Sophos Utm Up2date



Sophos UTM (formerly Astaro Security Gateway) offers an integrated software solution that provides superior performance in an all-in-one firewall. Its hardened operating system, stateful packet inspection, content filtering (virus and surf protection), application proxies and IPsec-based VPN provide a powerful solution to today's security issues. Sophos UTM is also capable of providing Quality of Service (QoS) for the traffic that passes through it. Because QoS is a generic term, let's start with what it means. Wikipedia defines QoS as: the overall performance of a telephony or computer network, particularly the performance seen by the users of the network. Sophos has released a new version of its Unified Threat Management, UTM for short, with version number 9.701-6. This software is delivered both on physical hardware and as a soft.

Sophos released UTM 9.704. The release will be rolled out in phases.

In phase 1 you can download the update package from their download server, in phase 2 they will spread it via their Up2Date servers.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Connected REDs will perform firmware upgrade

Issues Resolved

  • NUTM-11829 [Access & Identity] L2TP connections fail when many users are connected
  • NUTM-11928 [Access & Identity] Hardening of Authentication Server configuration page
  • NUTM-11559 [Basesystem] Update i40e driver
  • NUTM-11966 [Basesystem] Patch binutils (CVE-2018-17985)
  • NUTM-11982 [Basesystem] Patch BIND (CVE-2020-8616, CVE-2020-8617)
  • NUTM-12007 [Basesystem] Patch OpenSSL 1.0.2j (CVE-2019-1547, CVE-2019-1551, CVE-2019-1563)
  • NUTM-12041 [Basesystem] Patch UTM kernel (CVE-2019-3701, CVE-2019-15916, CVE-2019-20096, CVE-2020-8647, CVE-2020-8648, CVE-2020-10942, CVE-2020-11494)
  • NUTM-11664 [HA/Cluster] Error message “send_ha_msg(ECHO_MASTER): sendto(255) errno = 22”
  • NUTM-11113 [Logging] Log archiving to SMB share fails to connect
  • NUTM-11846 [Network] Add confd option to enable multicast for IGMP
  • NUTM-11849 [Network] Syslogng fails to write if max concurrent connections is reached
  • NUTM-11936 [Network] DNS host object not updated/unresolved after fail-over
  • NUTM-11938 [Network] Unable to save the new profile in SSLVPN, it gives error “Warn: Client authentication cannot use more than 170 user and group networks at the same time”
  • NUTM-11779 [RED] RED site-to-site tunnel failover doesn’t always work
  • NUTM-11886 [RED] RED server restart notification sent from auxiliary node
  • NUTM-12040 [RED] RED20 is not forwarding tagged traffic like RED15
  • NUTM-12134 [RED_Firmware] Improve throughput for SD-RED WiFi
  • NUTM-12135 [RED_Firmware] Enable 802.11ac for SD-RED WiFi
  • NUTM-11972 [REST API] REST API: Invalid response on GET query for S/MIME component
  • NUTM-11681 [Sandstorm] Sandbox Activity tab uses the incorrect date formatter
  • NUTM-11685 [WAF] Let’s Encrypt renewal fails with HTTP->HTTPS redirection for IPv6 vhost
  • NUTM-11925 [WAF] WAF redirects some requests to the first domain of the virtual webserver
  • NUTM-11388 [Web] Httpproxy restarted due to segmentation fault and generated core dump
  • NUTM-11577 [Web] WebProxy not reliably deleting cached temp files
  • NUTM-11841 [Web] Proxy crash with coredump

RPM packages contained:
libopenssl1_0_0-1.0.2j-4.1.0.359236905.g3d7a90be.rb2.i686.rpm
libopenssl1_0_0_httpproxy-1.0.2j-4.1.0.359236905.g3d7a90be.rb2.i686.rpm
binutils-2.25.0-5.5.1984.g1d6623a3.rb5.i686.rpm
ctasd-5.00.0085-1.gadabaeb.rb3.i686.rpm
ctipd-4.00.0032-2.g4726759.rb3.i686.rpm
firmwares-bamboo-9400-0.359638673.ga30772a.rb2.i586.rpm
modauthnzaua-9.70-270.gcb78b67.rb97.i686.rpm
modauthzblacklist-9.70-372.gefe2089.rb5.i686.rpm
modavscan-9.70-359.g793e6f1.rb45.i686.rpm
modcookie-9.70-377.g63c8b0f.rb2.i686.rpm
modcustomblockpage-9.70-279.gbe16bc0.rb71.i686.rpm
modfirehose-2.5_SVNr1309567-14.g4ab2622.rb96.i686.rpm
modformhardening-9.70-367.g820d795.rb6.i686.rpm
modpcap-9.70-0.142961807.g994d6f0.rb96.i686.rpm
modproxymsrpc-0.5-121.gc7f8565.rb105.i686.rpm
modreverseauth-9.70-364.g469bdce.rb33.i686.rpm
modsecurity2-2.9.3-0.g2e3bf76.rb33.i686.rpm
modsecurity2_beta-2.9.0-460.g62b8fdb.rb100.i686.rpm
modsessionserver-9.70-0.247653793.g4179dcf.rb100.i686.rpm
modurlhardening-9.70-367.g820d795.rb6.i686.rpm
modwafexceptions-9.70-322.gd203205.rb49.i686.rpm
modwhatkilledus-2.01-0.258193062.g46092ac.rb100.i686.rpm
openssl-1.0.2j-4.1.0.359236905.g3d7a90be.rb2.i686.rpm
perf-tools-3.12.74-0.358283885.gbf77995.rb3.i686.rpm
red-unified-firmwares-9700-0.358343537.gd6f8f71.rb3.i586.rpm
ep-confd-9.70-786.g620a40fbd.i686.rpm
ep-confd-tools-9.70-754.g3b24b3514.rb8.i686.rpm
ep-init-9.70-16.g49a302b.rb4.noarch.rpm
ep-logging-9.70-10.gd29cd29.rb2.i686.rpm
ep-mdw-9.70-714.gc211cfe2.rb5.i686.rpm
ep-red-9.70-58.gdc75c10.rb3.i686.rpm
ep-restd-9.70-5.g6bebbd0.rb2.i686.rpm
ep-saa-mac-1.0.0-0.354241321.gabd3f41.rb3.i686.rpm
ep-sandboxd-9.70-63.g3db71a3.rb3.i686.rpm
ep-tools-9.70-27.g614d81d.rb2.i686.rpm
ep-tools-cpld-9.70-27.g614d81d.rb2.i686.rpm
ep-webadmin-9.70-769.g5bf086630.rb7.i686.rpm
ep-chroot-ipsec-9.70-8.g15ed089.rb3.noarch.rpm
chroot-bind-9.11.3-0.357158073.g9ca89fd.rb3.i686.rpm
chroot-ipsec-9.70-87.g0c734a9.rb3.i686.rpm
chroot-reverseproxy-2.4.39-44.g4535a68.rb2.i686.rpm
ep-httpproxy-9.70-266.gd33137cb.rb3.i686.rpm
kernel-smp-3.12.74-0.358283885.gbf77995.rb4.i686.rpm
kernel-smp64-3.12.74-0.358283885.gbf77995.rb5.x86_64.rpm
ep-release-9.704-2.noarch.rpm

Source: https://community.sophos.com/products/unified-threat-management/b/blog/posts/utm-up2date-9-704-released

Related Posts

Office 365 needs some IPs and URLs to be directly accessed without a proxy. Automate this with SophosEndpoints.

In this article we will cover the following points:

  1. Configure Sophos UTM (enable RESTful Api & add local user)
  2. Install SophosEndpoints
  3. How to use SophosEndpoints
  4. Configure AD for Group Managed Service Accounts
  5. Create scheduled task for automation

Configure Sophos UTM

In order to use the SophosEndpoints Module we have to enable the RESTful API and create a new API key mapped to a local user:

  1. Login to the WebAdmin GUI
  2. Go to Management > WebAdmin Settings > RESTful API
  3. Activate Enable RESTful API

Take a note of the URL of the API Endpoint (without the trailing slash), you are going to need this later.

To generate an API token, perform the following steps:

  1. Login to the WebAdmin GUI
  2. Go to Management > WebAdmin Settings > RESTful API > New API Token
  3. Map the token to a local Sophos UTM user (not an AD integrated account)
  4. (Optionally) under Advanced Settings create a whitelist with the IP of the machine you are going to use to run the scheduled task on.
  5. Click Save

Take a note of the API token, you are going to need this later.

If you don't have a local user account, create a new one:

  1. Login to the WebAdmin GUI
  2. Go to Management > Definitions & Users > Users & Groups
  3. Click on New User… and set Authentication to Local

The user must have administrative permissions.

Install SophosEndpoints

The SophosEndpoints module can be installed from the PowerShell Gallery. Open an elevated PowerShell session on the machine you are going to create the scheduled task on and run the following cmdlet.

Alternatively you can download SophosEndpoints from GitHub, unblock the downloaded zip file and copy the SophosEndpoints folder to a folder listed in your PSModulePath environment variable.

How to use SophosEndpoints

After installing the module you can use the cmdlet Set-EndpointsInUtm to update IPs and URLs used by Microsoft directly in Sophos UTM.

The most important parameters you are going to use are:

UtmApiUrl: This is the URL of the API Endpoint (without the trailing slash) and tells the cmdlet how to contact Sophos UTM.
Example value: https://sophos.testlab.live:4444/api
Default value (if you omit the parameter): https://sophos:4444/api

UtmApiKey: This is the API token we just created. This is needed to authenticate against Sophos UTM.
Example value: jHjhasjkhjhHUmqoPasdqN

TenantName: This is the name of your Office 365 tenant. It is the first part of your .onmicrosoft.com address, e.g. testlab for testlab.onmicrosoft.com. This is needed to customize some tenant-specific URLs such as testlab.sharepoint.com.
Example value: testlab
Default value: null

UtmIpPrefix: This is the prefix that is added to every network that is created by the Set-EndpointsInUtm. This should be unique, as this is used to identify the autocreated networks.
Example value: “Office 365 Endpoint”
Default value: “Microsoft365 Net”


UtmExceptionPrefix: This is the prefix that is added to every exception that is created by Set-EndpointsInUtm. This should be unique, as it is used to identify the autocreated exceptions.
Example value: “Office 365 Exception”
Default value: “Microsoft365 Exception”

UtmExceptionDisabledChecks: This is an array of strings naming the checks that are skipped in the web protection exception. Possible values are: 'av', 'cache', 'certcheck', 'certdate', 'check_max_download', 'content_removal', 'contenttype_blacklist', 'extensions', 'log_access', 'log_blocked', 'patience', 'ssl_scanning', 'url_filter', 'user_auth'. Note that this is an array (@(...)), not a hashtable (@{...}). Every check you disable here is a control that no longer applies to Microsoft traffic, so keep the list as short as your environment allows.
Example value: @('av', 'ssl_scanning')
Default value: @('ssl_scanning', 'user_auth')

LogFilePath: The path to a log file.
Example value: "C:\logs\SophosEndpoints.log"
Default value: null

Typically you would execute the following in PowerShell:


Another example would be:

If you want to know more about additional parameters and settings run the following cmdlet:
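The installation and the typical invocations described above, as an added example that is not the module author's code. The host name, token and tenant name are the article's placeholder values, not real credentials:

```powershell
# Added example (not the SophosEndpoints project's own code): install the module and
# call Set-EndpointsInUtm with the parameters documented above. Host, token and tenant
# are the article's placeholder values.
Install-Module -Name SophosEndpoints -Scope AllUsers

# Minimal invocation: endpoint, API token and tenant; prefixes and disabled checks
# keep their defaults ("Microsoft365 Net", "Microsoft365 Exception", ssl_scanning + user_auth).
Set-EndpointsInUtm -UtmApiUrl 'https://sophos.testlab.live:4444/api' `
                   -UtmApiKey 'jHjhasjkhjhHUmqoPasdqN' `
                   -TenantName 'testlab'

# Fuller invocation using splatting. UtmExceptionDisabledChecks is an array, @(...),
# not a hashtable; only the check names listed in the parameter reference are valid.
# The API token is a credential with admin rights on the UTM: keep any script that
# embeds it readable only by administrators and the account that runs it.
$params = @{
    UtmApiUrl                  = 'https://sophos.testlab.live:4444/api'
    UtmApiKey                  = 'jHjhasjkhjhHUmqoPasdqN'
    TenantName                 = 'testlab'
    UtmIpPrefix                = 'Office 365 Endpoint'
    UtmExceptionPrefix         = 'Office 365 Exception'
    UtmExceptionDisabledChecks = @('av', 'ssl_scanning')
    LogFilePath                = 'C:\logs\SophosEndpoints.log'
}
Set-EndpointsInUtm @params

# Full parameter reference and the examples shipped with the module.
Get-Help Set-EndpointsInUtm -Full
```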

Configure AD for Group Managed Service Accounts

In order to create a scheduled task that is not bound to your user account and automatically changes its password, we use a group managed service account (gMSA). This is much safer and easier to maintain than an ordinary user account: nobody ever knows the password, it is rotated automatically, and only the computers you authorize can retrieve it. If you haven't done so already, you must first create a KDS Root Key (once per AD forest):

On your Domain Controller, or on an admin box with the ActiveDirectory PowerShell module installed, open an elevated PowerShell session and run the following cmdlet:

This takes up to 10 hours to replicate, so be patient - the security gain is worth the wait ;-)

If you are in a test environment (and only then!) you can run Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10)) to create the key without waiting for replication.

Meanwhile we can create a global security group in AD and add as members the computer objects that will be allowed to use the gMSA, in our case the machines that will run the scheduled task. I created a group called SophosMaintainer and added the computer Adminbox as a member.

You should restart the machines you added to the group, because group membership is evaluated at startup. Otherwise you won't be able to add the gMSA later on.

Now it is time to create the gMSA. On a DC open an elevated PowerShell session and run the New-ADServiceAccount cmdlet. You have to specify a name (this is the sAMAccountName of the gMSA), a DNSHostName (this is the FQDN that the gMSA will be available under), the PrincipalsAllowedToRetrieveManagedPassword (this is the group we just created) and optionally some ServicePrincipalNames. In my testlab environment this is the cmdlet I used.


Next we can install the gMSA on the machine on which we want to configure the scheduled task. Open an elevated PowerShell session on that machine and run the following cmdlets:

That's it, we successfully installed a group managed service account. In the next step we are configuring a scheduled task that runs in the context of this gMSA. In order to run the SophosEndpoints cmdlet the gMSA does not need any special permissions. However, if you want to enable logging, you have to grant the gMSA permission to write to the folder in which you want to store the log file. The gMSA can be referenced as a service account with the name testlab\updateSophos$
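The whole gMSA set-up from the KDS root key to the installed account, as an added example rather than the article's own commands. It uses the names given in the article (domain testlab, group SophosMaintainer, computer Adminbox, gMSA updateSophos); the DNS host name and the log folder are assumptions:

```powershell
# Added example (not the article's own commands): gMSA set-up for the scheduled task.
# Names follow the article; the DNSHostName value and C:\logs are assumptions.
Import-Module ActiveDirectory

# 1. KDS root key, once per forest. Wait for replication (up to 10 hours) before
#    creating the gMSA in a production forest.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Security group whose members (computer accounts) may retrieve the gMSA password.
#    Membership is evaluated at start-up, so reboot Adminbox after this step.
New-ADGroup -Name 'SophosMaintainer' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'SophosMaintainer' -Members 'Adminbox$'

# 3. The gMSA itself. Only members of SophosMaintainer can fetch its password, so no
#    secret is ever typed into, or stored with, the scheduled task.
New-ADServiceAccount -Name 'updateSophos' `
    -DNSHostName 'updateSophos.testlab.live' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SophosMaintainer'

# 4. On Adminbox, after the reboot: install the account locally and verify that this
#    machine is able to retrieve the managed password.
Install-ADServiceAccount -Identity 'updateSophos'
Test-ADServiceAccount -Identity 'updateSophos'

# 5. Only needed when LogFilePath is used: allow the gMSA to write into the log
#    folder and nothing else (Modify on the folder and its children).
New-Item -ItemType Directory -Path 'C:\logs' -Force | Out-Null
icacls 'C:\logs' /grant 'testlab\updateSophos$:(OI)(CI)M'
```

Steps 1 to 3 run on a DC (or an admin box with the ActiveDirectory module), steps 4 and 5 on the machine that will run the task.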

Create scheduled task for automation

The last step is to create a scheduled task that automates the setting of the networks and web protection exceptions in the Sophos UTM. As we are using a gMSA for the scheduled task we can't create the task using the GUI. We have to do this in PowerShell.

In order to create the task we have to define the action, trigger and principal of the scheduled task. In the action we are going to run a PowerShell script that executes the Set-EndpointsInUtm cmdlet. You should adapt this as explained in the section How to use SophosEndpoints. The trigger defines when the scheduled task will be run and the principal is the account used to execute the task. This is the gMSA we just created.


The content of C:\scripts\runSophosEndpoints.ps1 in my testlab is the following:

To create the scheduled task with these parameters run the following cmdlet.


After the first run you should check the status of the scheduled task. If you specified a LogFilePath you should also check the logs.
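The runner script and the task registration under the gMSA, as an added example that is not the article's own script. The schedule (daily at 03:00), the task name and the ACLs are assumptions; host, token and tenant are the article's placeholder values:

```powershell
# Added example (not the article's own script): write runSophosEndpoints.ps1 and
# register a scheduled task that runs it as the gMSA testlab\updateSophos$.
# Schedule, task name and ACLs are assumptions; host and token are placeholders.
$scriptPath = 'C:\scripts\runSophosEndpoints.ps1'
$taskName   = 'Update Office 365 endpoints in Sophos UTM'

# Runner script. It embeds the UTM API token, so the script folder is locked down
# below to administrators, SYSTEM and read/execute for the gMSA only.
$runner = @'
Import-Module SophosEndpoints
Set-EndpointsInUtm -UtmApiUrl 'https://sophos.testlab.live:4444/api' `
                   -UtmApiKey 'jHjhasjkhjhHUmqoPasdqN' `
                   -TenantName 'testlab' `
                   -LogFilePath 'C:\logs\SophosEndpoints.log'
'@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $runner
icacls (Split-Path $scriptPath) /inheritance:r `
    /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'testlab\updateSophos$:(OI)(CI)RX'

# Action: run the script non-interactively with PowerShell.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

# Trigger: once a day at 03:00 (assumed schedule).
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'

# Principal: the gMSA. LogonType Password makes the Task Scheduler retrieve the
# managed password itself, which is why Register-ScheduledTask gets no credential.
$principal = New-ScheduledTaskPrincipal -UserId 'testlab\updateSophos$' -LogonType Password

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal

# First run and status check; LastTaskResult 0 means the last run completed without error.
Start-ScheduledTask -TaskName $taskName
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

If LogFilePath is set, also read C:\logs\SophosEndpoints.log after the first run to confirm the networks and exceptions were created.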


That's it, we don't have to worry about manually updating definitions for Office 365 anymore. The most current IPs and URLs used by Microsoft are automatically imported into Sophos UTM!