SFOS 19.0.0 GA-Build317


A new firmware, SFOS 19.0.0 GA-Build317, is available. We strongly recommend that you upgrade the device.

Version
 SFOS 19.0.0 GA-Build317

News
 Feature Release

- Xstream SD-WAN profiles support multiple WAN link options including VDSL, DSL, cable, LTE/cellular, and MPLS.
- Performance-based SLAs automatically select the best WAN link based on jitter, latency, or packet loss.
- Zero-impact re-routing maintains application sessions when link performance falls below thresholds and a transition is made to a better-performing WAN link.
- SD-WAN monitoring graphs provide real-time insights into latency, jitter, and packet loss for all WAN links.
- SD-WAN routing information has been added to the logs, along with a new SD-WAN log viewer module that lets you focus on log entries specific to SD-WAN routing and health.
- Xstream FastPath acceleration of IPsec tunnel traffic automatically puts IPsec VPN traffic flows on the FastPath through the Xstream Flow Processor.
- Per-connection authentication: in explicit proxy mode, authentication can now handle multiple different users coming from the same source address.
- Enables the use of the O365 Tenant Restriction feature to restrict which domains users can log in to, by adding headers to outbound HTTPS requests so that Microsoft Azure AD can enforce the restrictions.
- X-Forwarded-For header support allows the source IP address to be passed upstream to load balancers or proxies.
- Supports DHCP IPv4 and boot option configurations in the web admin console.
- A new intelligent search box with auto-complete now appears at the top of the main menu and lets you find any screen or feature in the system.
- Significantly enhances the user experience when searching for a network object or service for inclusion in rules. Includes a free-text search option that enables searching by label or value.
- The navigation and user interface for various VPN administration options has been reorganized to make it easier and more intuitive.
- Significant performance enhancements (nearly 5x) to SSL VPN capacity thanks to the addition of multi-instance support.
- Custom policy support for IPsec remote access helps address a potential PCI compliance issue with the default IPsec RA policy, enables the configuration of a custom rekey time to avoid regular MFA prompts every four hours, and adds a new option to increase the idle timeout from 10 minutes up to 6 hours.
- Added support for static multicast routes for RBVPN.
- Added support for traffic selectors in RBVPN to automate configuration of the XFRM interface and perform route management even for RBVPN for a selected host.
- A new log viewer module selection for VPN is available, making it easy to monitor and troubleshoot VPN connections for both remote access and site-to-site tunnels using either IPsec or SSL.
- Enables the easy import of an AWS VPN connector from AWS.
- Improves authentication performance, which will be appreciated most in high-load situations with thousands of users.
- Global IPS switch: a new global switch has been added to the Intrusion Prevention > IPS policies tab to enable or disable IPS. This switch is set automatically when migrating to v19; if you were previously using IPS, it is set to ON.
- Enhanced the user interface and layout of the flow monitor to make the headers persistent and eliminate horizontal scrolling.
- Multi-factor authentication: improved security, workflow, and usability with the option to enable one-time-password MFA access to webadmin for the default admin account.
- Synchronized Security: an update to Lateral Movement Protection guards against the use of spoofed MAC addresses to disrupt legitimate traffic.
- Log suppression: repetitive firewall logs within a given module are aggregated into one event with a repeat count, to improve troubleshooting as well as optimize logging scalability and storage efficiency.
- Zero-Day Protection: an additional data center location for cloud-based machine learning file analysis is available in Asia Pacific (Sydney, Australia). This adds to the existing data center locations in Japan, Germany, the UK, and the USA.
- Device and management identity: the device hostname is now shown in the browser tab and the active user ID in the upper right corner of the management console, which makes managing multiple firewalls and admin accounts easier.
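The X-Forwarded-For item above only covers what the firewall inserts; the security-relevant part is how the upstream load balancer or application consumes the header. The following is an added example, not code from the release notes or from Sophos: it shows the standard way to recover the real client address on the upstream side, walking the header from the right and skipping only hops that belong to a configured set of trusted proxies, so that a value a client prepended itself is never trusted. The trusted proxy network (10.0.0.0/24) and all sample addresses are constructed assumptions.

```python
"""Trusted-proxy handling of X-Forwarded-For on an upstream server.

Added illustration; not SFOS or Sophos code. Assumes the firewall/proxy
that appends the client address to X-Forwarded-For lives in a known
network. All addresses below are constructed for the example.
"""
import ipaddress
from typing import List, Optional

# Hypothetical network of the proxy/firewall that appends XFF for us (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated hops, left to right."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def is_trusted(addr: str) -> bool:
    """True when addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log or rate-limit as the client.

    The peer that actually connected to us (remote_addr) must itself be a
    trusted proxy, otherwise the header is ignored. Then walk the chain from
    the right, because the rightmost entries were appended by the proxies
    nearest to us; skip every trusted proxy, and the first untrusted address
    is the real client. Anything to its left was supplied by untrusted
    parties and may be forged, so it is never used.
    """
    if not is_trusted(remote_addr) or not xff_header:
        return remote_addr
    for hop in reversed(parse_xff(xff_header)):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop and fall back to the peer we talked to
        return hop
    return remote_addr


if __name__ == "__main__":
    # A client that prepended a fake entry before reaching the trusted proxy.
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7"))   # 198.51.100.7
    # A direct connection that bypassed the proxy: the header is ignored.
    print(client_ip("203.0.113.9", "198.51.100.7"))         # 203.0.113.9
```

The check on `remote_addr` matters as much as the right-to-left walk: if the application port is reachable without passing through the firewall, any header value is attacker-controlled, so only connections from the trusted proxy set should be allowed to influence the logged client address.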
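The log suppression item above describes the outcome (one event with a repeat count) but not the mechanics. As an added example, not SFOS code and not a description of how the firewall implements the feature, the block below aggregates events that share a module and an identical message within a time window, while keeping the first and last timestamps so the suppressed record still shows the span it covers. The record layout, the 60-second window and the sample events are all constructed assumptions.

```python
"""Collapse repetitive firewall log events into one event with a repeat count.

Added illustration of the idea behind log suppression; not SFOS code. The
record layout, window size and sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: int                                  # epoch seconds (constructed)
    module: str                              # e.g. "Firewall"
    message: str                             # the stable part of the event
    repeat: int = 1                          # identical events this record stands for
    last_ts: int = field(init=False, default=0)  # timestamp of the latest merged copy

    def __post_init__(self) -> None:
        self.last_ts = self.ts


def suppress(events: List[Event], window: int = 60) -> List[Event]:
    """Aggregate events with the same (module, message) that arrive within
    `window` seconds of the first event of their run.

    The key deliberately includes the full message: drops from two different
    source addresses are different events and must not be merged, or the
    suppressed log would hide which hosts were involved. Runs are kept per
    key, so an unrelated event in between does not break a run.
    """
    open_runs: Dict[Tuple[str, str], Event] = {}
    out: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.module, ev.message)
        cur = open_runs.get(key)
        if cur is not None and ev.ts - cur.ts <= window:
            cur.repeat += 1
            cur.last_ts = ev.ts
            continue
        rec = Event(ev.ts, ev.module, ev.message)   # copy; input is left untouched
        open_runs[key] = rec
        out.append(rec)
    return out


# Constructed sample: a burst of identical drops, one drop from another host
# interleaved, then the same drop again after the window has expired.
SAMPLE = [
    Event(1000, "Firewall", "DROP src=192.0.2.10 dst=198.51.100.5 dport=445"),
    Event(1001, "Firewall", "DROP src=192.0.2.10 dst=198.51.100.5 dport=445"),
    Event(1002, "Firewall", "DROP src=192.0.2.11 dst=198.51.100.5 dport=445"),
    Event(1003, "Firewall", "DROP src=192.0.2.10 dst=198.51.100.5 dport=445"),
    Event(1200, "Firewall", "DROP src=192.0.2.10 dst=198.51.100.5 dport=445"),
]


if __name__ == "__main__":
    for rec in suppress(SAMPLE):
        print(f"{rec.ts}-{rec.last_ts} [{rec.module}] {rec.message} (x{rec.repeat})")
```

Running it yields three records instead of five: the first host's three drops inside the window collapse into one record with repeat 3, the second host's drop stays separate, and the late repeat at 1200 opens a new run. The sum of the repeat counts always equals the number of input events, which is a useful invariant to assert when validating any suppression logic against the raw feed.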

Resolved issues
- NC-87665 [API Framework, UI Framework] Pre-auth RCE (CVE-2022-1040)
- NC-79468 [Authentication] Outdated users stuck in Live Users on XG
- NC-83114 [Authentication] Web Authentication does not work in HA mode while AUX node is rebooting
- NC-84281 [Authentication] The status column is not visible on GUI under section Authentication -> Users
- NC-81768 [Backup-Restore] Failed to restore due to Key (key)=(config CPULIMIT_RULE) is duplicated
- NC-83159 [CM] Serial Number Disclosure (CVE-2022-0331)
- NC-89079 [CM] fwcm-eventd agent is not listening for the IP Address UP event
- NC-83392 [CM (Join to Cloud)] Backup is not getting generated with [] brackets
- NC-87165 [Core Utils] OpenSSL DoS vulnerability (CVE-2022-0778)
- NC-51929 [DDNS] DDNS does not apply to some new gTLDs
- NC-80660 [DHCP] DHCP IP lease issue
- NC-66163 [Email] Report received with garbled characters
- NC-69997 [Email] Notification test mail has a wrongly encoded subject when the web admin GUI language is set to Traditional Chinese or Simplified Chinese
- NC-71379 [Email] MTA doesn't provide the full certificate chain
- NC-74228 [Email] Cannot display quarantine due to \x1E? in subject
- NC-81069 [Email] Import fails for the entity 'MtaBlockedSenders'
- NC-83347 [Email, FQDN] Not able to add lx63.hoststar.hosting to email server under notification settings
- NC-73975 [Firewall] FP fw_fp_track_conn and fw_fp_reclaim_conn errors seen during httperf conn rate test (flow 2)
- NC-81517 [Firewall] Policy test for firewall not showing correct results
- NC-82215 [Firewall] Device freeze issue (0010:queued_spin_lock_slowpath+0x14b/0x170)
- NC-82332 [Firewall] Kernel panic - unable to handle kernel NULL pointer in "ip_route_me_harder"
- NC-82566 [Firewall] Kernel crash after update to v18.5MR2 - RIP:0010:_raw_read_lock_bh+0x14/0x30
- NC-83470 [Firewall, VFP-Firewall] Unable to handle kernel NULL pointer dereference at 0000000000000003 in XG750 during Connection Rate Test
- NC-83581 [Gateway Management] Need correction in the spelling
- NC-81974 [IPS-DAQ] Snort soft lockup and device reboot
- NC-83065 [IPsec] ping: sendto: Operation not permitted when upgraded from v18.0MR3 to later firmware on directly connected network
- NC-84935 [IPsec] Uploading of Amazon VPC is not working
- NC-85345 [IPsec] Button needs to be a different color on add IP host, add IP host group
- NC-83177 [IPS Ruleset Management] Unable to toggle IPS switch in 18.5MR2
- NC-84951 [Network Utils] Webadmin - Diagnostic - Route lookup is broken
- NC-85412 [PPPoE] PPPoE issue on v18.5 MR2
- NC-78401 [RED] RED keep-alive logic improvements
- NC-83430 [RED] RED causing massive network traffic after upgrading with SF 18.0 MR6 / SF 18.5 MR2
- NC-80784 [SDWAN Routing] SD-WAN monitoring shows a graph from incorrect interval
- NC-83366 [SDWAN Routing] Disabling the captcha on VPN zone not working for RBVPN with SD-WAN routing
- NC-71761 [Security] Resolved multiple XSS vulnerabilities (CVE-2021-25267)
- NC-85339 [Security] Resolved multiple XSS vulnerabilities via company name (CVE-2021-25268)
- NC-82590 [Synchronized App Control] Central Registration does not work
- NC-82569 [UI Framework] Cloud application screen not displayed properly
- NC-78563 [WAF] WAF not redirecting page to proper domain when there are multiple domains listed in WAF rule
- NC-87798 [WAF] Upgraded Apache to 2.4.53+
- NC-74847 [Web] Snort crashing with a segfault due to a blank conf file
- NC-76553 [Web] Memory leak in Skein
- NC-76554 [Web] Process crash in Skein
- NC-76555 [Web] Protocol injection in Skein
- NC-79417 [Web] SSL/TLS rules cannot be seen on GUI
- NC-83662 [Web] Alert message in Users page "Administrator account unprotected by Multifactor authentication": what the number represents
- NC-84158 [Web] Central logging 'admin out' of XG console when clicking on 'Add' user button
- NC-84218 [Web] Cannot enable OTP for admin user that is not userid 3
- NC-81956 [WebInSnort] http/s traffic to internal server on 8080 is dropped by ips tcphold
- NC-83584 [WebInSnort] IPS segfault in libnsg_tcphold_preproc
- NC-84861 [Wireless] Disconnected access point still has the status "Active" and e-mail notification is not sent
- NC-85549 [Wireless] SFOS goes into a bad state after boot if a time-based SSID is configured
