Sophos Firewall: v19.0 MR1: Feedback and experiences

Question

Re-Release: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-is-now-available 
 Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_190_rn.html 
 "Old" V18.5 MR4 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/134965/sophos-firewall-v18-5-mr4-feedback-and-experiences 
 V19.0 GA Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/134009/sophos-firewall-v19-0-ga-feedback-and-experiences

Thomas_XG · Accepted Answer

Hi BAD, 
 first you have to activate "Use static IP Addresses: 
 
 Second go to your user and there will be a new "SSL VPN IP address IPv4" box: 
 
 The IP can only be in the range of the "Static IPv4 address range" which is noted on the SSL VPN global settings. 
 LuCar Toni Maybe the SSL VPN IP address box can be placed to the other static entries with the same behaviour (Enable / Disable) - so that the setting for static [any kind of vpn] ip could be the same.

LuCar Toni · Answer

Re-Release: community.sophos.com/.../sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

sanket.shah · Answer

Hi rfcat_vk, 
 
 I am Sanket Shah from Sophos engineering side. 
 I have requested few questions on private message. 
 
 Regards, 
 Sanket Shah

LuCar Toni · Answer

Fall into the same "trap". 
 After the recent change of SSLVPN in V19.0, you need to specify the subnet range correctly. 
 See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/132121/ssl-vpn-ipv4-lease-range-changes-in-sfos-v19 
 Because likely your network above in the SSLVPN Range is not a range IP, instead it is a IP. Change it to .0, and you can save.

MarekDalke · Answer

Temporary workaround provided by Support Engineer which I believe I can share here. 
 You need to modify the timer value in /sys/class/net/<affected_interface_name>/bridge/ageing_time from 0 to 30000. In my case: # echo 30000 > /sys/class/net/wlnet3/bridge/ageing_time 
 After above modification traffic started to hit the firewall rule as before the upgrade to v19.0.1 MR-1.

LuCar Toni · Answer

LuCar Toni · Answer

Just to wrap up: 
 NC-100681 
 Increase in snort memory with ATP pattern updates

KingRolo · Answer

Hello Dejan! 
 As I can see its true that new build is prepared: 
 
 bobbylam 4 days ago in reply to rfcat_vk

That's correct. We are going to release a new version for MR1, which will include a few additional fixes. We are targeting to release that next week. 
 Issues fixed in the re-release of v19 MR1: 
 
 NC-100681 [IPS Engine] Increase in snort memory with ATP pattern updates 
 NC-94019/ NC-100737 [Wireless] Inbound traffic for hosts connected on Wi-Fi SSID on Separate zone is dropped by firewall rule ID 0 , and outbound traffic may experience slowness 
 NC-100971 [IPsec] Migration fails from v19.0 GA to v19.0 MR1 Build 350 
 NC-81131 [Reporting] Last access time is not generated when there is user present with username that has xss payload 
 NC-100679 [CDB-CFR, Reporting] "INSERT INTO available_login_eventv6%" error in postgres.log causing conf partition to rise 
 
 community.sophos.com/.../sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available

SPandya · Answer

Hi Mike , Sophos have confirmed a migration bug (from 18.5 MR4 to 19.0 MR1). One could hit this issue if one have uploaded certificate (in 18.5 MR4) signed from new CA added in 18.5 MR4 and then attempt migration to 19.0 MR1. Sophos have released a hotfix for affection version (which is 18.5 MR4). 
 
 Thank you very much for feedback.

Sophos Firewall: v19.0 MR1: Feedback and experiences

Top Replies