
  • Thanks for your post and writing that linked article! Will go through that.

    I just found that Policy ID 3 is the manual drop+log rule. It is showing as green. I don't mind; that is a long-known issue.

    I double-checked that the correct firewall rule for the access points exists, uses the correct hosts, ports and zones, and matches. It does. Re-saving the skipped firewall rule does not help so far.

    Will report back.

    It was XGS's wildcard DNS name resolution issue. We allow:

    That *.prod.hydra.sophos.com resolves correctly.

    That's a screenshot of the IPs resolved to the wildcard FQDN host:

    But the firewall rule has not been hit by the traffic; it ran through the rule set until the block+log rule.

    So I created a new FQDN host for the full FQDN wifi-cloudstation-eu-central-1.prod.hydra.sophos.com, with no wildcard.

    We can see the same IPs in that newly created object.

    Added it to the firewall rule above and only seconds after saving the rule, the APs showed online in central.

    Central:

    So SFOS has issues with wildcard FQDN of Sophos.
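
The post above describes a rule that names the right FQDN object yet is never hit, with the flow falling through to the drop rule. The block below is an added example for this thread, not Sophos code and not a description of SFOS internals. It models a design many firewalls use, which is an assumption here: an FQDN host object is matched against the IPs the firewall currently holds for it, not against a hostname (a packet carries none), so a rule that looks right by name still misses when the object's IP set does not contain the destination. The `diagnose` helper separates "name covered, IP missing" from "name not covered", which is the distinction a practitioner wants when reading the log viewer against the host objects. All IPs, the rotating-pool behaviour and the policy IDs are constructed sample data; only the two FQDNs come from the thread.

```python
"""Model of FQDN host objects in a first-match firewall rule set.

Added example for this thread; not Sophos code and not SFOS internals.
Assumed design: an FQDN host object is matched against the IPs the
firewall currently holds for it. A wildcard object only covers IPs the
firewall has actually learned for names under the wildcard.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class FqdnHost:
    pattern: str                                  # exact name, or "*.suffix"
    resolved: set = field(default_factory=set)    # IPs the firewall holds now

    def covers_name(self, name: str) -> bool:
        """Name-level check only: does the pattern describe this hostname?"""
        name = name.rstrip(".").lower()
        if self.pattern.startswith("*."):
            suffix = self.pattern[1:].lower()     # ".prod.hydra.sophos.com"
            return name.endswith(suffix) and len(name) > len(suffix)
        return name == self.pattern.lower()

    def learn(self, name: str, ips) -> bool:
        """Record a DNS answer for `name` if the pattern covers it."""
        if not self.covers_name(name):
            return False
        self.resolved.update(str(ip_address(ip)) for ip in ips)
        return True

    def matches_ip(self, ip: str) -> bool:
        return str(ip_address(ip)) in self.resolved


@dataclass
class Rule:
    policy_id: int
    action: str                                   # "accept" or "drop"
    dst_hosts: list = field(default_factory=list) # empty means any destination


def evaluate(rules, dst_ip: str) -> Rule:
    """First-match rule lookup on the destination IP of a packet."""
    for rule in rules:
        if not rule.dst_hosts or any(h.matches_ip(dst_ip) for h in rule.dst_hosts):
            return rule
    raise LookupError("rule set has no final catch-all")


def diagnose(rule: Rule, dst_name: str, dst_ip: str) -> dict:
    """Per object: why an accept rule did or did not cover a flow."""
    report = {}
    for h in rule.dst_hosts:
        if h.matches_ip(dst_ip):
            report[h.pattern] = "ip in object"
        elif h.covers_name(dst_name):
            report[h.pattern] = "name covered, ip not in object"
        else:
            report[h.pattern] = "name not covered"
    return report


AP_FQDN = "wifi-cloudstation-eu-central-1.prod.hydra.sophos.com"
# Constructed answers (assumption): the name is served from a rotating pool.
POOL_A = ["198.51.100.10", "198.51.100.11"]
POOL_B = ["198.51.100.20", "198.51.100.21"]


def scenario():
    """Wildcard object learned one answer; the AP connects using a later one."""
    wildcard = FqdnHost("*.prod.hydra.sophos.com")
    wildcard.learn(AP_FQDN, POOL_A)           # the DNS answer the firewall saw
    allow = Rule(1, "accept", [wildcard])
    drop = Rule(5, "drop")                    # constructed block+log rule at the bottom
    rules = [allow, drop]

    ap_dst = POOL_B[0]                        # the AP's own lookup returned pool B
    before = evaluate(rules, ap_dst).policy_id
    why = diagnose(allow, AP_FQDN, ap_dst)

    exact = FqdnHost(AP_FQDN)
    exact.learn(AP_FQDN, POOL_A + POOL_B)     # assumption: exact names are refreshed fully
    allow.dst_hosts.append(exact)
    after = evaluate(rules, ap_dst).policy_id
    return before, why, after


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` returns the drop policy first, a report saying the wildcard covers the name but not the IP, and the accept policy once the exact object is added. The practical check this encodes: take the destination IP from the dropped entry in the log viewer and confirm it actually appears in the host object's resolved IP list; if it does not, the rule is correct by name and stale by IP, which is a resolution problem rather than a rule-order problem.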

  • Updated our main XG430 from MR3 to MR4.

    There we have the same issue with two Central-managed AP320X.

    wifi-cloudstation-eu-central-1.prod.hydra.sophos.com/

    is not reachable, although we have configured access to *.prod.hydra.sophos.com in a firewall rule. Traffic runs through the ruleset and finally hits our drop rule.

    APs were online for about 45 minutes after the upgrade but then went offline, and we could notice the same issue in Log viewer -> Web filter.

    Policy 5 is our block+log rule.

    Can Sophos explain what is happening here, please?

  • Hi,

    Since the update from 18.5.3 to 18.5.4 we have problems installing new IPS and Application signatures:

    pt_dload_checker: Callback u2d_pt_installed failed for ips, version = 18.19.42.
    pt_dload_checker: Setting status 'fail' in DB and reverting link for ips to old version = 18.19.32.
    pt_dload_checker: IPSSwitch: u2d_pt_installed failed

    Regards,

    Markus

  • Hi, a new Development ID NC-98258 has been assigned to investigate this issue of poor SPAM detection rate even after upgrading to 18.5.4. We will update this thread as we know more.

    Karlos
    Community Support Engineer | Sophos Technical Support

  • Um, because it's a feature set of the firewall and there's a subscription option for it?

    Also stop with the up-sell of Central Email. Yes, of course it's far more capable than what's available in an edge device - as it should be.

    The point here is that SASI was put into SFOS without any real effort made to ensure the protection offering matched the existing antispam engine. It was put in without even ensuring the engine actually worked. It's just another example of negligible QA processes in place for release engineering.

    If it's a deliberate case of deprecating antispam capability in SFOS (unlikely; incompetence nearly always trumps malice) then an effort should be made for existing subscription holders to transition to Central Email at a discounted rate.

    Your comment about offloading Intelix decisions all the time is odd. E-mail isn't interactive, so any delays incurred by waiting for a cloud response aren't going to make a huge difference, unlike Zero-Day Protection kicking in and making people wait for the download to start, or interfering with scripted downloads that are expecting the actual file rather than a Sophos intermediate page.

  • Has there been any movement on this? I show the last response about a month ago and a similar chain on the XG v19 MR1 with no resolution either. We have noticed this new poor anti-spam detection as well and have consequently been upgrading to the latest MR in hopes it would get fixed, but nothing yet.

  • No progress so far, 19.0 MR1 is as bad as 18.5 MR3/MR4. I have a case open with Sophos, but so far it doesn't seem to go anywhere in the near future. They just want me to send them spam mails that got through so they can submit them to Sophos labs. My customers get super obvious spam mails with the corresponding mail headers showing a SASI spam probability between 10-20%, it's ridiculous.

  • We've noticed this as well but have not generated a specific ticket for it yet, mainly because we found another issue related to email security we'd like support to address first, related to SPF, or lack thereof. I really hope Sophos starts to get things turned around for maintenance/breakage items and focuses less on enhancements, as the list of things breaking is growing.