Sophos Firewall: v18.5 MR4: Feedback and experiences

Since I can't wait for Sophos to release v19 MR1 and v18.5 MR4 won't fix the SASI hassle that's going on, I decided to downgrade to 18.5 MR2. However, this seems to be a problem sometimes.

I have a XGS126 that was upgraded from 18.5 MR2 to 19 GA. I could downgrade it back to 18.5 MR2 without any problem.

After that I tried to downgrade a XG210 that was upgraded from 18.5 MR3 to 19 GA. When uploading 18.5 MR2 or MR4 to the firewall it said "The firmware will boot the device with factory default configuration. Are you sure you want to continue?". Since I can't stand all the spam, I did it anyway and booted the uploaded 18.5 MR2. It indeed came up with factory defaults loaded. I tried to restore the latest config backup from 19 GA, but it just said that the firmware is not matching, so I restored an old backup from a time the firewall had installed 18.5 MR2, which worked. After that I just booted up the still present 19 GA firmware and the firewall came up with the restored MR2 config. I restored the latest 19 GA backup and booted the 18.5 MR2 firmware. I expected the firewall to come up with factory defaults again, but it still has the latest config running.

So thats the processes that work:
18.5 MR2 > 19 GA > 18.5 MR2/MR4 without factory reset
18.5 MR3 > 19 GA > 18.5 MR2/MR4 with factory reset  > 19 GA > restore latest config from 19 GA > 18.5 MR2/MR4 without factory reset

Why do I need a factory reset if 18.5 MR3 was previously installed, but not if I skipped it? In both scenarios I go 19 GA > 18.5 MR2 in the end.

I do not have the answer to this point but MR2 will go End of Life soon. Per definition of the lifecycle policy: https://support.sophos.com/support/s/article/KB-000035279?language=en_US#xgfirewallsoftware

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-lifecycle-policy-changes-end-of-life-announcement-for-older-sfos-versions

So i assume, it is not smart to go back in time to MR2. 

So do you use the reputation filter in MTA or not? You did not answer this question.

And also which kind of RBL do you use? 

Hi, 

The filter works in legacy mode.

RBL:
dnsbl-1.uceprotect.net
pbl.spamhaus.org
sbl-xbl.spamhaus.org

I don't see how this is even relevant, since the settings have not changed but the Spam Engine has. Anyway, reputation filter is enabled and I use all RBLs provided by Sophos + zen.spamhaus.org

Hi Kajetan Dudczak,

Do you still have an open support ticket?

Hi, 

Yes of course.

I'll send you the number in a private message.

Here you have a comparison of one week MR2 vs. one week MR4:

The detection rate is just plain bad and I highly doubt that you guys did any propper testing before releasing this to your customers!

Hi Dreamcatcher, a new Development ID NC-98258 has been assigned to investigate this issue of poor SPAM detection rate even after upgrading to 18.5.4. We will update this thread as we know more.

has there been any movement on this? I show last response about a month ago and a similar chain on the xg v19mr1 with no resolution either. We have noticed this new poor anti spam detection as well and have been consequently upgrading to latest MR in hopes it would get fixed but nothing yet.

No progress so far, 19.0 MR1 is as bad as 18.5 MR3/MR4. I have a case open with Sophos, but so far it doesn't seem to go anywhere in the near future. They just want me to send them spam mails that got through so they can submit them to Sophos labs. My customers get super obvious spam mails with the corresponding mail headers showing a SASI spam probability between 10-20%, it's ridiculous.

We've noticed this as well but have not generated a specific ticket for it, yet - mainly because we found another issue related to email security we'd like support to address first related to SPF, or lack thereof.  I really hope Sophos starts to get things turned around for maintenance/breakage items and less on enhancements as the list of things breaking is growing.

We've noticed this as well but have not generated a specific ticket for it, yet - mainly because we found another issue related to email security we'd like support to address first related to SPF, or lack thereof.  I really hope Sophos starts to get things turned around for maintenance/breakage items and less on enhancements as the list of things breaking is growing.