
  • That is a major feature to implement and would be listed in the new features if it were implemented.


  • There should not be any import or creation of any firewall rules? Or did you upgrade from V17.5? 


  • Do you mean the Exception List within Web and not the local TLS List? Because the exception List will be used all the time. 


  • Is there a release date for the IKEv2 Remote Access VPN? I've been waiting for this feature for a long time too.

    If a post solves your question please use the 'Verify Answer' button.

  • I do not have an ETA for this feature. The question would be whether ZTNA is a solution for this kind of challenge.


  • Cloud services are not our preferred choice. We prefer an integrated VPN client in Windows. But I can take a look at ZTNA.

    If a post solves your question please use the 'Verify Answer' button.

  • ZTNA is not cloud. ZTNA is something that works as a "per-app VPN". Basically, you can build a ZTNA gateway, which will be your "VPN gateway" and will take responsibility for doing a "per-app" VPN. You get a tunnel per application you want to use. You want to do an https:// request? It will take this and authenticate you to forward it to the service (on-prem or cloud). You want to do RDP? It will take this and forward it, without the need for a VPN. VPN has some issues with deployment: what about 100 clients? How do you publish this? ZTNA will be integrated into the endpoint this year. You can simply deploy the ZTNA client to the client and it will authenticate you against the ZTNA gateway. Therefore, you can simply RDP to a public DNS and get to the resource: secure and authenticated, without the need to have an IP or anything within your network.


  • Has there been any regression on v18.5 MR1 related to port sharing (443 TCP) with WAF and SSLVPN?

    After the update, the SSLVPN stopped and gave this error:

    Wed Jul 28 10:17:00 2021 [9983] TCP/UDP: Socket bind failed on local address [undef]: Address already in use
    Wed Jul 28 10:17:00 2021 [9983] Exiting due to fatal error


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Can you give me the steps to reproduce this? 


  • There's not a lot to do to replicate this; it happened after I updated to v18.5 MR1.

    • On v18.0 MR5, create a WAF rule on a local port which uses 443 for HTTPS.
    • Change the SSLVPN configuration to use port 443 over TCP. (Will work as expected.)
    • Update to v18.5 MR1 EAP.

    After this, the SSLVPN service will stop and the error message above will show in /log/sslvpn.log.

    *I will try to reboot my firewall later on to see if it fixes anything.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home