Sophos Firewall: v19.0 GA: Feedback and experiences

  • I fully understand you can't revoke the entire build, and I understand that the issue wasn't known when the firmware was released, but what I'm saying is that if the Sophos does an upgrade and the device enters "failsafe" then when entering "failsafe mode" it should automatically mark the alternative image as default for the next boot of the device. That way, if a firmware update fails and breaks the device - for whatever reason - we can just tell the customer to power cycle the device and it will boot back into the previous firmware.

  • I would have to agree with Ryan. At least put it in the release notes (you finally did) and notify users. This version has been out for almost 2 months, but you just added it to the release notes. This was a known issue, but it took weeks to document it, and IMO, it's not emphasized enough. I also don't agree with Sophos using a rolling release notes page that you just add to as you find issues. It makes it look like you notified end users before the upgrade, but a lot of "known issues" have been added after V19 GA was released. There should be addendums so users that already did the upgrade can decipher what is new. I really love the XG, but you guys do a terrible job of notifying end users of issues.

  • Sorry for the late reply. NAT issues have been ongoing for a long time in SFOS. I reported this back in the V16 days, but they never did anything about it. Every once in a while on upgrades of a few different clusters, some NAT rules would just stop processing. If you have custom NAT rules, the easiest fix is to just delete them and recreate them. I also specify interfaces in NAT rules and disable the default SNAT rule. It seems to help on upgrades.

  • Hi everyone,

    Several bugs on my side:

    • one XG310 unit experienced a factory reset at reboot; everything is now OK after importing a previous configuration backup.
    • more annoying, problems with IPSec VPNs:
      • throughput is very, very reduced in only one way, outgoing
      • occurs with Sophos Connect and site-2-site VPN
      • reverting to previous firmware restores normal operation
      • seems to occur with XGS hardware, not XG
  • I have my HomeLab vSFOS always on the latest version, also EAP. Running on Synology KVM with no problems.

    As an MSP, I have so far upgraded a small part of my test pool to the latest v19, each from the last or penultimate v18. No problems so far. On an XG210 cluster there is a problem with HTTP-Encryption and the CertCache, but it may be related to another problem.

    When you read this, you get a little more fear of an update.

  • Response from the L2 team:
    "EdDSA is not supported on V19 and V18.5.4"

  • I have a question about the VPN value "conn-remove-on-failover": the release notes document that the default value for newly installed 19 MR1 firewalls is "enabled". If I check the value (on my migrated firewalls), it is set to "non_tcp", and the possible values are "all" and "non-tcp". What is the correct value for new boxes?


  • Hi Ben@Network, for new boxes “non-tcp” is the default value.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
