New Thread to cover changes / feedback / experiences about MR5.
MR5 was re-released. New build number: 586
"Old" MR3 Thread: https://community.sophos.com/xg-firewall/f/discussions/123403/xg-firewall-v18-mr-3-feedback-and-experiences
"Old" MR4 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/124771/xg-firewall-v18-mr-4-feedback-and-experiences
Release Notes: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/xg-firewall-v18-mr5-is-now-available
rfcat_vk said: The classification process is still broken - NTP, IMAPS.
Is there any reason at all why the Firewall can't detect NTP traffic as its own application?
Creating an application signature…
Reports are still bad; yesterday's download of MR5 to my Mac does not show.
The classification process is still broken - NTP, IMAPS.
Mail scanning is still broken, over 6000 messages for two people in one day.
Creating an application signature for NTP shouldn't be that hard.
Just FYI - we could reproduce the issue with NTP and will fix this soon with a pattern update.
NTP has a category but it fails sometimes to get this matching. NTP =/= NTP in some cases.
The newest App pattern should include the NTP traffic being correctly verified as NTP.
Is "18.18.25" the latest pattern update for IPS/App?
Most of my NTP traffic still isn't being identified correctly.
Can you share a screenshot of this traffic?
I've only managed to get a single NTP sync identified correctly as the NTP App by the Firewall.
(Interestingly enough, it was a Windows machine; everything else in the Log Viewer is either Android/Linux/iOS.)
(I've also manually triggered an NTP sync on two Linux VMs; it still didn't get identified. (Used both systemd-timesyncd and ntpdate.))
Here's how it currently looks in the Log Viewer:
Will do a packet capture later to see if it's an issue on my end.
Thanks for the update!
The pattern was released ~12:00.
My windows clients are getting correctly verified:
What's the client you are seeing?
07:18:13, Jun 15 2021 is the time "18.18.25" got applied on my Firewall. (Different time zones.)
Both Android 10 & 11.
Single iPhone 11 on the latest iOS.
EDIT: Only on Windows does the NTP traffic get identified correctly. (Note: on Windows the source UDP port is also 123, whereas everything else uses a >1024 source port.)
Let me get back to the Labs Team to verify this.
Still not classifying my NTP traffic, and it also doesn't classify all IMAPS traffic.
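The observation above (Windows sends NTP from source port 123, Linux/Android/iOS from an ephemeral port) is the likely reason a port-pair signature matches only Windows clients. The following is an added illustration, not code from this thread or from Sophos: a naive port-pair classifier beside a header-based one that parses the RFC 5905 LI/VN/Mode byte and ignores the source port. The datagrams are constructed samples; `UdpDatagram` and both classifier names are assumptions of this example.

```python
# Added example (not from the thread or from Sophos): port-agnostic NTP classification.
import struct
from dataclasses import dataclass
from typing import Optional

NTP_PORT = 123
NTP_MIN_LEN = 48  # fixed NTP header; extension fields / MAC may follow

@dataclass(frozen=True)
class UdpDatagram:           # hypothetical minimal view of a UDP packet
    src_port: int
    dst_port: int
    payload: bytes

def classify_by_ports(d: UdpDatagram) -> Optional[str]:
    """Naive signature: both ends on UDP/123. Only Windows w32time looks like this."""
    return "ntp" if d.src_port == NTP_PORT and d.dst_port == NTP_PORT else None

def classify_by_header(d: UdpDatagram) -> Optional[str]:
    """Match on the NTP header (RFC 5905) instead of the source port:
    either port is 123, the fixed 48-byte layout is present, the version is
    1..4 and the mode is client/server/broadcast. Rejects random UDP/123 noise."""
    if NTP_PORT not in (d.src_port, d.dst_port) or len(d.payload) < NTP_MIN_LEN:
        return None
    first, stratum = d.payload[0], d.payload[1]
    version = (first >> 3) & 0x07
    mode = first & 0x07
    if not 1 <= version <= 4 or mode not in (3, 4, 5):
        return None
    if mode == 4 and stratum > 16:      # server replies carry stratum 0..16
        return None
    return "ntp"

def ntp_client_request(version: int = 4) -> bytes:
    """Constructed 48-byte client request: LI=0, VN=version, Mode=3, rest zero."""
    first = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", first) + b"\x00" * (NTP_MIN_LEN - 1)

# Constructed sample traffic mirroring the thread's observation.
WINDOWS_SYNC = UdpDatagram(123, 123, ntp_client_request())    # w32time: sport 123
LINUX_SYNC = UdpDatagram(53211, 123, ntp_client_request())    # timesyncd/ntpdate: ephemeral sport
DNS_QUERY = UdpDatagram(53212, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
BOGUS_123 = UdpDatagram(40000, 123, b"\xff" * 48)             # VN=7 / Mode=7: not NTP

if __name__ == "__main__":
    for name, dg in [("windows", WINDOWS_SYNC), ("linux", LINUX_SYNC), ("dns", DNS_QUERY), ("bogus", BOGUS_123)]:
        print(f"{name:8} ports={classify_by_ports(dg)} header={classify_by_header(dg)}")
```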