Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html
"Old" V18.5 MR1 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/128960/sophos-firewall-v18-5-mr1-feedback-and-experiences/
"Old" V18.0 MR5 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/127053/xg-firewall-v18-mr-5-feedback-and-experiences
Please review: https://support.sophos.com/support/s/article/KB-000043489?language=en_US
The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much…
Installed and all our workstation Heartbeats are missing (after rebooting workstations).
Quite an issue as heartbeats are required for all workstation connectivity. Had to physically connect to the XG to put a temporary access rule in.
Seems to be faster, less having to refresh pages to get all inserts.
No improvements to IPv6.
Added: still have the heartbeat service failure.
Probably a bit harsh with the no improvements in IPv6, seeing there is a fix listed.
The FQDN tab still does not recognise IPv6 addresses, so when will this be fixed?
XG115W - v19 GA - Home
1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.
If a post solves your question please use the 'Verify Answer' button.
Also have the heartbeat error.
I also get the following message under --> System --> Sophos Central.
Security Heartbeat is not available due to licenses. Check your licenses. Please contact your Sophos partner to update your Sophos Central or Sophos Firewall licenses.
The license is okay, though. Re-registering the XG in Central did not help either.
If it is indeed a certificate issue, your endpoints need access to the internet and a DNS server to be able to update their certificate. This is the problem for us, because without a heartbeat, our endpoints are blocked on our network, so they can't update the certificate. I had to change our firewall rules so they could get the certificate; then they got their Heartbeats and I could change the firewall rules back.
Not sure if you have the same sort of setup so I don't know if this will help you resolve your issue.
Same here with the licence issue. @lucar-toni do we have a solution to this yet?
What do you mean? The License shown as invalid? Do you have a valid license?
Of course I do have a valid XG licence :-) But I do also have one expired Endpoint licence in Central. This should not be related, though, as it worked until MR-2.
"Security Heartbeat is not available due to license issues, verify licenses. Please contact your Sophos Partner to update your Sophos Central or Sophos Firewall licenses." vs. Licensed subscriptions: Xstream Protection bundle
I will not upgrade the remaining boxes to MR-2 for now.
And a small sidenote... I'm with XG since v16 and the road to v18.5 is quite a ride. Basic things like Let's Encrypt support still missing, new releases break things and issues reported as fixed are still not working (I need to reopen a ticket for iOS IPSEC vpn not working, which should be fixed with NC-76400 in MR-2)
Could you create a Support case for this? Because actually this should not occur. Do not forget - MR2 is a "soft release". We are not expecting issues, but problems could still occur; that's the reason for a soft release.
Will do sometime today. I understand, I was aiming for NC-76400, which should resolve another support ticket of mine from March, yes March 2021, so 9 months :-/
I have the same problem: heartbeat dead in the GUI after the upgrade from 18.5.1_MR-1-326 to MR2.
In /log/heartbeatd.log I have this error:
[2021-12-01 14:26:36.814Z] ERROR HBSessionHandler.cpp:256 dbCallbackEncryptedPassphrase - Decryption of passphrase is failed
[2021-12-01 14:26:36.814Z] FATAL HbdModuleBuilder.cpp:143 intializeAndRunHbd - Password missing to decrypt the key
[2021-12-01 14:26:36.814Z] INFO HbdModuleBuilder.cpp:148 intializeAndRunHbd - Heartbeat daemon halted
On my box it's about missing crt files :-/ ...
[2021-12-07 12:31:30.639Z] INFO HbdModuleBuilder.cpp:96 intializeAndRunHbd - Heartbeat daemon starting
[2021-12-07 12:31:30.987Z] INFO HbdModuleBuilder.cpp:225 neededFilesMissing - blocking until missing files exist:
[2021-12-07 12:31:30.988Z] INFO HbdModuleBuilder.cpp:227 neededFilesMissing - /conf/sysfiles/heartbeatd/server.crt
[2021-12-07 12:31:44.721Z] INFO HbdModuleBuilder.cpp:225 neededFilesMissing - blocking until missing files exist:
[2021-12-07 12:31:44.721Z] INFO HbdModuleBuilder.cpp:227 neededFilesMissing - /conf/sysfiles/heartbeatd/server.crt
[2021-12-07 12:32:21.137Z] INFO HbdModuleBuilder.cpp:303 operator() - Got SIGNAL so daemon is going to stop
[2021-12-07 12:33:05.044Z] INFO HbdModuleBuilder.cpp:202 initLogger - Word size of architecture: 64
Hi Martin Hampl and Alessandro Abolis Can you please DM me your Support Access ID?
Info from support:
In version v18.0 MR5 there is no passphrase encryption feature for server.key, and the encryption is enabled in v18.5 MR2. As part of passphrase encryption we check whether the Central account used for registration of the Firewall has a valid Syncsec/EP license or not, so if the Central account doesn't have a valid license we do not encrypt the passphrase, and the Heartbeat daemon will be in DEAD state. You will not see this issue if you use a valid Central account with licenses in v18.5 MR2. This is expected behavior and as a result you will have the below logs: "Security Heartbeat is not available due to license issues, verify licenses. Please contact your Sophos Partner to update your Sophos Central or Sophos Firewall licenses."
Ok I guess, but wrong from UX point of view. Because we do not use Endpoint Protection, our box will have RED Services icon and will report a DEAD service in Status frontpage? Seems to me that this change was not prepared well enough. I see myself checking the services quite often just to be sure it's only the heartbeat service. Because how can I now see after login if any other issue is there?
I have managed to fix this issue on my machine.
For some reason, after the 18.5.2 MR2 upgrade, the files /conf/sysfiles/heartbeatd/server.key and /conf/sysfiles/heartbeatd/server.crt get deleted.
After a lot of fussing around, I found this fix works. Get to the Device Management Shell (#) and run the following:
cd /conf/sysfiles/heartbeatd    # the directory the daemon waits on (see the log above); the copies below are relative to it
cp /conf/certificate/internalcerts/ClientAuthentication_cert.pem server.crt
cp /conf/certificate/internalcerts/ClientAuthentication_cert.key server.key
chown root:heartbeatd server.*    # the daemon runs in the heartbeatd group and must be able to read the key
service heartbeat:restart -ds nosync
service enhancedappctrl:restart -ds nosync
If you now look in /log/heartbeatd.log everything is working just fine.
Hope this helps,