adapter unexpectedly ------------------------------------------------------------------------ Description: For devices with an Intel 82574L network card chipset you might see messages like e1000e 0000:01:00.0 : Detected Hardware Unit Hang: or e1000e 0000:01:00.0 : Reset adapter unexpectedly in the kernel log. This chipset is also used in UTM 220 rev 4/5, UTM 320 rev 4/5. Workaround: Please ensure that PoE is disabled for the port the UTM is connected to. Fixed in: ID31301 9.000 NIC ordering on VMWare not stable, might change if interface are added/removed ------------------------------------------------------------------------ Description: If adding or removing NICs for VMWare instances, it can happen that the remaining interfaces change their names, so that they are not associated with the correct interface objects anymore. Workaround: Fixed in: ID21659 9.000 Multiple PPPoA interfaces not working ------------------------------------------------------------------------ Description: If you create more than one PPPoA interface in WebAdmin, they might not work correctly. Workaround: Fixed in: ID21167 9.000 Some Auditor errors ------------------------------------------------------------------------ Description: Some Auditor errors There are some confd errors if your're logged in as auditor. Interfaces > BGP>Advanced Network Protection > Firewall > Advanced When clicking on 'Apply' a red frame will blink in the WebAdmin menu Network Protection > IPS > Attack Patterns Email Protection > SMTP > Relaying When clicking on 'Apply' the message "One of the values you entered is syntactically or logically incorrect." is shown Email Protection > Encyption > Internal Users > S/MIME Authorities > S/MIME Certificates Webserver Protection > Certification Management > Revocation list When this menue points are filled you received this error messages. Permission denied to call the Confd function 'list_sessions'. Permission denied to call the Confd function 'list_sessions'. Permission denied to call the Confd function 'emailpki_generate_user'. Workaround: Fixed in: ID20973 9.000 Disabling bridge interface in Interfaces & Routing > Interfaces will break bridging ------------------------------------------------------------------------ Description: The routing through the bridge interface doesn't work properly after removing the bridge interface in Interfaces & Routing >> Interfaces (e.g. Ping through the bridge interface br0 doesn't work anymore). So the behaviour is different than directly after creating a bridge. Workaround: Disable bridging and create a new bridge or create the bridge interface in Interfaces & Routing >> Interfaces again. Fixed in: Open Issues - Various ======================================================================== ID36309 9.351 Bind Vulnerability CVE-2015-8000 [9.31] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36308 9.351 Bind Vulnerability CVE-2015-8000 [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.217 ID36294 9.352 4G WWAN Interface QoS Throttling not Working ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36292 9.300 OpenSSH security update (CVE-2016-0777, CVE-2016-0778) [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36291 9.200 OpenSSH security update (CVE-2016-0777, CVE-2016-0778) [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.217 ID36282 9.000 XSS vulnerability in mod_avscan [9.35] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.354 ID36281 9.000 XSS vulnerability in mod_url_hardening [9.35] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.354 ID36277 9.000 XSS vulnerability in mod_avscan [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.217 ID36276 9.000 XSS vulnerability in mod_url_hardening [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.217 ID36275 9.000 XSS vulnerability in mod_avscan [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.319 ID36274 9.000 XSS vulnerability in mod_url_hardening [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.319 ID36266 9.352 OpenSSH security update (CVE-2016-0777, CVE-2016-0778) ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36206 9.100 Bind Vulnerability CVE-2015-8000 [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.119 ID36201 9.351 Bind Vulnerability CVE-2015-8000 ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36136 9.351 ISC DHCP security update (CVE-2015-8605) ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36133 9.117 WebAdmin reflective XSS Vulnerability caused by ContentType sniffing [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.119 ID36127 9.100 OpenSSL security update 1.0.1q [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.119 ID36111 9.315 Slow web browsing with IE 9/10 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID36081 9.117 Corrupted rpmdb - check and repair from 33545 doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.119 ID36064 9.351 Regeneration of VPN Signing CA doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID36062 9.351 QoS using Application Selector isn't working with WebProxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID36061 9.351 Unable to upload attachements with IE to backend server via WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID36056 9.350 Printable report generating "Errors were encountered during serialization:" error ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID36028 9.315 82546GB Gigabit Ethernet Controller: Reset adapter / Detected Tx Unit Hang ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35957 9.350 ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35926 9.315 VPN Signing CA using encryption of 1024bit ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35859 9.315 Some users are removed from all groups during update_ad_bg_members ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35855 9.315 RED: Kernel crash - decompression failed: -22 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35848 9.113 rsyncd not started after switching to master mode (slave node hangs in syncing state) [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.119 ID35808 9.314 Endpoint protection duplicated entries ------------------------------------------------------------------------ Description: If the customer is booting from an image, and on every boot the EP gets a new MCS ID, then each boot WILL create a new EP entry in UTM. This explains the duplicated entries in the UTM. This deployment scenario is currently not supported by the EP, and there's nothing the UTM can do to fix this. Workaround: Fixed in: ID35791 9.315 QoS not working with more than 600 applications in a traffic selector definition ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35778 9.314 Sometimes SAA connection disconnect for 3 minutes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35689 9.315 RED50: Loadbalancing does not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35675 9.315 First time connection always fails with ssl remote access vpn and remote auth ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35662 9.315 Additional Adresses of a PPPoE Interface are not reachable after Takeover ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35635 9.314 Transparent AD SSO - b_auth_failed_but_accepted_as_user_any ------------------------------------------------------------------------ Description: HTTP-Proxy only sends a 407 (authentication request) for requests which could be authenticated. This means, if the request matches any of the following criterias it will not be authenticated: - HTTPS - Non-browser Request - Request that contains a query. In these cases the proxy looks up in its cache for last authenticated user from that IP address. If no cache record found it uses the "default" profile. Workaround: Send a simple HTTP request through browser to authenticate user. Any subsequent request from that IP address will use the authenticated user. Fixed in: ID35602 9.315 Outdated perl-ldap -0.39 causing errors in Intermediate.pm ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35592 9.314 Restoring backup from 220 to 230 caused eth3 to exist two times ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35583 9.315 Web traffic appears as 'unclassified' in flow monitor despite application being detected by HTTP proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35548 9.314 Endpoint client matches wrong HTTP proxy filter action ------------------------------------------------------------------------ Description: In transparent mode, the UTM web proxy cannot challenge HTTPS requests for authentication. As endpoint web control filters HTTP requests, it is possible that a user will not be in the authentication cache and policy will fall back to policy based on the IP address. This can, for instance, block a site that the user is approved to visit. Workaround: To work around this issue, use agent or browser authentication or bypass the specific HTTPS site on the UTM. Fixed in: ID35541 9.314 [NUTM-1959] IPFIX not working with SolarWinds ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35474 9.314 [NUTM-1941] AD group cache still contains obsolete group information after update_ad_bg_members.plx is executed ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35459 9.313 Site-to-site SSL VPN client fails to add routes after server restart ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35457 9.312 [NUTM-1954] Amazon vpc gets imported but quagga doesnt start ------------------------------------------------------------------------ Description: cc set routing quagga password "abcdefgh" (any 8 character string) cc set routing quagga enable_password "abcdefgh" (any 8 character string) Workaround: Fixed in: ID35353 9.212 Intermittend authentication failed messages during unstable SAA connection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35279 9.312 Option "Drop packets from blocked hosts" does not work correctly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35269 9.310 Random auth-pop ups in with eDir SSO ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35175 9.312 PGP encrypted Mails arrive as encrypted attachement at the client ------------------------------------------------------------------------ Description: When encrypting a message on the UTM with OpenPGP the encrypted MIME part will contain some mail headers (like "from", "to" etc.). Because of this on some mail clients/decoders these headers show up duplicated, while other clients/decoders are displaying the message just fine. Workaround: N/A Fixed in: ID35143 9.310 LT2P remote access - client get assigned an IP from the pool which is already in use ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID35061 9.310 aua fails to handle passwords with umlaut for http proxy authentication ------------------------------------------------------------------------ Description: Passwords containing non-ascii characters do not work in IE and FireFox when authenticating through the http proxy. Chrome works properly. Workaround: Fixed in: ID34972 9.310 memtest does not work on SG series ------------------------------------------------------------------------ Description: memtest shipped with UTM does not start on some SG appliances. Workaround: We can not get the latest memetest version integrated in UTM at the moment. Customers with those SG series who need memory testing may follow this workaround: Download the memtest86 USB stick image from http://memtest86.com/ (memtest86+ from memtest.org usb images will not boot) Write image to any USB stick. Stick content will be deleted. The Windows download contains a image writing executable, select the memory stick and click write. Linux and mac users find instructions in the readme Boot SG appliance from this stick. If the boot priority in the bios is wrong, press "b" at bios startup to launch boot menu and select Udisk. Fixed in: ID34886 9.310 filter:FORWARD:rule will cause a conntrack entry without SYN ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID34877 9.308 Ultrasurf not being blocked by Application Control ------------------------------------------------------------------------ Description: Application control block for "Ultrasurf" doesn't work when HTTP Proxy is enabled but Full SSL scanning is not enabled. Workaround: Enable Full SSL Scanning in the HTTP Proxy settings. Fixed in: ID34828 9.309 Don't start dhclient without interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID34778 9.308 Upload through ftp proxy don't work directly if the file is bigger then 150 MB ------------------------------------------------------------------------ Description: When using FTP to upload large files through the proxy, the client may not receive a 226 response code before it times out. Workaround: If this occurs, it can be prevented by increasing the setting to a large timeout value for your FTP client. Fixed in: ID34775 9.309 Disk cache cleanup causes massive load peaks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID34649 9.309 Official Microsoft Android RDP application didn't work with WAF ------------------------------------------------------------------------ Description: The official Microsoft Android and iOS remote desktop (RDP) apps don't work with WAF. The apps fail with the following error message when trying to connect to a remote computer through WAF: We couldn't connect to the gateway because of an error. If this keeps happening, ask your admin or tech support for help. Error code: 0x3000008 Workaround: No workaround possible other than configuring a DNAT rule to skip WAF completely. Fixed in: ID34589 9.305 Upload of Eicar virus is possible with OWA Full when Silverlight is enabled ------------------------------------------------------------------------ Description: Upload of Eicar virus is possible with OWA Full when Silverlight is enabled. OWA light + enabled silverlight -> it's not possible to upload a virus like eicar OWA light + disabled silverlight -> it's not possible to upload a virus like eicar OWA Full + disabled silverlight -> it's not possible to upload a virus like eicar OWA Full + enabled silverlight -> it IS possible to upload a virus like eicar Workaround: Don't use the combination of OWA Full + enabled silverlight on clients which have OWA access. In this combination it is not possible to scan for viruses because we can't scan for viruses in SOAP requests. Fixed in: ID34496 9.308 Bridge + QoS: Bandwidth pools does not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID34478 9.306 https enduser message not shown in AD SSO mode ------------------------------------------------------------------------ Description: Periodically an Internet Explorer user may not see an UTM generated block page when getting blocked from accessing https site. The user instead would see a generic IE error page. This is due to an issue within IE. Workaround: Hit Refresh in the browser to see the proper UTM block page. Fixed in: ID34447 9.306 Issue with WAF Rev. Auth. and OTP ------------------------------------------------------------------------ Description: Sometimes OTP authentication for WAF didn't work. When handling a client request, the current process has to have the data structure holding all known user sessions in it's memory. If this is not the case, no user session for the user currently being handled will be found and a new one will be initiated. During this initialization process, the user's credentials will be verified against AUA. In case of OTP this will fail since the user's client sent a session cookie containing a password with an old OTP token. Workaround: Please contact support referring to this bug ID to provide a workaround for that issue. Fixed in: 9.370 ID34386 9.306 AFC detects some different traffic as FREENET ------------------------------------------------------------------------ Description: If the Application Control is active it could happens that different Traffic that goes through the HTTP Proxy or the Packetfilter will be wrong classified as Freenet. This could causing in blocked traffic that is normally allowed. Example Loglines 2015:02:02-11:06:25 testutm ulogd[4630]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="wlan0" outitf="eth1" mark="0x346b" app="1131" srcmac="64:9a:be:4a:4c:06" dstmac="00:1a:8c:0a:76:00" srcip="10.16.28.236" dstip="10.16.239.0" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="52316" dstport="5223" tcpflags="SYN" 2015:02:02-11:06:26 testutm ulogd[4630]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="wlan0" outitf="eth1" mark="0x346b" app="1131" srcmac="64:9a:be:4a:4c:06" dstmac="00:1a:8c:0a:76:00" srcip="10.16.28.236" dstip="10.16.239.0" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="52316" dstport="5223" tcpflags="SYN" Workaround: Fixed in: ID34334 9.306 [9.3] NTPd still fails to synchronize (Cloned fron 9.1) ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID34264 9.208 Script error issue with large Network Group objects ------------------------------------------------------------------------ Description: It is not possible to use large network group objects with over 200 items. Everything which exceeds 200 items in a group might be subject to script timeouts. Workaround: Fixed in: ID34242 9.306 [NUTM-1958] Communication error with Amazon AWS server ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID34098 9.210 Slave node in RESERVED mode with 9.304, although this mode never activated ------------------------------------------------------------------------ Description: Sometimes during the upgrade from 9.2x to 9.3 it can happen on HA/cluster system that the slave node is going in RESERVED mode (although this feature isn't enabled in webadmin). Output from "hs" on command line looks like this: Current mode: HA MASTER with id 1 in state ACTIVE -- Nodes ----------------------------------------------------------------------- MASTER: 1 Node1 198.19.250.1 9.210020 ACTIVE since Mon Dec 15 12:16:22 2014 SLAVE: 2 Node2 198.19.250.2 9.304009 RESERVED since Mon Dec 15 13:36:03 2014 -- Load ----------------------------------------------------------------------- Workaround: To fix that issue, please reboot the master node. If that will not solve the problem, contact the support. Fixed in: ID34034 9.300 [9.3] it's not possible to view or download large log files in the webadmin because root partition is too small ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33938 9.209 Problem with display of "connected clients" in webadmin when using L2TP with Radius auth ------------------------------------------------------------------------ Description: Connected L2TP VPN clients are not counted as 'connected clients' in the dashboard when using RADIUS/DHCP. But they are listed in the Remote Access reporting. Workaround: Fixed in: ID33898 9.210 SUM-Agent doesn't handle blacklisting correct if managed by two SUMs ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33886 9.000 SSO login on UTM devices not working if useraccount contains a '@' ------------------------------------------------------------------------ Description: In case the user name to login to the gatway manager contains a '@' sign (e.g. admin@sophos) the SSO login from the gateway manager to the UTMs will not work. Workaround: Don't use account containing a '@' sign in the username. Fixed in: ID33858 9.209 Userportal - adding multiple addresses to whitelist/blacklist does not work ------------------------------------------------------------------------ Description: It is not possible to add multiple entries to the sender whitelist/blacklist in User Portal (SMTP) in one step. When a user accesses the User Portal, adds multiple entries to the sender whitelist/blacklist, then leaves this page, only the first entered entry is saved. Others entered during the same session are not saved and have to be re-entered. Workaround: Add one entry per session, browse to another tab, then come back to the whitelis/blackist tab, enter another address and safe it again. Repeat this steps if needed. Steps to reproduce: 1. Login to User Portal 2. Select Whitelist or Blacklist 3. Add multiple entries and click green check box to save each entry 4. Change to a different tab (doesn't matter which) 5. Browse back to whitelist/blacklist tab 6. Issue occurs (only the first entered address appears, the rest are lost) Workaround: Fixed in: ID33826 9.280 [beta] login when pressing green arrow doesnt work ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33713 9.113 Chinese characters in email subject are not displayed correctly in Mail Manager ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID33657 9.280 Bridge: Error messages when you enable / disable an additional address on a bridge ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID33638 9.209 Usage of standard "domain user" AD group for rev. auth in WAF is not possible ------------------------------------------------------------------------ Description: Note that primary groups cannot be used as limitation for backend user membership. Primary groups are not returned by the Active Directory in the memberOf attribute. Only groups returned in the memberOf attribute of a user entity can be used to limit backend membership. The most common primary group is "Domain Users". Usually all users on an Active Directory are member of this primary group. If you want to use this group on the UTM, consider not restricting the group to backend membership. Workaround: Fixed in: ID33587 9.275 Bridge: Add renew button for DHCP ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33582 9.208 Bittorrent traffic not being blocked ------------------------------------------------------------------------ Description: Bittorrent is not reliably blocked by the Application Control offered by the WebProtection. So we can not offer a liability for blocking Bittorent. Workaround: Fixed in: ID33560 9.275 Default route metric: value of zero disappears in webadmin after applying ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33510 9.250 IPv6: 'Rapid Commit' option missing for all PPP interface types ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33503 9.208 Reporting: Graphs and values in mail reporting are inconsistent ------------------------------------------------------------------------ Description: The graphs and values in the mail reporting are inconsistent due different time frames. The graphs reach back for 24 hours, whereas the report is generated live of "today". Workaround: Fixed in: ID33325 9.206 Failed login reported from wrong IP Address ------------------------------------------------------------------------ Description: Sometimes when the message 'Failed to connect backend' appears the next failed login is being reported as coming from the ip of the last successful login. Workaround: Fixed in: ID33202 9.207 Microsoft Exchange 2013 changed behavior of RCPT verification with callout ------------------------------------------------------------------------ Description: Microsoft changed in the Exchange the behavior for its recipient verification. The Mailserver sends the "550" after "data" instead of after "rcpt to:" This is NOT RFC conform. Workaround: Use Recipient verification over Active Directory. Fixed in: ID33107 9.209 Detected Hardware Unit Hang and Reset adapter unexpectedly still exists (82583V / UTM 120r5) ------------------------------------------------------------------------ Description: If you notice the following log lines in kernel.log for this specific adapter type (82583V) on a UTM120r5, please disabled ASPM in BIOS setup. 2014:09:11-15:09:24 utm kernel: [129844.820420] e1000e 0000:05:00.0 eth0: Detected Hardware Unit Hang: 2014:09:11-15:09:28 utm kernel: [129848.833045] e1000e 0000:05:00.0 eth0: Reset adapter unexpectedly Verify the adapter: utm:/root # lspci | grep Ethernet 02:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection 03:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection 04:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection 05:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection Procedure: Press DEL during UTM reboot - disable ASPM in BIOS at Advanced -> PCI Express Configuration -> Active State Power-Management Check that it worked: lspci -vvv | grep ASPM | grep LnkCtl All entries have to be set to disabled. utm:/root # lspci -vvvv | grep LnkCtl LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM L0s L1 Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+ Workaround: Fixed in: ID33039 9.206 SNMPd reports wrong mac address ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID32922 9.206 QoS: Download Throttling doesn't work if Upload Optimizer is disabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32875 9.107 radvd fails to start when special characters are entered as domain ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32708 9.205 Power on issues on SG310 appliance ------------------------------------------------------------------------ Description: We are using ATX Power Supplies in our appliances, which have a power switch to turn it on or off. In case you do a shut-down using the LCD-Panel, WebAdmin or on the console, the system goes down and halts. The Power Supply Unit still gets power, and provides low power to different components on the main board. This means that the system doesn’t completely power off. On a standard desktop computer for example, this is used to turn it on using the push button from the front panel. To turn the appliance on again, you have to switch off the power supply unit and wait roughly 10 seconds before you can power it on again. This is to protect components like capacitors or inductors, which have to discharge from delivering low voltage to the Motherboard. Workaround: Fixed in: ID32446 9.104 Webadmin runs into timeout during lengthy report generation ------------------------------------------------------------------------ Description: The WebAdmin runs into a timeout while the query is executed (timeout warnings may be displayed in WebAdmin). This may happen if it takes too long to generate the dashboard data which is derived from the database. Workaround: none Fixed in: ID32327 9.203 OTP is not useable when the password has numeric characters ------------------------------------------------------------------------ Description: The UTM cannot determine if a 6-digit number at the end of the password is a passcode or the end of the password, so it takes it as the passcode. As a consequence OTP users cannot not have a password that ends in 6 digits. Workaround: Use a password without digits at the end Fixed in: ID32281 9.104 Web usage reports cannot be generated when database query exceeds process memory limits ------------------------------------------------------------------------ Description: Some database operations required to generate web usage reports require a significant amount of memory, if the amount of reporting data is very large. With the UTM userland being a 32bit system, processes cannot allocate more than 4GB of memory. If the database queries exceed that size, report generation will fail. Workaround: none Fixed in: ID32261 9.201 Policy tester returns wrong group membership if local security groups are used (groups in groups) ------------------------------------------------------------------------ Description: If a user is a member of a local AD group that is sub-group of a global AD group, policy tester results for that user will be inconsistent with the actual behavior of the proxy profile. Workaround: None Fixed in: ID32217 9.203 Outlook anywhere behind the WAF didn't work ------------------------------------------------------------------------ Description: If an Outlook Anywhere is behind the WAF and the test tool from microsoft (https://testconnectivity.microsoft.com/) is used you will get some errors in the output from the test tool. But there is no issue when you use the WAF config for the outlook client. Everything works fine and the error from the test tool can be ignored. Workaround: Independent from the error in the output of the microsoft test tool you can use the OA config for outlook on the clients. Fixed in: ID32093 9.202 Joining the domain fails on W2K12 server when smb 1.0 is not installed ------------------------------------------------------------------------ Description: Joining a AD SSO domain fails for a UTM on W2K12 domain controller if SMB protocol (1.0) is not installed in addition. In this case the SMB negotiate request will be refused from DC. Workaround: Please follow the instructions documented in KBA 121344: http://www.sophos.com/en-us/support/knowledgebase/121344.aspx Fixed in: ID31899 9.201 RED disconnect during high load on the utm ------------------------------------------------------------------------ Description: Connected RED devices get disconnected if there is a high load on the corresponding UTM. Workaround: none Fixed in: ID31690 9.104 postgresql: excessive virtual memory consumption via array_agg() ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31457 9.200 Add method to check if references are of a given type/class ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31148 9.200 SUM agent uses deprecated names of reporting graph ph-files ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID30909 9.200 AD Authentication should always work with user@domain and domain\user (and not only for http proxy) ------------------------------------------------------------------------ Description: AD authentication with USER@DOMAIN and DOMAIN\USER is not supported (except partially for the http proxy and the HTML5-VPN RDP configuration) Workaround: At least USER@DOMAIN can be used if the AD server is configured a second time as LDAP server, using the "userPrincipalName" as a custom user attribute Fixed in: ID30823 9.200 Transparent Mode AD SSO - Gotchas ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID30717 9.195 [NUTM-609] CVE-2014-1943: DoS in file ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID30583 9.193 Pinging the SSL client gateway IP address from the server side fails. ------------------------------------------------------------------------ Description: In a SSL site-to-site setup ping packets from the server site to the remote network gateway address don't work. If you try the same thing from the client side, everything works without any problem. Workaround: Ping will work if you use the command with source ip address: ping -I "source ip address" "destination ip address" Fixed in: ID30557 9.107 Eicar virus was uploaded althought the WAF said "Access denied with code 400" ------------------------------------------------------------------------ Description: Eicar virus was uploaded althought the WAF said "Access denied with code 400" 1) The file to be uploaded is split into several files and those files are uploaded separately. Even if the file as a whole is a detectable virus, the file segments - now each a file by themselves - could be clean in regards to AV scanning. This is a general problem for AV scanning, not specific for the WAF and cannot be solved the WAF either. 2) The file to be uploaded is wrapped in additional data which is used by the web page framework to carry meta data. From a WAF point of view, all of it is payload since every byte - no matter whether actual payload or meta data as seen by the web page framework - could be part of a virus. Hence, the whole stream is passed to AV scanning which then fails to extract the (potential) virus from the stream. Again, this is a general AV scanning problem which cannot be solved by the WAF. Workaround: Fixed in: ID30183 9.192 [internal] OpenWRT Review: Wireless B devices won't connect ------------------------------------------------------------------------ Description: AP50 does not support 802.11b mode. The 802.11b only capable clients would not be able to connect to AP50. Workaround: Fixed in: ID30148 9.191 Import of a filter action omits entries for blocked / allowed websites ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID29916 9.186 issue with HTTP/S redirection on fallback hosts ------------------------------------------------------------------------ Description: Having multiple virtual webservers with wildcard domains and using HTTP to HTTPS redirection, it is possible that in some configurations redirection is applied instead of using the correct HTTP virtual webserver. Example: - virtual webserver A - HTTPS, HTTP->HTTPS redirection enabled - wildcard certificate - domains: *.mydomain, sub.mydomain - virtual webserver B - HTTP - domain: *.sub.mydomain The request http://xyz.sub.mydomain is redirected to https://xyz.sub.mydomain instead of using virtual webserver B. Workaround: Fixed in: ID29907 9.185 Authentication fails with users in AD Nested Groups ------------------------------------------------------------------------ Description: * The authentication services that support backend membership for groups, do not support nested groups * For Active Directory, LDAP and eDirectory the groups that are set in "Limit to backend group(s) membership" or have to contain the users directly * The UTM checks group membership directly by retrieving values of group membership attributes of a user object from the backend Workaround: Fixed in: ID28904 9.250 WiFi: mesh upgrade from 9.1 to 9.2 ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID28457 9.106 [NUTM-1957] Name resolution not working on HA Slave if BGP is configured ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID27936 9.105 AD SSO fails on ReadOnly DC ------------------------------------------------------------------------ Description: If configured AD SSO against a ReadOnly DC on a UTM, SSO will fail. While the client tries to authenticate with kerberos you will get following errormessages in the http logfile: "gss_accept_sec_context: Decrypt integrity check failed" Workaround: Set the AD SSO server to ReadWrite mode or do the SSO against an ReadWrite Server. Fixed in: ID27711 9.104 [Container] Web usage reports shows "empty result" for domains and users ------------------------------------------------------------------------ Description: When selecting one entry in the Web Usage Report it could show empty results for several values. As this could have several reasons please consider the list below. If none of those fits your situation please contact Support. This issue can have three different reasons: 1. There is a huge amount of virtual memory used by sql which makes the postgres database cancelling the query. One indicator for this reason can be that the postgres master logfile located at /tmp/postgres.log grows rapidly. Another indicator can be that you will find one of the following entries in the system.log located at /var/log on the shell of the UTM: "ERROR: out of memory" and/or "Failed on request of size ..." In this occurrence the value of size is relatively low (some hundred bytes). Furthermore you will see that the postgres.log contains a lot of accumArrayResult messages and it is growing fast. Also the output of the tool "top" on the shell of the UTM shows you that the virtual size(VIRT) grows larger than 4 GB. 2. Only on UTMs with more than 8 GB RAM: When running the command “top” on the shell of the UTM you can identify that the virtual size(VIRT) and the resident memory(RES)for postgres grows larger than 4GB. As the base system of the postgres is 32bit it fails on the limitation of only supporting 4GB. Another necessary condition to be met is that you see messages like this in /var/log/system.log: "ERROR: out of memory" and/or "Failed on request of size ..." with values for size of 80+MB. 3. The WebAdmin runs into a timeout while the query is executed (timeout warnings may be displayed in webadmin). To get a workaround / solution for all three reasons : Please contact Support. Workaround: Fixed in: ID27596 9.104 VDSL reconnect results in RED 50 looping reconnects with Zyxel VMG1312-B30A Modem ------------------------------------------------------------------------ Description: After a VDSL reconnect the Zyxel Modem doesn't forward the UDP packets on port 3410 to the RED. This will result in a RED 50 reconnect loop. Workaround: It could be that a new modem firmware solves the problem. http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-71990825/Geraete-und-Zubehoer/theme-2000178/DSL-Geraete/theme-535504220/Zyxel/theme-535505129/Zyxel-VMG-1312-B30A;jsessionid=FC2E4ACCF7242DAE3B72276DD4F2D0C2 Unfortunately we don't have feedback yet if this firmware solves the problem or not. Another workaround is to disable and enable the PPPoE interface in the webadmin Fixed in: ID27574 9.103 Reboot command from LCD panel doesn't work after initial installation ------------------------------------------------------------------------ Description: During the installation of UTM software on Sophos appliances, the LCD is used to show the installation status. Other functions of the LCD program, don’t work during installation. The used base system / environment for the installer, is different as in normal operation and doesn’t offer all functions. When you use the LCD program or WebAdmin to shut down or reboot the appliance during normal operation, the system will do a clean shutdown before it reboots or halt. The installer will always force the reboot instead. To reboot the appliance after installation, use the ‘Reboot’ button on the final screen or press ‘CTRL + ALT + DEL’. If you want to power off the appliance at the end of installation, you have to switch it off using the switch of the power supply. Workaround: Fixed in: ID27127 9.150 backends seem to be not in use with Site Path Routing ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID26620 9.101 VPN Up/Down notification doesn't trigger for RED50 unless both links are down. ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID25775 9.100 RED: add message to warn users if they add a MAC to the list which is used by RED ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.370 ID25408 9.080 installation on citrix xen server fails ------------------------------------------------------------------------ Description: When using a 32bit kernel on a XEN hypervisor, the kernel will hang during boot. This also prevents installation of the UTM on XEN hv. Workaround: When installing UTM, boot the installer kernel with "default lapic=notscdeadline". Installation will proceed normally. When a 64bit kernel is chosen during installation, no further action is required. Using 32bit kernels is not supported at this time, but it may work by specifying the same parameter (lapic=notscdeadline) in grub.conf Fixed in: ID24956 9.005 Reports exported to CSV files are incorrect ------------------------------------------------------------------------ Description: If you open reports exported to CSV files with Microsoft Excel (German localization) some percentages are displayed as dates. The problem here is that German Excel prefers to interpret 2.6 as 2nd of July since in Germany that number would have been written 2,6. Workaround: Import the file via the "Daten" menue and manually switch the type of those columns to "Text" instead of "Standard". Fixed in: ID23541 9.060 WiFi [AP50]: Mesh AP can't connect to Root AP under certain circumstances ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID23534 9.004 Playing mp4 files on Safari browser is not possible while using AV scan ------------------------------------------------------------------------ Description: Playing mp4 files on Safari browser is not possible while using AV scan. Workaround: Add an exception for sites / URLs which serve streaming media Fixed in: ID23509 9.200 Vodafone ZTE K5006-Z isn't working on REDv2 ------------------------------------------------------------------------ Description: 3G modem Vodafone ZTE K5006-Z isn't working on RED devices. Workaround: Fixed in: ID23417 9.060 WiFi [ASG]: Mesh access points which already have a role should not be in the list if you add a new one ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID23401 9.060 Wifi [AP50]: Mesh forwarding could kill control connection. ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID23321 9.004 Facebook options like facebook post are not blocked until you select 'Facebook' ------------------------------------------------------------------------ Description: Enabling a sub-category of 'Facebook' without enabling 'Facebook' itself will not work and will allow access to the sub-categories, although these are checked. Workaround: sub-categories of 'Facebook' can only be blocked when 'Facebook' is enabled itself. Workaround: Fixed in: Open Issues - VPN ======================================================================== ID24745 9.005 IP displayed instead of username when using NCP client with more than one remote networks ------------------------------------------------------------------------ Description: In case you configure a remote access IPsec connection with more than one local networks, you will find in the ipsec.log file that "username" is filled with the IP address instead of the real name of the user. This will also cause, that the IP of the User Network Object will not be set. Workaround: Fixed in: ID21262 9.000 HM: When User is removed from UP, auth. to HTML5 VPN Connection is still possible ------------------------------------------------------------------------ Description: When User is removed from User Portal, authentication to HTML5 VPN Connection is still possible Workaround: Fixed in: ID20926 9.000 HTML5 VPN: Websocket error when accessing User Portal via HTTPS proxy ------------------------------------------------------------------------ Description: When the HTML5 VPN portal is accessed via a HTTP proxy that intercepts SSL connections, the HTML5 VPN portal doesn't work. The user gets a popup error message "Websocket Error". Workaround: You can only work-around this issue on the HTTP proxy side. If the HTTP proxy is under your control, you need to configure a SSL interception bypass for the address of the HTML5 VPN portal. Fixed in: ID20815 9.000 Username cannot be left blank for SSH connection type ------------------------------------------------------------------------ Description: "Automatic login" for the SSH connection type in the HTML5 VPN Portal is not checked - Username cannot be left blank. Workaround: Fixed in: ID18608 9.000 WOL-Packages through Site2Site IPSec are dropped by Destination-ASG ------------------------------------------------------------------------ Description: WOL packet will be dropped by Site2Site IPSec tunnels. Workaround: You can send the WOL packet directly from the UTM. An example script is available in the UBB: https://www.astaro.org/gateway-products/web-protection-web-filtering-application-visibility-control/35980-wake-waf-wan-magic-web-application-firewall.html When using this the wakeability of the client could be tested from the ASG with this command: ether-wake Fixed in: Open Issues - Web Application Security ======================================================================== ID35349 9.313 Problems with opening word documents from sharepoint via WAF in different browsers ------------------------------------------------------------------------ Description: If SharePoint is published through WAF with form-based reverse authentication enabled, opening Office documents doesn't work. Instead of the Office document the reverse authentication form template is shown. Workaround: Either disable SharePoint integration in the browser (then download the Office document, edit and re-upload it) or disable reverse authentication. Fixed in: ID34103 9.209 Complete download from a webserver behind the WAF is not possible ------------------------------------------------------------------------ Description: It is not possible to download big files through the WAF. Neither mod_proxy nor the UTM-WAF modules were designed to handle a high amount of parallel large file uploads or downloads. Workaround: Please contact support. Fixed in: ID33532 9.209 RDWeb via WAF is not possible on customers site ------------------------------------------------------------------------ Description: We don't have protocol support for Microsoft's RDG-RPC protocol suite which they added with Windows Server 2012 (we only support the "old" MSRPC suite). Whenever such a RDG (2012) connection fails the log contains line stating method="RDG_IN_DATA" or method="RDG_OUT_DATA" it's a strong indication the lack of protocol support is causing the connection to fail. Currently, this cannot be mitigated using the WAF. Workaround: Fixed in: ID30623 9.194 Rev. Auth.: form auth fails with some browsers if path contains special characters ------------------------------------------------------------------------ Description: Form based reverse authentication uses session cookies. The matching of cookie to paths in browsers seems to be implemented very inconsistently regarding escaping of special characters. In some cases authentication will fail because the cookie is not sent by the browser. E.g. when using Firefox and paths containing the single quote character ' Workaround: The following special characters seem to be safe to use in URLs in all tested browsers: -._~!$&()+,=:@ We recommend limiting site paths using reverse authentication to using those characters (in addition to alpha numeric characters). Fixed in: ID30444 9.193 wrong HTTP/S redirect using multiple vhosts with wildcard domains and subdomains ------------------------------------------------------------------------ Description: Using HTTP to HTTPS redirection in combination with wilcard domains could lead to using the wrong virtual webserver. Example: - virtual webserver A - HTTPS, HTTP->HTTPS redirection enabled - wildcard certificate - domains: *.mydomain, sub.mydomain - real webserver: real1 - virtual webserver B - HTTPS - domain: main.mydomain - real webserver: real2 The request http://main.mydomain is correctly redirected to https://main.mydomain. Afterwards the request https://main.mydomain is answered by the wrong real webserver, real2 instead of real1. Workaround: Fixed in: ID30394 9.192 AV scanning and ActiveSync ------------------------------------------------------------------------ Description: Antivirus scanning does not work on Microsoft ActiveSync. The scanning fails because ActiveSync encodes the transferred data in formats which the Anti-virus engine does not understand. Workaround: Fixed in: ID30209 9.192 [BETA] Rev. Auth.: deploy one auth. profile with frontend mode 'form' for more than one path ------------------------------------------------------------------------ Description: Even if you deploy one form-based Reverse Authentication profile to more than one site path, you have to log in for each path separately. Workaround: Fixed in: ID26640 9.101 Not possible to activate more than 62 virtual webserver ------------------------------------------------------------------------ Description: It's not possible to activate more than 62 virtual webservers. With more than these 62 servers configured you will get this error message in the reverseproxy.log: No space left on device: xxxx: worker slotmem_create failed Workaround: Fixed in: ID14663 9.000 WAS AV doesn't work for SOAP style file uploads (as used in some OWA 2010 configurations) ------------------------------------------------------------------------ Description: WAF AV doesn't work for SOAP style file uploads (as used in some OWA 2010 configurations). Workaround: Fixed in: Open Issues - Web Security ======================================================================== ID35581 9.315 Application control block for "Teamviewer" didn't work anymore ------------------------------------------------------------------------ Description: Application control block for "Teamviewer" doesn't work when HTTP Proxy is enabled but Full SSL scanning is not enabled. Workaround: Enable Full SSL Scanning in the HTTP Proxy settings Fixed in: ID21783 9.000 Backend Membership groups limited to AD Users do not work ------------------------------------------------------------------------ Description: The backend membership authentication didn't work if limited to Active Directory users, only when limited to Active Directory groups. For example Authentication failed for user ads_test3 when using the following LDAP string: CN=ads_test3,CN=Users,DC=auth2k8r2,DC=qa but it worked when using the following LDAP string: CN=ads_group1,CN=Users,DC=auth2k8r2,DC=qa (User ads_test3 is a member of the ads_group1) Workaround: Fixed in: ID19998 9.000 HTTP-Proxy unresponsive on Pattern Up2Date installation ------------------------------------------------------------------------ Description: During AV Pattern Up2Date the HTTP-Proxy is unresponsive. As this update may take some time it often breaks existing connections (e.g. downloads). Workaround: Fixed in: Open Issues - Wireless Security ======================================================================== ID34240 9.303 Bridge with a Wifi interface and some other Ethernet doesn't work after Update to v9.3 ------------------------------------------------------------------------ Description: Wifi Traffic is not processed correctly from the separate Zone interface to the LAN in a bridge which is setup between a LAN and a separate Zone interface. Workaround: Fixed in: ID21933 9.000 RED [RED10r2]: "Any" does not direct all traffic to UTM in Split mode ------------------------------------------------------------------------ Description: "Any" does not direct all traffic to UTM in Split mode If you configure a RED in mode transparent / split and add "Any" to the split networks (you can choose Any; AnyIPv4 or Internet IPv4) the traffic will not be directed to the UTM. Workaround: In this configuration the RED is supposed to act as if it were in standard mode. Just using standard mode without split networks will do the trick. Fixed in: ID19632 9.000 AP stays inactive if there exists no Wireless Network ------------------------------------------------------------------------ Description: AP stays inactive if there exists no Wireless Network Workaround: Create Wireless Network Fixed in: Closed Issues - Email Security ======================================================================== ID24065 9.004 Regression from V8: Recipient Verification against AD not working with LDAP-SSL ------------------------------------------------------------------------ Description: SMTP recipient verification against AD is not working with LDAP-SSL. Workaround: Option 1: Switch to non encrypted LDAP connections or recipient verification with callout. Option 2: Add the following line to /var/chroot-smtp/etc/openldap/ldap.conf TLS_REQCERT allow According to http://linux.die.net/man/5/ldap.conf : TLS_REQCERT Specifies what checks to perform on server certificates in a TLS session, if any. The can be specified as one of the following keywords: ... allow The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally. Fixed in: ID22566 9.001 Out of Office emails are marked as spam ------------------------------------------------------------------------ Description: Out of Office emails can be falsely marked as spam Workaround: There is currently no workaround Fixed in: ID21895 9.000 No actions possible for mails in error state under "Mail Manager > SMTP Spool" ------------------------------------------------------------------------ Description: If you can see mails in error state under "Mail Manager > SMTP Spool" than no action is possible like "View", "Download" etc. Workaround: Fixed in: ID21894 9.000 OpenPGP keyserver does not work if port number is explicitly specified ------------------------------------------------------------------------ Description: Signed mails with stored keys on a PGP key server (e.g. pgp.mit.edu) cannot be verified when the port number is explicitly specified in the "Encryption > Options > OpenPGP Keyserver" setting (e.g. if it is set to "pgp.mit.edu:11371"). If "Encryption > Options > OpenPGP Keyserver" is set to the keyserver only i.e. without colon and port number (e.g. "pgp.mit.edu"), everything works as expected. Workaround: Fixed in: ID21891 9.000 Upload of S/MIME certificates in PKCS#12 format doesn't work ------------------------------------------------------------------------ Description: When you try to generate a new or edit an existing Email Encryption User and choose to upload a PKCS#12 file, you get the following error message: "Cannot create email encryption user object: P12 file malformed or wrong password." Workaround: Fixed in: 9.001 Closed Issues - High Availability ======================================================================== ID26613 9.101 Since update to v9.101 inodes are filling up the slave node root partition ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.104 ID25794 9.100 HA: After takeover, several services fail because interfaces are incorrectly marked as offline ------------------------------------------------------------------------ Description: In some configurations it can happen on HA/Cluster systems that after takeover some interfaces are marked as offline incorrectly. Due to this several services running on the machine not being configured correctly. Workaround: Fixed in: 9.101 ID25742 9.100 ha: disabling virtual_mac for ha did not result in different mac addresses on master/slave ------------------------------------------------------------------------ Description: Disabling virtual_mac for ha did not result in different mac addresses on master/slave Workaround: Fixed in: 9.104 Closed Issues - Logging/Reporting ======================================================================== ID29584 9.106 "Department Reports" in Web Sec Reporting does not work for host objects ------------------------------------------------------------------------ Description: If there is a "Departement Report" created for a single or also multiple host objects, the report will not deliver any result. Creating a similar Departement Report for a Interface Network (as LAN or DMZ), the Departement Report works Workaround: Fixed in: 9.190 ID26452 9.101 Web Security reporting does not work correctly ------------------------------------------------------------------------ Description: The information from web filtering log regarding departments may not be analyzed correctly. You will find some entries like this in system.log: 2013:06:13-17:14:29 utm-1 postgres[6840]: [3-1] ERROR: malformed array literal: "{,myDepartment}" Workaround: Please contact support to get a fixed rpm for this issue Fixed in: 9.104 ID25868 9.100 performance regression in ins_accounting(): Postgres running on 100% ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.101 ID25676 9.100 [UBB][9.100] Executive Report - Wrong charts displayed on Apple Devices ------------------------------------------------------------------------ Description: Wrong charts are displayed when opening multiple executive reports concurrently. Workaround: Fixed in: 9.200 ID24922 9.005 after reboot syslogng was not started ------------------------------------------------------------------------ Description: After reboot of the UTM it might happen that syslog-ng was not started Workaround: Restart syslogng manually via command: /etc/init.d/syslogng start or just reboot the system again until syslog-ng is running Fixed in: 9.103 ID22693 9.002 Negative entries in vpn reporting ------------------------------------------------------------------------ Description: It is possible if you can see negative entries in the VPN Reporting sheet like -1 or -2. Workaround: Fixed in: ID22456 9.000 Empty graphs in Hardware and Network Usage ------------------------------------------------------------------------ Description: In special circumstances it can happen that the graphs for 'Hardware' and 'Network Usage' are empty. Workaround: Contact the Support Team to fix it. Fixed in: 9.005 ID22260 9.001 WebApplication firewall reporting does not work in timezones behind UTC ------------------------------------------------------------------------ Description: If the UTM is located in a timezone with negative offset to UTC (e.g. in U.S., Canada, south americas etc.), the WAF reporting does not work at all. Even though there are events logged in reverseproxy.log, the reporting database is not populated with any entries, and the WAF reports are empty. Workaround: Set the timezone to UTC. Fixed in: 9.003 ID22120 9.000 Filtering in web security reporting didn't work correctly with IE for the 2nd and more customized filter. ------------------------------------------------------------------------ Description: Filtering in Web Security Reporting didn't work correctly with InternetExplorer for the 2nd and more customized Filter. Workaround: Fixed in: 9.004 ID21898 9.000 Web Protection Reporting: missing sorting order in pdf under some circumstances ------------------------------------------------------------------------ Description: If you change the sort order in a report and switch to another this field doesn't exist and the exported PDF report is not sorted. Workaround: Fixed in: 9.091 ID21865 9.000 WAF reporting brokenness ------------------------------------------------------------------------ Description: In the following list there are things which were broken in the WAF reporting. -The 'Top Groups' report consisted only of one entry with an empty group name -'The Top Rules by Virtual Host' report doesn't work at all, if you select it and press update nothing happens -'The Top Groups by Virtual Host' report doesn't work at all, if you select it and press update nothing happens PDF: -The 'TOP Responses' PDF report is missing the Response Code column, which makes the report rather pointless. -The 'Top Groups' PDF report contains a column named 'Domains', but the number displayed there seem to be the value of 'Hits'. The 'Hits' column itself was empty though (see attached PDF) CSV: -The 'TOP Responses' CSV report is missing the Response Code column, which makes the report rather pointless. -The 'TOP Attackers' CSV report contains percentage numbers. This is rather unusual, since this isn't done for any of the other CSV reports. -The 'TOP Groups' CSV is just as broken as the PDF one. Workaround: Fixed in: 9.090 ID21861 9.000 Application Control Reporting: incorrect data in the exported pdf/xls ------------------------------------------------------------------------ Description: Under reporting & Logging -> Web Protection -> Application Control, when you export as pdf/slx the Top Blocked Destinations of the countries are displayed as numbers. Also the last column is empty. It looks like a column is missing and the IPs are incorrect. The same for "Top Blocked Destinations by Source" in the pdf/xls export. Workaround: Fixed in: 9.090 ID21857 9.000 Reporting: in the Top Applications by Client PDF export the total column is displayed twice ------------------------------------------------------------------------ Description: Under Reporting -> Network Usage -> Bandwitdth Usage, you can export "Top Applications by Client" as PDF and the column "Total" is displayed twice. Workaround: Fixed in: 9.090 ID21850 9.000 Several search engines does not appear in the search engine report ------------------------------------------------------------------------ Description: Several search Engines doesn't appeared in the search engine report e.g. Bing or Yahoo. Only Google works right. Workaround: Fixed in: 9.090 ID21829 9.000 Timeframe and Department missing in PDF header lines ------------------------------------------------------------------------ Description: If you are sending a report via email with a selected department and a specific timeframe like yesterday, last week, last month or a custom timerange then this timeframe fields are missing in the PDF header lines. But when you download the PDF directly from reporting page all header lines are there. Workaround: Fixed in: 9.091 ID21717 9.000 Websecurity reporting does not work for IPv6 address URLs ------------------------------------------------------------------------ Description: Websecurity reporting does not work for IPv6 address URLs If an request contains an IPv6 address in the URL host part, this request does not show up in the websecurity reporting. Workaround: Fixed in: ID21494 9.000 IPS report for pdf and csv is incorrect ------------------------------------------------------------------------ Description: in the pdf/csv report from the ips some fields are empty or not the same as in the webgui Top Destination Hosts - dest hosts are counted in the pdf/csv report, but in the webgui the src hosts are counted which makes more sense - the rule field is empty in the pdf/csv, but counted in the totals field, also the % field for the rules are empty Top Source Hosts by Destination Host - source hosts are counted in the pdf/csv report, but in the webgui the dest hosts are counted - the rule field is empty in the pdf, but counted in the Totals field, also the % field for the rules are empty ( not in the csv ) Workaround: Fixed in: 9.090 ID21291 9.000 Hide ha_sync user in Last WebAdmin sessions ------------------------------------------------------------------------ Description: Hide ha_sync user in Last WebAdmin sessions Workaround: Fixed in: 9.006 ID21158 9.000 Web protection Report doesn't have hostname ------------------------------------------------------------------------ Description: Web protection Report doesn't have hostname It seems that the reports show an ip as user instead of the host name. This is not the case when the report is run via UTM directly. Workaround: Fixed in: ID19798 9.000 WAF usage details are not shown although you can see WAF usage in the graphs and the live log ------------------------------------------------------------------------ Description: The WAF usage graphs under Reporting -> Web Application Firewall -> Usage Graphs show a lot of requests but when you go to the "Tab" Details you see nothing. Also when you change the view from today to weekly or monthly. In WAF livelog you can see the requests too. Workaround: Fixed in: 9.000 ID19698 9.000 WAF reporting doesn't work correctly ------------------------------------------------------------------------ Description: Web Application Firewall Reporting: 'Top Clients' report does not redirect to another report when clicking on an IP Address. Workaround: Will be fixed in one of the upcoming version. Fixed in: Closed Issues - Management ======================================================================== ID35615 9.314 Dashboard is not displayed if you use "Asia/Beijing" as timezone ------------------------------------------------------------------------ Description: Dashboard is not displayed if you use "Asia/Beijing" as timezone. You see the following error message "The timezone 'Asia/Beijing' could not be loaded, or is an invalid name. Workaround: Use Asia/Shanghai instead which is a different name for the same timezone. Fixed in: 9.317 ID34724 9.308 OBJECT_NAMESPACE collision when whitelist/blacklist with identical name is deployed via SUM ------------------------------------------------------------------------ Description: HTTP proxy whitelist/blacklist objects with identical names as already existing whitelist/blacklists cannot be deployed in 'data only' substitution. Confd logfile on UTM will report "OBJECT_NAMESPACE (The whitelist/blacklist object with the name 'whitelist' already exists.)" Workaround: Rename whitelist/blacklist object on SUM or UTM to deploy the object. Fixed in: 9.314 ID25916 9.100 SUM can't set Web Filter URL Blacklist and URL Whitelist ------------------------------------------------------------------------ Description: SUM can't set URL Blacklist and URL Whitelist for UTM 9.100 and newer. Workaround: Fixed in: 9.104 ID25097 9.005 System up2date are disabled without an obvious reason ------------------------------------------------------------------------ Description: Systems upgraded from V8 to V9 will not see and download the 9.006 Up2Date. Workaround: On the console execute as root # rm /var/upgrade/fetch-stamp Fixed in: 9.005 ID22004 9.000 'Edit dashboard settings' is broken after importing an ASG V8 config ------------------------------------------------------------------------ Description: After importing a ASG V8 configuration backup into UTM 9 you can't use the new Dashboard customization feature. The following error is displayed: "The WebAdmin user preferences object may not have an empty WebAdmin keyboard shortcuts attribute." This is caused by a missing definition for the keyboard shortcut for Endpoint Protection objects. Workaround: Go to Management >> WebAdmin Settings >> User Preferences and add the missing shortcut for Endpoint Protection. New installations of UTM 9 use CTRL+M. Fixed in: 9.001 ID21958 9.000 Live log for packetfilter shows numbers instead of the protocol ------------------------------------------------------------------------ Description: Live log for packetfilter shows numbers instead of the protocol name TCP, UDP and ICMP protocol are displayed correctly. If other 'proto' numbers are used only these numbers are shown in the live log. Workaround: Fixed in: 9.055 ID21892 9.000 Encryption User: Download PKCS#12 key doesn't work if S/MIME is disabled ------------------------------------------------------------------------ Description: "Email Encryption > Internal Users": If you download the PKCS#12 key and S/MIME is disabled it doesn't work anymore for this user. Workaround: Fixed in: 9.050 ID21794 9.000 Support UTM 9 install on ASG 120 Rev4 with 2GB Memory ------------------------------------------------------------------------ Description: As the ASG 110/120 supports 2GB memory, and we have changed this for the Rev 5 to 2GB, the installer should permit the "appliance" installation on a Rev4 which has 2GB memory. The customer can already install UTM with 1gb and then swap in a 2GB anyways, so we might as well not force them to keep swapping the DIMMS when they want to re-install (or then open a support ticket) and just support this. Workaround: Fixed in: 9.107 ID21590 9.000 Fix SNMP traps for notifications ------------------------------------------------------------------------ Description: There are some SNMP Issues - wrong label (v2c/v1) in webadmin - specificTrap value not set correctly - confused sink/agent addresses - Maybe v3 traps have similar issues Workaround: Fixed in: 9.092 ID21246 9.000 ACC Device agent not running ------------------------------------------------------------------------ Description: ACC Device agent not running Upgrade to 8.940 breaks device agent functionality Workaround: Fixed in: ID20540 9.000 [UBB][8.900] Dashbord reload flickers on Google Chrome ------------------------------------------------------------------------ Description: There's a short flicker at every reload of the dashboard when using the Google Chrome Webbrowser on machines with an ATI graphics card, probably caused by Chromes hardware acceleration. Workaround: Fixed in: ID16216 9.000 Confd sync daemon runnnig on slave node ------------------------------------------------------------------------ Description: Confd sync is falsely runnnig on slave node. This was a race condition between selfmon restarting the confd-sync process and the MDW stopping the confd-sync process. Workaround: Fixed in: Closed Issues - Network Security ======================================================================== ID28847 9.160 ips: snort does not log correctly to logfile ------------------------------------------------------------------------ Description: The log message "Reload Complete" is not logged instantly to the logfile. It needs another event to be logged until the reload complete message is actually in the logfile. Workaround: Fixed in: ID21942 9.000 IPS notifications contain invalid links ------------------------------------------------------------------------ Description: IPS notifications contain invalid links When IPS sends an alert due to a detection, 3 of the 4 "helpful links" in the alert do not work. 1 goes to a sort of script error, 1 is a simple root page without the parameters we pass it, and 1 is to a "this is a paid service" link. e.g. http://ws.arin.net/cgi-bin/whois.pl?queryinput= https://apps.db.ripe.net/search/query.html?query= http://www.dnsstuff.com/tools/ptr.ch?ip= Workaround: Fixed in: 9.050 Closed Issues - Networking ======================================================================== ID32406 9.204 Adding a host definition with DNS name "localhost" breaks named.conf ------------------------------------------------------------------------ Description: Adding a host definition with DNS name "localhost" breaks DNS configuration. Named (DNS proxy) will fail to start with the error message "fatal error" zone 'localhost': already exists. Workaround: remove the DNS host definition Fixed in: 9.308 ID23950 9.100 Wildcard Domains for SMTP Routing (Regression) ------------------------------------------------------------------------ Description: If you used wildecards like "*" for SMTP routing on ASG 7 please consider that this isn't possible on ASG 8 and UTM 9 anymore. UTM 9 allows you to enter wildcards but they won' t work properly. Workaround: Fixed in: 9.192 ID22646 9.003 Bridge: Use the MAC address of the converted interface instead of the smallest one ------------------------------------------------------------------------ Description: If you configure a bridge with a "Convert interface", the smallest MAC address of all selected interfaces will be used. This isn't really predictable just by looking at the MAC addresses. In this case the one from the Convert interface should be used for 'br0'. Workaround: Configure a "Virtual MAC address" for the bridge interface in Interfaces & Routing >> Bridging >> Advanced (e.g. the MAC address of the Convert interface). Fixed in: 9.165 ID22398 9.001 Clients are not listed in the UTM ------------------------------------------------------------------------ Description: It is possible if you register more clients for Endpoint Protection no all clients are listed as "online" or listed at all. The other are offline even if they're online and communicating with the broker. Workaround: Fixed in: ID21948 9.000 Cable Modem: every renew of the ip address adds a new ip address to the dhcp interface (v9) ------------------------------------------------------------------------ Description: Cable Modem: every renew of the ip address adds a new ip address to the dhcp interface If a Cable Modem interface is configured including an additional ip address on this interface after every renew of the dhcp lease the client adds a new address from the dhcp to the interface but doesn't delete the old one. Workaround: Fixed in: 9.003 ID21934 9.000 OSPF: Can't enable 'Interface Link Detection' [v9] ------------------------------------------------------------------------ Description: OSPF: Can't enable 'Interface Link Detection' [v9] When 'Interface Link Detection' in the OSPF settings are enabled the changes are not applied. Workaround: Fixed in: 9.006 ID20322 9.000 SSL VPN routes are not distributed correctly over OSPF ------------------------------------------------------------------------ Description: To redistribute SSL VPN routes ( regardless Remote Access or Site2Site) make sure to tick redistribute connected in Webadmin -> Interface & Routing -> Dynamic Routing (OSPF) -> Advanced. Workaround: Fixed in: 9.170 Closed Issues - RED ======================================================================== ID25766 9.100 RED 50 connection is permanently dropped after HA takeover ------------------------------------------------------------------------ Description: RED50 permanently drops tunnel connection after HA takeover. The following messages occur in the red.log: 2013:06:15-11:46:30 utm red_server[1234]: SELF: New connection from 20.30.40.50 with ID A3400XXXX (cipher RC4-SHA), rev1 2013:06:15-11:46:30 utm red_server[1234]: A3400XXXX: already connected, releasing old conne Workaround: please contact support for a hotfix Fixed in: 9.104 ID25748 9.100 Sending overlay-fw on every Takeover/Restart of the UTM takes too long until all REDs are online again ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.101 ID25736 9.100 RED firmware update fails if upload takes longer than 3 minutes ------------------------------------------------------------------------ Description: In 9.100 the RED appliances retrieve the firmware from the UTM instead of the provisioning server. If the UTM is behind a weak link or if there are many REDs the timeout of 3 minutes is too short and the firmware update fails. Workaround: Fixed in: 9.101 ID25524 9.300 The RED interfaces lost their ip addresses after license change ------------------------------------------------------------------------ Description: If you install a license without RED subscription and then install a license with RED subscription, the RED interfaces will loose their ip addresses. Workaround: restart the middleware: /etc/init.d/mdw restart Fixed in: 9.304 ID24287 9.000 RED 10 stops working while handling large packets [9.1] ------------------------------------------------------------------------ Description: When a customer sends packets with a size over 1300 bytes via the RED is stops working. No further packets are flowing and after the timeout the RED is completely disconnected. It doesn't reconnect again, it seems it freezes and the customer has to power off/on manually to re-establish the connection. The packets are leaving the ASG via RED-tunnel but there is no response. This occurs only with a packetsize over 1300 bytes! Workaround: Put a router in between RED and Cisco. Fixed in: 9.112 ID24091 9.070 RED [RED10, RED50]: prevent RED50 from being deployed as RED10 and vice versa ------------------------------------------------------------------------ Description: RED50 (RED10) must not be deployed as RED10 (respectively RED50) when adding new device. Workaround: Fixed in: 9.204 ID22634 9.002 Static IP address assignment for RED does not work together with transparent/split mode ------------------------------------------------------------------------ Description: LEDs: System=green permanent Router=green blinking Workaround: use another mode e.q transparent/split with dhcp Fixed in: 9.055 ID22571 9.001 UTM-RED Client with dynamic IP doesn't re-establish the tunnel ------------------------------------------------------------------------ Description: UTM-RED Client with dynamic IP doesn't re-establish the tunnel if the dynamic IP address is changing. Workaround: Fixed in: 9.107 ID22546 9.001 RED Split-Tunneling via UMTS is not working properly ------------------------------------------------------------------------ Description: Split-Tunneling via UMTS is not working with RED Workaround: Fixed in 9.100. Fixed in: 9.055 Closed Issues - Various ======================================================================== ID36221 9.352 After update to version 9.317/9.351 SMTP messages stop being processed (without any notifications/errors in log) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36178 9.352 Graphs in executive report are missing after update to v9.352 ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID36171 9.352 Flow Monitor broken since the XSS patches ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36132 9.214 WebAdmin reflective XSS Vulnerability [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.216 ID36131 9.317 WebAdmin reflective XSS Vulnerability ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.318 ID36129 9.300 OpenSSL security update 1.0.1q [9.31] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.318 ID36128 9.200 OpenSSL security update 1.0.1q [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.216 ID36126 9.350 OpenSSL security update 1.0.1q ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.352 ID36115 9.351 WebAdmin reflective XSS Vulnerability ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.352 ID36086 9.351 Executive Report: Wrong count of ssh logins in summary ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36065 9.351 Webadmin triggers L2TP over IPsec PSK change if "&" is used in PSK ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36019 9.315 IP range objects in allowed relays will not insert in the exim configuration ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36013 9.351 Installation of first package failed during Up2Date (db_verify?) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36012 9.314 No "Server Hello" is send by WebProxy from the UTM to the client ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID36008 9.351 SPX registration mails mess up exim header sporadically ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35999 9.351 FTP over HTTP: directory listing uses wrong paths ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35994 9.351 MAC filter list with more than 700 entries doesn't get updated on change ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35985 9.315 Executive Report: VPN client 'duration' counted incorrectly if users logged > 1 day ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35980 9.317 Proceed button for a forbidden file extension change the signature of a https request ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35979 9.315 HTTP Proxy does not provide full certificate chain when using custom cert for enduser pages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35978 9.351 Update ntp to 4.2.8 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35974 9.315 Printable config doesn't show content of WebAdmin user preferences > shortcuts in Confd format ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35970 9.315 Remote access reporting is incorrect ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35967 9.315 Support Access deamon crashes if server is not available ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35928 9.315 Windows devices randomly showing up as Linux device=3 in httpproxy with device authentication ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35923 9.315 HTTP Proxy: fix of memory leaks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35922 9.308 HA/Cluster Up2Date doesn't complete if BIOS time is not UTC and TZ is < GMT ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35921 9.315 HTTP Proxy locking up intermittently ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35920 9.314 Connection to http://www.bundesfinanzministerium.de is not working properly through HTTP Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35919 9.314 Webadmin alternating displays "cff_profile_name" and "name" attribute on Web Filter Profiles tab ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35918 9.314 Webadmin: searching in the logfiles with "-c" will print a count of matching lines instead of "searchresult" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35917 9.314 packetfilter rule will not apply automatically if services are in groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35916 9.313 VoIP Telephone can't connect to new AP model ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35915 9.313 SSO password parsing error with & character ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35914 9.314 DHCP option 234 for APs to connect to another UTM than the main UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35913 9.313 ad-sync script failing due to invalid credentials ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35912 9.312 Uploading a modified template in hotspot results in Webadmin warning ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35911 9.209 Winbindd: Exceeding 16.000 client connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35910 9.314 Email encryption: virus_protection.pm causes mdw to die ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35909 9.313 Coredumps from httpd after update to v9.314 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35908 9.313 Swap space change via confd to AWS UTM instance doesn't survive reboot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35907 9.313 Facebook does not work properly in IPv6 mode when transparent proxy is used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35906 9.312 Kernel: enable x2apic ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35905 9.314 Network monitor daemon segfault / coredump (again) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35904 9.313 SMTP scanner timeout/deadlock if DLP enabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35903 9.313 Authentication pop-up when warned extensions are proceeded on HTTPS sites ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35902 9.313 "cannot create socket" AV error messages for sites behind the WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35901 9.310 Avscan notice while trying to transfer data with a AS2 connection via WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35900 9.313 Endpoint antivirus policy won't be displayed correctly in German webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35899 9.313 125w r2 Internal Wifi adapter Spurious quick kickout ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35898 9.310 adbs-maintenance running indefinitely ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35897 9.313 Reporting show blocks from AFC from networks which are in the exception list ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35896 9.312 SPX: 404 if recipients are only in bcc ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35895 9.313 Typo in default Subject line for SMTP Data Protection end-user messages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35894 9.313 Pop-up disappears if you want to save CSV/PDF report with right click ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35893 9.313 Temp files not removed from /var/log/tmp on slave node after remote logfile archive ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35892 9.313 Sorting websites by tag doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35891 9.312 Scoreboard is full message in reverse proxy log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35890 9.310 QR Code is missing on voucher in customer template ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35889 9.313 disabled shortcuts in webadmin will be displayed as "OFF +X" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35888 9.313 Bridge to LAN network on both Internal WiFi & External AP not accessible via External AP ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35887 9.314 Dashboard is not displayed if you use "Asia/Beijing" as timezone ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35886 9.313 undefined error message on DHCP-Relay activation when interface is used by DHCP server ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35885 9.315 DLP slows down mail delivery drasticly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35884 9.313 Update from 9.2 to 9.3 with deactived REDs as part of a bridge will prevent opening of interfaces-tab in webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35883 9.310 Remote Log File Archive: Notification was not sent "File too large" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35882 9.315 Improve process scaling for SMTP Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35881 9.309 awed and confd consume a lot of CPU time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35880 9.312 Encoding errors for japanese words on Terms of Use ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35879 9.317 Firmware-Updates triggered via SUM are not installed on the UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35878 9.310 Allow to set cipher list and protocols for WebAdmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35877 9.315 Number of concurrent connections is rising constantly. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35876 9.310 Access control in site path routing didn't work as written in the online help ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35875 9.316 Sessions for SSL VPN are not listed in reporting if the username consists of numbers only ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35874 9.308 ctasd permanently segfaults on slave node ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35873 9.315 HTTP Proxy core dump during ATP Reload ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35872 9.306 "AV Scanner unreachable" mails should be moved to error queue instead of quarantine. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35871 9.315 POP3 Proxy passes read receipt header for blocked messages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35870 9.304 Mail Manager POP3 Quarantine global actions do not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35869 9.315 SSL VPN text for Windows in User Portal is always English ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35868 9.209 HTTP Proxy freezes after config change ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35867 9.315 Typo on QoS status tab in German webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35866 9.112 Customized web templates, problems with Block All mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.351 ID35816 9.315 spx-auth dies without any log entry ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35810 9.350 Web Proxy unable to start following update to 9.350 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35799 9.117 Corrupted rpmdb - check and repair from 33545 doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35797 9.300 dynamic mac filter changes not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35792 9.117 NUTM-2170: Display of a SG Series shows 'HA Slave Status Error' [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.118 ID35787 9.300 SG1xxW: middleware errors + changing txpower not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35766 9.315 Certificate with Netscape Cert Type: SSL Client not usable for S/MIME encryption ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35764 9.315 Typo on QoS status tab in German webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35756 9.315 Typo in Up2date Inline Help Text ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35755 9.315 User Portal: Login not possible - "Authentication system error" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35750 9.315 SMTP Proxy dies every two hours when using SPX ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35740 9.315 SSL VPN text for Windows in User Portal is always English ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35739 9.315 SPX Encryption works only if the customer uses "senderspec" as option ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35730 9.117 Update BIND to 9.9.7.P3 to take care of CVE-2015-5986 and CVE-2015-5722 [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.118 ID35729 9.214 Update BIND to 9.9.7.P3 to take care of CVE-2015-5986 and CVE-2015-5722 [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.215 ID35725 9.317 Avira scanner does not work if MIME blocking inspects HTTP body selected ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35714 9.317 Memory leak in safesearchscanner ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35704 9.315 WAN Failover on RED50 with static IP addresses not successful ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35688 9.315 SMTP: Duplicated MIME-type blacklist entries when processing messages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35683 9.315 Update kernel to 3.12.48 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35672 9.315 POP3 Proxy passes read receipt header for blocked messages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35670 9.315 HTTP Proxy core dump during ATP Reload ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35659 9.316 Sessions for SSL VPN are not listed in reporting if the username consists of numbers only ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35648 9.315 Number of concurrent connections is rising constantly. ------------------------------------------------------------------------ Description: Workaround: 1) Open file in editor: /etc/init.d/iptables 2) search for "dns" 3) Comment the matching line: - modprobe -q nf_conntrack_dns + #modprobe -q nf_conntrack_dns 4) Save the file 5) This needs a reboot to apply (Further take care you do this for all cluster/ha nodes) Impact (Minor): DNS conntrack helper will be disabled. This will result in parallel DNS lookups used by some unix systems to timeout. As clients have a procedure to workaround that connection will establish but with a delay of 5sec. Fixed in: 9.317 ID35647 9.117 ctasd selfmon restarts [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.118 ID35645 9.314 FTP Proxy: frox segfault still occurs after udpate to 9.314 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35644 9.315 Improve process scaling for SMTP Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35643 9.315 DLP slows down mail delivery drasticly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35642 9.316 Update BIND to 9.9.7.P3 to take care of CVE-2015-5986 and CVE-2015-5722 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35600 9.308 HA/Cluster Up2Date doesn't complete if BIOS time is not UTC and TZ is < GMT ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35599 9.315 Cannot delete user object when user network is still used by another network group object ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35593 9.315 HTTP Proxy locking up intermittently ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35559 9.314 Connection to http://www.bundesfinanzministerium.de is not working properly through HTTP Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35553 9.314 Webadmin alternating displays "cff_profile_name" and "name" attribute on Web Filter Profiles tab ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35552 9.314 Webadmin: searching in the logfiles with "-c" will print a count of matching lines instead of "searchresult" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35547 9.314 packetfilter rule will not apply automatically if services are in groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35546 9.313 VoIP Telephone can't connect to new AP model ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35542 9.315 WiFi channel of SG1xx-w Appliance is missing in Access Points overview ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35540 9.313 SSO password parsing error with & character ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35530 9.314 DHCP option 234 for APs to connect to another UTM than the main UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35524 9.314 nf_ct_dns: misleading error message ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35521 9.314 Support Access user cannot be enabled if complex passwords & non-alphanumeric character required ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35511 9.314 Maildrop lock will not removed by pop3proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35509 9.313 ad-sync script failing due to invalid credentials ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35507 9.116 CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.117 ID35502 9.213 CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.214 ID35501 9.314 Pluto segfault after update to 9.314 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.315 ID35499 9.312 Uploading a modified template in hotspot results in Webadmin warning ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35498 9.209 Winbindd: Exceeding 16.000 client connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35494 9.314 Email encryption: virus_protection.pm causes mdw to die ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35493 9.313 Coredumps from httpd after update to v9.314 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35490 9.313 CVE-2015-5477 - An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.315 ID35486 9.314 Network monitor daemon segfault / coredump [Cloned for 9.350] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35480 9.313 Swap space change via confd to AWS UTM instance doesn't survive reboot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35476 9.313 Facebook does not work properly in IPv6 mode when transparent proxy is used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35466 9.312 Kernel: enable x2apic ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35463 9.314 Network monitor daemon segfault / coredump (again) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35460 9.313 SMTP scanner timeout/deadlock if DLP enabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35437 9.313 Authentication pop-up when warned extensions are proceeded on HTTPS sites ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35420 9.313 "cannot create socket" AV error messages for sites behind the WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35412 9.310 Avscan notice while trying to transfer data with a AS2 connection via WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35408 9.313 Endpoint antivirus policy won't be displayed correctly in German webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35397 9.313 125w r2 Internal Wifi adapter Spurious quick kickout ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35394 9.310 adbs-maintenance running indefinitely ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35392 9.314 If reply portal is disabled in the SPX template some logos are missing from the password registration form ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35385 9.313 Reporting show blocks from AFC from networks which are in the exception list ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35378 9.312 SPX: 404 if recipients are only in bcc ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35370 9.313 Typo in default Subject line for SMTP Data Protection end-user messages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35368 9.313 HTTP Proxy fails to lookup correct backend group intermittently ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35367 9.314 If SPX portal is not enabled in SPX template, recipient cannot register password ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35365 9.313 Pop-up disappears if you want to save CSV/PDF report with right click ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35363 9.313 Temp files not removed from /var/log/tmp on slave node after remote logfile archive ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35360 9.313 Sorting websites by tag doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35351 9.312 Scoreboard is full message in reverse proxy log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35348 9.312 Unknown cssd response: 500 Internal Server Error in pop3proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35345 9.310 QR Code is missing on voucher in customer template ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35344 9.313 disabled shortcuts in webadmin will be displayed as "OFF +X" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35343 9.313 Bridge to LAN network on both Internal WiFi & External AP not accessible via External AP ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35341 9.313 undefined error message on DHCP-Relay activation when interface is used by DHCP server ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35339 9.313 Update from 9.2 to 9.3 with deactived REDs as part of a bridge will prevent opening of interfaces-tab in webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35338 9.313 Bridge with RED: No warning that RED-interface will be removed from bridge when RED will be deactivated ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.350 ID35336 9.310 Remote Log File Archive: Notification was not sent "File too large" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35323 9.309 awed and confd consume a lot of CPU time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35307 9.312 Encoding errors for japanese words on Terms of Use ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35300 9.211 Interface was deleted through backup restore ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35272 9.312 Mail Manager: incorrect pagination when removing entries ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35266 9.312 Uncategorized websites show up in reports as Categorization Failed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35260 9.312 Real webserver advanced section doesn't expand automatically if defaults are changed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35257 9.312 Not possible to add Network group object as "Network Protection Manager" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35256 9.313 Middleware logs error for uninitialized value during regex operation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35248 9.115 OpenSSL security update 1.0.1o [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.116 ID35247 9.115 RED: Update OpenSSL [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.116 ID35245 9.312 Raid monitor not running ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35243 9.312 Re-Design of FTP Proxy: Real-time filesize counting/pass-through mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35240 9.310 Web Proxy duplicates headers in XSS request ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35239 9.000 Firmware-Updates triggered via SUM are not installed on the UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35236 9.312 rsync does not sync up2date/pattern packages due to corrupted rsyncd.conf ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID35235 9.312 RED: Update OpenSSL ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.313 ID35234 9.212 RED: Update OpenSSL [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.213 ID35229 9.312 Access control: Mail Protection Manager can not create any exceptions ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35228 9.310 handle nvme devices during installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35226 9.312 Mail Manager: perl runtime error while trying to view an email without mail body ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35225 9.312 Background channel switching doesn't work on AP55C/AP100C ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35214 9.212 OpenSSL security update 1.0.1o [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.213 ID35213 9.312 OpenSSL security update 1.0.1o ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.313 ID35200 9.312 SSID and PSK disappear from Voucher ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35199 9.312 Mail Manager: "\" in Sender/Rcpt/Subject substring causes a perl error ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35185 9.310 SPX: Password registration form (PW specified by recipient) does not work due disabled reply portal ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35183 9.312 HTML5 VPN: mobile keyboard not working on iOS devices in Safari ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35177 9.310 SPX encryption does not work if From header is invalid ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35176 9.312 IPTables will not update if you add a host to a network group which is used in a packetfilter rule ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35165 9.312 Problem displaying quarantined emails in case several addresses are in cc ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35161 9.312 Hotspot login page is looping if the interface for the hotspot is a RED vlan interface and QoS is enabled on the interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35141 9.310 WIFI-Client can't get an IP if static and dynamic VLAN is same ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35137 9.211 Endpoint - USB exemptions configured on the UTM do not work for some USB sticks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35135 9.310 webadmin does not check hostname in a host object (network definition) ------------------------------------------------------------------------ Description: From a DNS point of view, the hostnames "hostname" and "hostname." (note the '.') denote the same host. The UTM does not regard these as being equal. It is therefore possible to configure two different hosts, which resolve to the same hostname. This is an invalid BIND configuarion and will prevent BIND from starting. Workaround is to not have a host in both styles, but use either the notation with, or without dot. Workaround: Fixed in: ID35134 9.310 SPX reply portal removes original filename from attachments ------------------------------------------------------------------------ Description: SPX: Uploading files to SPX reply portal while using IE10 or higher can cause that the filenames are overwritten by the complete local path. Example: CUsersUsernameDesktopFilname.docx Workaround: You can disable this behavior in IE: IE -> Internet Options -> Security -> Internet -> Custom level Disable: "Include local directory path when uploading files to a server" Fixed in: ID35133 9.310 SPX: Reply portal shows wrested email recipient and sender addresses in original message ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35128 9.312 User portal fallback language is not set to what it suppose to be set ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35108 9.312 Day in Dashboard date sometimes off by one ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35107 9.312 Can not display "Endpoint Protection" summary page when there is an Endpoint without group ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35073 9.312 SafeSearch does not block all provocative images ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35070 9.310 SSL VPN: change default DH key size to 2048 and add key size 3072/4096 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35069 9.310 Logjam TLS vulnerability (CVE-2015-4000) - RED ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35065 9.310 Logjam TLS vulnerability (CVE-2015-4000) - SMTP ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35064 9.310 Logjam TLS vulnerability (CVE-2015-4000) - POP3 ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35062 9.310 Logjam TLS vulnerability (CVE-2015-4000) - WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID35057 9.310 Internal Wifi adapter is active on slave node in HA ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35046 9.312 Problems with sticky multipath rules and IPv6 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID35042 9.312 Error output while executing repctl -m command ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35040 9.310 HTTP Proxy: POST request fails with "broken pipe" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35034 9.310 DLP emails are not visible in Mail Manager SMTP Log if DLP action is "Allow" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35033 9.310 Allow to set cipher list and protocols for WebAdmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID35028 9.312 Timezone update 2015c ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35026 9.310 HTTP Proxy: Country blocking exceptions for destination not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35025 9.312 SPX: no NDR is sent out if recipient does not register ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35018 9.310 HTTP Proxy: EpollWorker segfault in kernel_vsyscall ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35017 9.312 Websec-reporter creates coredumps ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35013 9.310 DPD not set in case remote device is sending DPD vendor payload not in the first main mode message ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35006 9.310 syslog-ng reaching max connections due to hotspot traffic ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35005 9.310 It is not possible to create a second convert bridge ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID35003 9.310 Untrusted issuer warnings for trusted CAs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34994 9.312 HTTP Proxy crashes when using country blocking combined with HTTP exceptions using 'AND' operator ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34993 9.310 Dashboard does not display traffic data for ethernet vlan interface types ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34988 9.310 RED50 ignores list of allowed VLAN tags in 'Tagged' VLAN port operation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34984 9.310 Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/asg_wireless.pm line 3714 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34978 9.309 RED50 doesn't work with some big packets ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34976 9.312 If HTML only email is sent to be SPX encrypted than the scanner dies. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34975 9.310 HTTP Proxy: core dump kernel_vsyscall ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34974 9.312 BGP with IPv6 is broken ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34971 9.310 AP 100C / AP 55C: ath10k: Spurious quick kickout / ath10k: SWBA overrun on vdev ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34970 9.310 AP100C/AP55C: IFUP_ERROR ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34968 9.310 AP55C not becoming active ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34954 9.310 HTTP filter action still shows the old category name after the name was changed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34950 9.310 Can't enable Cisco VPN anymore after the last user was deleted ------------------------------------------------------------------------ Description: Workaround: 1. Shell -> cc 2. remote_access 3. cisco$ 4. copy REF object 5. changing to OBJS mode 6. paste the REF object 7. aaa=['REF_DefaultSuperAdmin'], -> enter 8. save with "w" Fixed in: 9.314 ID34945 9.310 Network monitor daemon segfault / coredump ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34943 9.310 afcd memleak in 9.310 ------------------------------------------------------------------------ Description: Workaround: Enable ATP. It will restart afcd every hour Fixed in: 9.314 ID34942 9.310 Access control in site path routing didn't work as written in the online help ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34939 9.310 WAF reverse auth Japanese characters garbled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34927 9.310 Change default algorithm for creating CAs to sha256 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34924 9.310 SMIME signed invitations will loose the "meeting" features in outlook ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34920 9.310 Web Usage 'Sites' report shows 'Empty result' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34917 9.310 Dashboard times out in case of many interfaces ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34911 9.309 Backend AD sync shows error messages in aua.log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34907 9.310 HTTP Proxy: deflate zlib data according to RFC ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34902 9.310 outgoing spam is always quarantined even though (confirmed) spam action is "warn". ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34901 9.310 Can't use string ("0") as a HASH ref while "strict refs" in use at smtpd.pl line 4134 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34891 9.310 'Show IP BGP Unicast' button not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34890 9.310 REDs disconnected when connecting more than 270 concurrent RED tunnels ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.350 ID34888 9.310 True type file inspection should not be executed if MIME type blocking is disabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34887 9.310 Up2date not possible caused by DNS issue ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34882 9.310 Imported SMIME cert fills up storage partition ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34874 9.310 Manual firmware download via WebAdmin doesn't work anymore (9.310 regression) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34872 9.309 Up2Date Cache setting not updated when changing SUM host ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34871 9.308 IPsec Remote Access connection may fail to aquire an IP from pool of static IPs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34857 9.310 Paket rate limitiation in Flood Protection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34854 9.309 SG210 - FlexiPort NIP-51084 not recognized ------------------------------------------------------------------------ Description: How to do hardware changes to a cluster: 1) Power down all nodes 2) Do hardware changes (module addition/removal/changes) 3) Power up master 4) Power up worker and slav node If this is done differently there is high chance that cluster is in inconsistent hardware state. This can result in strange behavior. Workaround: Fixed in: ID34853 9.310 Mail Manager: perl runtime error when subject contains double byte charactes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34852 9.310 Web Proxy doesn't handle "302 Object Moved" without a keep alive ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34850 9.310 Httpproxy cannot handle tls1.2 client connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34845 9.310 Remote Access graphs shows wrong values ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34834 9.310 Regex match exceeds pcre limit for "Chrome Update" on google sites ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34830 9.310 httpproxy reports "failed to get network: Operation not permitted" in function confd_network_filter ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34824 9.309 device-agent stucks when deployment is taking too long ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34812 9.309 SPF check against IPv6 subnet does not work. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34793 9.309 E-mail graph missing in executive report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34791 9.308 HTML5 VPN: keyboard input not working on Android devices ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34788 9.308 HTTP Proxy: segfault in tcmalloc::ThreadCache ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34773 9.309 awed died - Can't use an undefined value as an ARRAY reference at awed_ng.pl line 1850. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34772 9.310 Voucher QRcode misses IP/hostname information ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34760 9.309 Prefork: MaxRequestWorkers of 256 exceeds ServerLimit value of 16 servers ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34755 9.310 Autoneg settings for bridge ports are not applied on startup 9.3 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34748 9.309 SG W-Appliances: Bridge with internal Wifi interface will be not created correctly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34744 9.309 Email scanner timeout/deadlock if blacklist entry contains multiple * ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34739 9.309 Support Access Tunnel gets blocked by Country Blocking ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34730 9.309 create_rrd_graphs timeslots should not be hardcoded ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34728 9.114 Autoneg settings for bridge ports are not applied on startup ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.115 ID34717 9.309 WiFi: delete vxlan tunnels before creating for modified ones ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34712 9.308 Cisco remote access causing 10 minute mdw cycle ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34711 9.114 Import OpenSSL security updates from 1.0.1m [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.115 ID34710 9.211 Import OpenSSL security updates from 1.0.1m [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.212 ID34703 9.310 edir directory browser runs into Error: Search failed: no search control ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34697 9.309 Import OpenSSL security updates from 1.0.1m ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34695 9.309 Kernel: Unable to handle kernel NULL pointer dereference at (null) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34693 9.309 HTML5 portal kicks users with configuration changed message on every aptp update ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34689 9.308 warning: called by undefined caller! ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34685 9.309 3g modem not available after reboot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34684 9.309 Wireless.log shows lots of messages like "rt305x-esw 10110000.esw: link changed" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34683 9.309 OpenSSL security update for Wifi APs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34681 9.309 MAC Filter does not work correctly after changing the mac list ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34676 9.329 11ac cards still crash on SG125w/135w ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.311 ID34666 9.308 FTP Proxy: frox segfault in realloc ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34661 9.309 IEEE802.11ac is disabled if ACS is selected on SG1x5w appliances ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34655 9.211 Web Protection reporting will be not displayed correctly if you use a german webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34645 9.308 Forbidden applications are not blocked if filter action is in mode "whitelist" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34630 9.308 Web-Proxy: GET request with missing content length fails ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34626 9.308 Long path name in site path routing breaks WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34622 9.309 History back traverse broken in chrome ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34612 9.308 device-agent restarting constantly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34608 9.306 Reset adapter on intel 82571EB ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34607 9.308 Hotspot: Users have to accept terms of use - HTML misinterpreted ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34605 9.309 Unconverting Bridge Interface does not work properly in some cases. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34604 9.308 Mail Manager: IP Substring search does not work. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34599 9.100 FREAK: OpenSSL vulnerability (CVE-2015-0204) [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.115 ID34595 9.308 Enabling Uplink Balancing results in invalid Masquerading config if additional address is used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34581 9.308 ctasd permanently segfaults on slave node ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34576 9.306 ftp download fails via http proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34575 9.308 AP10/AP30 - auto channel selection always selects channel 1 ------------------------------------------------------------------------ Description: Auto channel selection on AP10 and AP30 will always select channel 1 if used on AP10 or AP30. Workaround: Fixed in: 9.314 ID34570 9.308 Various segfaults after 9.308 ------------------------------------------------------------------------ Description: Since version 9.308 we got several reports that the HTTP Proxy segfaults in the following setups: Agent authentication basic authentication browser authentication Standard or transparent mode. In the kernel.log you will find entries like this: httpproxy[18113]: segfault at 0 ip 00000000f73e2103 sp 00000000ecef0c70 error 4 in libtcmalloc.so.4.1.0[f73bb000+48000] APTPReload[10391]: segfault at 30737361 ip 00000000f738cd41 sp 00000000ea685040 error 4 in libtcmalloc.so.4.1.0[f736a000+48000] NAVLWorker_14[15381]: segfault at 46af46b3 ip 00000000e9794321 sp 00000000e72d8060 error 6 in 15244__usr_lib_netview_plugins4_ip.plg (deleted)[e978c000+e000 Workaround: Support can provide a RPM to fix that issue in version 9.308 or 9.309. Fixed in: 9.310 ID34558 9.308 RED frequently reconnecting because configuring an Additional Address as UTM-Hostname ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34554 9.308 Suppress snmpd logline "Wrong netlink message type 3" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34549 9.209 Complete download from a webserver behind the WAF is not possible ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID34548 9.308 raid_monitor.plx fills up / partition (&STDOUT) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34544 9.308 HTML5 portal RDP login not possible if same user already logged in (smartcard required) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34543 9.307 BGP: if "Install routes" is unchecked bgd deamon will not start ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34542 9.308 File extension and/or mime type check does not work in an archive ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34541 9.308 Shell access cannot be activated when ssh networks are empty ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34534 9.308 End-user Messages for "SPX - Internal error - sender notification" cannot be changed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34533 9.308 Browser-language should be used for keyboard layout in HTML5 portal RDP connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34531 9.306 Bridge to VLAN SSID - AP50s - roaming issues since upgraded from 9.209 to 9.302 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34514 9.204 [9.3] Availability Group object configured in active directory causes "malformed parameter setting precedes LDAP URL" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34512 9.307 malformed UTF-8 character in JSON string, at character offset 5502 (before "\x{0}uency": 2304, "...") at awed_ng.pl ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34510 9.307 NTLMSSP_AUTH not send from Windows 7 workstations ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34505 9.307 Can't enable L2TP profile anymore when the single user was deleted ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34501 9.307 SPX: Password reset not possible ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34498 9.307 DNS Host still up in gui after change the hostname to a not existing name ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34497 9.304 Request body no files data length is larger than the configured limit ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34495 9.308 QoS: Disabling Download Equalizer breaks Downlink limit ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34491 9.306 Web security search engine report shows every keytab from google search ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34476 9.306 First boot after installation stucks in "Starting ProgreSQL" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34475 9.307 Improve Firewall Rules search field behavior ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34470 9.306 status code 407 messages are not logged anymore ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34467 9.306 "AV Scanner unreachable" mails should be moved to error queue instead of quarantine. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34460 9.306 IE 9/10 crashes when displaying 4xx/5xx error page ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34459 9.307 Adobe Flash is not blocked by AFC ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34458 9.306 Kernel panic - not syncing: Fatal exception ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34454 9.308 Bridge: dhclient doesn't restart after updating bridge ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34453 9.308 Bridge: Converting dynamic interface doesn't work properly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34452 9.306 Authentication test incomplete when using custom group attributes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34438 9.306 processing of new http profile blocks client requests ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34424 9.307 WAF: Client repuation check slow dnsbl.proxybl.org down ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34420 9.113 [9.1] Upgrade ctipd to apply security fix for GHOST ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID34418 9.114 [9.1] Upgrade ctasd to apply security fix for GHOST ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID34416 9.306 SSL VPN rekeying triggers a disconnect/reconnect of the whole tunnel ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34415 9.305 mdw crash when configuring radius for local wifi ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34414 9.306 "Cannot allocate memory" messages in the afc log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34413 9.305 Bridge Interface are not available for QoS since v9.305 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34406 9.211 [9.2] Upgrade ctasd to apply security fix for GHOST ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.211 ID34403 9.210 [9.2] Upgrade ctipd to apply security fix for GHOST ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.211 ID34397 9.307 Increase ringbuffers for SG series ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34396 9.306 LTE dongle (ACM modem) is not more working after update to v9.3 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34394 9.306 Commit issues with visio behind the WAF - Empty content length ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34389 9.306 "Invalid response from server" when browsing sites that return non compliant 204 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34385 9.306 http proxy resets https connection after 5 minutes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34383 9.306 Wireless clients connecting to a separate zone network are unable to receive DHCP replies from the UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34382 9.306 Client is unable to get an IP address from UTM DHCP server in seperate zone network ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34381 9.306 Traffic shaping and throttleing is not possible from the web filtering dashboard ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34373 9.306 WARN-080 messages sent very often ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34364 9.306 ulogd segfaults and core dumps ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34355 9.000 glibc vulnerability (GHOST, CVE-2015-0235) [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.211 ID34354 9.000 glibc vulnerability (GHOST, CVE-2015-0235) [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID34352 9.306 Sender address gets invalid in smtp proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34347 9.000 glibc vulnerability (GHOST, CVE-2015-0235) [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.307 ID34337 9.306 HTTP Proxy: Device auth reports wrong operating system ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34333 9.305 Webadmin backend connection failed 'Shift + f5'-reload causes incorrect and premature failed login alert ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34330 9.306 outdated SSL certificate for WebAdmin on fresh installations ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34324 9.305 FTP Proxy looping file download if client use active mode and av scanning is enabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34320 9.305 Proxy download patience page not displayed when using custom template ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34317 9.304 websec-reporter segfaults in UPL_ParseLine ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34315 9.209 Ulogd is filling up the swap memory ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34311 9.306 httpproxy ignores dynamic user group networks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34308 9.209 Backup import via wizard doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34302 9.306 SG W-Appliances: Not possible to assign a Bridge to AP LAN SSID to internal WIFI ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34296 9.306 Postgres connections running out due hotspotd DB connects ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34281 9.306 After update to 9.306 PDF Attachments can not be open in Adobe Reader ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34279 9.306 Clients are disappearing from the Endpoint overview and some clients appear with high numbers behind the computername ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34268 9.305 Missing graphs in Web Protection after updating to 9.305 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34263 9.305 UMTS dongle shows up in webadmin twice ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34258 9.303 (VxLAN) Wifi performance issue after update with separate zone cause a wrong MTU used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID34250 9.310 Httpproxy terminated with signal 8 in in g_hash_table_lookup ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34236 9.305 Endpoint Protection overview is not displayed in the webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34234 9.305 AFC problem with HTTPS in transparent mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34232 9.305 Postgres died without any corefile ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34226 9.305 repctl -s stops working if using time zone AEDT (Australia) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34225 9.304 Authentication failed with a disabled remote user if user name is similar to a local user ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34224 9.305 Database problems due to Up2Date while in syncing ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID34213 9.305 Cloning and editing of a http whitelist breaks the original whitelist ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34210 9.305 BGP Soft-reconfiguration not honoured ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID34203 9.308 Enabling NTP server without allowed networks throws error ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34197 9.305 httpcache cannot be created - mkdir /var/httpcache/0 failed: File exists ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34191 9.205 smtpd dies without coredump because parsing of from field results in a timeout [v9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34190 9.100 [NUTM-463] OpenSSL security update ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34183 9.304 Since update to v9.304 there is no computer name in the endpoint virus notification ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34181 9.303 Kernel panic in ip_route_output_flow ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34180 9.210 Duplicated HTML comments break the production web application ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34174 9.305 Download links in UserPortal (e.g. to download IPsec client software) don't work anymore ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34173 9.305 Httpproxy fails to lookup correct backend group ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34172 9.300 RAID monitor not running after updates ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34165 9.305 Change of the UTM hostname in the settings of a RED results in a wrong log entry ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34164 9.300 frequent notifications about corrupted RPM Database ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.307 ID34157 9.305 Bridge interface not part of ha link monitoring ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34156 9.209 IPv6 network in "Block password guessing" do not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34155 9.305 SPX encryption kills attachments ------------------------------------------------------------------------ Description: When sending an SPX encrypted mail with attachments, the number of attachments is shown but the actual attachments are not accessible. Workaround: Fixed in: 9.306 ID34154 9.209 WAF https/s redirection does not work with non-standard ports ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34139 9.113 NTP Vulnerabilities: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID34133 9.210 NTP Vulnerabilities , CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.211 ID34132 9.305 NTP Vulnerabilities , CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34128 9.304 vpn-reporter.pl invoked oom-killer ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID34117 9.304 Invalid response line on handler 5 from one website when using web filter in standard mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34104 9.304 WAF: Domain wildcards didn't work anymore after update to v9.3xx ------------------------------------------------------------------------ Description: The use of wildcards in the domain name for the virtual webserver doesn´t work correctly. Workaround: Fixed in: 9.308 ID34096 9.210 Dual scan mode defect ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34087 9.210 SPX: If encryption is done with SPX umlauts will get lost. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34063 9.210 AD groups with identical names on different domains won't be updated correct ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34057 9.209 Middleware dies if deactivated host object is used in DNS forwarder config ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34049 9.304 Mail Manager POP3 Quarantine global actions do not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID34041 9.000 CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34039 9.300 [9.3] vpn-reporter.pl segfault in get_amazonvpc ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID34037 9.300 [9.3] aua does not work with facility http while installing basic guard license ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID34036 9.300 [9.3] Using @ in hostname results in corrupt /etc/syslog-ng.conf ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID34035 9.300 [9.3] Dashboard does not show Antivirus active protocols for HTTP/S ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID34015 9.209 SMC integration with UTM is not able to push Android\iOS wireless profile ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID34014 9.303 Wifi performance issue after update with separate zone cause a wrong MTU used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.306 ID34011 9.209 Saved report displays all results instead of "Top 50" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34009 9.303 Bridge with a RED interface and some other Ethernet doesn't work after Update to v9.3 ------------------------------------------------------------------------ Description: RED Traffic is not processed correctly from the RED interface to the LAN in a bridge which is setup between a LAN and a RED interface. Workaround: Fixed in: 9.310 ID34008 9.209 Outgoing mail gets blocked because unscannable - recipient gets a notification ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID34005 9.209 SMTP Vulnerability in SSL v3.0 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID34004 9.209 POP3 Vulnerability in SSL v3.0 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID34001 9.204 Quarantined mail will be quarantine again after release with the same reason ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID34000 9.205 Mail preview should display kyrilic or chinese chars too. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33999 9.206 Remove RC4 from TLS ciphers in Exim ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33998 9.103 Unable to fetch POP3 accounts on iOS devices via POP3 Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33997 9.105 Quarantine reports has got the wrong releaselink. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33996 9.195 [BETA] Some double byte characters aren't filtered by DLP custom rule and AntiSpam Expressions filter. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33995 9.303 SMTP Proxy in Profile Mode: failed to open /etc/exim.conf.senderblacklist/REF_SMTPGlobalProfile ------------------------------------------------------------------------ Description: Mails are not processed correctly when using the SMTP proxy in profile mode. Workaround: Fixed in: 9.306 ID33990 9.210 Log Files are not visible in Webadmin after Update to 9.210 ------------------------------------------------------------------------ Description: In 9.210 you will get no list of files to view if you click on Webadmin -> Logging & Reporting -> View Log Files. A fix is already available and integrated into the update to version 9.304. Workaround: Fixed in: 9.212 ID33984 9.303 [9.3] Wifi: aweclient crashes during scan ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33981 9.206 [9.3] Group matching incorrect if user belongs to static and backend groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33980 9.208 [9.3] LDAPS fails on W2K12R2 with weak ciphers ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33978 9.208 [9.3] Config changes in IPsec remote access sometime causing a drop of established connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33977 9.202 [9.3] Can't send a VPN Profile to the SMC if the Organization Name includes a umlaut ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33976 9.209 ulogd segfaults and core dumps ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33974 9.210 Vulnerability for openvpn connections CVE-2014-8104 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33971 9.302 Device Agent reports wrong RED interface link state ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33968 9.209 Snort manual rule modification didn't match for pre-processor IDs ------------------------------------------------------------------------ Description: Manual modified IPS rules configured at Network Protection | Intrusion Prevention | Advanced may not be reliably dropped. Workaround: Fixed in: ID33962 9.302 Clients on AP100 shows only 6mbit/s ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33959 9.302 RED10: bootcounter problem happens often after update to 9.3 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33958 9.209 IPFIX is mixing data streams in HA/Cluster mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID33952 9.300 Not possible to store comments for Vouchers ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33951 9.209 Masquerading rule overview empty ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33941 9.210 UMTS: Support ESN and MEID ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33936 9.301 prevent "ulogd: ct1: nl_recvmsgs: Try again" error message in system.log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.307 ID33926 9.209 Virus scanner error happens when downloading files via WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33924 9.302 Streaming an Enterprise SSID without having Radius Server configured ends in AP stops streaming SSIDs at all ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID33918 9.209 Unresolved interface in user portal listen address breaks interface status ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33911 9.301 Up2Date not possible with essential license ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.303 ID33908 9.209 HTTP Proxy freezes after config change ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID33906 9.301 INFO-302 New Firmware Up2Date installed misses new firmware version ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33881 9.301 BATV messed up SMTP proxy message handling ------------------------------------------------------------------------ Description: Incoming BATV mails lead to misbehavior of the SMTP handling Workaround: Fixed in: 9.304 ID33880 9.209 Slow wireless speeds when using Linux (Intel Centrino Advanced-N 6205) and AP50 ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33875 9.209 libsavi.so.3 in /var/chroot-smtp/var/pattern/savi/engine/ has 0 byte after installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33872 9.209 Reporting for HTML5VPN connections didn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33859 9.300 [9.3] Up2date flag not set for owaspcrs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33853 9.301 update.c[646]: Assertion '!local.disabled ' failed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33849 9.301 "Creating postmaster public or private key failed." message in "Email Protection > Encryption > Global" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID33845 9.301 Bridge: Cannot enable multiple vlan interfaces on top of a bridge ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33843 9.280 SPX - Send and attachments icon hides. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33841 9.301 Mesh APs keep rebooting ------------------------------------------------------------------------ Description: When you are using meshed Access Points on the UTM the APs will keep rebooting frequently. Workaround: Fixed in: 9.307 ID33839 9.300 Network objects with interface bindings get overwritten from SUM ------------------------------------------------------------------------ Description: Network objects with interface bindings get overwritten from SUM. Workaround: Fixed in: 9.308 ID33838 9.280 SPX reply portal garbled characters ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33824 9.301 Wifi: rt2x00queue_write_tx_frame: Error - Dropping frame due to full tx queue 2 ------------------------------------------------------------------------ Description: wireless.log shows "rt2x00queue_write_tx_frame: Error - Dropping frame due to full TX queue 2" and leads to connection lost of clients. Workaround: Fixed in: 9.302 ID33823 9.201 Routing domain wildcards isn't working for SMTP profiles. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33818 9.301 Web Filter category blocking not working because URID fails to restart ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID33814 9.301 Application control block does not show up in the report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID33813 9.203 [9.3] Policy tester always returns "allowed" if warn page is proceeded once ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33812 9.300 Quota proceed on a url with '&' will not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.303 ID33811 9.200 [9.3] ad-sid-sync.pl is executed even if AD sync is disabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33809 9.205 [9.3] winbindd died in kernel_vsyscall ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33808 9.201 [9.3] High load after pattern installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33807 9.204 [9.3] Guest login fails in transparent browser auth mode if "terms of use" confirmation is required ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33805 9.201 [9.3] Full transparent AD SSO redirect URL request gets dropped by packetfilter ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33803 9.209 Webadmin stopped working from time to time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID33799 9.300 Some websites fail to load with "invalid response line on handler 74" after 9.300 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.302 ID33792 9.301 MAC filter doesn't work for local wifi ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID33785 9.250 Local wifi has problems with string "Interface" in SSID ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID33782 9.300 MDW error when amazon vpc is enabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.306 ID33771 9.205 [9.3] Device auth reports wrong client information and iOS 8 isn't detected properly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33769 9.206 [9.3] ad-sid-sync.pl fails to lookup trusted domains groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33768 9.280 [9.3] OS X HTTPS traffic identified as iOS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33766 9.300 Slave stays in "syncing" state after update to 9.300 ------------------------------------------------------------------------ Description: Slave appliance stays in "SYNCING" state after update to 9.300. Workaround: Fixed in: 9.302 ID33760 9.300 ipsec: dying Middleware with Bridge configured ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.301 ID33754 9.280 [beta] pop3 proxy stopped working ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33752 9.300 Wifi: confd error after awe->device validation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33751 9.300 Bridge without Address lost after Upgrade from 9.2x to 9.300 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.301 ID33746 9.300 psk and ssid with a \ are wrong in confd ------------------------------------------------------------------------ Description: Sophos UTM 9.3 no longer supports the use of a backslash \ in the SSID and the PSK. Workaround: Remove the backslash \ in the PSK and/or the SSID. Fixed in: 9.301 ID33744 9.204 RA: umlauts don't work in usernames with Exchange 2007 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33743 9.300 Wifi: after upgrade from 9.2 -> 9.3 awe_status is 0 ------------------------------------------------------------------------ Description: After the update to 9.3 the wireless protection module is automatically disabled. Workaround: The Wireless Protection module gets automatically activated again after you navigate Wireless Protection | Global Settings on the WebAdmin. Fixed in: 9.301 ID33739 9.304 After enabling Amazon VPC the connection to the box is broken. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.306 ID33735 9.209 Authorization fails for openvpn if group "Active Directory Users" is used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID33722 9.204 [9.3] Special characters like umlauts didn't work in passwords with reverse authentication for the WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33721 9.204 Can't restore backup because of an undefined value [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33720 9.206 [9.3] Coredumps from reverseproxy after update to v9.206 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33718 9.165 exceptions for Common Threat Filters do not work individually [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33716 9.209 Dashboard shows AntiSpam is active for protocols POP3 with Basic Guard License ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID33709 9.209 Logfile Search for pop3 proxy not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33704 9.208 lag2 interface will be lost after adding as HA interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33701 9.207 ulogd is restarted every hour due to ATP pattern update ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33693 9.280 Bridge: default ethertype '88B7' not set after converting ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33680 9.303 up2date installation fails if previously running up2date download process is still running ------------------------------------------------------------------------ Description: If you want to install an up2date by clicking on "install" at Management | Up2Date | Overview it can happen that you receive a message which indicates that the installation has been started but you don´t get any feedback on the WebAdmin and the UTM doesn't restart. This is because the up2date installation aborts without an error message and therefore doesn´t finish. The reason for this issue is that the Up2Date download process is still running in the background because the download is not finished and so the installation is not able to start. You can verify that you are affected if you press the reload button and then still see your old version and no "Available Firmware Up2Dates". Workaround: Wait a few minutes until the download is finished and then hit the "install" button again. This time the up2date should work. Fixed in: 9.308 ID33677 9.210 WAF: fix request handling for status code 413 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33676 9.280 Bridge: Enabling IPv6 is not applied under some circumstances ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33666 9.209 HTTP server (UserPortal/WebAdmin) has missing/wrong error handling for "CONNECT" method ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID33662 9.270 Quota Status page does not work when ha->status set to 'zeroconf' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.303 ID33661 9.270 SSL errors appearing in http.log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33658 9.280 Bridge: MAC address is not reset after removing the convert interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33655 9.210 Special characters in SSID lead to an awed crash [9.3] ------------------------------------------------------------------------ Description: Special characters in a SSID will lead to an unwanted shutdown of the wireless daemon. Workaround: Fixed in: 9.302 ID33654 9.210 Special char in SSID lead an awed crash [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33647 9.209 SAA client not compatible with newest MacOS (Yosemite) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33632 9.207 Can't disable Application control with Web Protection Manager role ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33627 9.275 Error message while activating/deactivating Pop3 and FTP without local networks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33624 9.209 [9.3] WAF report 'Top Groups by Virtual Host' wrong filtering ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33613 9.208 OS X HTTPS traffic identified as iOS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33599 9.275 Warnings after every awed restart on UTM without onboard wifi in wireless.log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID33580 9.300 [9.3] vpn-reporter.pl segfaults, error 4 in libc-2.11.3.so ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID33566 9.209 Aua child core dumps during Tacacs+ authentication ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33562 9.208 ERROR: duplicate key value violates unique constraint "modified_headers_pkey" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33550 9.275 [9.3] Add support for passthrough NTLM connection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33545 9.113 Improve handling of rpmdb corruptions ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID33527 9.208 Site path routing tab is not visible with "web application protection manager" access ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33520 9.106 [9.3] Wireless Security Manager can't accept new AP's ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33516 9.209 POP3 Vulnerability in SSL v3.0 [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.211 ID33515 9.209 SMTP Vulnerability in SSL v3.0 [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.211 ID33513 9.200 HA SELFMON tries to restart repctl of reserved nodes ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33496 9.204 [9.3] Not possible to delete VPN tunnel managed by SUM after use "cleanup object" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33491 9.206 Invalid service names of remote access connections in database ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33488 9.300 [9.3] Wrong date in executive report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33481 9.265 [BETA][9.265] INFO-302 New Firmware Up2Date installed misses changelog ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33479 9.207 [9.3] Not possible to change TLS certificate ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33468 9.300 [9.3] Remote SSL VPN view is empty in printable configuration ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33467 9.300 [9.3] Remote Syslog Server IPv6 support ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33466 9.300 [9.3] It's not possible to use Subfolders for Remote Log File Archives over SMB on CIFS share ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33465 9.208 ad-sid-sync.pl fails to connect to DC if Bind DN contains a comma ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33441 9.208 Pre 9.206 uploaded png logos should be converted automatically ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33437 9.300 [9.3] Configuring a whitelist in webfilter filter action appears in blacklist on UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33432 9.100 RED: Weak cipher EXP-RC4-MD5 not excluded in cipher list [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID33431 9.206 Enable/Disable sliders for Users objects not working when using Safari on MAC or IOS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID33429 9.208 AP100: Unable to authenticate with an SSID using a PSK with a dollar character ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33423 9.100 POODLE: Backports to 9.1 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID33414 9.208 SMTP: AV Scanner timeout or deadlock ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33397 9.270 E-Mail Notification that new Firmware Up2Date is available for installation is missing ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.280 ID33394 9.265 Web-customization is confusing MiddleWare with redundant dependency ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33391 9.205 leading zeros within snmp oids ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33386 9.205 smtpd dies without coredump because parsing of from field results in a timeout ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33382 9.208 Config changes in IPsec remote access sometime causing a drop of established connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33327 9.250 support access tunnel page in webadmin hangs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33323 9.208 Using @ in hostname results in corrupt /etc/syslog-ng.conf ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33320 9.208 Wireless Protection 'Password of the Day' feature is generating passwords that are offensive ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID33307 9.207 Not possible to change TLS certificate ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33304 9.207 SSL interception causing annoying pop-ups in Microsoft Outlook and other client software ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33278 9.260 Not possible to download log files as archive ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33277 9.208 [9.2] Add support for passthrough NTLM connection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33272 9.265 Can enslave a wireless separate zone interface into a bridge interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33260 9.270 Upgrading (9.2 -> 9.3) leads to mdw errors regarding vxlan ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33258 9.207 Cluster smtpd restarting permanently (segfaults and core dumps) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.303 ID33236 9.208 [beta] View log file displays nothing in Safari ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33228 9.206 Remote access reporting incorrect in case openvpn gets a restart ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33226 9.265 mdw error removing of ebtables rules fails ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33211 9.207 [NUTM-1141] Change behavior how NAC enforce WiFi connections ------------------------------------------------------------------------ Description: The desired functionality or behaviour can be achieved by setting the mac filter type to "Black list" in SSID configuration. In this case only, the black listed mac group and non-complaint devices are blocked. Other complaint and non-managed devices are able to join the wireless Network. However, the default behaviour is set to block everything expect complaint devices, so that more security is achieved. Workaround: Fixed in: ID33206 9.260 Beta Installer says 9.3 Alpha ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33200 9.250 Wifi: make IEEE 802.11r optional ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33197 9.305 kernel panic on systems running large http proxy installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID33190 9.260 Notification for pattern up2dates are not send anymore ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33180 9.260 Missing help link on HTTPS tab ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33176 9.260 AV scan size limit not applied in mode 'monitor' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33171 9.260 auisys in --nosys mode deletes sys descriptions -> this results in that the button to start the Up2Date is not visible ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33169 9.260 Regression: Application Control via HTTP proxy doesn't work at all ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33159 9.207 Timezone update needed for Russia [v9] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.209 ID33149 9.206 rrdcached exiting due to unknown reason ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33133 9.260 SPX "Generated and Stored for recipient" does not work after "recipient specified" mode was used. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33128 9.251 Installation fails for SG450 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.280 ID33116 9.200 Up2date flag not set for owaspcrs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID33111 9.206 Group matching incorrect if user belongs to static and backend groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID33103 9.251 User Activity Search in Search Log files does not work for Endpoint web protection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.300 ID33095 9.200 RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported [9.3] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33081 9.251 Deanonymization gives wrong name in Quota status report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33080 9.251 search engine report does not work neither searches, nor user searches, nor search engines ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33064 9.251 display that 'Accept unhardened form data' is enabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33061 9.113 Bash Vulnerability: CVE-2014-6271 [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID33059 9.000 CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.208 ID33048 9.251 rewriting links containing non-standard port number not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID33040 9.206 fix traffic counting for br0 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID33028 9.251 client does not get an IP from separate zone network ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID33027 9.206 Packetfilter numeration in webadmin does not match iptables ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID33024 9.250 Header Modification fixes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID33019 9.206 After upgrading to iOS 8 UTM does not recognize iOS anymore (Device-specific Authentication) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32996 9.306 Authentication failed after I proceed with accepting warn- or quota page ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID32994 9.251 Customization template will not be used when http proxy is running ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID32980 9.206 Remove RC4 from TLS ciphers in Exim ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32972 9.205 IPS exception does not work for SID 18575 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32969 9.206 Coredumps from reverseproxy after update to v9.206 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32960 9.206 Tunnel traffic is counted twice by QoS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID32957 9.205 winbindd died in kernel_vsyscall ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32950 9.207 Configuring a whitelist in webfilter filter action appears in blacklist on UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32940 9.205 SG550: Licensing does not work if module is relocated after installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32935 9.206 Missing option to enable/disable Sophos Outlook Add-in in Webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32933 9.250 vxlan tunnels are corrupted if more aps have the same last_ip value ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.275 ID32930 9.206 Kernel Panic in 9.206 RIP nf_nat_setup_info+0x209/0x652 [nf_nat] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.209 ID32913 9.200 Fix vlan 0 and 4095 handling ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32908 9.206 Error messages in kernel.log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32900 9.200 pppoe ipv6: link local address is displayed as external ip address ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID32886 9.206 ARP request is performed with wrong IP address ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32880 9.205 Cached user backend memberships won't be updated ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID32877 9.205 Winbindd running on 100 percent cpu while poll on DC Kerberos connection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID32870 9.206 ad-sid-sync.pl fails to lookup trusted domains groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32867 9.250 RED Interface doesn't send dhcp requests after the RED is online ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID32862 9.205 Traffic is included in statistics and executive reports although an exception exists ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID32852 9.205 Any SSL traffic through HTTP proxy gets classified as "Sophos Portal" if a "Sophos Portal" AppCtrl rule exists ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32851 9.205 Device auth reports wrong client information ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32842 9.207 Webcontrol for UTM and SEC managed clients does not work - failed to ConvertStringSidToSid ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32837 9.205 vpn-reporter.pl segfaults, error 4 in libc-2.11.3.so ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32833 9.206 Regression: SMTPd/Exim does not reload on AD backend server modification ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32832 9.205 Remote Syslog Server IPv6 support ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32831 9.250 enabling time based dynamic channel selection should not be possible without selecting a scan-time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.265 ID32805 9.205 NETDEV WATCHDOG: eth0 (tg3): transmit queue 0 timed out ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32794 9.205 vpn-reporter.pl segfault in get_amazonvpc ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32781 9.204 Hotspot: expiry not set in DB ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32769 9.205 Connection to TS Remote Desktop doesn't work correctly over HTML5VPN using windows server 2012 or windows 8 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID32761 9.204 Proxy cert for customized HTTPS enduser messages is not delivered with complete chain information ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID32741 9.209 Hitting "proceed button" after contentfilter warning does not display entire website ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32738 9.250 Regression: When changing interface type, the currently used hardware is dropped from selection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.270 ID32726 9.206 Dashboard does not show Antivirus active protocols for HTTP/S ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32724 9.206 improvements for the rpmdb check ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.307 ID32717 9.209 Sip helper drops fax packets ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32713 9.205 Console keyboard doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32711 9.205 Mail preview should display kyrilic or chinese chars too. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32709 9.205 can't change IP via Front Panel to 10.192.226 stopps at 10.192.225 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32707 9.205 HTTP proxy basic auth forces re-auth too often ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32703 9.204 Multicast traffic problems after upgrading to SG430 and 9.204 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32701 9.205 Matching DLP expressions - entries in log even if DLP is not configured ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32696 9.205 Hotspot: only one login possible per username for backend authentication hotspot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32690 9.205 It's not possible to use Subfolders for Remote Log File Archives over SMB on CIFS share ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32683 9.202 Can't send a VPN Profile to the SMC if the Organization Name includes a umlaut ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32665 9.305 memleak in afcd ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID32646 9.205 OWA and OA access didn't work anymore after changing the password ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32631 9.204 iptables-restore running with nearly 100% CPU (CVE-2014-9402) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID32626 9.000 SUM-SSO login on UTM devices not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID32616 9.200 Scanner time out while too many CCL rules are turned on ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32607 9.205 Not possible to use virtual mac on lag interfaces ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32605 9.205 UTM525 stops with kernel panic with nf_nat_seq_adjust+0x93/0x2e2 [nf_nat] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32604 9.204 Special characters like umlauts didn't work in passwords with reverse authentication for the WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32602 9.204 Web control policy not applying to endpoints ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32601 9.205 Kernel panic at nf_ct_remove_expectations+0x50/0x63 [nf_conntrack] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32596 9.205 RED Interface doesn't send dhcp requests after the RED is online ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32594 9.202 WAF: Disable backend connection pooling ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID32588 9.204 Can't restore backup beacause of an undefined value ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32571 9.060 [V9] Blocked HTTPS-Sites in Filter Action Mode 'Blacklist' doesn't match if Exception is matching on Categories ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID32560 9.205 Configure nf_conntrack_max value for new SG1xx appliances ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32553 9.204 AFC control skiplist host listed in top 10 blocked application control destinations ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32552 9.204 Quarantined mail will be quarantine again after release with the same reason ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32539 9.205 The default "nf_conntrack_max" value is too low for new SG550/SG650 series. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32537 9.204 Guest login fails in transparent browser auth mode if "terms of use" confirmation is required ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32533 9.201 Extenteded information from web security reporting results table shows nothing ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32519 9.204 vpn-reporter.pl segfault in libc-2.11.3.so ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32484 9.205 acc_cleanup_objects runs into timeout if there is a large amount of global objects [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32433 9.204 Not possible to delete VPN tunnel managed by SUM after use "cleanup object" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32431 9.204 Kernel panic in 9.204: ip_queue_xmit+0x19a/0x2d3 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32412 9.204 Sync WiFi preshared keys to SMC ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32401 9.204 dhcp option 43 , scope server is not working on one system ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32393 9.200 Denial of service in mod_deflate's request body decompression (CVE-2014-0118) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32392 9.200 Race condition in Apache scoreboard handling (CVE-2014-0226) ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32391 9.204 UMTS interface doesn't come up again after the speed changed from 4G to 3G ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32388 9.250 Change snort links to vendor homepage ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32387 9.200 Change snort links to vendor homepage [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32386 9.113 Change snort links to vendor homepage ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID32381 9.204 Httpproxy EpollWorker segfault in kernel_vsyscall (dns_lookup_proto) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32380 9.204 Httpproxy EpollWorker segfault in send_request_headers () ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32378 9.204 Reset Adapter and Hardware unit hang after update to v9.204 for intel ethernet controller 82579LM Gigabit Network Connection ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32376 9.202 Problems with form reverse authentication in reverseproxy for OWA / ActiveSync ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32364 9.203 Syntax error on line 1 of /usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.skip ------------------------------------------------------------------------ Description: Sites behind the WAF are not accessable anymore and browser shows a 403 error. When you try to restart the reverseproxy via commandline (/var/mdw/scripts/reverseproxy restart) you will get an error message like this: AH00526:Syntax error on line 1 of /usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.skip or similar to this path with modsecurity_crs_xss_attacks.conf for example. Workaround: Disable common threat filter for all firewall profiles and restart the reverseproxy after the new firewall profile config was saved. The reverseproxy should start normally now. Check this with browsing to the URL which had the 403 error before config changes. If this is possible again and the 403 error is gone you can enable common threat filter for all firewall profiles again. Fixed in: 9.205 ID32359 9.204 Transparent SSO not applying proper policy when using defined groups ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32347 9.201 SSH connection are hanging while configure the UTM from webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32340 9.203 Clients with Windows Live ID Sign-in Assistant still fail to authenticate ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32321 9.203 Upload fails for passive FTP connections in transparent mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32315 9.112 Customized web templates, problems with Block All mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID32306 9.203 "Skip rule on interface error" does not work in multipath ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID32286 9.203 Sorting of APs in Webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID32282 9.104 [NUTM-118] Generate reports asynchronously ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID32254 9.113 Master shows slave device name as "unknown" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32252 9.203 Installer breaks formatting in 70-persistent-net.rules ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32241 9.203 "Update to Latest Version Now" downloads and installs newer up2date packages than displayed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32238 9.203 ulogd restarts (BUG at ipfix.c:313 / BUG at thread.c:33 ) and coredumps ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32237 9.203 Release of IPsec Pool IPs not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID32236 9.204 bounced spx encrypted mail is shown as delivered ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32233 9.203 Switching user group from "backend membership" to"static" does not set backend_match to "none" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32219 9.203 Can't change the hotspot admin email without websecurity license ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32214 9.203 System freeze using uplink balancing and IPsec bind to interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32190 9.203 Policy tester always returns "allowed" if warn page is proceeded once ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32183 9.204 RED10: potentially no reboot after firmware update ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32180 9.201 smtp connection is lost during unnecessary config reload ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32168 9.305 Add support for AES GCM with AES-NI and keylength above 128bit ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID32165 9.203 Don't allow usage of disabled interface in user portal ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32158 9.200 Transparent mode AD SSO should redirect to the hostname of the UTM, not the FQDN ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32150 9.201 confd sync daemon runnnig on slave node ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32129 9.203 RED: rewrite cert files after cert change ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32127 9.203 smtpd dieing without Coredump ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32126 9.202 The SMC connection test didn't work before applying the configuration ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32114 9.203 Transparent AD SSO fails after redirect page with "cannot assign requested address" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32108 9.201 Country blocking exceptions with empty country doesn't work if destination is local to UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32097 9.201 High load after pattern installation [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32095 9.111 Keyboard Layout for RDP always defaults to QWERTY ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID32082 9.202 Issue with clipboard in html5vpn connection and chinese characters ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID32079 9.200 UMTS modem device hanging ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32067 9.203 Workaround for software updates/ downloads via download manager ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID32048 9.202 Using a Reverse Authentication profile requires the 'Path' to end with a / ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID32043 9.201 IPsec Auto-Packetfilter rules depolyed by SUM (4.2) again and again ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32034 9.201 Full transparent AD SSO redirect URL request gets dropped by packetfilter ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID32029 9.201 Switching user group from "static" to "backend membership" does not remove static group members ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID32027 9.202 Packetfilter rules numbering in webadmin and livelog doesn't match ------------------------------------------------------------------------ Description: Numbering of firewall rules are incorrect in packetfilter log if "automatic firewall rules" are existing. In case you have activated the option e.g. for a IPSec VPN tunnel that the UTM creates "automatic firewall rules" this will influence the numbering of the firewall rules because the automatic rules are written before the user-created rules. So if you have e.g. five automatic firewall rules created by the UTM the first user-created rule will be number six. Workaround: Fixed in: 9.206 ID32019 9.201 Japanese double byte text in "Device Specific Text" of notification mail broken ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32012 9.201 Postgres startup problem because pg_xlog files are missing ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID32010 9.202 Packetfilter rules are not visible in webadmin when IE is used and version 9.202 is installed ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID32008 9.202 Using lag interfaces in a bridge setup is not reboot save ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID32004 9.200 Confd sometimes returns Strings on BOOL over JSON-RPC ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31998 9.201 When BATV is active incoming mails are not decrypted ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID31992 9.111 network range in network group shouldnt be allowed in allowed networks as per 21588 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31986 9.202 Tpyo in install instruction for the SPX outlook add-on ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID31980 9.111 If a Endpoint client with WebControl is behind a UTM it doesnt belong to or is no UTM managed Endpoint at all surfing gets slow ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID31948 9.201 "Any" in "Requiring TLS for specified hosts/nets" does not allow TLS skip list objects. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID31939 9.100 OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224) [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.113 ID31938 9.200 OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.203 ID31915 9.112 Default exception for chrome updater/installer [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID31910 9.201 Request dns_host object info causes high system load due to large confd_objects table ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID31907 9.201 mails with attachments are causing scanner timeout or deadlock ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31901 9.201 Not possible to activate MSP licenses on SG appliances ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.205 ID31895 9.201 smtpd causes high disk I/O after update to 9.2 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31889 9.202 Reduce exceptions for Firefox Update [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31859 9.202 Make http proxy handle uncompressed DNS responses ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID31858 9.201 Already encrypted attachments get broken if Content-Transfer-Encoding was not set to Base64 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID31857 9.201 SMTP profile mode not working, because not all domains are written in exim.conf.includes/local_domains ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID31855 9.111 Application control Rule created but is invisible in Webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.305 ID31837 9.201 kernel NULL pointer deref at nf_nat_setup_info+0x299/0x61f [nf_nat] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31835 9.201 It's not possible to send automatic backups if INFO-011 is disabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31827 9.111 netselector does not write server sorted correctly [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID31814 9.111 nextgen-agent restarting permanently ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31812 9.201 Extended information from web security reporting results table shows nothing ------------------------------------------------------------------------ Description: Sometimes there is an issue with the detailed informations of the web usage report. One click on a entry in the web usage report results in an empty reporting direction box. This could happen cause of an timeout after two minutes. This will be fixed in version v9.3 Workaround: Fixed in: 9.206 ID31806 9.201 dhcpd not started after up2date ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31795 9.201 Skip download patience page for files which match in "block downloads larger than" filter action ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31792 9.201 selfmon too agressive about ctasd_inbound_mem_usage counter and ctasd_inbound_mem_usage counter ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31785 9.202 netselector does not write server sorted correctly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31784 9.201 smtpd is restarting and creates coredumps in 9.201 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31776 9.201 Departments in web security reporting are only viewable with filter "any time" ------------------------------------------------------------------------ Description: If departments are configured, it is not possible to filter them in the websecurity reporting. Then the requested informations are visible with the filter "any time" only. All other filters for the department view are empty. Workaround: Fixed in: ID31772 9.201 Hotspot: voucher details for bridge-to-vlan networks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID31750 9.201 Upload of exe files via waf results in segmentation fault of reverseproxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31746 9.201 Not downloadable Mails can be downloaded with the 'Selcect action to apply on messages' dropdown ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID31744 9.111 Blacklisted(Mail) due to not working Mutlipath rule ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID31742 9.201 Segfault caused when generating PDF Bandwith Usage report in Webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31739 9.202 RED50 firmware install loop after up2date to 9.202-028 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31716 9.201 Permanent admin-reporter.pl restarts causing high cpu load ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.203 ID31696 9.201 Kernel panic after adding new Access Point ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31691 9.202 Support IP address for SMC-Server ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31671 9.202 changing time steps of individual OTP tokens results in authentication failure ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31668 9.201 Policy tester returns wrong backend group ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31646 9.111 Hotspot drops Radius authentication requests ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.309 ID31644 9.201 Segmentation fault in serve_local_file from /usr/lib/libglib-2.0.so.0 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31627 9.201 REDs without connection to the provisioning server can't install the new firmware after up2date to 9.2 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31608 9.201 Websec reporting didn't work correctly after update to v9.201 ------------------------------------------------------------------------ Description: Websec reporting didn't work correctly after update to v9.201. In some cases web security reporting is not correct after the update. Wrong amount of users, Unrealistic amount of usage, etc. Workaround: Will be resolved in v9.204 Fixed in: 9.204 ID31599 9.201 coredump of vpn-reporter due to not parsing the username correctly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31594 9.201 Display of a SG Series shows 'HA Slave Status Error' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.203 ID31582 9.201 Mails stuck in work queue due to duplicate key value violates unique constraint "primary_m" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31581 9.107 Up2date pattern rpm's fails to install if hostname contains '/' character. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID31578 9.201 Avira Scanner can not scan pop3 mail, Error index out of bound [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31571 9.201 Executive reports failed with error message "Bad file descriptor" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.203 ID31568 9.104 Winbind failed to accept socket - Too many open files [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31560 9.201 NTP for offline provisioned REDs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31541 9.201 "Web Protection Manager" role is missing necessary rights ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31539 9.201 Add support for PFS (Perfect Forward Secrecy) to Exim ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID31536 9.201 If a Endpoint client with WebControl is behind a UTM it doesnt belong to or is no UTM managed Endpoint at all surfing gets slow ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31534 9.200 Wrong date in executive report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID31530 9.201 ulogd coredump caused by an error message from postgreSQL "integer out of range" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31527 9.201 [CVE-2014-2891] DoS vulnerability in strongSwan ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31518 9.004 [9.2] Regression from V8: Recipient Verification against AD not working with LDAP-SSL ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31508 9.200 [UBB] DynDNS: Wrong update URL for namecheap.com ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31495 9.109 UTM525r5 declared as software after copper module replacement ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID31479 9.201 Orphane Object in Filter Action - creating a whitelist/blacklist object ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31468 9.000 Possibly wrong numbers in the confd qos interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31460 9.201 Exception is detected but will be ignored on outgoing emails (when scan outgoing messages is active) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.203 ID31446 9.202 WAF: fallback hosts do not work with non-standard port numbers ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31443 9.202 WAF: HTTP/S redirection does not work with non-standard ports ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31439 9.200 Recheck for extensions when releasing Quarantine Message ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID31423 9.106 NTPd still fails to synchronize ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID31392 9.201 [SR] Saving blacklist/whitelist fails in User Portal ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31387 9.200 ad-sid-sync.pl is executed even if AD sync is disabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID31386 9.200 Regression: Wrong AD SSO backend group matching since 9.200 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31380 9.112 Reduce exceptions for Firefox Update [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.114 ID31374 9.200 Correctly account Confd ipsets consumed by user and group networks ------------------------------------------------------------------------ Description: When changing some settings in WebAdmin, the error "Client authentication cannot use more than 170 user and group networks at the same time." is displayed. This happens when Client Authentication is enabled for more than 170 user and group networks. Workaround: - temporarily disable client authentication in WebAdmin at Definitions & Users > Client Authentication > Client Authentication status - set Client Authentication status back to enabled - remove as many users and/or groups from the Allowed Users and Groups box as needed to get their number below or equal to 170. - hit the Apply button Fixed in: 9.202 ID31373 9.200 Form hardening exception match but doesn't work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31368 9.200 CVE-2014-0160: TLS heartbeat read overrun [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID31367 9.100 CVE-2014-0160: TLS heartbeat read overrun [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.111 ID31357 9.200 [SR] IPS Rule Age not available for Subnodes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31355 9.200 Not possible to use a network range object as virtual IP pool for remote access ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID31342 9.200 Web Protection Manager cannot change exceptions if "bypass users" are configured ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31340 9.109 rsyncd not started after switching to master mode (slave node hangs in syncing state) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID31337 9.200 Too long hostname will break layout in dashboard ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31320 9.200 httpproxy coredumps during shutdown time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31309 9.109 Make httpproxy more tolerant to invalid Content-Length value from Server ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31261 9.106 Support Japanese PDF version of Daily Executive Report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID31259 9.200 High amount of httpd threads consuming complete swap ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31252 9.200 UMTS failover doesn't work after HA takeover ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID31238 9.100 mod_proxy_msrpc: segmentation fault on backend connection access [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31210 9.201 When restarting Master: Pop3 proxy not running - restarted ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.317 ID31175 9.100 Redirect with port number on backend leads to invalid Location header on frontend [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31174 9.200 Google Play store downloads should bypass the download patience page ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31173 9.109 SSL VPN Client crashes on 64 Bit Machines ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31164 9.201 [BETA] Routing domain wildcards aren't working for SMTP profiles. ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31160 9.109 Mail manager language does not use webadmin language ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID31131 9.109 UTM525r5 declared as software after copper module replacement [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31128 9.200 [Hyper-V] No link status reported with 'tulip' driver (legacy NICs) ------------------------------------------------------------------------ Description: Legacy network adapters are not supported in Hyper-V. From: https://technet.microsoft.com/en-us/library/cc770380.aspx The legacy network adapter requires processing in the management operating system that is not required by the network adapter. We recommend that you use the legacy network adapter only to perform a network-based installation or when the guest operating system does not support the network adapter. Workaround: Fixed in: ID31121 9.100 DHCP mapping comments gets lost by upgrading to 9.100 [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31118 9.200 httpproxy 'srcip' debugging does not contain all auth_transparent.c debug entries [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31116 9.200 Performance and scalability improvements of HTTP proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31113 9.201 Make tunnel netmask settings consistent in RED deployment helper and in interface settings ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID31105 9.000 DynDNS: Add support for interface strategy for FreeDNS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31103 9.000 Endpoint: Scheduled scans are not created on the client if the policy name on UTM contains a '_' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID31100 9.201 Import of Filter Exceptions from UTM to SUM fails ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID31083 9.109 Remote SSL VPN view is empty in printable configuration ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID31080 9.200 import of hardware OTP secrets using PSKC files ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID31078 9.200 implement option for manual and automatic sync of time drift of hardware OTP tokens to UTM ------------------------------------------------------------------------ Description: If the time on a hardware OTP token differs for more than 1.5 timesteps from the real-world time (depends on the configured time-zone)- i.e. more than 45 seconds if time step is 30 sec - the generated OTP might be treated as invalid. This leads to the hardware token being not usable to authenticate against the UTM. Workaround: No workaround available, fix is planned for 9.202 Fixed in: 9.202 ID31077 9.200 increase window of allowed OTP tokencodes for the very first authentication ------------------------------------------------------------------------ Description: If the time on a hardware OTP tokens differs more than 1.5 timesteps from the real-world time(depends on the configured time-zone)- i.e. more than 45 seconds if time step is 30 sec - the generated OTP might be treated as invalid. This leads to the hardware token being not usable to authenticate against the UTM. Workaround: No workaround available, fix is planned for 9.202 Fixed in: 9.202 ID31027 9.201 FTP proxy active mode did not work and failed with the antivirus turned on ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.203 ID31013 9.250 DynDNS: Add support for service 'DNS-O-Matic' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID31000 9.200 SMTP: different behavior for internal malware and spam dependent on scan outgoing setting ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID30951 9.200 Outgoing mails get quarantined as "UNSCANNABLE" although "Quarantine unscannable and encrypted content" is disabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30949 9.200 smtp scanner dies in combination with SPX and regular email encryption ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30945 9.200 ATP Dashboard Link & Reporting Issue (72h not visible) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30940 9.109 Wireless: Some SSIDs are shown as HASH(...) in WebAdmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30934 9.200 Incorrect Certificate used during Transparent HTTPS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30925 9.200 SPX: character sets other than UTF-8 break PDF and portal ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30898 9.200 OTP: Token may be created for wrong user if remote/local user differ in case ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30883 9.195 Graphs in Executive Report are only shown if "Daily executive report" option is enabled ------------------------------------------------------------------------ Description: If generating an Executive Report "Logging & Reporting -> Executive Report -> Generate report now", the graphics are only shown if the option "Daily executive report" is enabled. Workaround: Enable the option "Daily executive report": "Logging & Reporting -> Executive Report -> (Tab)Configuration -> Daily executive report" Fixed in: 9.206 ID30879 9.200 device-agent dies when mailsec.accu doesn't exist ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID30869 9.200 [BETA] DLP: Region selector of "Sophos CCL Rules" doesn't show the first element ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30863 9.107 PIM SM does not work between two networks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID30851 9.106 emailpki_generate_user fails if pkcs12 file contains a cert twice ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.275 ID30840 9.108 Static route using a pptp RAS IP not set by middleware after connection is estalished ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID30825 9.200 IPv6: Add support for DHCPv6 'rapid commit' ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID30800 9.195 [BETA] Some double byte characters aren't filtered by DLP custom rule and AntiSpam Expressions filter. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID30792 9.195 [BETA] DLP: Incorrect DLP behaviour when no routing domains are configured ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID30770 9.108 SMTP mailmanager hides filter summary and sorting text ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID30736 9.195 [BETA] AD SSO Transparent mode conflicts with WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID30735 9.195 OTP: User Portal can be disabled although WebAdmin-facility and auto-creation are enabled ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30723 9.195 RED 10 stops working while handling large packets ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30701 9.195 [BETA] SPX: labels of original message are not correctly encoded in spx reply ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30695 9.195 Hostnames with utf-8 characters are not shown in PDF executive report ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID30650 9.194 Lost site-to-site VPN configuration after up2date installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.195 ID30640 9.107 Messages with reason "sender_blacklist" cannot be written to quarantine ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID30637 9.194 [BETA] Handling Filter actions used in multiple policies ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30635 9.194 Make ATP alert clearing configurable ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID30614 9.194 [BETA] DLP: invalid characters in CCL names and description ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID30571 9.200 Add option to disable OTP for Webadmin/SSH from front panel LCD of UTM appliance ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30561 9.193 [BETA] Username with \ is seen in sAMAccountName with \\ ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30522 9.193 [BETA] Tunnel broker Hurricane Electric broken ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID30509 9.000 Uploads via reverse proxy are limited to 128 MB when profile with 'XSS Filter' or 'SQL Injection Filter' enabled is in use [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.112 ID30504 9.193 Sometimes the sender_confd_profile is undefined in the profile object ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID30487 9.107 Sometimes the Proxy-Authenticate response-header is missing in HTTP 407 (Proxy Authentication Required) response ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID30478 9.004 System & UTM Backups ignore backup limits [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.112 ID30446 9.192 [BETA] SPX: some characters in mail subject lead to broken subject in pdf ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30441 9.191 [BETA] SPX encryption has higher priority than SMIME or PGP encryption ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30437 9.107 Multipath rule for VoIP does not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID30418 9.192 RED doesn't work in half duplex mode [9.2] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.194 ID30389 9.100 [BETA] http cache fills up partition ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID30332 9.107 Don't let INVALID traffic FORWARD over utm ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID30261 9.192 Change error handling for failed authentication in auth_form ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID30254 9.107 Import of non UTF-8 certificate breaks Webadmin access ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID30224 9.107 Parallel dns queries fail on identical source port ------------------------------------------------------------------------ Description: If more than one DNS request is sent on the same source port in a very short timefranme it might happen in rare cases that the request fails. Workaround: Exception for service DNS for IPS, APTP, AppCtrl Fixed in: 9.314 ID30195 9.192 It's not possible to edit a country blocking exception from a source exception to a destination exception ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.207 ID30151 9.107 Interface based policy routes don't work in some setups (9.107 regression) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID30142 9.191 [BETA] SPX: spx encryption can not handle some greek characters ------------------------------------------------------------------------ Description: Some characters (like some from greek, japanese, chinese, cyrillic fonts) may be wrongly displayed or missing in the generated PDF document of SPX-encrypted emails Workaround: - Fixed in: 9.303 ID30136 9.171 SAA icon not showing correct state on OS X ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.192 ID30127 9.191 [BETA] Strict TCP session handling ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID30106 9.107 /proc/net/ip_scheduler/multipath not updated after config changes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID30069 9.106 Transparent authentication in cluster mode shouldn't be balanced ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID30059 9.105 User Portal webpage doesn't get fully loaded while using Internet Explorer [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID30047 9.105 SSL VPN disconnects when transferring large amounts of data [9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID30016 9.107 Mix SSL and WAF and SharePoint 2013 will no longer allow you to save files (file is opened write protected) ------------------------------------------------------------------------ Description: Workaround: Configure an exception for path "/_vti_inf.html" and "yourpath/_vti_bin/cellstorage.svc/CellStorageService"(example: /sites/waftest/_vti_bin/cellstorage.svc/CellStorageService) and enable option "Never change HTML during URL Hardening or Form Hardening" Since the path is Sharepoint site specific (example: /sites/waftest/...) it is necessary to configure exceptions for all existing Sharepoint sites (it's not possible to use the wildcard * inside a path, so /sites/*/_vti_bin/cellstorage.svc/CellStorageService is not an option). Fixed in: 9.112 ID30013 9.190 Unblock (bypass) of blocked website does not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.191 ID30008 9.106 Problem with Remote IPsec access in case of ID type is ASN1 Distinguished Name and using static RAS IP ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID29981 9.100 Country blocking exceptions are not used in HTTP Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID29957 9.150 Exchange 2013 OA and OWA didn't work with WAF (9.2) ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID29954 9.107 Endpoint: Not working anymore after update to 9.107 SR ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID29945 9.186 SPX password notification mails have no header and footer customization ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.353 ID29900 9.107 RED50 freeze after update to 9.107 SR ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID29843 9.108 [BETA] Changing AV Scanners cause memory spikes in http proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID29840 9.106 RED doesn't work in half duplex mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29824 9.105 Sometimes Apache not starting at boot time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID29792 9.106 Bridge: Allow IPv6 pass through has no effect ------------------------------------------------------------------------ Description: Workaround: As A workaround apply "Forward EtherTypes" first and then "Allow IPv6 Pass through" Fixed in: 9.108 ID29748 9.180 [BETA] changing OTP has no effect on WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID29709 9.106 NTPd fails to synchronize ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29663 9.106 Httpproxy coredumps every few minutes after update from 9.006 to 9.106 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29600 9.000 Add host tag to remote syslog messages ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29549 9.308 MAC addresses are not rewritten correctly if DNAT is configured on bridge interfaces ------------------------------------------------------------------------ Description: The UTM doesn't send the radius packets to the radius server if the AP and the radius server are in the same network and if there is bridge configured on the UTM including this network. Workaround: Put the bridge interface into the promiscuous mode. Example: ifconfig br0 promisc Please note: You have the enable the promiscuous mode again after an UTM reboot. Fixed in: ID29501 9.165 Transparent AD SSO conflicts with WAF (port 80) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID29483 9.106 [CVE-2013-2061] OpenVPN: non-constant time comparsion of HMACs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29446 9.170 [BETA] DLP: inconsistent dlp action identifier ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID29419 9.165 [BETA] Web Policy tester and http.log do not display modifications by local site list ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID29412 9.106 Wireless Security Manager Role can't accept new AP's ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID29356 9.165 [BETA] RED50 reconnects all the time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID29354 9.100 [Update Rule:] SSL VPN routes are not distributed correctly over OSPF ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.180 ID29326 9.165 [BETA] rephrase notifications for APT/IPS events ------------------------------------------------------------------------ Description: For a threat which comes from IPS the source is external, therefore in notifications, the keyword "Internal", should be changed. Workaround: Fixed in: 9.310 ID29283 9.107 UTM fails to verify signed emails ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29252 9.165 [BETA] Improve logging of SPX encryption ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID29217 9.165 [BETA] grey out Data Protection Tab if no subscription is available ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29216 9.165 [BETA] dashboard shows too many subscription when using BasicGuard license ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29215 9.000 Successful console logins are not logged [V9.1] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29175 9.106 HTML5 VPN SSL certificate fetch doesn't work reliably ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID29164 9.105 UTM failover although the syncing process is not finished (prefered master option enabled) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID29141 9.106 Input username is not updated to directory notation in case of custom user name attribute ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID29095 9.165 [BETA] improve reporting filter naming for ATP ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID29093 9.165 [BETA] drilldown for ATP reporting does not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID29092 9.165 [BETA] ATP detects Android user agent as threat ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29071 9.165 HTTP/S redirection on Fallback host results in empty ServerAlias ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29065 9.165 Replace spaces when using the frontend realm with frontend mode 'Form' ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID29060 9.160 [ALPHA] Installer: ASG220 rev.3 claimed unsupported but it should be ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29055 9.165 [BETA] Cannot enable Client Authenication/HTTP Proxy due to confd error ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29048 9.165 [ALPHA] SPX: reply portal not working with ipv6 interfaces ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29047 9.165 [BETA] PPPoE interfaces don't come up sometimes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID29030 9.106 Prevent ulogd coredumps in case of database issues ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID28998 9.165 WAF always sends frontend mode authentication data to backend ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID28978 9.165 firewall profiles display problems ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.190 ID28976 9.165 firewall profiles can be enabled without mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID28975 9.165 [ALPHA] Bug in SPX template edit form when turning on reply portal ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID28973 9.165 [ALPHA] SPX: Attachment names character encoding error during PDF generation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID28970 9.165 [ALPHA] "Include original body into reply" flag cannot be turned off. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID28968 9.165 [ALPHA] SPX Portal letter expiry does not work with 0 days given as period ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID28966 9.165 exceptions for Common Threat Filters do not work individually ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID28963 9.165 vhost status not adapted after up2date ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID28953 9.165 Object Changelog PopUp can not be closed in IE9 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID28949 9.106 Coredump from reverse proxy for Outlook Anywhere ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID28922 9.165 Generate one time password for spx-auth basic authentication. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.190 ID28919 9.200 After changing the cookie enryption secret users cannot log in unless they remove their cookie ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.190 ID28918 9.165 Fix Site Path display to show the Site Path name ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.190 ID28917 9.165 Make WAF session cache persistent across restarts/stops ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID28911 9.160 DynDNS DNSPark account shows status null ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.193 ID28866 9.106 Essential Firewall: Not possible to use HA reserved interface eth3 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.192 ID28851 9.165 Fix uniquness checks for reverse authentication realms ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.195 ID28846 9.106 Slow network throughput on BCM57810 (bnx2x) with kernel warning at net/core/dev.c:2029 skb_warn_bad_offload ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28842 9.106 HA takeover if master reboots takes too much time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID28673 9.106 Read-only user can delete quarantine mails in mail manager ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28652 9.160 Reverse Authentication page is active without a valid licence for that feature ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID28633 9.107 Update kernel and Intel drivers ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28627 9.106 Sender Blacklist works for Enduserportal but not for Webadmin -> SMTP -> Antispam -> Sender Blacklist ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID28608 9.160 [BETA] SPX: reply portal needs explicit firewall rules ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.171 ID28563 9.160 SPX: wrong default spx password notification text ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.190 ID28439 9.106 vpn site2site overwiev is missing ipsec respondOnly connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID28432 9.106 Display errors for hotspot vouchers in japanese language ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28413 9.105 Multipath is routing packets on wrong interface after one load balanced ipsec connection fails ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID28400 9.105 Syslog not started after ipsbundle pattern installation ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID28390 9.105 Not possible to activate more than 62 virtual webserver ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28383 9.105 SSL VPN disconnects when transferring large amounts of data ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.190 ID28360 9.105 Avira Scanner can not scan pop3 mail, Error index out of bound ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28327 9.105 HTTP Proxy segfault in PCRE match() ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID28323 9.105 Unable to create or change any additional address at the ASG ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID28261 9.160 Allow ICMP Forward for incoming ICMP packets on uplink interfaces ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID28241 9.105 Exchange 2013 OA and OWA didn't work with WAF ------------------------------------------------------------------------ Description: Exchange 2013 Outlook Anywhere via WAF works with MAC clients but not with MS Outlook clients. Outlook Web Access works with basic and form authentication via WAF Workaround: Fixed in: ID28226 9.105 Httpproxy reaches maximum number of open file descriptors due to header files in tmp (Windowsupdate) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28223 9.105 The websecurity manager is not able to change or create some proxy settings ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28212 9.200 Misc web reporting bug fixes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID28201 9.105 User Portal webpage doesn't get fully loaded while using Internet Explorer ------------------------------------------------------------------------ Description: User Portal webpage doesn't get fully loaded while using Internet Explorer. Workaround: Will be fixed in 9.200. Fixed in: 9.165 ID28164 9.105 OSPF and default route priority issues ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID28150 9.106 Sophos Authentication Agent does not work with MacOS X 10.6 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.192 ID28056 9.105 it's not possible to view or download large log files in the webadmin because root partition is too small ------------------------------------------------------------------------ Description: Workaround: The logfiles will be copied from /var/log to the root partition during the view or download in the webadmin. So the limiting factor is the size of the root partition Fixed in: 9.210 ID28055 9.106 Duplicated DHCP Leases ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.312 ID28053 9.105 swap partition did not get a UUID ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID28013 9.104 Its not possible to add more than 20 remote networks into the Sophos IPsec Client ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID28007 9.105 DynDNS: Username containing uppercase chars not working for FreeDNS ------------------------------------------------------------------------ Description: DynDNS: Username containing uppercase chars not working for FreeDNS Workaround: Use only lowercase chars for FreeDNS username Fixed in: 9.106 ID27928 9.160 mod_security fails to read response body if conten encoding is applied ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID27910 9.105 Unable to configure the HTTP default profile in the global section caused by AP connected via RED ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27905 9.105 [BETA] log the mac addresses human readable with leading zeros in the packetfilter log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID27887 9.105 [e1000e] Reset adapter unexpectedly ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27865 9.105 Transparent Split mode doesn't resolve names correctly on RED50 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27862 9.104 User accounts with less then 3 characters in the username are not consider from the reporting ------------------------------------------------------------------------ Description: Account names like "aa", "sp" or something like that with 2 characters only are not consider by the reporting so there is no entry about the traffic in the web usage. When the account name has 3 characters or more everything works fine. Workaround: Use account names with 3 characters and more. Fixed in: 9.107 ID27861 9.105 3G USB modem intermittently not assigned after reboot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID27848 9.160 DynDNS: Add support for STRATO AG, No-IP.com, selfHOST & DNSdynamic ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.180 ID27814 9.104 Never selfmon aiccu [9.1] ------------------------------------------------------------------------ Description: An automated restart of aiccu cause excessive connections to the TIC servers and you will get be blocked from the TIC servers. Please take a look at the following pages: https://www.sixxs.net/faq/aiccu/?faq=tic https://www.sixxs.net/faq/aiccu/?faq=autostart Workaround: Please contact the support team and ask for a pre rpm. Fixed in: 9.111 ID27789 9.104 RED status overview not matching real tunnel status ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27788 9.006 Download of SSL VPN packages for Users via Webadmin does not work [9.0] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.007 ID27785 9.105 Download of SSL VPN packages for Users via Webadmin does not work ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.105 ID27780 9.160 DynDNS: Add support for OpenDNS dynamic IP update ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID27777 9.104 WiFi: Radius packets which should be going to a server routed via IPSec goes out on external interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27774 9.104 Remote access reporting shows incorrect information about duration of vpn user ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID27762 9.160 LWP Update breaks DynDNS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID27750 9.000 IPv6: Add support for DynDNS (Dyn & FreeDNS) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID27744 9.104 Routing issue in RED standard/split mode ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID27742 9.104 Standard mode in deployment helper incorrectly named ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.170 ID27692 9.160 Exception for Antivirus does not work with ModSecurity ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID27685 9.104 New Packetfilter block rules doesn't work for established connections ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27653 9.155 User should not get logged out of Browser auth if the logout window is opened ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID27647 9.104 aua does not work with facility http while installing basic guard license ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID27601 9.006 error message: Netlink message type is not supported in ulogd ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID27597 9.103 red_server dies after RED reconnect - no further connection possible until UTM reboot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27588 9.103 Unable to fetch POP3 accounts on iOS devices via POP3 Proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.210 ID27580 9.103 audld.plx gets stuck and UTM is not able to download patterns anymore ------------------------------------------------------------------------ Description: Up2Date Downloader gets stuck and UTM is not able to download pattern/firmware anymore. To check if you're affected by this issue please check if your Up2Date logfile contains such messages: "Another instance of this process is already running, exiting" Workaround: Reboot the UTM solve the issue. Please make sure to upgrade to 9.105 as soon as possible which contains a fix. Fixed in: 9.105 ID27569 9.103 HTTP-Proxy breaks GET Request including a huge Cookie ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.106 ID27484 9.101 turning off RED client connection has no effect, tunnel will still be established ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID27481 9.104 Permanent openvpn daemon restarts after installing UTM 9.104 soft release ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.104 ID27479 9.103 mdw died on UTM100/110 if QoS is enabled without a selector ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27474 9.103 Teamviewer via Basic-Auth Webproxy requires creds even if those are stored in the settings ------------------------------------------------------------------------ Description: Teamviewer via Basic-Auth Webproxy requires creds even if these are stored in the settings. Workaround: Fixed in: 9.108 ID27473 9.103 Visit of ZDF mediathek will cause a display bug in websec reporting. ------------------------------------------------------------------------ Description: By visiting the ZDF Mediathek the IP address in reporting will be displayed not correctly. Example: "193.443" instead of "87.248.193.47:443" Workaround: Fixed in: 9.107 ID27463 9.103 Cablemodem interface does not renew interface address after modem reboot ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID27455 9.103 Adding an additional interface to PPPoE interface takes it down ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27421 9.104 Disabled RED devices are always able to establish a connection to the UTM ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27362 9.103 SAA doesn't work for AD users ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27348 9.103 Memory allocation errors in Webfilter for FTP requests ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID27313 9.103 AFC Rules does not work while using http proxy (transparent) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.304 ID27295 9.104 Two processes of repctld run on slave after switching preferred master, and therefore it is still shown as syncing ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.105 ID27287 9.102 Outlook anywhere connection with WAF didn't work for Mac Clients ------------------------------------------------------------------------ Description: Outlook anywhere connection with WAF didn't work for Mac Clients Workaround: At the moment, we do not support Outlook Anywhere connections for Mac clients Fixed in: ID27257 9.103 RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported ------------------------------------------------------------------------ Description: It is not possible to connect a RED device to an additional IP address configured on an UTM. This is a limitation of the kernel code using by the RED feature. Workaround: Fixed in: 9.210 ID27253 9.100 Search Engine reports do not work if uppercase domain name is used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27198 9.103 Not possible to decrypt an email if there are more than one empty lines between header and body ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID27084 9.103 high cpu load from postgres. Caused from pfilter reporter ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26933 9.102 hotspot doesn't work in an active active cluster environment ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26929 9.102 If username contains a '\' SSL VPN config is not stored correctly on the client ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26906 9.100 Update GPG for security fix [V9] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID26897 9.102 Don't show REF_AaaUseX user as a remote access online user ------------------------------------------------------------------------ Description: WebAdmin dashboard displays that one remote access user is online even though no user is using the remote access. Workaround: Fixed in: ID26850 9.101 Default gateway for PPPoE interface not set after reconnect ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26721 9.101 WiFi: Sometimes syslogd on AP is not running after AP booted up ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID26699 9.155 Fix Rewriting of Cookies (HTML Rewriting) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.180 ID26656 9.101 RAS Manager is not able to change or create SSL VPN Profiles ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26544 9.101 DNS host definitions with non-ascii chars and underscore cause dns-resolver to fail ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID26450 9.101 Upon upgrade, "The web filtering URL regular expression object with the name 'Any domain expressions' already exists" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26388 9.101 RED50 Traffic not possible, red_server reports "Unable to get proc entry" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26273 9.101 Improvement of Notification Information in notifier.log ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26225 9.006 Damaged graphic in the wireless reporting in French language ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID26130 9.100 DHCP mapping comments gets lost by upgrading to 9.100 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.112 ID26119 9.101 Wifi [ASG]: MAC Filter Whitelist not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.104 ID26077 9.100 WAF real server is switching to error state every 5-10 min without any known reason ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID26066 9.100 Show Frequency Band in the info of the Wireless Networks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.104 ID25987 9.100 Since update to 9.100 the websecurity reporting will not display correctly. ------------------------------------------------------------------------ Description: It could happen that the Web-Security Reporting doesn't list all browsed webpages although these information is stored in the database, which is bullshit, as the information is _not_ in the database, but whatever. Workaround: Will be fixed in 9.103. Fixed in: ID25981 9.155 Use pooled DNS request handling ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.155 ID25980 9.100 DHCP server does not provide IP address if address pools are used ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25952 9.100 Country blocking exception doesn't work ------------------------------------------------------------------------ Description: Workaround: - Don't use country blocking - Don't use random IP addresses for internal/ras networks - Don't use country blocking Fixed in: 9.155 ID25940 9.006 Several core dumps in __kernel_vsyscall (/usr/apache/bin/httpd -k restart) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25931 9.100 False Positive during WAF Upload ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25910 9.100 [e1000] Reset Adapter after Update to 9.100 and some Intel Interfaces ------------------------------------------------------------------------ Description: you can see Reset adapter log entries in the kernel.log e.g. kernel-2013-05-17.log.gz:2013:05:17-09:35:02 fw1-main kernel: [33094.832012] e1000 0000:0a:01.0 eth0: Reset adapter this is a known issue with some e1000 (not e1000e) based cards for example 82546GB https://bugzilla.redhat.com/show_bug.cgi?id=504811 The card may silently corrupt data if TSO is enabled. Workaround: disable TSO: ethtool -K ethX tso off Fixed in: 9.107 ID25787 9.100 SSL VPN autopacketfilter rules are not set for backend group objects ------------------------------------------------------------------------ Description: Workaround: Manually saving the (unchanged) SSL VPN remote access profile will update the attached auto-packetfilter object. Alternatively a cronjob with this command line will do the job for all profiles automatically: for ref in $(/usr/local/bin/confd-client.plx get_references ssl_vpn remote_access_profile | grep -o "REF_[^']*"); do /usr/local/bin/confd-client.plx change_object $ref; done Fixed in: 9.101 ID25657 9.100 Do not imply filename and next-server when specifying DHCP options 66/67 ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25572 9.100 Default gateway for DSL interface not set probably in link failover setup ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25492 9.006 Policy routing not working together with full transparent mode of HTTP proxy ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25476 9.109 Increase default WebAdmin logout time (for new installations) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID25459 9.006 WiFi Separate Zone: Suddenly it's not possible to process traffic via the AP due to incorrect RED peer address ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25323 9.006 Obviously wrong traffic counting ------------------------------------------------------------------------ Description: An issue in the flow update handling can lead to wrong traffic counting of the reporting. Workaround: Upgrade to 9.107. Fixed in: 9.107 ID25305 9.092 IE8: Some object tables remain empty ------------------------------------------------------------------------ Description: When using WebAdmin in Microsoft Internet Explorer 8 some object tables are not displayed correctly, the information about the objects is not visible. Workaround: Use a different browser Fixed in: 9.101 ID25244 9.091 Window is not closed for RDP sessions if "Stop session" is selected in the drop-down menu ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID25219 9.005 If Inline PGP decryption fails the customer is getting an empty mail ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID25199 9.091 Kernel Oops when lowering MTU for USB netcard ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID25191 9.006 awed (awed_ng) fails on missing rrd-metadata file ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID25190 9.006 pmacct has problems with the ipfix templates ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID25140 9.005 notications/snmp traps: wrong label in webadmin ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID24936 9.000 [9.0] gzip deflate compression not working at the WAF ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID24855 9.005 Hungarian keyboard layout get lost when starting a HTML5VPN RDP session ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.202 ID24739 9.000 cluster SMTP distribution not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID24679 9.005 Rescan for Virus when releasing Quarantine Message ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID24652 9.004 Wireless: Client is listed on wrong AP in Webadmin "Wireless status" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID24572 9.005 Automatic Monitoring shows Uplink Interface as ONLINE although it is down ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID24556 9.005 SAVI engine scan failed: Unknown SAVI error [0x80040237] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID24541 9.004 Queries on images.google.com, ca, uk, etc. bypasses SafeSearch ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID24540 9.200 User authenticates via portal over HTTPS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID24539 9.200 User unblocks sites by sending credentials over HTTPS ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID24479 9.005 Wrong packetfilter will be created with the internet object and one uplink interface is down ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID24430 9.005 Sporadic reboots probably caused from sip helper ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID24360 9.001 improve handling of rpmdb corruptions ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.206 ID24358 9.000 Manual speed settings have no effect on HA link ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID24331 9.070 [UBB][9.070] Mail Notification contain antivirus footer ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.160 ID24317 9.070 display of auto packet filter rules misses VPN profiles with backend membership groups ------------------------------------------------------------------------ Description: If you have VPN profiles configured with backend membership groups and "Automatic Firewall Rules", these rules are not shown in the "Display Auto Packet filter rules" view. Workaround: Fixed in: 9.101 ID24246 9.002 RED [RED10]: static IP address assignment does not work together with transparent/split mode [9.0] ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID24207 9.070 [UBB][9.065] Duplicate NAT entries in Service Definition ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID24156 9.070 Search Engine Report => Top 10 pie has label with HTML br tag in description. ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.070 ID24141 9.002 RED [RED10]: static IP address assignment does not work together with transparent/split mode [9.0] ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.006 ID24140 9.001 RED [RED10r2]: Split-Tunneling via UMTS is not working ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.006 ID24127 9.004 Full NAT from internal network to external address dropped on bridge interface ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID24059 9.004 Aua fails to handle customized user group attributes ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID23968 9.003 WiFi [AP10]: Signal strength of the AP10 is stronger in V8 as in V9 with 100% TX-Power (9.0) ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.006 ID23965 9.004 Prevent removing default network objects ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.310 ID23892 9.004 File extension blocking does not work if umlaut is used in filename ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.204 ID23810 9.004 System & UTM Backups ignore backup limits ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.155 ID23745 9.000 Remote Access: SSL VPN Graph no data ------------------------------------------------------------------------ Description: The 'SSL VPN Connections' graph at 'Logging & Reporting' >> 'Remote Access' >> 'Activity' shows no data Workaround: There is no workaround, the problem will be addressed in a later release. Fixed in: ID23727 9.060 Wifi: it should not be possible to set the same Mesh name twice ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.107 ID23713 9.060 [V9] Blocked HTTPS-Sites in Filter Action Mode 'Blacklist' doesn't match if Exception is matching on Categories ------------------------------------------------------------------------ Description: Workaround: Fixed in: ID23585 9.004 WiFi [ASG]: Wireless Client List misses modified clients that are not shown for a long time ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.108 ID23353 9.004 Pop3 mails proceeded during a pattern update are quarantined as "unscanable" ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.106 ID23348 9.004 Multipath for ftp over http isn't working when control and data connection use different path ------------------------------------------------------------------------ Description: If you create a multipath rule for ftp (port 21 tcp) to use wan1 and another multipath rule for all other traffic to use wan2. The control connection will use wan1 and the data connection on a high port use wan2. As a result of the control connection and the data connection are using different interfaces, the whole ftp connection will fail. Workaround: Create a multipath rule which sends the high ports > 1023 over the same external interface as the ftp port 21. Fixed in: 9.314 ID23333 9.060 Blocked application name on the block page is truncated ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.080 ID23268 9.004 Application Control: VNC traffic will be detected as Skype ------------------------------------------------------------------------ Description: The Application Control detects VNC traffic falsely as application Skype. While Skype is set to 'block' no more VNC connections can be established. Workaround: Temporarily allow Skype for clients who need to do VNC connections. Fixed in: ID22980 9.004 misrepresentation of information with wireless hotspot vouchers ------------------------------------------------------------------------ Description: HTML tags are not supported in hotspot voucher customization. Although they are displayed correctly, but when the voucher is printed as PDF the tags simply ignored. Workaround: Fixed in: ID22928 9.003 Issues with Live Connect Service in HA Environment ------------------------------------------------------------------------ Description: Issues with live connect service in HA environment - Connection to live connect service is broken, clients cannot be registered co Workaround: Fixed in: 9.004 ID22925 9.004 Heap-based buffer overflow in exim (CVE-2012-5671) ------------------------------------------------------------------------ Description: Workaround: Add the following line in file /var/storage/chroot-smtp/etc/exim.conf after the line with "acl_check_connect:", which is usually on line 307: warn control = dkim_disable_verify Fixed in: 9.004 ID22842 9.003 HTML5 VPN PF Drop Rule should actually say that its dropping traffic ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.308 ID22750 9.000 Swapon failed for explicit UUID ------------------------------------------------------------------------ Description: In some cases it happened that the swap partition was not set up correctly during installation and could not be mounted. Workaround: Change the entry for the swap partition in /etc/fstab to read LABEL=swap swap swap sw 0 0 The run swapon -a It should report no errors. Fixed in: 9.104 ID22728 9.100 RED [ASG]: red status id displayed online even if there is no traffic possible ------------------------------------------------------------------------ Description: If the link is not stable (e.g. a lot lost packets), the status of RED may be displayed as online, however no reasonable traffic could be passed through. Workaround: Fixed in: ID22468 9.001 HTML5 iptables rule doesn't match for IPSec-routed hosts ------------------------------------------------------------------------ Description: It's not possible to use IPSec-routed hosts within a connection of the HTML5 Portal. The connection will not be established. Workaround: Contact the Support Team to get a hotfix. Fixed in: 9.310 ID22437 9.001 HTML5 RDP: swiss keyboard not working with ALT-Gr-letters using Chrome ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.314 ID22371 9.001 The NAT rule object cannot use network group objects for the traffic destination attribute with uplink primary address ------------------------------------------------------------------------ Description: It isn't possible anymore to configure DNAT rules with uplink primary addresses since v 9.001. This was possible with v8 and also with v9.000 Error message in webadmin gui: "The NAT rule object cannot use network group objects for the traffic destination attribute when using this NAT mode." This will be possible again in one of the future releases. Workaround: Fixed in: 9.060 ID21957 9.000 DHCP server not working properly with large IP ranges ------------------------------------------------------------------------ Description: For each DHCP Range definition memory is reserved. If the memory reservation is too big dhcpd will die and being restarted by Selfmon. With a DHCP Range of a /8 network 3 GB would be reserved, while a /16 reservation needs 12 MB. Since DHCPD runs in a 32 bit userspace /9 is actually the biggest theroretically working range - if enough memory is free. Workaround: Use a smaller DHCP Range. Fixed in: 9.090 ID20980 9.000 IPS false positives candidates ------------------------------------------------------------------------ Description: Here you can see some candidates of IPS Fales Positives They appeared during downloading some podcasts with iTunes 4679 - WEB-CLIENT Apple Quicktime movie file component name integer overflow multipacket attempt 13316 - WEB-CLIENT 3ivx MP4 file parsing ART buffer overflow attempt 13317 - WEB-CLIENT 3ivx MP4 file parsing nam buffer overflow attempt 13318 - WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt 13319 - WEB-CLIENT 3ivx MP4 file parsing des buffer overflow attempt 13320 - WEB-CLIENT 3ivx MP4 file parsing cpy buffer overflow attempt 13626 - FILE-IDENTIFY Microsoft Office Access file magic detected 13917 - WEB-CLIENT Apple QuickTime MOV file string handling integer overflow attempt 15469 - WEB-CLIENT Microsoft Office WordPad and Office text converters integer underflow attempt 15517 - WEB-CLIENT Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt 16295 - WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields 17204 - WEB-CLIENT Adobe Director file file mmap overflow attempt 21484 - WEB-CLIENT ScadaTec ScadaPhone zip file name buffer overflow attempt SSL VPN: 16180 - WEB-CLIENT Windows CryptoAPI common name spoofing attempt Workaround: Fixed in: ID20900 9.000 IPS rule 15909 affects netflix streaming (vbr) ------------------------------------------------------------------------ Description: Netflix video streaming is influenced of IPS rule 15909. When streaming netflix video content through the ASG with an "Roku2"-box that uses variable bitrate streaming (HTTP based streaming protocol). Turning the IPS Rule 15909 off solved the problem. Workaround: Fixed in: ID20738 9.000 Sophos Endpoint Security and Control does not work with google Chrome ------------------------------------------------------------------------ Description: Endpoint Security and Control doesn't work with Google Chrome as default browser. If you click on one of the menus you get an error message. Workaround: Fixed in: ID19006 9.000 Internet Explorer still doesn't trust the webadmin certificate after importing the WebAdmin CA ------------------------------------------------------------------------ Description: After importing the WebAdmin CA into the Internet Explorer it's still not possbile to open the webadmin without a certificate warning. It doesn't matter if the CA is correctly imported and the hostname from the certificate match the webadmin site. Workaround: - Download WebAdmin CA Cert as Base64 - copy to /var/sec/chroot-httpd/etc/httpd/WebAdminCertCA.pem - add line SSLCA... in /var/sec/chroot-httpd/etc/httpd/vhost/httpd-webadmin.conf: SSLEngine On SSLCertificateFile /etc/httpd/WebAdminCert.pem SSLCACertificateFile /etc/httpd/WebAdminCertCA.pem SSLCertificateKeyFile /etc/httpd/WebAdminKey.pem -do the same for the following files: httpd-webadmin.conf-default httpd-portal.conf-default (if User Portal is activated, also in httpd-portal.conf) - after that "/etc/init.d/httpd restart" Fixed in: 9.075 ID17609 9.000 User Portal: whitelist is completely ignored if blacklist matches ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.150 ID16073 9.000 IPSec Remote Access: Too large IP-Pool consumes all CPU & MDW hangs/blocks ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.201 ID15854 9.000 Syslog error messages during logrotate ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.155 ID14503 9.000 Long webadmin sessions on the webadmin dashboard causes memory leak ------------------------------------------------------------------------ Description: When webadmin session's focus is kept on the webadmin dashboard for an extended amount of time, this will cause a memory leak until the session is closed. Workaround: Please enable the Option "Log out on dashboard" You can find this setting at: Management > Webadmin Settings > Advanced. Fixed in: 9.006 ID11903 9.000 Add DHCPv6 relay support ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 ID11018 9.000 iPhone L2TP Client does not support x509 certs ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.250 Closed Issues - VPN ======================================================================== ID26052 9.101 Performance problem in MiddleWare when generating SSL VPN configuration with many networks and users ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.104 ID26035 9.000 Can't handle a VPN signing CA which expires after 2050 [V9] ------------------------------------------------------------------------ Description: If you upload a VPN signing CA which has an expiry date after 2050, all user certificates generated from this CA will have a wrong expiry date of 19XX (with XX from the expiry date 20XX of the CA). Workaround: Use a VPN signing CA which expires before 2050. Fixed in: 9.106 ID22787 9.000 Cisco VPN not working with iOS6 ------------------------------------------------------------------------ Description: Cisco VPN with iOS6 devices doesn't work in some setups (NAT Gateway running in front of the UTM). It seems that Apple activates a Cisco specific feature called "IKE fragmentation" which is not implemented in strongswan. We have no workaround in the moment, you have to downgrade the iPhone. Workaround: Fixed in: 9.004 ID22539 9.002 Some buttons don´t work in HTML5 VPN. ------------------------------------------------------------------------ Description: Some buttons are not working in HTML5 VPN SSH for example: # ' ? + * - _ Occurs with all Browsers. Workaround: Fixed in: ID22499 9.000 SSL VPN Client doesn't work correctly on Windows 8 and Windows Server 2012 ------------------------------------------------------------------------ Description: The client can be installed but establishing a connection doesn't work. Workaround: Fixed in: 9.004 ID22375 9.001 Problem with double encoding in ssl vpn remote access client part ------------------------------------------------------------------------ Description: Problem with double encoding in SSL VPN remote access client part. If the server certificate contains UTF-8 and was generated with a version before UTM 9, the Sophos SSL VPN client cannot verify the subject DN, because it double encodes the UTF-8. Workaround: Fixed in: 9.004 ID21988 9.000 SSL VPN not working if username from AD backend contains special characters ------------------------------------------------------------------------ Description: In V9 there is a problem with SSL VPN access using special characters in the CN of a user account (prefetched from AD backend server). This only will happen after installing a V8 backup which contains that user account into a V9. Workaround: Delete the user account on the ASG and prefetch the user account again. Finally reload the SSL VPN config file from the user portal. Fixed in: 9.001 ID21960 9.000 HTML5VPN: Problems with dropdown menus ------------------------------------------------------------------------ Description: It's not possible to use dropdown menus on any website with the current version of the HTML5VPN Portal. Workaround: Fixed in: 9.002 ID21939 9.000 User can't view Log files of SSL VPN Client ------------------------------------------------------------------------ Description: User can't view Log files of SSL VPN Client The user can't view SSL VPN clients' log file (Log Informations), because he hasn't the rights to view the file. Workaround: Fixed in: 9.090 ID21520 9.000 User "möller" can't log in via Cisco VPN Clien ------------------------------------------------------------------------ Description: Users with non-ASCII characters (for example müller) can't login via Cisco VPN. In aua.log, the username is garbled like: mölle 2012:05:22-11:05:36 ich10 aua[22278]: id="3005" severity="warn" sys="System" su b="auth" name="Authentication failed" srcip="10.x.x.x" user="mölle" caller ="REF_IpsRoaForAdminToInter" reason="DENIED" Workaround: Fixed in: ID21423 9.000 SSL VPN not working after rebooting the UTM9 ------------------------------------------------------------------------ Description: In some cases the SSL VPN doesn't work after a reboot, because the OpenVPN daemon is not started correctly. Workaround: Manually restarting the OpenVPN daemon with /var/mdw/scripts/openvpn restart should reenable SSL VPN. Fixed in: 9.000 ID21374 9.000 HTML5 VPN Webapps: Popups are disabled ------------------------------------------------------------------------ Description: HTML5 VPN Webapps: Popups are disabled As of now, popups are blocked by the internal Firefox. The user will be informed when blocking has taken place. Workaround: Fixed in: ID20442 9.000 Amazon VPC broken in V9 ------------------------------------------------------------------------ Description: The connection to Amazon VPC doesn't work in UTM 9.000 Workaround: Fixed in: 9.001 ID17999 9.000 It's not possible to take over the internet explorer(8 &9) proxy settings with the openvpn-gui client ------------------------------------------------------------------------ Description: It's not possible to take over the internet explorer proxy settings with the SSL VPN Windows client. If you have configured the SSL VPN client to use the internet explorer proxy settings you will always get an error message like "can't take over MSIE proxy settings." Workaround: Fixed in: 9.060 Closed Issues - Web Application Security ======================================================================== ID34426 9.306 Since few days dnsbl.proxybl.org is not reachable anymore ------------------------------------------------------------------------ Description: dnsbl.proxybl.org is not reachable anymore. WAF uses this DNSBL for the firewall profile option "Block clients with bad reputation". When this option is enabled, WAF appears unresponsive because every request is slowed down by the failing DNS lookup. Workaround: Enable "Skip remote lookups for clients with bad reputation" in the firewall profile or just disable the "Block clients with bad reputation" feature. Fixed in: 9.308 ID30502 9.193 Rev. Auth.: session management with multiple profiles ------------------------------------------------------------------------ Description: The session management in the Web Application Firewall does not distinguish between different Reverse Authentication profiles. There can only be one session per user. This could lead to inconsistencies with multiple Reverse Authentication profiles using differing values for the session lifetime and the session timeout. Workaround: Fixed in: 9.202 ID29963 9.100 profile mode 'monitor' does not work for Cookie signing ------------------------------------------------------------------------ Description: When using Cookie Signing in mode 'monitor', incorrectly signed cookies are dropped. The dropping of cookies is not logged. Workaround: Fixed in: 9.250 ID26002 9.100 Web Application Security: .docx files broken after upload and download ------------------------------------------------------------------------ Description: .DOCX are broken if the same file is first uploaded and then downloaded. Workaround: Contact Support for a RPM which fixes this issue. Fixed in: 9.104 ID24150 9.000 Slow file upload over WAF fails when only AV scan is enabled ------------------------------------------------------------------------ Description: For clients client that have only a slow upload link, uploads that take longer (3-4 minutes have been reported) than simple requests fail. The browser shows a "502 Bad Gateway" error after the upload. Without AV scanning enabled, the problem does not occur. Workaround: In the WAF profile, please enable additionally "SQL Injection Filter" or "Cross Site Scripting (XSS) Filter". Fixed in: ID23179 9.000 Form Hardening doesn't support image type input form buttons ------------------------------------------------------------------------ Description: Workaround: Replace the element with another type of input, e.g. "submit" Fixed in: 9.005 ID22947 9.000 Uploads via reverse proxy are limited to 128 MB when profile with 'XSS Filter' or 'SQL Injection Filter' enabled is in use ------------------------------------------------------------------------ Description: You can not upload files which are bigger than 128 MB via the Reverse Proxy because of a limit. Uploads are blocked with the following message in reverseproxy.log: ModSecurity: Request body (Content-Length) is larger than the configured limit (134217728) Workaround: Please contact the support-team Fixed in: 9.160 ID21899 9.000 [V9] Form Hardening blocks request due to missing token, although URL Hardening Exception should allow access ------------------------------------------------------------------------ Description: Form Hardening blocks request due to missing token, although URL Hardening Exception should allow access. Workaround: No Workaround. If possible disable Form-Hardening. Fixed in: 9.005 ID21825 9.000 Form hardening breaks 'XHTML 1.0 strict' compliance ------------------------------------------------------------------------ Description: The HTML modifications done by the Form Hardening Feature may break XHTML 1.0 Strict validity. Workaround: Fixed in: 9.060 ID21365 9.000 reverseproxy blocks webrequests during avira-pattern was updated ------------------------------------------------------------------------ Description: Reverseproxy blocks webrequests during avira-pattern is updated After an avira pattern update the WAF blocks webrequests for a very short time. The WAF seems to work normal after the cssd has the new pattern. Workaround: Fixed in: ID21170 9.000 Exchange 2010 OWA notifications don't work ------------------------------------------------------------------------ Description: Exchange 2010 OWA notifications don't work When using web application security to protect Outlook Web Access for Exchange 2010 SP2 RU2 users get the following error message when they click on the error icon in the top right corner: 'notifications couldn't be retrieved' Workaround: Fixed in: 9.206 ID20050 9.000 gzip deflate compression not working with WAF ------------------------------------------------------------------------ Description: When using a backend webserver with gzip deflate compression, the WAF delivers the content uncompressed to a requesting client (browser). Workaround: N/A Fixed in: 9.091 ID16010 9.000 Microsoft Sharepoint / NTLM Authentication doesn't work over WAF ------------------------------------------------------------------------ Description: WAF is not able to use NTLM authentication. Also not for WAF protected Microsoft Sharepoint server. Workaround: To use WAF protected Microsoft Sharepoint, enable Basic Authentication in the Microsoft Sharepoint configuration. Fixed in: ID15971 9.050 WAF Firewall profile: mode 'drop' does the same like mode 'reject' ------------------------------------------------------------------------ Description: Web Application Security profile mode 'drop' does the same like mode 'reject'. Workaround: Fixed in: ID15089 9.000 Support for Outlook Anywhere via the Webapplication Firewall ------------------------------------------------------------------------ Description: Workaround: Fixed in: 9.080 Closed Issues - Web Security ======================================================================== ID31878 9.200 Default exception for chrome updater/installer [9.2] ------------------------------------------------------------------------ Description: Chrome updater and installer triggered from internal clients will cause that the HTTP proxy is running on 100% CPU load, because the proxy is in a download loop. Workaround: Add an exception to skip Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / SSL scanning / Certificate Trust Check / Certificate Date Check for these URLs: ^http:\/\/[A-Za-z0-9.-]+\.google.com\/.*_chrome_installer\.exe ^http:\/\/[A-Za-z0-9.-]+\.google.com\/.*_chrome_updater\.exe Fixed in: 9.204 ID31236 9.109 'Force caching for Sophos Endpoint updates' still doesn't work correctly everytime ------------------------------------------------------------------------ Description: If the HTTP proxy has caching enabled, Sophos Endpoints sometimes don't see any signature updates. When they try to fetch updates, they see an outdated signature and believe they are up to date, even if newer signatures are available. Enabling the checkbox "Force caching for Sophos Endpoint updates" has no effect. Workaround: As a work around please create an exception to skip Caching that matches this URL: ^https?://[A-Za-z0-9.-]+\.sophosupd\.com/update/catalogue/ and hit the 'Clear Cache' button once. Fixed in: 9.202 ID26192 9.101 Since 9.101 Web Filter uses excessive amounts of CPU ------------------------------------------------------------------------ Description: There is a regression in Web Filter in 9.101 which can lead to excessive CPU usage by the proxy if RTMP traffic is filtered. Workaround: Fixed in: 9.102 ID24445 9.005 Windows Live-ID Sign In assistant breaks Kerberos authentication ------------------------------------------------------------------------ Description: If Windows Live ID Sign In assistant is installed on Windows workstations Kerberos authentication (AD SSO) will fail on this client for HTTP proxy in AD SSO mode. HTTP proxy reports the following error in the logfile: ...function="adir_auth_process_negotiate" file="auth_adir.c" line="1076" message="gss_accept_sec_context: An unsupported mechanism was requestedNo error" Workaround: Uninstall Windows Live ID Sign In assistant Fixed in: 9.202 ID23295 9.055 Safe search does not work for Yahoo search engine ------------------------------------------------------------------------ Description: The 'Safe Search' feature doesn't work for the Yahoo! search engine Workaround: Fixed in: 9.108 ID21950 9.000 IPv6 to IPv4 fallback does not work for SSL connections in mode standard ------------------------------------------------------------------------ Description: When you use the HTTP proxy in mode standard, the automatic fallback from IPv6 to IPv4 does not work for an SSL connection. If the destination web server is not reachable via IPv6, the HTTP proxy is then not able to establish a connection. Workaround: Depending on your setup there are multiple workarounds for this problem. You can either: -disable IPv6 on the ASG -add a DNS static entry for every affected site with only an IPv4 record -use HTTP proxy transparent mode instead Fixed in: 9.090 ID21944 9.000 Requesting an unreachable IPv6 address leads to an endless loop in the http proxy ------------------------------------------------------------------------ Description: A bug in the http proxy might lead to a slightly increased permanent resource usage (CPU, Memory) for every failed IPv6 connection. Workaround: Either disable IPv6 or manually restart the http proxy once you notice a noticeable drop in performance. Fixed in: 9.001 ID21928 9.000 SSL certificate exceptions do not work for urls with an IPv6 literal as hostname ------------------------------------------------------------------------ Description: SSL certificate exceptions do not work for urls with an IPv6 literal as hostname Creating an exception from the proxy 'Untrusted Website' error page fails if the URL contains an IPv6 address - while 'Add exception for this URL' is intended to create the proper exception in confd, this has no discernible effect. The reason is, that the square brackets in the exception are not escaped, so the exception matches a character class that does contain the square brackets. In order to fix this, the square brackets needs to be escaped by a backslash. Workaround: Fixed in: 9.055 ID21907 9.000 Yahoo mobile SafeSearch can be disabled on Homepage ------------------------------------------------------------------------ Description: You can disable Yahoo SafeSearch on Homepage if it is enable in Webadmin. Workaround: Fixed in: ID21785 9.000 Transparent Authentication does not work for IPv6 when SSL scanning is active ------------------------------------------------------------------------ Description: The transparent Authentication doesn't work for IPv6 when SSL scanning is active. Workaround: Fixed in: 9.005 ID21784 9.000 AD SSO doesn't work if username equals domain name and domain is not explicitly specified ------------------------------------------------------------------------ Description: The AD SSO doesn't work if the username is the domain name and the domain is not exactly right For example: AD SSO setup: domain "TEST" and with username "test" = the user have to change his username as "TEST\test",otherwise AD SSO doesn't work. Workaround: Fixed in: ID20840 9.000 Endpoint Protection cannot remove McAffee ------------------------------------------------------------------------ Description: Endpoint Protection is not able to remove old McAffee Central Security. Here you can see the error message during the installation: 17.03.2012,09:16:52,Information,Starting the install sequence., 17.03.2012,09:16:52,Information,Searching for third-party security software., 17.03.2012,09:16:57,Information,Return Code !d! from third-party security software removal tool., 17.03.2012,09:16:57,ERROR,Cancelled removal of third-party security software and installation of Sophos software. The software being removed may include a firewall or other component that is not being replaced. Make sure the package you are installing provides equivalent protection to the package being removed., 17.03.2012,09:28:57,Information,------------------ Installation program finishing with code 117 ------------------, Workaround: Fixed in: ID20778 9.000 Content blocked page, URL too long/wrapped ------------------------------------------------------------------------ Description: Content blocked page because of URL is too long and outside the margin. Workaround: Fixed in: ID20589 9.000 Quarantine Magic: SAV reports quarantined item - yet it's empty ------------------------------------------------------------------------ Description: Endpoint moved virus to quarentine - yet it is empty and shows nothing into the quarentine Workaround: Fixed in: ID19479 9.000 user-/group mapping does not work with identical user names in different domains ------------------------------------------------------------------------ Description: Web Filter stores the name and the corresponding SID for Active Directory user/groups in local SID cache. If users/groups in different Active Directory domains do have identical names, it won't be possible to differentiate between these objects. Web Filter does always return the first resolved SID/name for an Active Directory object. Workaround: Rename the affected users/groups. Fixed in: 9.160 ID18601 9.000 Checkbox 'Mime blocking inspects HTTP body' enabled does not work when Antivirus scanning is disabled ------------------------------------------------------------------------ Description: When AV scanning has been disabled, FTP downloads are always recognised as content-type="application/octet-stream", even when 'MIME blocking inspects HTTP body' is enabled. Workaround: Activating Antivirus scanning again fixes the issue. Fixed in: 9.065 ID16186 9.000 HTTP-Proxy: Single time event doesn't work correctly ------------------------------------------------------------------------ Description: 'Single time events' within the HTTP Proxy configuration doesn't work correctly. Cause of an issue with the daylight-saving, for example from 14.00 til 14.30 actually matches during 15:00-15:30. Workaround: Always increase the START TIME and END TIME about one additional hour. Fixed in: Closed Issues - Wireless Security ======================================================================== ID30320 9.192 WiFi: Client list lacks some data for clients not seen for a long time ------------------------------------------------------------------------ Description: The WiFi client list displays some "unknown" values for old clients (clients that haven't been seen for quite some time). Workaround: Fixed in: 9.204 ID25730 9.100 Wifi [AP50] mesh: space in mesh_id leads to a reboot loop ------------------------------------------------------------------------ Description: Workaround: Don't use spaces in Mesh IDs Fixed in: 9.101 ID22962 9.004 [WIFI] License downgrade may lead to confusing results ------------------------------------------------------------------------ Description: If you have the UTM100 license you can only work with one access point with two SSID's. In the WebAdmin you can configure more than the one allowed. If you have more than the allowed access points and wireless networks, only the first allowed Access Points will broadcast their associated wireless networks. Workaround: Delete all SSID's you don't want to use, except 1 or 2 Fixed in: ID22611 9.002 Access Points section is completely missing in spanish Webadmin ------------------------------------------------------------------------ Description: In spanish Webadmin the whole Access Point section is completely missing and you're not able to accept/configure APs. Workaround: Fixed in: 9.004 ID22563 9.003 WiFi [ASG]: SSID based reporting graphs are reset after update to 9.003 ------------------------------------------------------------------------ Description: All wireless reporting graphs will be reset when updating to 9.003, because from 9.003 the SSID based reporting is devided in two graphs. It isn't possible to display it in a single one anymore. Workaround: Fixed in: ID22521 9.001 Missing polish characters in Vouchers ------------------------------------------------------------------------ Description: Special characters of polish language are missing within the Hotspot Voucher text. Workaround: Contact the Support Team to get a hotfix. Fixed in: 9.090