
Sophos Firewall: v19.0 GA: Feedback and experiences

  • Only in specific modules or completely? Our WAF is still freezing 1-2 times a day for about 2 minutes... That is something we have had since version 18.0 and the beginning of our time with Sophos XG WAF.

  • I have been running V19 on my personal firewalls since the public beta started. Here are my thoughts so far. I also upgraded a cluster of XG230s to test on tomorrow as well.

    * Performance-Based Link Selection

    Works great until the firewall is under load. When the CPU starts getting above 60-70%, this feature doesn't work as it should. The firewall itself will start inducing latency and jitter on links as it gets loaded down, which gives false information to the service responsible for the SD-WAN routing. It seems Sophos does not have any type of CPU prioritization in SFOS to guarantee the firewall will have enough core resources to do what it is supposed to do, even if the CPU is approaching its max.

    * Zero-Impact Transitions

    Again, great feature and it seems to work really well, but not when the firewall is under load.

    * DPI

    No performance improvements on non-XGS hardware. It actually increased RAM and CPU utilization slightly on 2 different units. Still no way to disable the DPI engine from looking at inter-VLAN traffic and slowing it down, like encrypted SMB that is going across VLANs at a small site that utilizes the XG as the layer 3 device. Sophos still thinks SMB should have a layer 3 switch for inter-VLAN routing, instead of just making a feature to allow the admin to exclude certain traffic from all forms of inspection. The "other guys" allow this. Hopefully Sophos will at some point. It's disappointing because it's nice to know what is flowing between VLANs, but to do it at true wire speed of let's say 1G, you'd need an XGS 2100 at least, if it's encrypted traffic.

    Overall, I do think it's a great build, but I do wish they would close some product gaps a lot sooner than they do (like the logging that still sucks and the lack of a live flow monitor like UTM. Live Connections isn't even CLOSE to UTM's flow monitor).

    I will post another update once I have a cluster of XGS devices updated to see how they do. I will probably wait until MR1 though.

    Mike

  • Picking up issues with NAT. I have multiple public IPs configured on a single port, all using the same gateway, which is the ISP's router. I need some outgoing traffic to come from a specific IP configured on the port.

    For this I used NAT rules and translated the source to the specific public IP address I want the traffic to come from. Since v19, traffic is now translated to the IP of my ISP's router, in other words, the gateway for the port.

  • Hi,

    Please review linked NAT rules to see if they might be useful.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello, how does the locking manifest? Maybe I have the same problem...

  • Hi: I have raised this internally with Dev and PM and we are tracking it internally with ID NC-93926 to work on it. Thanks.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    If a post solves your question use the 'Verify Answer' link.

  • Routing between VLANs doesn't work during the freeze and everyone is offline.
    Other problems haven't been noticed yet.

  • I have an issue with the Sophos Connect VPN - so random - it's dropping some websites but not all. The remote user is connected and we do Full Tunnel - they can access resources on LAN / WAN and surf sites etc. - then 2 websites will not load. Both worked on v18 and both work if on the local LAN - but when on VPN it's between the remote client and the XG - no logs generated on the XG either.

    No clue what makes these few sites different to the others though:

    https://login.saleslogs.com

    https://toyotafinanceonline.com.au/

    All others seem OK......

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • DNAT rules don't work anymore. Inbound traffic gets completely broken, FW rules ignored. Hopeless...