User Portal disabled across multiple XG firewalls by CLI user

This morning we found many of our XG firewalls had the User Portal disabled on the WAN zone, causing problems for users trying to download the VPN client while working remotely. Anyone else experience this issue? How are you providing users with the ability to download the VPN client when they are not in the office?

  • Hi,

    which version of XG are you using?

    Ian

  • In reply to rfcat_vk:

    The problem is not specific to a firmware revision or model, different firmware versions and models affected simultaneously

  • In reply to S248:

    Hi,

    okay are we talking all v17 or some v18?

    If they are all v17 does the notification at the top the forums apply?

    Ian

  • Same here for > 20 devices with V17.x

  • Hi S248

    As a general best security practice to reduce attack surface wherever possible, Sophos recommends disabling any unused services on the WAN interface.

    Until recently, the user portal was enabled on the WAN interface by default for XG firewall. From v17.5 MR12 and v18 MR1 the default value was changed from enabled to disabled for the brand new installs. For any customer upgrading an existing deployment to these releases (or later), the current settings remained unchanged.

    In a recent hotfix, Sophos performed a one-time update to disable the User Portal on the WAN interface if it was not actively being used by customers. This determination was made on-box.

    If it has been disabled, and you actively need/use it, please enable it and it will remain enabled.

  • In reply to PMParth:

    We're also starting to see our customer's XGs disable the User Portal for deployments that do use this. Do you know how are Sophos working this out to then apply this change?

  • In reply to PMParth:

    Hello Parth,

    Sophos should absolutely not be dictating how things should be done by just doing it themselves and pushing out hidden hotfixes or changes which modify the functionality of our Customer firewalls without express notice. A vendor should only make recommendations and best practices on how the firewalls should be configured, if you want to take this route of modifying Customer firewalls without their or the Partners express consent, then you need to be far more up front.

    I have 4 firewalls in the past 24 hours that have had the User Portal disabled, of which two were my own where I use to access my home and cloud servers via the RDP bookmarks and to get my SSL VPN configuration. Another Customer distributes SSL VPN via their User Portal. These are just the first 4 I had access to.

    What was the criteria and why was there not notification in the message center? You cannot take liberties with my Customer firewalls.

    I am now going to have to send out an email to all our Customers asking to double check their User Portal if it needs to be accessible from the WAN and re-enable due to this brazen action by yourselves wherein the criteria is not obvious and was not expressly stated, this was extremely unprofessional from Sophos and the decision makers. Unfortunately, at this time, the only "official" communication is from you.

    I will be raising this as a complaint and adding any of our Customer names who wish to follow this up to it as well.

    If you wish to follow this up privately, please feel free to email me.

    Emile

  • In reply to PMParth:

    How was that determination made? What was the criteria? Users were impacted within hours of the change being applied. Making this change in mass across customer firewalls, without any notification at all, is absolutely unacceptable. Instead you've left it up to XG customers to react to end users being affected, and for XG admins to work out what happened on their own. An e-mail in advance would be better. Or send us an advisory with the recommendation rather than just making the changes on our firewalls without warning. 

  • In reply to PMParth:

    Ok.  But we need far more explanations on what's happening behind the scene to first judge if that was necessary.  But also, and most importantly ascertain risks we face if we ever put Users Portals enabled again.

    The CVE linked posted by Sophos is actually inexistent.

    We can’t work blinded that way.

    Paul Jr

  • We're seeing 2 major issues with this hotfix.

    • User Portals are being disabled when they are in heavy use as our student body is heavy relaying on them during COVID.
    • The SSL certificate being returned now is a completely and utterly random certificate (not even installed on the Sophos), and not what is installed or selected in Administration > Device Access > Certificate.

    For one of our appliances, we are now getting back one of our vSphere certificates.

    What the hell Sophos?

  • In reply to Michael Pasqualone:

    Hi Michael, 

    Thanks for your feedback.

    I will send you PM to follow up and investigate further.