Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 242 replies
  • Answers 6 answers
  • Subscribers 81 subscribers
  • Views 64088 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.0 MR1: Feedback and experiences

LuCar Toni

Re-Release: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-is-now-available

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_190_rn.html

"Old" V18.5 MR4 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/134965/sophos-firewall-v18-5-mr4-feedback-and-experiences

V19.0 GA Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/134009/sophos-firewall-v19-0-ga-feedback-and-experiences



This thread was automatically locked due to age.
Parents
  • 0

    I have a problem with firewall rules. Since I upgraded from 19.0 GA to 19.0 MR1, my WIFI rule is not working anymore, nothing is let through. No ping, no TCP connection from LAN zone to WIFI zone:

    As you can see, 0 bytes sent/received. When I switch back to 19.0 GA it all works again and counters go up. I have no explanation why this is happening, any idea where to look for in the logs?

    Edit: Same seems to be the case for Rule #11 SMTP.

  • 0 in reply to EdmundSackbauer

    Why do you use a rule without Logging? 

    Check the packet capture - There you should see the used Firewall/NAT Rule. 

    Maybe another rule picks up the traffic. Automatic VPN Rule is something, which could potentially cause issues. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    OMG. Now as I recreated the zone on 19.0 GA I have the same issue!

    I could finally resolve it by deleting the wireless network including its DHCP range, and do it from scratch.

    Then a new firewall rule and it starts working and is accepting.

    So I was hopeful to try the same thing on MR1, but unfortunately this didn't do the trick. So it really seems something has changed regarding wireless routing (as in separate zones, bridging is working).

    I will send you the access ID.

  • 0 in reply to LuCar Toni
    LuCar Toni said:
    Why do you use a rule without Logging? 

    Lucar? The more important question is: Why is "log firewall traffic" not checked by default?

  • 0 in reply to Nafets

    It is per design not enabled. If you want Default Drop logged, you can create a own Rule, which does this for you. You cannot enable Default drop logging. docs.sophos.com/.../index.html

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni
    LuCar Toni said:
    It is per design not enabled. If you want Default Drop logged, you can create a own Rule, which does this for you. You cannot enable Default drop logging. docs.sophos.com/.../index.html

    It is not about logging default drop.. it is about creating a new firewall rule and having to enable logging every time... Why could sophos not check the "log firewall traffic" per default? it makes absolutely no sense to leave it unchecked...

  • 0 in reply to Nafets

    It is quite simple. The rule you see is is not a actual firewall rule, which could be potentially be edited. It is simply a placeholder to present to the admin, there is a default drop in place. It is not like this rule actually exists within the system. Default drop is a rule within the system and cannot be edited at this time of being. So you cannot "simply add logging to this rule", as there is no rule. Default drop is a principle, which the core system does, if there is no rule in the first place. So there is no logging enabled in this scenario. If you want to have a logging, you can do this by your own by creating your own rule. 

    To enable the default drop logging per default is something on the roadmap for a future release, but there are other items, which are more compelling than revamping the default dropping due the fact, you can simply enable this by using your own rule. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    It's not about the default rule. It's about the 'actual' firewall rules.

    When I manually create a new firewall rule, logging is not enabled by default. I have to manually enable this.

  • 0 in reply to LuCar Toni
    LuCar Toni said:
    The rule you see is is not a actual firewall rule, which could be potentially be edited

    Sorry but again: Edmund sent a screenshot of his firewall ruleset. It was a custom created rule. And you asked why he is using a rule without logging. Because logging is disabled on new rules per default. I understand that there are other more important things to be fixed in SFOS.. but implementing, that "log firewall traffic" is checked in new rules should be not that impressive to code...

  • 0 in reply to Nafets

    Ah now i understand. Actually interesting, as this was the case some versions ago. Maybe there was a reason/regression why this was removed. Let me check back with the team. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    If that's the case, then it must be ages ago. As far as I remember  I've never seen a new rule created with logging enabled by default and I use XG for at least 5 years now.

  • 0 in reply to Dreamcatcher

    I agree. Log Firewall Traffic was always an option to be enabled by admin.

Reply Children
No Data
Unfiltered HTML