Sophos Up2date



Important Notes

Simulating an Up2Date install is useful for determining why an update is failing. The output goes to the standard /var/log/up2date.log file; for an individual test, redirecting the output to a separate file makes examination easier.

This article describes how to upgrade your UTM via the automatic Up2Date system. Applies to the following Sophos products and versions: Not product specific.

Note: This procedure may require a reboot. If so, it will indicate this prior to updating.

The Up2Date installer is used to install both system and pattern Up2Dates. By default it installs all available Up2Date packages first and records whether a restart of the UTM is required. If a restart is required, it is scheduled until the last available Up2Date package has been installed successfully.

The initial UTM 9.703 release was pulled back. More information and RCA can be found in the KBA at: https://community.sophos.com/kb/en-us/135383.

The code change for “NUTM-11173 [Basesystem] IPsec doesn’t re-connect on DHCP interface after firmware upgrade” has been reverted, and a new version of UTM 9.703 is available on the Sophos download server.

There are two update packages available:

  • One for users who are still on UTM 9.702 (u2d-sys-9.702001-703003.tgz.gpg), and
  • One for users who have already updated to 9.703-2 (u2d-sys-9.703002-703003.tgz.gpg).

Both updates will be available via the Sophos Up2Date servers later.


Up2Date Information

News

  • Maintenance Release

Remarks


  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade


Issues Resolved

  • NUTM-9381 [Access & Identity] WebAdmin user getting an error while browsing ‘Sophos Transparent Authentication Status’ tab
  • NUTM-11258 [Access & Identity] [SAA] Wrong version of SAA displayed in Windows with MSI installer
  • NUTM-11578 [Access & Identity] Patch strongSwan (CVE-2019-10155)
  • NUTM-11589 [Access & Identity] [SAA] Add TLS 1.2 support for Windows client
  • NUTM-11590 [Access & Identity] [SAA] Add TLS 1.2 support for macOS client
  • NUTM-11675 [Access & Identity] Patch PPTP and L2TP pppd (CVE-2020-8597)
  • NUTM-11109 [Basesystem] Status lights blinking green constantly on SG 1xx and XG 1xx series
  • NUTM-11255 [Basesystem] Fix “Internet IPv6” binding in case of multiple IPv6 uplinks
  • NUTM-11417 [Basesystem] SG115rev3 HA eth3 interface flapping after update to 9.7
  • NUTM-11645 [Basesystem] Patch libxml2 (CVE-2019-19956, CVE-2020-7595)
  • NUTM-11561 [Configuration Management] Unable to load certificate list in WebAdmin when large number of certificates present
  • NUTM-10803 [Email] S/MIME signed mails have an invalid signature if 3rd party CA is used
  • NUTM-11240 [Email] Recipient verification fails due to incomplete LDAP search query
  • NUTM-11662 [Email] Bad request for release mails out of the quarantine report after update to 9.7 MR1
  • NUTM-11485 [Kernel] Patch Linux Kernel (CVE-2019-18198)
  • NUTM-11288 [Localization] AWS Current Stack link is incorrect
  • NUTM-11081 [Network] Up-link balancing not clearing conntracks when interface goes down
  • NUTM-11218 [Network] ulogd restarting/core-dumps
  • NUTM-11614 [Network] Increase GARP buffer
  • NUTM-11676 [Network] Patch pppd (CVE-2020-8597)
  • NUTM-11573 [RED] RED interface doesn’t obtain IP after UTM reboot
  • NUTM-11467 [RED_Firmware] RED15w WPA/WPA2 enterprise cannot connect
  • NUTM-11822 [RED_Firmware] RED15 firmware update might fail if flash has bad blocks
  • NUTM-11378 [Reporting] Top5 Malware won’t be displayed in Executive Reports if those are sent as PDF
  • NUTM-11220 [Sandstorm] When opening Sandstorm activity which contains Korean characters for example, you get this error “cannot decode string with wide characters at encode.pm line 174”
  • NUTM-10202 [UI Framework] [SAA] Live user table doesn’t scale with very long names
  • NUTM-11084 [UI Framework] Webadmin Information popup not visible
  • NUTM-11191 [UI Framework] Can’t download certificate in WebAdmin when name contains apostrophe
  • NUTM-11584 [UI Framework] Replace FTP Up2date download link in WebAdmin with HTTPs
  • NUTM-11598 [UI Framework] Internal Server Error alert thrown with initial Webadmin request after installation
  • NUTM-11725 [UI Framework] Update prototype
  • NUTM-11130 [Web] Add configuration for savi_scan_timeout
  • NUTM-11346 [Web] Warn page proceed fails due to missing parameters
  • NUTM-10269 [Wireless] SSID stops broadcasting
  • NUTM-11581 [Wireless] User with “Wireless Protection Manager” rights is unable to change wireless settings if mesh is configured

Related Posts

Having had mixed results with the Sophos XG, and having hardware that just can’t keep up with the latest updates for it, I’ve reverted back to the Sophos UTM9. This still plays nicely with my PIA VPN setup, whereby a pfSense router is placed in front of a UTM interface to anonymise traffic; however, I do miss the highly granular way policy based routing could be done in the Sophos XG.

For example, in the XG it is possible for each ACL rule to define a gateway and failover gateway as well as NAT’ing policies.

Within the UTM9 I’ve had to create ACL rules, NAT rules and Policy Routes separately – no big deal but it certainly needs more clicking around and isn’t as clear how the Policy Routes would handle an interface down situation – will it stall on the rule or move to the next valid rule for that traffic?


Anyway – after setting everything up I was quickly able to get traffic flowing outbound through the pfSense gateway as well as out through the Virgin Media router direct, depending on the traffic type. Likewise, getting my PRTG server published outbound was a doddle using Webserver Protection. However, try as I might, I was not able to update the UTM via the Up2Date process.

2018:02:19-00:00:14 utm9 audld[12540]: no HA system or cluster node
2018:02:19-00:00:14 utm9 audld[12540]: Starting Up2Date Package Downloader
2018:02:19-00:00:24 utm9 audld[12540]: patch up2date possible
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 79.125.21.244 (status=500 Can’t connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 107.21.214.248 (status=500 Can’t connect to 107.21.214.248:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 54.214.16.252 (status=500 Can’t connect to 54.214.16.252:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 175.41.132.12 (status=500 Can’t connect to 175.41.132.12:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 79.125.21.244 (code=500 500 Can’t connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 107.21.214.248 (code=500 500 Can’t connect to 107.21.214.248:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 54.214.16.252 (code=500 500 Can’t connect to 54.214.16.252:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 175.41.132.12 (code=500 500 Can’t connect to 175.41.132.12:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: >
2018:02:19-00:00:27 utm9 audld[12540]: All 4 Authentication Servers failed
2018:02:19-00:00:27 utm9 audld[12540]:
2018:02:19-00:00:27 utm9 audld[12540]: 1. Modules::Logging::msg:46() /</sbin/audld.plx>Modules/Logging.pm
2018:02:19-00:00:27 utm9 audld[12540]: 2. Modules::Audld::Authentication::_handle_failure:235() /</sbin/audld.plx>Modules/Audld/Authentication.pm
2018:02:19-00:00:27 utm9 audld[12540]: 3. Modules::Audld::Authentication::start:66() /</sbin/audld.plx>Modules/Audld/Authentication.pm
2018:02:19-00:00:27 utm9 audld[12540]: 4. main::main:174() audld.pl
2018:02:19-00:00:27 utm9 audld[12540]: 5. main::top-level:40() audld.pl
2018:02:19-00:00:27 utm9 audld[12540]: |
2018:02:19-00:00:27 utm9 audld[12540]: id=”3703″ severity=”error” sys=”system” sub=”up2date” name=”Authentication failed, no valid answer from Authentication Servers”


Strangely, I could connect fine to the addresses in the log, such as https://175.41.132.12:443; I could ping them and resolve DNS records such as v8up2date3.astaro.com, all from my PC behind the UTM. After messing about for a couple of hours reviewing logs and forum posts and trying various changes, including removing all policy routing and going straight out via a non-VPN’d route, I finally found the root cause… the UTM does not follow the rules of Policy Routes!

I’d set up routes to 192.168.0.1 (VMRouter) and 192.168.10.1 (pfSense) for administration of those routers, with HTTP(S) and ICMP to go via the VPN’d pfSense route.


So while I had no default gateway as such on the interfaces, I had instead set up a catch-all policy route which sent all traffic not hitting an above rule via the non-VPN’d gateway. Unfortunately the UTM doesn’t follow this and absolutely requires a tick box against “IPv4 default GW” in the interface.


After ticking this the updates flowed in 🙂
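The audld log excerpt above is the kind of thing you end up reading at 2 a.m.; the useful facts in it (which Up2Date servers were tried, why each failed, how many authentication servers failed, and the closing id=3703 notification) are buried in twenty near-identical lines. The following script is an added example, not code from Sophos or from the original post: it parses /var/log/up2date.log-style lines, pulls those facts out, and maps the "Network is unreachable" pattern to the root cause the post identified (no IPv4 default GW on the interface, because policy routes are not applied to the UTM's own outbound traffic). The sample log embedded below is the excerpt from the post with the first line's year repaired and the curly quotes on the id= line replaced by straight ones; the regexes accept both quote styles. The function names, the summary structure and the diagnosis text are this example's own.

```python
import re

# Sample input: the audld[] lines quoted in the post above, embedded here so the
# script runs offline (a constructed copy, straight quotes instead of the page's curly ones).
SAMPLE_LOG = """\
2018:02:19-00:00:14 utm9 audld[12540]: no HA system or cluster node
2018:02:19-00:00:14 utm9 audld[12540]: Starting Up2Date Package Downloader
2018:02:19-00:00:24 utm9 audld[12540]: patch up2date possible
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 79.125.21.244 (status=500 Can't connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 107.21.214.248 (status=500 Can't connect to 107.21.214.248:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 54.214.16.252 (status=500 Can't connect to 54.214.16.252:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 175.41.132.12 (status=500 Can't connect to 175.41.132.12:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 79.125.21.244 (code=500 500 Can't connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 107.21.214.248 (code=500 500 Can't connect to 107.21.214.248:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 54.214.16.252 (code=500 500 Can't connect to 54.214.16.252:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 175.41.132.12 (code=500 500 Can't connect to 175.41.132.12:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: >
2018:02:19-00:00:27 utm9 audld[12540]: All 4 Authentication Servers failed
2018:02:19-00:00:27 utm9 audld[12540]:
2018:02:19-00:00:27 utm9 audld[12540]: 1. Modules::Logging::msg:46() /</sbin/audld.plx>Modules/Logging.pm
2018:02:19-00:00:27 utm9 audld[12540]: 4. main::main:174() audld.pl
2018:02:19-00:00:27 utm9 audld[12540]: |
2018:02:19-00:00:27 utm9 audld[12540]: id="3703" severity="error" sys="system" sub="up2date" name="Authentication failed, no valid answer from Authentication Servers"
"""

# One log line: "YYYY:MM:DD-HH:MM:SS host proc[pid]: message" (message may be empty).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>\w+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$'
)
# Download server vs authentication server attempts differ only in the role word
# and in whether the code is prefixed "status=" or "code=".
CONNECT_RE = re.compile(
    r'Could not connect to (?P<role>Authentication Server|Server) '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?:status|code)=(?P<status>\d+)'
)
# The innermost parenthesised text is the OS-level reason, e.g. "Network is unreachable".
REASON_RE = re.compile(r'\((?P<reason>[^()]+)\)\)')
ALL_FAILED_RE = re.compile(r'All (?P<n>\d+) Authentication Servers failed')
# key="value" pairs of the closing notification; accepts straight and curly quotes.
QUOTES = '"\u201c\u201d\u2033'
KV_RE = re.compile(r'(\w+)=[%s]([^%s]*)[%s]' % (QUOTES, QUOTES, QUOTES))


def parse_line(line):
    """Split one line into its fields, or return None if it is not in audld format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Condense one audld run into the facts an admin actually needs."""
    summary = {
        "unreachable": {},          # ip -> set of roles it was tried as
        "reasons": set(),           # distinct OS-level failure reasons
        "auth_servers_failed": None,
        "final_event": {},          # fields of the closing id=... notification
    }
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["proc"] != "audld":
            continue
        msg = ev["msg"]
        m = CONNECT_RE.search(msg)
        if m:
            summary["unreachable"].setdefault(m["ip"], set()).add(m["role"])
            r = REASON_RE.search(msg)
            if r:
                summary["reasons"].add(r["reason"])
            continue
        m = ALL_FAILED_RE.search(msg)
        if m:
            summary["auth_servers_failed"] = int(m["n"])
            continue
        kv = dict(KV_RE.findall(msg))
        if "id" in kv:
            summary["final_event"] = kv
    return summary


def diagnose(summary):
    """Turn the summary into a one-line hint, following the post's finding."""
    if not summary["unreachable"]:
        return "no connection failures found"
    if summary["reasons"] == {"Network is unreachable"}:
        return ("the UTM itself has no route to any Up2Date server: check the "
                "IPv4 default GW tick box on the uplink interface (policy routes "
                "are not applied to the UTM's own traffic)")
    return "Up2Date servers unreachable: " + ", ".join(sorted(summary["reasons"]))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, roles in sorted(s["unreachable"].items()):
        print(f"{ip:16} tried as {', '.join(sorted(roles))}")
    print("authentication servers failed:", s["auth_servers_failed"])
    print("final event:", s["final_event"].get("id"), s["final_event"].get("name"))
    print("diagnosis:", diagnose(s))
```

To use it against a real appliance, feed the contents of /var/log/up2date.log (or the file you redirected a single simulated run into) to summarize() instead of SAMPLE_LOG; a run in which every server fails with the same "Network is unreachable" reason while the same addresses are reachable from a client behind the UTM points at the appliance's own routing rather than at the Up2Date servers.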