
Options for replacing an XG SFOS 18.5.1 with something that can send email reliably?

I'm reaching the end of my ability to deal with my XG firewall. Came from a working UTM that expired. The XG just cannot/will not reliably relay email from internal servers to the internet. Messages keep hanging and Sophos tech support keeps deleting lock files and restarting the service to get some mail to move then dead again. So many hours burned up with tech support and no closer to an answer. 

What are people who just can't get a stable XG environment working moving to? Obviously I am going to be asking other places, but hoping a good samaritan will help a desperate brother out of the wilderness. Then my only problem will be convincing my employers that the money spent on Sophos is lost and I need more to buy from another vendor.

I'm sorry, but the XG is NOT ready for production use. 



  • Yeah, if only there was some documentation that actually had useful information in the context that I am looking for. I haven't been able to figure out the XG context.

    We thought the setup issues were resolved and I moved on to set up site-to-site VPNs, and that crashed the smtpd system. Apparently that piece of junk stores old config info that is unrelated to what is showing on the pretty web page, and then your mail is all hung up. In reality, I think this may be at the root of the email problems I have been experiencing. When I think it is working and move on to finish the implementation of the XG, my email stops working again. The configuration is too brittle.

    After another 5 hours with tech support (ticket 04523536) the email is flowing. A whole lot of hacking at the command level going on. I have absolutely ZERO confidence the mail system will move traffic through the night. Engineers are friendly and helpful, but I don't really want to be phone pals with them.

    Sales Engineer? Sophos still has those? Mine disappeared last year and no one has reached out as a replacement. Given the rate I am burning up support time I would have thought someone would reach out but that would make too much sense. I've already concluded the best thing to do is show up early in the mornings and just go ahead and dial the Sophos support number and get in the queue. 

    Professional Services? If you quote me a fixed price to set up email and fix it every time another config change blows it up, I will consider it. It has been suggested I should work with one of my VARs. Why would I pay them hourly to sit on the phone with Sophos looking for the same answers?

    I'm not launching rockets here. My network and configuration are not complicated. I've had Sophos tech support all over this firewall and the config. We have deleted everything and started over twice. But inevitably at some point everything goes off the rails.

  • Additional info:

    Two fiber WAN connections, two internal mail servers, one internal web server, 30 internal network computers/clients. Nothing weird or exotic.

  • Likely caused by the WAN connections. What's your SD-WAN PBR precedence and the rule for SMTP? Can you show them to us?

  • What is an SD-WAN PBR and where do I find that *#$@.

    What SMTP rule are you interested in? The MTA firewall rule that was autocreated with its linked nat rule, or the rule that Sophos created and turns on and off depending on whether they think that will help when they restart the smtpd service?

    This may all be a moot point since I am back to a situation where this junk won't connect any site-to-site VPN I attempt. And why do the published instructions for setting up VPNs all specify using old, outdated, insecure protocols? Is that a hidden message I am missing? Sorry, I just really need something to work, anything to work, for more than 24 hours.

  • Hello Mark,

    Thank you for the Feedback and the Case ID.

    I have reached out to our Escalation Manager and your Account Manager, to discuss the options you have for Sales Engineer and Professional Services, so they can assist you with your setup and migration from UTM to XG. Most likely you’ll be hearing from them in the next 24 hours. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • OK, you may have hit on the issue. I am on dual WAN connections, but I don't require both. It is a transitory period until I can get out to the remote VPN sites and adjust them to the new provider. Since I can't get any VPNs to reconnect to the XG on the old provider address, I might as well cut it loose now and start the process of correcting the VPN configs at the remote end. The absolute last thing I want to add to the mix now is more configuration issues to support a dual WAN config I don't really need.

  • First of all: import this object: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129512/xml-import-for-internetv4-objects 

    Then go to Routing - SD-WAN Policy Based Routing (PBR). 

    You create a rule like this: (Select all Internetv4 objects) 

    Under Primary Gateway, you select your WAN Interface, which should be in your MX Record. 

    Then you follow this KB: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122602/sophos-xg-how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses

    This will lead you through the rest. The SD-WAN Rule is not needed, as this one here is much better. 

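A check worth running after the steps above: the WAN address that the PBR rule sends SMTP out of has to be the one published in the domain's MX, PTR and SPF records, because a receiving MTA applies exactly those three tests to the source IP it sees, and mail that fails them is deferred or rejected on the far end. The script below is an example added by the editor, not Sophos code and not taken from the linked KB articles. It runs offline against a constructed in-memory DNS table modelling the thread's setup (two WAN lines, mail published on one; example.com and RFC 5737 addresses are placeholders), and the SPF evaluator handles only the ip4, a, mx and include mechanisms. Point a real resolver at it to test a live domain.

```python
"""Verify that a candidate outbound-SMTP source IP matches a domain's mail DNS.

Editor's example for this thread, not Sophos or KB code. The resolver is a
static record table (constructed test data) so the check runs with no network.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Lookup(name, rtype) -> answer strings. MX answers are "<preference> <host>".
Lookup = Callable[[str, str], List[str]]


def make_resolver(records: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Wrap a static record table as a lookup function (offline stand-in for DNS)."""
    def lookup(name: str, rtype: str) -> List[str]:
        return records.get((name.lower().rstrip("."), rtype.upper()), [])
    return lookup


def mx_host(mx_answer: str) -> str:
    """'10 mail.example.com' -> 'mail.example.com'."""
    return mx_answer.split()[-1].rstrip(".").lower()


def spf_permits(domain: str, ip: str, lookup: Lookup, depth: int = 0) -> bool:
    """True if domain's SPF record passes ip via ip4:, a, mx or include:.
    Terms qualified with -, ~ or ? never count as a pass; redirect=, ptr and
    exists are not evaluated (treated as no match)."""
    if depth > 10:  # RFC 7208 lookup limit; also stops include: loops
        return False
    addr = ipaddress.ip_address(ip)
    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        return False
    for term in spf[0].split()[1:]:
        term = term[1:] if term.startswith("+") else term
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term == "a" or term.startswith("a:"):
            host = term[2:] if term.startswith("a:") else domain
            if ip in lookup(host, "A"):
                return True
        elif term == "mx" or term.startswith("mx:"):
            mx_domain = term[3:] if term.startswith("mx:") else domain
            for answer in lookup(mx_domain, "MX"):
                if ip in lookup(mx_host(answer), "A"):
                    return True
        elif term.startswith("include:"):
            if spf_permits(term[8:], ip, lookup, depth + 1):
                return True
    return False


def check_mail_egress(domain: str, wan_ip: str, lookup: Lookup) -> List[Tuple[str, bool, str]]:
    """The three tests a receiving MTA effectively applies to wan_ip."""
    mx_ips = sorted({a for m in lookup(domain, "MX") for a in lookup(mx_host(m), "A")})
    ptr_names = lookup(ipaddress.ip_address(wan_ip).reverse_pointer, "PTR")
    fcrdns = any(wan_ip in lookup(name, "A") for name in ptr_names)  # forward-confirmed rDNS
    return [
        ("mx_points_here", wan_ip in mx_ips, f"MX hosts resolve to {mx_ips}"),
        ("fcrdns", fcrdns, f"PTR for {wan_ip}: {ptr_names or 'none'}"),
        ("spf_pass", spf_permits(domain, wan_ip, lookup), f"SPF evaluated for {wan_ip}"),
    ]


def egress_ok(domain: str, wan_ip: str, lookup: Lookup) -> bool:
    return all(passed for _, passed, _ in check_mail_egress(domain, wan_ip, lookup))


# Constructed records modelling the thread's setup: two fibre WAN lines, mail
# published on the first only. Addresses are RFC 5737 documentation ranges.
WAN1 = "203.0.113.10"   # WAN line 1: the address in MX, PTR and SPF
WAN2 = "198.51.100.20"  # WAN line 2: no mail-related records at all
SAMPLE_RECORDS = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): [WAN1],
    ("example.com", "TXT"): ["v=spf1 mx include:_spf.example.com -all"],
    ("_spf.example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/28 -all"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
}
RESOLVER = make_resolver(SAMPLE_RECORDS)

if __name__ == "__main__":
    for ip in (WAN1, WAN2):
        for name, passed, detail in check_mail_egress("example.com", ip, RESOLVER):
            print(f"{ip:15} {name:15} {'PASS' if passed else 'FAIL'}  {detail}")
```

If the second line fails all three checks, that is the line outbound SMTP must never leave through; the PBR rule's primary gateway has to be the interface holding the first address, and the gateway's failover behaviour should be reviewed so a WAN1 outage does not silently move mail onto WAN2.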