
XG Firewall v18 MR-3: Feedback and experiences

Hi all,

Shall we start this new thread with the look and feel of XG v18 MR-3?

community.sophos.com/.../xg-firewall-v18-mr3



  • DPI TLS/SSL engine is still a mess.  After upgrading to MR3, I enabled a firewall rule to use DPI instead of web proxy to test.  One of the users who hits the rule called me to tell me he couldn't access a site (AOL mail) today.  The error Chrome gives him is "ERR_CONNECTION_RESET."  I looked in the logs; the TLS/SSL logs show no errors related to this site, and in fact show successful decryption.  The Policy Tester shows it is allowed.  No errors are shown on the Control Center page under the TLS/SSL Connections widget.  It just doesn't work, with no explanation given at all on the XG.  Add the URL as a Local TLS Exception and it works perfectly.  I should add, the traffic works fine and is decrypted properly using the Web Proxy engine.

    I still can't believe this "feature" is in wide use in actual medium to large scale businesses.  The web is vast and I can't imagine administrators sitting around all day chasing down broken sites to exclude due to the DPI engine.

    Oh, and FLOW_TIMEOUTs are still plentiful in MR3.
