Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Verified Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 86 replies
  • Subscribers 52 subscribers
  • Views 19948 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Firewall v18 MR-5: Feedback and experiences

LuCar Toni

New Thread to cover changes / feedback / experiences about MR5.

MR5 was Re Released. New Build number: 586

"Old" MR3 Thread: https://community.sophos.com/xg-firewall/f/discussions/123403/xg-firewall-v18-mr-3-feedback-and-experiences

"Old" MR4 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/124771/xg-firewall-v18-mr-4-feedback-and-experiences

Release Notes: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/xg-firewall-v18-mr5-is-now-available

https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_180_rn.html



This thread was automatically locked due to age.
Parents
  • 0

    Reports are still bad, yesterday's download of mr-5 to my mac does not show.

    The classification process is still broken - ntp, Imaps.

    Mail scanning is still broken, over 6000 messages for two people in one day.

    Ian

    XG115W - v20 EAP 1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk
    rfcat_vk said:
    The classification process is still broken - ntp, Imaps.

    Is there any reason at all on why the Firewall can't detect NTP traffic as Its own application?

    Creating a application signature for NTP shouldn't be that hard.

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 EAP1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • 0 in reply to Prism

    Just FYI - We could reproduce the issue with NTP and will fix this soon with a pattern update. 

    NTP has a category but it fails sometimes to get this matching. NTP =/= NTP in some cases. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    The newest App pattern should include the NTP Traffic as correctly verified as NTP. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Is "18.18.25" the latest pattern update for IPS/App?

    Most of my NTP traffic still isn't being identified correctly.

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 EAP1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • 0 in reply to Prism

    Can you share a screenshot of this traffic? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I've only managed to get a single NTP sync identified correctly as NTP App by the Firewall.

    (Interesting enough It has a Windows machine, everything else on the Log Viewer is either Android/Linux/IOS)

    (I've also manually triggered a NTP Sync on two Linux VM, still didn't got identified. (Used both Systemd-timesyncd, and ntpdate))

    Here's how It currently looks in the Log Viewer:

    Will do a packet capture later to see If It's an issue on my end.

    Thanks for the update!

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 EAP1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

Reply
  • 0 in reply to LuCar Toni

    I've only managed to get a single NTP sync identified correctly as NTP App by the Firewall.

    (Interesting enough It has a Windows machine, everything else on the Log Viewer is either Android/Linux/IOS)

    (I've also manually triggered a NTP Sync on two Linux VM, still didn't got identified. (Used both Systemd-timesyncd, and ntpdate))

    Here's how It currently looks in the Log Viewer:

    Will do a packet capture later to see If It's an issue on my end.

    Thanks for the update!

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 EAP1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

Children
  • 0 in reply to Prism

    The pattern was released ~12:00. 

    My windows clients are getting correctly verified:

    Whats the client, you are seeing? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    07:18:13, Jun 15 2021 has the time "18.18.25" got applied on my Firewall. (Different Time-zones.)

    On Linux:

    • SUSE SLES 15.3 VM's (Systemd-Timesyncd) - (Chrony also doesn't get identified.)
    • Arch Linux (Systemd-Timesyncd)

    Both Android 10 & 11.

    Single iPhone 11 on latest IOS.

    EDIT: Only on Windows the NTP Traffic gets identified correctly. (Note: On Windows the Source UDP Port is also 123, meanwhile on everything else It uses >1024 ports.)

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 EAP1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • 0 in reply to Prism

    Let me get back to the Labs Team to verify this. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Still not classifying my NTP traffic, also doesn't classify all Imaps traffic.

    Ian

    XG115W - v20 EAP 1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML