Category Archives: Sophos UTM

Sophos UTM – How To Create And Import Users

This article explains how to create new users or import existing users into the Sophos UTM.

These users can then authenticate on the UTM for key services such as Client Authentication, Web Filter, End-User Portal, SMTP Proxy, Hotspot, and STAS.

Manually create users

    1. Navigate to Definitions & Users > Users & Groups.
    2. Click on + New User.
    3. Fill out the basic information for the account, as shown in the image below.

Create users automatically

Administrators may choose to have user objects created automatically when a user first authenticates through the UTM with one of the supported backend authentication methods.

    1. Navigate to the Definitions & Users > Authentication Services > Global Settings tab.
    2. Under the Automatic User Creation heading, check the tick-box beside Create users automatically, then click Apply.
    3. Under Automatic User Creation for Facilities, choose which system services newly created users will automatically be added to. If a user is not added to a facility during creation, they can be added manually later.
    4. Click Apply after checking the tick-box next to each facility.

Note: For any user object to be created, the user will need to log in through the UTM with one of the supported services. Servers can be added at Definitions & Users > Authentication Services > Servers tab. Users authenticated with Active Directory Single Sign-On will not be added automatically.

Prefetch users from Active Directory

One of the easiest ways to import users is to prefetch individual users or groups from Active Directory.

    1. Navigate to Definitions & Users > Authentication Services > Advanced.
    2. Scroll down to the Prefetch Directory Users heading.
    3. At the Server option, click on the drop-down menu and select the Active Directory Domain Controller.

    Note: If the server has not been added, you will need to navigate to Definitions & Users > Authentication Services and go to the Servers tab.

    4. Select a prefetch day and time if the process is to be automated. Alternatively, administrators may choose to only prefetch manually with the Prefetch Now button at the bottom.
    5. Under the Groups title, click on the folder icon and select the AD users or groups to prefetch.

    Note: Do NOT use Domain Users, as this group will not prefetch correctly. If necessary, make a group named UTM Users and put only the users who need access to UTM facilities in that group.

    6. Click on Apply.
    7. The users will now be prefetched. View the live log to watch them as they are imported, or just wait and check the list at Users & Groups > Users.

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Sophos SUM Up2Date 4.308 Released

Sophos have released SUM Up2date 4.308, the SUM will need to be rebooted during the install process.

As per the standard update procedure, this update can be installed from the “Up2date” section on the Sophos UTM SUM.

Sophos UTM SUM Update Version 4.308

Bugfixes

  • NSU-192 – [accd] Missing validation for URL Filtering Categories on empty Sub-Categories
  • NSU-270 – [gateway manager] Import of file extensions for a filter action fails on SUM


Sophos UTM Blacklist Removal

You may have an issue where, for example, you have a website published on your Sophos UTM but certain users are unable to connect to it. This may be because the client IP address is on a Sophos UTM blacklist.

To check this, look at reverseproxy.log from the command line or at the Web Application Firewall log directly in the UTM GUI.

If the client is being blocked, you will see authz_blacklist:warn in the log, together with the list it is blocked on, for example DNSRBL black.rbl.ctipd.astaro.local.

Sophos UTMs use Cyren as their blacklist provider.

If the client shows as blocked in the logs, check its IP address on the Cyren website, where it will probably show as suspect:

http://www.cyren.com/security-center/ip-reputation-check

If so, there should be an option on that page to request the removal of your IP address. This usually takes a few hours to apply, and once applied on the website it may take an hour or so to update on the UTM.
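As an added example (not from the original post), the following Python script summarises which client IPs the WAF is rejecting and on which list, by reading reverseproxy.log lines that carry authz_blacklist:warn. The sample log lines are constructed and their exact field layout is an assumption; the script relies only on the authz_blacklist:warn marker, the [client ip:port] field and the list name, which are what the post says appears in the log.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines in the style of reverseproxy.log. The field layout is
# an assumption; only the authz_blacklist:warn marker, the [client ip:port]
# field and the blacklist name are relied on.
SAMPLE_LOG = """\
2018:03:12-09:14:01 utm reverseproxy: [authz_blacklist:warn] [pid 4321:tid 140] [client 198.51.100.23:51234] blocked by blacklist: DNSRBL black.rbl.ctipd.astaro.local
2018:03:12-09:14:05 utm reverseproxy: [core:info] [pid 4321:tid 141] [client 203.0.113.7:40012] request allowed
2018:03:12-09:15:30 utm reverseproxy: [authz_blacklist:warn] [pid 4321:tid 142] [client 198.51.100.23:51240] blocked by blacklist: DNSRBL black.rbl.ctipd.astaro.local
2018:03:12-09:16:02 utm reverseproxy: [authz_blacklist:warn] [pid 4321:tid 143] [client 192.0.2.77:33001] blocked by blacklist: DNSRBL black.rbl.ctipd.astaro.local
"""

# Match only blacklist rejections; capture the client IPv4 (port optional)
# and the two-token list name, e.g. "DNSRBL black.rbl.ctipd.astaro.local".
BLACKLIST_RE = re.compile(
    r"\[authz_blacklist:warn\].*?"
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\].*?"
    r"blocked by blacklist: (?P<list>\S+ \S+)"
)


def blacklisted_clients(log_text):
    """Map each rejected client IP to {blacklist name: number of rejected requests}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = BLACKLIST_RE.search(line)
        if m:
            hits[m["ip"]][m["list"]] += 1
    return {ip: dict(lists) for ip, lists in hits.items()}


def report(hits):
    """One sorted line per (client, list): the IPs to look up on the provider's reputation page."""
    return [
        f"{ip}: {count} request(s) rejected by {name}"
        for ip in sorted(hits)
        for name, count in sorted(hits[ip].items())
    ]


if __name__ == "__main__":
    # Pass the path to reverseproxy.log to analyse a real file; otherwise the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(blacklisted_clients(text)):
        print(line)
```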

Sophos UTM 9.509 Released

Sophos have released UTM 9.509. The release will be rolled out in phases. In phase 1 you can download the update package from the FTP server, in phase 2 it will be spread via the Up2Date servers.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted

Bugfixes

  • NUTM-9619 [Email] CVE-2018-6789: buffer overflow in base64d function in SMTP listener
  • NUTM-9698 [Network] After upgrade to 9.508 in VPC IPsec BGP status shows “state error”
  • NUTM-9713 [Network] BGP not advertising network to all neighbors


Sophos UTM 9.508 Released

Sophos have released UTM 9.508. The release will be rolled out in phases. In phase 1 you can download the update package from the FTP server, in phase 2 it will be spread via the Up2Date servers.

Note: When installing the update packages manually, please make sure to upload both update packages 9.507 and 9.508.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected APs will perform firmware upgrade

Bugfixes

  • NUTM-8739 [Access & Identity] Argos segfault and coredump after update to v9.502
  • NUTM-9164 [Access & Identity] SSLVPN installation packages fail to copy user profile during installation
  • NUTM-9344 [Access & Identity] All users are locked when a lockout policy via GPO was set
  • NUTM-9047 [Basesystem] VLAN interface on the bridge doesn’t come up when slave becomes the master
  • NUTM-9296 [Configuration Management] Report Auditor is unable to open the dashboard in UTM
  • NUTM-9397 [Configuration Management] Log Remote Archiving via SCP fails when used with OpenSSH >= 7.0
  • NUTM-9497 [Documentation] ATP – Invalid status display on Webadmin for Japanese, Russian, Spanish language
  • NUTM-4174 [Email] POP3 spool cleanup does not work
  • NUTM-8794 [Email] Wrong MIME Type detection
  • NUTM-8937 [Email] Upgrade SMIME
  • NUTM-9046 [Email] SPX binary error with Office365
  • NUTM-9098 [Email] Mail stuck in work queue
  • NUTM-9252 [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963
  • NUTM-9259 [Email] POP3 Proxy coredump in “libc_start_main”
  • NUTM-9337 [Email] Selecting an AD Server for AD Recipient Verification in SMTP isn’t possible after update to v9.506
  • NUTM-9382 [Email] WebAdmin user not able to disable the “Recipient Verification” in SMTP Routing
  • NUTM-9303 [HA/Cluster] HA “max_nodes” option set to 3 causes named to fail to start
  • NUTM-9405 [HA/Cluster] Interface MAC addresses shouldn’t get replicated on slave node if virtual_mac is set to 0
  • NUTM-3497 [Network] BGP soft-reconfiguration not working
  • NUTM-8118 [Network] After upgrading to 9.500 “Service Monitor not running – restarted” notifications being received
  • NUTM-8432 [Network] Local Privilege Escalation via confd Service
  • NUTM-8604 [Network] Changing a bridge IP address causes bridge to go down when using vlans
  • NUTM-8887 [Network] DNS group objects don’t delete old IP addresses
  • NUTM-9064 [Network] Network monitoring daemon constantly restarts since upgrade to 9.503
  • NUTM-9177 [Network] Disabled static routes are being put into the routing table
  • NUTM-9465 [Network] Wrong/Old IPv6 Tunnel Broker URLs in Webadmin
  • NUTM-8759 [Sandboxd] Add support for Sandstorm’s Asia data centre
  • NUTM-9006 [UI Framework] Not possible to download different SSLVPN User Profiles in one Firefox session
  • NUTM-6955 [WebAdmin] Error text appears in dialog when trying to view user object usage
  • NUTM-8567 [WebAdmin] Update to ImageMagick-7.0.7-11
  • NUTM-9116 [WebAdmin] Object information can’t be displayed for specific objects
  • NUTM-9128 [WebAdmin] PCI Scan failing on UserPortal due to missing HSTS and CSP
  • NUTM-9430 [WebAdmin] Issue with X-Content-Type-Options header presented by UTM
  • NUTM-7201 [Web] HTTP Proxy connections hang in CLOSE_WAIT state
  • NUTM-8638 [Web] Add group visibility in log with unlimited AD groups
  • NUTM-8746 [Web] After changing group membership, old one is still available from winbind
  • NUTM-8886 [Web] TLS Input/output error when connecting to web site
  • NUTM-9113 [Web] HTTP Proxy coredump on 9.505
  • NUTM-9166 [Web] HTTP Proxy coredump on function deny_ntlm_auth
  • NUTM-9332 [Web] DNSExpire coredump causes slow browsing
  • NUTM-9416 [Web] HTTP Proxy coredump on 9.506 with signal SIGFPE Arithmetic Exception
  • NUTM-3127 [Wireless] AP55/100 connection issues – disconnected due to excessive missing ACKs
  • NUTM-6640 [Wireless] Fix visibility of Fast Transition option in different security modes
  • NUTM-7013 [Wireless] Frequent disconnects on guest wifi network after >1 week
  • NUTM-8243 [Wireless] Update dropbear SSH Server to fix CVE-2016-7409, CVE-2016-7408, CVE-2016-7407, CVE-2016-7406
  • NUTM-8299 [Wireless] UTM stops broadcasting SSIDs for the built-in wireless after upgrade to 9.5
  • NUTM-8781 [Wireless] W-appliance – wireless network connection issue with Bridge to AP LAN
  • NUTM-8827 [Wireless] Internal wireless not broadcasting SSID after updating to 9.503
  • NUTM-8832 [Wireless] Integrated wireless adapter can be deleted
  • NUTM-8930 [Wireless] Unable to see the SSID and connect to local wifi on 2.4 Ghz band
  • NUTM-8940 [Wireless] kernel: [ xxxx.xxxxx] CPU: 0 PID: 13902 Comm: iw Tainted: G W O 3.12.74-0.265397234.g263c982.rb6-smp64 #1
  • NUTM-8945 [Wireless] SG115w SSID not broadcasted since updated to 9.503

Up2Date Information for Wireless Firmware 11.0.003

As part of UTM 9.508, the wireless firmware is updated to 11.0.003.

Bugfixes

  • NUTM-9338 [Wireless] Client is not getting disconnected if MAC address is removed from whitelist

Sophos UTM 9.507 Released

Sophos have released UTM 9.507. The release will be rolled out in phases. In phase 1 you can download the update package from the FTP server, in phase 2 it will be spread via the Up2Date servers.

Up2Date Information

News

  • Maintenance Release for additional hardware support

Remarks

  • System will be rebooted

Bugfixes

  • NUTM-6920 [Basesystem] Support for new SG1xx(w) models
  • NUTM-9174 [WAF] Certificate dropdown is visible for virtual webserver using HTTP

Sophos UTM 9 – Microsoft Office 2016 Updates Are Being Blocked By Web Filtering

To resolve this, add the following entries to your system’s existing Microsoft Windows Update exception:

This can be found under Web Protection > Filtering Options > Exceptions.

officecdn.microsoft.com.edgesuite.net

^([A-Za-z0-9.-]*\.)?windows\.com/ (already added manually)

You can also add the following hosts to the exception for the Microsoft Office 365 bypass:

officecdn.microsoft.com and officecdn.microsoft.com.edgesuite.net
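As an added example (not from the original post), the Python below exercises the exception pattern quoted above, and one built the same way for the two Office CDN hosts, against legitimate and look-alike URLs, showing why the leading anchor and the escaped dots matter when an exception bypasses filtering. It assumes the UTM applies the pattern to the URL with the scheme stripped (host and path); the look-alike URLs are constructed.

```python
import re

# Exception pattern quoted in the post above for Windows Update.
WINDOWS_UPDATE = r"^([A-Za-z0-9.-]*\.)?windows\.com/"
# Pattern built the same way for the two Office CDN hosts named in the post
# (the post lists the host names; this regex form is an assumption).
OFFICE_CDN = r"^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com(\.edgesuite\.net)?/"
# A tempting shortcut: no anchor and an unescaped dot. Shown only to contrast.
LOOSE = r"windows.com"

# Constructed URLs, written as host/path without scheme (assumption: that is
# the form the exception regex is applied to).
LEGITIMATE = [
    "update.windows.com/download/x.cab",
    "windows.com/",
    "officecdn.microsoft.com.edgesuite.net/pr/x.cab",
    "officecdn.microsoft.com/pr/x.cab",
]
LOOKALIKES = [
    "evilwindows.com/",                         # prefix without a dot boundary
    "windows.com.example.net/",                 # trusted name as a subdomain
    "example.net/?x=windows.com/",              # trusted name in the query string
    "windowsXcom/",                             # unescaped dot matches any char
    "officecdn.microsoft.com.attacker.example/pr/x.cab",
]


def matches(pattern, url):
    """True if the exception pattern would fire for this URL."""
    return re.search(pattern, url) is not None


def covered(pattern):
    """Legitimate URLs the exception actually covers."""
    return [u for u in LEGITIMATE if matches(pattern, u)]


def overbroad_matches(pattern):
    """Look-alike URLs the exception would also exempt from filtering."""
    return [u for u in LOOKALIKES if matches(pattern, u)]


if __name__ == "__main__":
    for name, pattern in (("windows", WINDOWS_UPDATE), ("office", OFFICE_CDN), ("loose", LOOSE)):
        print(f"{name}: covers {covered(pattern)}; also exempts {overbroad_matches(pattern)}")
```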

Sophos UTM 9.506 For AWS – Release Notes

Sophos has just released Sophos UTM 9.506 on AWS. They have added several new features specifically designed for customers in AWS. With this release, they have introduced the usage of an AWS Profile for deploying OGW, a new update page in WebAdmin, the reduction of permissions needed for Auto Scaling deployments, and included InSpec for checking the health state of a UTM instance. In addition to that, the failover time for the High Availability deployments has been significantly improved.

AWS Profile for OGW

To increase flexibility when it comes to permissions and roles used by the UTM on AWS Auto Scaling deployment, they have introduced the possibility to attach an AWS Profile to deploy and monitor the Outbound Gateway. This makes it possible for customers to establish privilege separation in their OGW installations. Please see the knowledge base article How to create an AWS profile for automatically deployed OGWs for further details.

Customers already using OGW will also need to follow the KBA to create a new profile and attach it to their existing OGW configuration. Without the profile the OGWs still work as expected and are listed in the WebAdmin, but managing them won’t be possible any longer.

New update page in WebAdmin

Sophos have restructured the update page in WebAdmin for High Availability and Auto Scaling customers. They have learned that most customers use modified templates to deploy the UTM on AWS products. To avoid overwriting those modified templates, they have removed the automated update and instead added details to the page to ease the manual process.

The page now shows the AMI ID, a link to the release notes as well as the option to directly navigate to the current stack in the AWS Management Console. In addition to that, links to the most recent template for the deployment type and the changelog are provided.

If no update is available, the WebAdmin page shows information about the current version as well as the details stated above.

Reduced permissions needed for Auto Scaling deployments

Sophos have listened to the customers who were stating that the permissions needed for the Auto Scaling deployment are too broad and potentially aggressive. Thus, they have further reduced the permissions needed for the Auto Scaling deployments in order to align with the principle of least privilege. Please see the changelog and the updated documentation of the permissions on GitHub for more details.




InSpec on UTM on AWS

In order to make it possible for the customers to verify that the UTM on AWS works as expected, they have introduced InSpec on the UTM on AWS. InSpec is an audit and test framework developed by Chef.

InSpec will be used to check whether:

  • S3 resources are available and accessible.
  • System services are running.
  • Important ports are accessible.
  • PostgreSQL databases exist and contain the correct schema.
  • System configuration files exist.
  • Log files do not contain any severe errors.

The knowledge base article How to use InSpec on the UTM on AWS covers the usage of InSpec as well as how to write custom profiles to extend the solution.

Faster failover for High Availability

Customers relying on the Sophos High Availability deployment will now see a reduced failover time, resulting in lower downtime.

Disable backend pooling for the WAF on Auto Scaling

Sophos have disabled the backend pooling for the Web Application Firewall for the Auto Scaling deployment now by default. This supports scenarios where load balancers with quickly changing DNS entries reside behind the UTM on AWS.

Included issues

  • NUTM-8039 [AWS] Conversion after updating to 9.501 was not possible
  • NUTM-7148 [AWS] Conversion fails due to AWS rate limit exceeded
  • NUTM-7199 [AWS] cloud.sh logs to own log file
  • NUTM-7741 [AWS] Removing password from user data
  • NUTM-7891 [AWS] awslogsd.log is being flooded with log messages
  • NUTM-7896 [AWS] Better Messaging for Conversion Utility
  • NUTM-7979 [AWS] Renaming of “Conversion” to “Conversion Utility”
  • NUTM-7995 [AWS] Decreased failover time for HA
  • NUTM-8041 [AWS] Restore overwrites applied license from license pooling
  • NUTM-8233 [AWS] AWS Profile settings for CloudWatch are overwritten after update
  • NUTM-8388 [AWS] Inspec on UTM on AWS
  • NUTM-8438 [AWS] CloudFormation input can harm basic setup
  • NUTM-8626 [AWS] New update mechanism and page in WebAdmin
  • NUTM-8874 [AWS] dns-resolver stopped working after updating to 9.503 on AWS
  • NUTM-7608 [AWS] Reduction of IAM permissions for Auto Scaling deployments
  • NUTM-8141 [AWS] Disable backend pooling by default within the WAF on Auto Scaling
  • NUTM-8207 [AWS] WAF statistics are inaccurate in Auto Scaling deployment
  • NUTM-8518 [AWS] aws_resource_management is sometimes killed due to timing issue
  • NUTM-8785 [AWS] Authorization token for OGW stated in the template is not validated
  • NUTM-8793 [AWS] aws_egw_stack.log is not uploaded to cloudwatch
  • NUTM-9043 [AWS] Backupd was not started

Sophos UTM 9.506 also includes bug fixes of the following general releases:

You can update to UTM 9.506 by running Up2Date for UTM Standalone, or by updating your CloudFormation stacks for High Availability and Auto Scaling deployments. Sophos ask that you let them know what you think about the new release by posting to their user community forums.

Sophos UTM Up2Date 9.506 Released

Sophos have released Sophos UTM 9.506. The release will be rolled out in phases. In phase 1 you can download the update package via their FTP server, in phase 2 it will be spread via the Up2Date servers.

Note

  • System will be rebooted
  • Connected APs will perform firmware upgrade
  • Connected REDs will perform firmware upgrade

Bugfixes

  • NUTM-8651 [AWS] AWS Permission for “Import Via Amazon Credentials”
  • NUTM-7678 [Access & Identity] Pluto dies with coredump at L2TP connections
  • NUTM-8211 [Access & Identity] SSL VPN connection issue with prefetched AD groups
  • NUTM-8756 [Access & Identity] AUA debug log contains plain text passwords
  • NUTM-8889 [Access & Identity] ESPdump with algorithm GCM does not work
  • NUTM-8912 [Access & Identity] HTML5 VPN: keyboard input not working on Android devices
  • NUTM-7670 [Basesystem] Update to BIND 9.10.6
  • NUTM-8427 [Basesystem] postgres[xxxxx]: [x-x] FATAL:  could not create shared memory segment: No space left on device
  • NUTM-8769 [Basesystem] Small models of SG105 / SG115 / SG125 / SG135 take over 5 minutes to accept network connection
  • NUTM-9063 [Configuration Management] Regenerating the Web Proxy CA breaks all SSL VPN clients
  • NUTM-8313 [Email] POP3 Proxy generate core dumps in versions v9.414 and v9.501
  • NUTM-8509 [Email] Remove 3DES and SHA1 from SMIME
  • NUTM-8645 [Email] MIME Type Detection 9.5
  • NUTM-9061 [Email] User cannot open the SMTP Routing tab
  • NUTM-8419 [Logging] “Search Log Files” has different search result in spite of same time frame
  • NUTM-8783 [Logging] SMBv1 still required for remote logging to a smb share
  • NUTM-8341 [Network] Network monitor core dump
  • NUTM-8685 [Network] Some clients display an “Unknown” vendor on the wireless client list
  • NUTM-8738 [Network] Error messages in fallback log about damaged static routes
  • NUTM-8838 [Network] Watchdog consumes constantly 100% CPU
  • NUTM-7396 [RED] UTM RED kernel log shows “seq invalid” messages
  • NUTM-6968 [REST API] Insert REFs of new objects into single REF node
  • NUTM-7981 [Reporting] WAF-reporter logs irrelevant information
  • NUTM-8359 [Reporting] SMTP log on Mail Manager is empty after upgrading postgres to 64bit
  • NUTM-7802 [Sandboxd] If using a ‘ character in the email address, postgres is not able to insert this to the TransactionLog (Sandbox)
  • NUTM-8715 [UI Framework] Unable to access “Manage Computers” page
  • NUTM-8061 [WAF] WAF still reporting virus found when AV engine on the UTM is updating
  • NUTM-8751 [WAF] Newly created web server listens on the slave node instead of the master node
  • NUTM-8806 [WAF] Issue with TLS settings for virtual webserver
  • NUTM-8861 [WAF] Leftover of shm files cause a WAF restart loop
  • NUTM-5964 [WebAdmin] Support Access: WebAdmin not properly displayed after login via APU
  • NUTM-8512 [WebAdmin] Can’t use string (“0”) as a HASH ref while “strict refs” in use at /wfe/asg/modules/asg_ca.pm line 1105
  • NUTM-8571 [WebAdmin] User with only “Report Auditor” rights receives strict refs error after login into WebAdmin
  • NUTM-8807 [WebAdmin] External link to Sophos UTM Knowledge Base is not correct
  • NUTM-8871 [WebAdmin] Year of Single Time Events cannot be later than 2019
  • NUTM-7994 [Web] Customized templates do not allow to accept quota and access site
  • NUTM-8037 [Web] HA: Low disk space alert from slave
  • NUTM-8107 [Web] CONFD.PLX is taking high CPU load
  • NUTM-8502 [Web] HTTP Proxy coredumps with CentralFreeList in v9.413
  • NUTM-8687 [Web] Segfault and coredump from HTTP proxy
  • NUTM-8691 [Web] Certificate error on accessing sites with https scanning enabled
  • NUTM-8752 [Web] NTLM Issue with AD SSO in Transparent Mode
  • NUTM-8771 [Web] Wrong country showing up in Web proxy requests
  • NUTM-8826 [Web] Teamviewer via Standard Mode with AD-SSO not possible since v9.502
  • NUTM-8834 [Web] iOS11 user agent string is not detected as iOS
  • NUTM-8849 [Web] Can’t download Traveler_90119_Win.zip with HTTP proxy in Transparent Mode
  • NUTM-3129 [Wireless] SG125w failed to create interface wifi0: -23 (Too many open files in system)
  • NUTM-4720 [Wireless] Issues with 2.4 GHz channel 12 and 13 / inconsistent channel availability / AWE_DEVICE_CHANNEL_INVALID
  • NUTM-8288 [Wireless] Roaming issues with iPhone7 and RADIUS authentication
  • NUTM-8391 [Wireless] AP55C/AP100X disconnecting from UTM repeatedly

Sophos UTM Up2Date 9.415 Released

Sophos has today released UTM 9.415. The release will be rolled out in phases.

In phase 1 you can download the update package from the FTP server, in phase 2 it will spread via the Sophos Up2Date servers.

Remarks

  • System will be rebooted
  • Connected APs will perform firmware upgrade

Bugfixes

  • NUTM-8987 [Basesystem] System doesn’t boot if PostgreSQL database cannot start – UTM 9.4
  • NUTM-9021 [Wireless] WPA2 KRACK vulnerability fixes (Sophos details here)

Updates – http://download.astaro.com/UTM/v9/up2date/
