Sophos Firewall: v18.5 MR2: Feedback and experiences

Hi,

I think there was a comment about additional features in the software version, would that be the cause and what are the additional features?

ian

Same Issue here. Clients on the VLAN that does NOT require HB on the firewall rule that allows http/https to WAN work fine, clients are authenticated using HB. Clients on the VLAN that requires HB to access the internet cannot authenticate using HB and cannot access anything on the WAN. This was an upgrade 18.5.1 -> 18.5.2 on an XG flashed SG430.

After removing the HB and "match known users" requirement from the firewall rule the clients started authenticating using HB again.

Installed and everything worked fine. The reboot after the installation took over 20 minutes. The UI seems faster now. But I can't find the Sophos Assistant in the right corner.

You might need to widen your browser page, on my XG it is about 1/3 down on a very wide page.

Ian

Yes, MR2 regenerate a certificate on the firewall level. We will update all needed documents to reflect this and what to do. 

Additionally we are checking, why a client is not able to update in the state of missing hb. 

The time for the CLI logs such as applog, strongswan log and csc log have now changed to GMT from local time. However when running the date command in the CLI it is showing the local time as well as in the GUI. Was that intended?

Yes - There was a streamline process made to sync up all Logs. 

I would have thought that the issue (at least for us) was DNS. Even when we allowed internet access, certificates could not be renewed because we also require Heartbeat to access our internal DNS server (which isn't the XG). Unlike Heartbeat itself, which connects to a fixed IP, certificate renewal must use a URL. If you can't resolve that URL then you aren't going to be able to renew the certificate whatever internal firewall exceptions are present on the XG. Certificates renewed fine once we allowed access to our DNS without a Heartbeat.

Heartbeat should be able to cover after a one time internet connection of the clients. 

CPU increase seems to be a odd behavior, which i cannot comment on. We would need a support case to investigate this further. 

Please put a warning on the firmware details page stating that the firmware upgrade can lead to loss of connectivity when depending on heartbeat state and heartbeat authentication.

Which destinations need to be excluded to allow the communication from Sophos Central endpoints to Sophos Central for renewing/receiving the new certificate for Heartbeat communication?