Next EAP release date?

Any word on when a EAP 2 refresh 1 or EAP 3 will be out?

This random reboot and loss of connection is killing me .

  • Any news about next release? We will have EAP 3 refresh, EAP 4 or GA version? Any date?

  • In reply to darnoK:

    If you can, go back to v17 maybe ?

    Paul Jr

  • In reply to Big_Buck:

    At the moment, your advice is worth considering ;-)

    For now, EAP "eats" a lot of CPU and RAM resources, which eliminates the possibility of upgrading on older devices. Unless SOPHOS is focused on new customers who already buy new equipment. The second thing is that the devices in DPI mode work smoothly, unfortunately you need to add most of the traffic to TLS Exclusion. Does that make sense?

    I wonder if there is a chance for SOPHOS to scale the software to the capabilities of its devices? Is there a chance that the DPI engine will work flawlessly?

    These are just a few loose thoughts ...

    PS If UTM had an IMAP scan, I would stay with this solution. In my opinion, it has everything you need.

    Cheers ;-)

  • In reply to darnoK:

    I will not install v18 at my lob.  Just unworkable.  I have to do IT moves in May this year.  We already moved away for mails and WEB scanning in such a manner that our firewalls are now empty shells.  EndPoints have been moved partially back to Symantec.  So maybe we will stay with v17 just for the sake of doing very basic firewall and VPN duties.  Up until another supplier bring to market an integrated solution that’s worth moving.  It is my current thinking Sophos will not achieve a workable solution within this decade.   I will continue to monitor v18 at home and see 3 to 5 years from now ...  Sophos is just too time consuming.

    Paul Jr

  • In reply to darnoK:

    darnoK

    Any news about next release? We will have EAP 3 refresh, EAP 4 or GA version? Any date?

     
    There is an EAP3 refresh in the works right now that is focused on DPI performance improvements and lower memory usage.  I don't have an ETA for release to customers.
     
  • In reply to Michael Dunn:

    Thank you for the information. I hope that you will not only look at the consumption of RAM, but also the CPU and calibrate the product for your hardware platforms. There is something to fight for. Good luck!

  • In reply to darnoK:

    I was satisfied by the answer given in another thread so won't rehash it again here but a couple of points about DPI...

    Snort like any other daemon has its limits... ie you can only pass so many packets before dropping the packets or bypassing the daemon. The problem with XG implementation is that you can't drop packets like you can on an IPS if the daemon gets overwhelmed so the more traffic you pass, the harder the cpu will be taxed and the quicker you will reach the top limit of the traffic processed.

    Instead of putting DPI and proxy as separate entities, they probably should have done some programming magic so that snort handles all the traffic but the traffic falls back on proxy automatically if the cpu usage is getting too high or snort is getting overwhelmed. 

    Not only that, I am not a fan of tweaking the same firewall rule at different places simply to pass traffic. The current implementation is too cumbersome. Choose between proxy or DPI, create exceptions for proxy or DPI, look at the logs for proxy or DPI. For a geek like myself this is really fun to tinker with but to be honest, I wouldn't want to mess with this much complexity if I was administering hundreds of users.

    Sophos has really moved away from security made simple. It is security with too many half baked options maybe but definitely not simple.

    This is my personal opinion and is not meant to offend anyone at sophos or other fanboys that think I keep hating on sophos.

    Regards

  • In reply to Billybob:

    Billybob

    Snort like any other daemon has its limits... ie you can only pass so many packets before dropping the packets or bypassing the daemon. The problem with XG implementation is that you can't drop packets like you can on an IPS if the daemon gets overwhelmed so the more traffic you pass, the harder the cpu will be taxed and the quicker you will reach the top limit of the traffic processed.

    For reference:
    On the Control Center page there are now two new stats: Decryption capacity and Decrypt sessions.
    SSL/TLS inspection rules > SSL/TLS inspection settings > When SSL/TLS connections exceed limit

  • In reply to Michael Dunn:

    Hi folks,

    I know there have been public holidays and al those good things, but nearly a month has passed without sings of EAP 3 refresh 1.

    Looking forward to some fixes in DPI because i have had to revert to proxy.

    Ian

  • In reply to rfcat_vk:

    DPI will work the way it is in a foreseeable future.  Any changes in that is extremely heavy and will require months or years to fine tune.

    You will get performances boost or things like that.  But if it just does not work for your application, it will not work anytime soon.

    There's a price to pay to deliver machine with only 4 gig, or even less.

    Paul Jr

  • In reply to Big_Buck:

    EAP3-refresh is released internally.  After soaking it in for a bit it will be released to customers.

    My understanding is that on larger boxes, DPI performance is very good.  On smaller CPU boxes it is not yet ideal.

     

    After this refresh there are still numerous bugs that need to be fixed for GA.  The GA release date will depend on the bug count.  I know you all want to use the GA product, but I also know you don't want us to release software with lots of known defects.  All teams are focused on quality and stability right now.

    Please keep the bug reports and feedback coming.

  • In reply to Michael Dunn:

    Hi Michael,
    high resource consumption on small devices, specifically the processor, also is very high when using proxy mode, e.g. on the 115 Rev. 2.

  • In reply to Michael Dunn:

    A stupid question : Why call that EAP3 Refresh ?  Could not be called EAP4 ?

    Paul Jr

  • In reply to Big_Buck:

    V18 EAP3 refresh is needed urgently, currently having issues with more and more sites failing SSL check even when using the web proxy.

    I have for the moment disabled https decrypt and scanning to connectivity for some failing sites, eg iinet.net.au an Australian ISP.

    Lots of broken sites, but nothing in the logs. This is occurring g on MBP and W10 machine Everytinh works fine when i use the phone as a hotspot, secure connections etc.

    ian

  • In reply to rfcat_vk:

    v18 is in BETA.  The notion of "urgency" does not apply here.

    Paul Jr