Central Management 2020.08 Released

What's New in Central Management 2020.08

With this latest Sophos Central Management release we’re excited to announce a set of features that let admins manage firewalls in groups rather than one at a time. Admins can create groups of similar firewalls running XG v18 or newer and create and edit policies for all the firewalls in a group at once.

  • Firewall groups
    Create groups, add firewalls, and apply configuration to more than one firewall at a time.
  • Nested groups
    Groups may contain up to two levels of child groups, for selectively applying rules, objects, and policies to only some members of a parent group.
  • Task queue
    The Task Queue lets admins monitor the configuration pushed to a firewall group and troubleshoot any configuration conflicts it causes.
  • Dynamic objects
    Create dynamic zones that map equivalent but differently named zones on different firewalls to one name, to simplify group configuration.
  • Additional new features
    • Improved Firewalls page layout
    • Automatic list refresh
    • Search on Firewalls page
    • Integration to Central Firewall Reporting

Known Issues in Central Management 2020.08

  • Configuration (Firewall Rules)
    Issue: A WAF rule cannot be created when the hosted server has an HTTPS certificate.
    Workaround: Configure the rule through single-device management.
  • Configuration (Firewall Rules)
    Issue: Editing the FQDN hosts, country groups or services of a firewall rule a second time gives the error message “Duplicate entry not allowed”.
    Workaround: Edit these objects on their own pages instead of in the firewall rule page.
  • Zero touch
    Issue: The firewall shows a “Connected” state on the firewall groups page even though the process on the XG side has not completed.
    Workaround: None needed. There is no impact; the UI shows “Connected” instead of “Waiting”.
  • Configuration (Firewall Rules)
    Issue: Cloning a firewall rule does not clone all of the rule’s properties.
    Workaround: Configure the rule through single-device management.
  • Configuration (NAT Rules)
    Issue: The “Add NAT Rule” button is partially overlapped in the Safari browser UI.
    Workaround: Use another browser; the issue does not occur there.
  • Configuration (NAT Rules)
    Issue: When the admin creates a loopback or reflexive NAT rule, the success message text is wrong: it displays “Couldn’t add NAT rule”.
    Workaround: None needed. There is no impact; both rules are created and pushed to the firewall successfully.
  • Configuration (Hotspot)
    Issue: Creating a hotspot in a firewall group also creates a default firewall rule and a default NAT rule, which can change the firewall rule ordering.
    Workaround: Firewall and NAT rule ordering can be corrected by deleting the rules auto-created by the hotspot configuration.
  • Nested Group
    Issue: Some parent group settings (for example web proxy and notification lists) are not visible in the child group UI.
    Workaround: None needed. The issue is with the UI only; all settings are pushed successfully to the firewalls of the parent and child groups.
  • Firewall Groups UI
    Issue: A “Something went wrong” pop-up appears on the firewall group page when the admin expands all groups.
    Workaround: None needed. The pop-up comes and goes; after a page refresh or tab switch it does not appear again.
  • Full Sync
    Issue: The firewall transaction fails for host groups and other entities that already exist on the firewall when the firewall is joined to a group.
    Workaround: The error reporting in the Task Queue identifies which object caused the failure. Delete that object on the firewall manually and retry the full sync, which will then pass.
  • Default Objects
    Issue: A referenced default FQDN host cannot be deleted even after the reference is removed from the FQDN host group.
    Workaround: None; this is a pre-existing issue.


Known Behaviour in Central Management 2020.08

  • Full Sync
    On some firewalls, CPU usage spikes to 100% during a full sync. This has no other impact; CPU usage returns to normal once the full sync completes. How long the sync takes depends on the firewall’s hardware and on the resources the firewall has available to apply the configuration.
  • Configuration (Firewall Rules)
    If the local firewall admin changes the position of Central-pushed rules (firewall rules, NAT rules, SSL rules), the rule ordering can conflict with a later push from Central, which then fails with an opcode failure.
  • Full Sync / Configuration
    If the local firewall admin creates or edits objects (for example FQDN hosts) and the Central admin then pushes the same hosts under a different name, the push fails with an opcode failure and the local admin has to revert the change. The error reporting in the Task Queue identifies which object caused the failure, so the local admin can edit that object on the firewall and retry the full sync, which will then pass.
  • Nested Group
    Only the parent group can change group settings.
  • Firewall Groups UI
    Renaming a firewall from Central is removed from 2020.08 onwards. The admin changes the hostname on the XG firewall, and the same hostname is shown on the Firewall Groups page.
  • Firewall Groups UI
    The “Manage Firewall” link is removed from 2020.08 onwards. The admin clicks the firewall name or serial number to open the firewall via reverse proxy.
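The two opcode-failure behaviours above (Central-pushed rules reordered by a local admin, and FQDN hosts that already exist on the firewall under another name) are both things an admin can check for before triggering a full sync rather than after the Task Queue reports the failure. The script below is an added example and is not Sophos code; it uses no Sophos Central or XG API. Its inputs are plain Python dictionaries and lists that the admin fills in from the firewall’s FQDN host list and rule table, and the function names, the “C-” prefix for Central rules and all sample data are constructed for the example.

```python
"""Pre-sync audit for a Central firewall group push (added example, not Sophos code).

It uses no Sophos Central or XG API: the inputs are plain Python structures
that an admin fills in from the firewall's FQDN host list and rule table.
The sample data at the bottom is constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conflict:
    kind: str     # what kind of clash was found
    local: str    # the local object or rule involved ("" if none)
    central: str  # the object or rule Central would push


def fqdn_host_conflicts(local_hosts, central_hosts):
    """Compare FQDN host objects (name -> fqdn) on the firewall with those Central will push.

    Two clashes are reported, matching the opcode failure in the release notes:
    the same FQDN already exists locally under another name, or the same name
    already exists locally with another FQDN. Names are compared exactly;
    FQDNs are compared case-insensitively.
    """
    conflicts = []
    local_by_value = {}
    for name, fqdn in local_hosts.items():
        local_by_value.setdefault(fqdn.lower(), []).append(name)

    for c_name, c_fqdn in central_hosts.items():
        l_fqdn = local_hosts.get(c_name)
        if l_fqdn is not None and l_fqdn.lower() != c_fqdn.lower():
            conflicts.append(Conflict("same-name-different-value", c_name, c_name))
        for l_name in local_by_value.get(c_fqdn.lower(), []):
            if l_name != c_name:
                conflicts.append(Conflict("same-value-different-name", l_name, c_name))
    return conflicts


def central_rule_order_conflicts(local_order, central_order):
    """Find Central-managed rules whose relative order was changed on the firewall.

    local_order is the firewall's full rule list, top to bottom, including rules
    the local admin created; central_order is the order Central pushed. Local-only
    rules are ignored, so the local admin may insert rules freely; only moving
    Central rules relative to each other is flagged. A Central rule that is no
    longer present locally is reported as well, since a re-push cannot place it.
    """
    central_set = set(central_order)
    local_central = [r for r in local_order if r in central_set]
    expected = [r for r in central_order if r in local_order]
    conflicts = [Conflict("missing-locally", "", r)
                 for r in central_order if r not in local_order]
    for pos, rule in enumerate(local_central):
        if expected[pos] != rule:
            conflicts.append(Conflict("reordered", rule, expected[pos]))
    return conflicts


def run_audit(local_hosts, central_hosts, local_order, central_order):
    """Return all conflicts; an empty list means the push should go through cleanly."""
    return (fqdn_host_conflicts(local_hosts, central_hosts)
            + central_rule_order_conflicts(local_order, central_order))


# Constructed sample input (not taken from any real firewall).
LOCAL_FQDN_HOSTS = {
    "updates-server": "updates.example.com",  # same FQDN, Central names it "grp-updates"
    "mail-host": "mail.example.com",          # same name, Central has a different FQDN
    "intranet": "intranet.example.com",       # identical on both sides: no conflict
}
CENTRAL_FQDN_HOSTS = {
    "grp-updates": "updates.example.com",
    "mail-host": "smtp.example.com",
    "intranet": "intranet.example.com",
}
# Central rules carry a "C-" prefix here. The local admin added two rules of their
# own, swapped the first two Central rules, and deleted one Central rule.
LOCAL_RULE_ORDER = ["local-mgmt", "C-block-tor", "C-allow-dns", "C-allow-web", "local-guest"]
CENTRAL_RULE_ORDER = ["C-allow-dns", "C-block-tor", "C-allow-web", "C-deny-all"]

if __name__ == "__main__":
    for c in run_audit(LOCAL_FQDN_HOSTS, CENTRAL_FQDN_HOSTS, LOCAL_RULE_ORDER, CENTRAL_RULE_ORDER):
        print(f"{c.kind:28} local={c.local!r:18} central={c.central!r}")
```

Run on the sample data the audit reports five conflicts: the two FQDN clashes, the Central rule deleted locally, and the two swapped Central rules. Each one is something the local admin has to revert or rename before the full sync will pass, which is exactly what the Task Queue would otherwise report after the fact.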
  • I’ve been using this since the EAP and it’s a great addition, but I’ve got a question: is there a way to pull configurations from added firewalls yet, so that it gives you a quick starting point for group policies? The reason I ask is because I’ve had to skip the group management on a couple of occasions, as I found that unless you create group policies matching what’s already on an imported firewall before it goes into a group, the Central group policies have overridden my firewall’s local policies. I know this was in the old CFM I used to use until the new Central integrations for firewalls, but I don’t seem to be able to see anything similar in Central’s Firewall Group management anywhere. Could somebody point me to where I might find the option to pull configs/policies from the firewall end, please, if it’s actually there?

    Many thanks, and please keep up the great work, as I really love these recent Central additions. (Also, if any new EAPs are out or coming soon, please PM me an invite; I’d be ever so grateful.)

    JK

  • Great work guys!!!! Really!

    I’ve been using it since the first EAP.

    One thing I’m still missing:

    When I create a dynamic object interface, it would be nice to use it in the firewall rules.

    The dynamic zones are selectable in firewall rules.