Sophos Firewall: v18.5 MR1: Feedback and experiences

There is a commitment to implement it to SFOS. But there are high priority items to get implemented first. DHCP-PD is somehow a more regional feature. Regions struggling with IPs are start to implement the DHCPv6 ISP implementations, while other regions are moving towards eBGP and other systems. And most of my peers are working with a "extra payment service to get a static IPv4". So they are not affected as well. 

As far as i know, this is currently planned to get implemented in a version next year. 

Hi foks

more experimentation. I disabled the default SSL/TLS inspection rule and created my own with decrypt enabled.

What logviewer shows is the exception list is still active even though the description of the list says for the default SSL/TLS rule. So how do you disable the default exception list? Also somewhere there is hidden an SSL/TLS rule 0 which is used for Sophos software updates to at least APX120 connected to CM.

Ian

Hi folks,

Dynamic DNS is still updating twice eg sending two registrations at the same time. No, the WAN interface is not changing.

Ian

Still an issue in 326.

FYI: Updated the KB with the latest information. https://support.sophos.com/support/s/article/KB-000041253?language=en_US

Looks like all FW rules and NAT broke.  Don't want to have to recreate them, but looks like I may have to.

Hi.

please be a bit more specific. What did you do, upgrade from which version? Do you have a backup that you can restore to after the upgrade?

Ian

SFOS 18.0.5 MR-5-Build586.  None of the firewall/NAT rules work anymore.  I have regular backups, but reverting a version doesn't seem optimal.  Then again, neither does having to completely rebuild FW rules and corresponding DNAT port configurations.
They really shouldn't have messed with rules/NAT, IMHO.
Now I have a TON of work ahead of me, to recreate what was already in place and working.

Hi,

I wasn't suggesting a rollback of version but to use a backup and restore function.

As far as I can tell there was a fix to the NAT regarding hairpin function but nothing else appears to have changed from what I can seen my system.

You might consider starting a support case?

Ian

Looks like there was some sort of automated import function for FW rules and NAT, but it obviously didn't work for me as expected.
Now I have a mess of imported rules and NAT entries, on multiple pages filled with configuration drop-downs and links - many of which are grayed out.
Not happy with whomever managed this update.

Has there been any progress with enabling IKEv2 for remote access (NC-14133 I believe)? I haven't had any luck with getting L2TP working and IKEv2 is the new standard anyway, and I have it working for site-to-site. I can't see the ticket in either the resolved or known issues in the release notes.