This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Firewall v18 MR-5: Feedback and experiences

New Thread to cover changes / feedback / experiences about MR5.

MR5 was Re Released. New Build number: 586

"Old" MR3 Thread: https://community.sophos.com/xg-firewall/f/discussions/123403/xg-firewall-v18-mr-3-feedback-and-experiences

"Old" MR4 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/124771/xg-firewall-v18-mr-4-feedback-and-experiences

Release Notes: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/xg-firewall-v18-mr5-is-now-available

https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_180_rn.html

This thread was automatically locked due to age.

Top Replies

Prism over 3 years ago in reply to rfcat_vk +3

rfcat_vk said: The classification process is still broken - ntp, Imaps. Is there any reason at all on why the Firewall can't detect NTP traffic as Its own application? Creating a application signature…

0 rfcat_vk over 3 years ago

Waiting for the user to stop, so I can try out the update.

ian

installed. I still can’t get yahoo mail to verify. Yahoo smtp server fails certificate checks. More testing tomorrow morning and see what joy the reports bring.

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago

I want to save you some time:

SSLVPN + WAF Portsharing: You can share the port of the SSLVPN and the WAF on 443. But not the same protocol (UDP/TCP). WAF is always TCP, so you can use SSLVPN UDP on the same Interface/IP. You can also use SSLVPN on TCP. There is no Interface selection in SSLVPN, it will be activated on every Interface. If there is a WAF/DNAT, it will overwrite the SSLVPN.

SSLVPN (Sophos Connect) needs a User Portal settings. In XG, user portal and SSLVPN can share the same interface (Both TCP 443 for example). But User Portal runs on TCP and will block the WAF. So thats not possible to run on TCP443.

About the Missing Heartbeat: The switches to setup this missing heartbeat config:

console> system synchronized-security
delay-missing-heartbeat-detection suppress-missing-heartbeat-to-central

console> system synchronized-security delay-missing-heartbeat-detection show
60

console> system synchronized-security suppress-missing-heartbeat-to-central show
0

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Cancel
0 Prism over 3 years ago in reply to LuCar Toni

LuCar Toni said:
But not the same protocol (UDP/TCP).

Couldn't the Sophos Devs use the "port-share" parameter for OpenVPN? This would allow both WAF and SSLVPN to share the same TCP port.

If a post solves your question use the 'Verify Answer' button.

Ryzen 5600U + I226-V (KVM) v20 GA @ Home

XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to Prism

Thats not possible. The Packet flow does not work in XG that way. WAF/DNAT will be first. Hence the Portshare would require to be implemented within the WAF (Kernel) to share this to the openVPN stack. OpenVPN port-share is a option, which will forward certain traffic to another instance. That would require a complete revamp of the architecture.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Bill Roland over 3 years ago

On my XG Home system MR-5 took an enormous amount of time to boot post upgrade (30 minutes) whereas usual MR updates take 5 minutes or so. I am using the software version of course. Other than that everything seems ok.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to Bill Roland

You mean the upgrade process after the reboot took long time to get to the stable mode? Do you have a serial output of this?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Bill Roland over 3 years ago in reply to LuCar Toni

Yes after reboot it took 30 minutes to come back up. I have no serial output, just an observation.

EDIT: Upgraded an XG135 hardware appliance, it worked fine, several minutes to reboot after update and come online. Guess it was just something with my home rig.
Cancel
Vote Up 0 Vote Down

Cancel
0 Henrik S over 3 years ago in reply to LuCar Toni

Is there any reason that SSLVPN will be activated on every interface? Why is it not possible to use different external IPs for WAF and SSLVPN/User Portal, so that both can use 443 TCP on their own interface/IP?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to Henrik S

SSLVPN + WAF is not the issue. It will work like you explained. Only the User Portal can cause issues, as it cannot be used in such deployments on 443. User Portal will blocked by the WAF and cannot be selected on a specific port.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 3 years ago

Reports are still bad, yesterday's download of mr-5 to my mac does not show.

The classification process is still broken - ntp, Imaps.

Mail scanning is still broken, over 6000 messages for two people in one day.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel