Thread Info
  • State Verified Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 86 replies
  • Subscribers 57 subscribers
  • Views 21688 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Firewall v18 MR-5: Feedback and experiences

LuCar Toni

New Thread to cover changes / feedback / experiences about MR5.

MR5 was Re Released. New Build number: 586

"Old" MR3 Thread: https://community.sophos.com/xg-firewall/f/discussions/123403/xg-firewall-v18-mr-3-feedback-and-experiences

"Old" MR4 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/124771/xg-firewall-v18-mr-4-feedback-and-experiences

Release Notes: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/xg-firewall-v18-mr5-is-now-available

https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_180_rn.html



This thread was automatically locked due to age.
Parents
  • 0

    I want to save you some time: 

    SSLVPN + WAF Portsharing: You can share the port of the SSLVPN and the WAF on 443. But not the same protocol (UDP/TCP). WAF is always TCP, so you can use SSLVPN UDP on the same Interface/IP. You can also use SSLVPN on TCP. There is no Interface selection in SSLVPN, it will be activated on every Interface. If there is a WAF/DNAT, it will overwrite the SSLVPN. 

    SSLVPN (Sophos Connect) needs a User Portal settings. In XG, user portal and SSLVPN can share the same interface (Both TCP 443 for example). But User Portal runs on TCP and will block the WAF. So thats not possible to run on TCP443. 

    About the Missing Heartbeat: The switches to setup this missing heartbeat config: 

    console> system synchronized-security
    delay-missing-heartbeat-detection      suppress-missing-heartbeat-to-central
    console> system synchronized-security delay-missing-heartbeat-detection show
    60
    console> system synchronized-security suppress-missing-heartbeat-to-central show
    0  

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni
    LuCar Toni said:
    But not the same protocol (UDP/TCP).

    Couldn't the Sophos Devs use the "port-share" parameter for OpenVPN? This would allow both WAF and SSLVPN to share the same TCP port.

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

Reply
  • 0 in reply to LuCar Toni
    LuCar Toni said:
    But not the same protocol (UDP/TCP).

    Couldn't the Sophos Devs use the "port-share" parameter for OpenVPN? This would allow both WAF and SSLVPN to share the same TCP port.

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

Children
  • 0 in reply to Prism

    Thats not possible. The Packet flow does not work in XG that way. WAF/DNAT will be first. Hence the Portshare would require to be implemented within the WAF (Kernel) to share this to the openVPN stack. OpenVPN port-share is a option, which will forward certain traffic to another instance. That would require a complete revamp of the architecture. 

    __________________________________________________________________________________________________________________

Unfiltered HTML