Hi XG Community!
We've released SFOS v17.5.6 MR6 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from your MySophos account. We then make the firmware available via auto-update to a number of customers, which will increase over time.
Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.
Guidance on recently discovered security vulnerability in Exim email server
Exim is used by XG Firewall v17.5, specifically if a customer has enabled Email Protection. On Friday 7 June 2019, Sophos released and automatically applied an over-the-air hotfix to all XG Firewalls with auto-updates enabled to address this issue. If your XG Firewall does not have auto-updates enabled, upgrading to 17.5 MR6 release could resolve the issue. Alternatively, you can review KB134199.
Radius SSO authentication between XG and APX
Wireless users can be authenticated using Radius SSO between XG and APX. Now supports framed IP addresses in client accounting messages.
To manually install the upgrade, you can download the firmware from the MySophos portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.
During the upgrade from 5.5 to 5.6 all went well. After the firewall was booted, it turned out the DHCP was completely broken. I removed the old DHCP config and created a new one but it did not help. The symptoms were: Clients did get an IP but were unable to go to the internet. Clients did not get DNS and gateway addresses from the DHCP (these were configured). Removing and adding the gateway address and DNS addresses from the CLI to the DHCP config did not help. Eventually I had to restore the config from a previous backup file. This resolved the issue.
observations thus far
1. Firewall GUI rules still inconsistently display malformed
2. All traffic shaping rules lost during upgrade from 17.5.5 to 17.5.6
3. THIS IS THE BIGGY- Firewall stopped logging after a couple of days, once rebooted logging started working again. Reminiscent of old 17.1.1 (or was it 17.0.x) logging issues.
Waiting hopefully for Active Directory backend authentication for Hotspot.
EmileBelcourt Anything new on the guide :-D
twister5800 It's nearly there, just had a death in the family so everything has kinda been put on hold for now but I'll squeeze it out ASAP.
Ryan Partington, it's a v17.5.5 issue that came in: community.sophos.com/.../sophos-xg-firewall-17-5-logs-are-not-updating-on-the-gui-log-viewer
EmileBelcourt So sorry for your loss :-( - Don't stress anything with that guide, it's nowhere near important for me anyway, just nice to have.
Lucar has just commented the KB article for it, although it's about as useful as a chocolate teapot because it is basically the exact same article as community.sophos.com/.../132912 but just has the RADIUS accounting delay start and the accounting switch enabled.
Unfortunately, right now I am getting:
MESSAGE Jul 01 14:15:12 : handle_radius_account_req: request received from radius client 172.16.10.10
ERROR Jul 01 14:15:12 : handle_radius_account_req: received radius accounting with status 1
ERROR Jul 01 14:15:12 : handle_radius_account_req: received radius accounting packet without login ip host
The XG is not delivering the logged in IP address, case raised.
Actually EmileBelcourt did you configure your NPS correctly? Because your KBA is only for Authentication, not Accounting. You have to specify a new Radius Server on Windows Server to redirect accounting Information back to XG.
LuCar Toni, it's not the NPS responsible for sending the IP address, it's the XG on the AP's behalf (well, forwarded and NATted). As far as I can tell all systems I've tested are configured correctly but it is the RADIUS accounting packets that are missing the IP address.
Basically, NPS can never initiate Accounting packets because it has no access to monitor the APs so it relies on third parties to receive those details and forward them on.
If you want the case number to look at my pcap, pop me a pm.
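A small check for the symptom discussed in the RADIUS accounting comments above, as an added example that is not part of the thread or Sophos code: it parses an Accounting-Request (RFC 2866) and flags a Start record that carries no Framed-IP-Address. Reading the log's "without login ip host" as a missing Framed-IP-Address attribute is an assumption; the sample packets and the address 172.16.10.50 are constructed.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4          # RFC 2866 packet code
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS = 1, 8, 40  # RFC 2865/2866
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [values]} for one RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with captured data")
    attrs, pos = {}, 20             # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def check_accounting(packet: bytes) -> dict:
    """Summarise status, user and client IP of an Accounting-Request."""
    attrs = parse_attributes(packet)
    status_raw = attrs.get(ATTR_ACCT_STATUS, [b""])[0]
    status = struct.unpack("!I", status_raw)[0] if len(status_raw) == 4 else None
    ip_raw = attrs.get(ATTR_FRAMED_IP, [b""])[0]
    ip = str(ipaddress.IPv4Address(ip_raw)) if len(ip_raw) == 4 else None
    user = attrs.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", "replace")
    return {"status": STATUS.get(status, status), "user": user,
            "framed_ip": ip, "missing_ip_on_start": status == 1 and ip is None}


def build(attrs):  # constructed sample packets, not captures from the thread
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body

START = [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_STATUS, struct.pack("!I", 1))]
WITHOUT_IP = build(START)
WITH_IP = build(START + [(ATTR_FRAMED_IP, ipaddress.IPv4Address("172.16.10.50").packed)])
```

To check a real capture, pass the UDP payload of each accounting packet (port 1813 by default) to `check_accounting`.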
We have had major issues with CPU util and HTTP scanning since moving to this. We had that many users complain we had to switch off HTTP scanning outbound. Also dashboard consistently breaks and doesn't show any metrics.
Since 17.5.6 on the XG310, web browsing is no longer possible.
Surfing the web is as slow as a 56K modem 20 years ago.
For me the 17.5.6 is extremely buggy and not usable.
Turned back to 17.5.3.
DNS and Proxy are not working correctly anymore.
Still no upstream Proxy is possible to set up with port 80
while internal Sophos Proxy uses Port 8080.
17.5.6 is still extremely full of bugs...
HA seems to take longer than expected to fail over after the update to 17.5 MR6; before this it used to take a few pings to recover.
When I read some comments it looks like the 15.5.6 is a little buggy. Loss of DHCP, performance issues and loss of traffic shaping policy make me not really motivated to go to 15.5.6. Are these problems really confirmed?