
  • Hi,

    I think there are two separate issues here.

    WAF is based on Apache, and Apache needs an IP address and port combination to bind to. So you cannot have a WAF rule on an interface that doesn't have an IP address; it would result in an incorrect configuration and Apache won't start. That might be what you see.

    The second one, WAF not working until you remove the protection policy, might be the result of a known issue where the WAF configuration becomes corrupt during upgrade or backup/restore if you use static URL hardening, form hardening or cookie signing in the protection policy. This corruption will prevent Apache from starting up. You can check log/reverseproxy.log on the device and look for errors there; a clear indication of this problem is a line saying 'invalid encrypted key'. If you see that, you can reach out to support; they have a workaround ready to handle this case. Or you can disable these features in the protection policy; that should also allow WAF to start.

  • I have a really interesting problem with my updated Sophos XG.

    Previously I updated to V18.5 MR4; the problem still exists in SFOS 19.0.1 MR-1-Build365.

    The problem:

    WAF is not working reliably. For you to understand: after the upgrades I needed to remove any kind of protection policy to make it work again, or if I had any interface that didn't have an IP address or was disabled and this interface was attached to a WAF policy, the whole WAF stopped working (ALL OF OUR INTERNET FACING WAF RULES)!
    Now if I create new WAF policies, they simply don't work; they don't respond to any requests!
    One interface that is attached to some WAF policies is working normally.

    This is happening after reboots or after these upgrades.


    Has anything been changed in the firmware that would affect these?

    The setup is:

    3 WAN

    Example WAF1: #Port1
    Example WAF2: #Port2
    Example WAF2: #Port3


    Now only the Port2 variant is working.

    If I use curl to try a request, "Connection refused" is all I get.

    This did not happen before V18.5 MR4 or V19.

    Thanks for any kind of suggestions about this!

  • Have imported (not restored) from XGS2100 to SFV, all works, except WAN gateway manager is red, and I cannot save it, when I try to edit:

    Any reason why? :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • It looks as expected. As mentioned, you now have an indicator of the hostname with the "@hostname".


  • Hostname is always firewallname.internal.domain

    On our 18.5 machines only username@internal.domain is shown on dashboard. I send you a PM with a screenshot that shows that this has changed in v19.

  • What is your Hostname? 

    Essentially: We are using the Username (likely username@domain) @ your fwhostname (likely firewallname.internal.domain). So in your scenario this is correct. 


  • The username on top right of webadmin is malformed and truncated when using synced AD user as admin.

    It shows as username@internal.domain@firewallname.internal.domain

    I've never seen such strange formatting elsewhere.

  • Yes, I would need to open a new case. Once you are back and ready to pick up, please send me a DM and I will provide you a new case ID.

    Best,

    Karlos
    Community Support Engineer | Sophos Technical Support

  • I fixed that typo. That's what I wanted to say ^^

  • We didn't re-release a new version of v18.5 MR4, you would need to upgrade to v19.0 MR1 (the re-released version, build 365) to get this fix.