Sophos Firewall: v19.5 GA: Feedback and experiences

Release Post:  Sophos Firewall v19.5 is Now Available 

Old v19.0 MR1 thread:  Sophos Firewall: v19.0 MR1: Feedback and experiences 

EAP Sub thread:  SFOS v19.5 Early Access Program (Read Only) 

EAP 19.5 Thread:  Sophos Firewall: v19.5 EAP1: Feedback and experiences 



This thread was automatically locked due to age.
  • I installed SFOS 19.5.0 GA-Build197 on an XG310 today, and since the upgrade the client computers lose internet access every few minutes, and only browser activity seems to get it back working.
    Before the upgrade there was no issue with this.

    STAS "enable user inactivity" is off. According to the Authentication log, most users are authenticated through AD SSO or CTA.
    All clients have Sophos Endpoint installed.

  • Hi Moritz, 

    When the clients lose internet access, do you see any entries (e.g. blocks) in firewall log? 

  • I see some Invalid Traffic Denied entries. The one at the bottom is to the XG Firewall and the other ones are Microsoft IPs.

  • I mean when the clients lose internet access, do you see entries from those client IPs in the Firewall log? 

    I wonder if somehow those clients are losing their authentication, and are then matching another FW rule which denies/blocks access? 

  • Above is the firewall log from one single client. Otherwise I could not see anything in the firewall log.
    For the time when internet access is lost, I also don't see anything in the authentication log.

    But in the authentication log for other times (not during the internet block) I see that Heartbeat logon always fails, which is probably because heartbeat is using a username with the domain at the end. Any idea how to fix this?
    Actually, the above invalid traffic and the failed heartbeat below I also have on 19.0, but the internet doesn't drop because of this.
    I just rolled back to 19.0, as users could not work like this, and there are no dropouts now, but I can test 19.5 on the weekend again.

  • The above FW log shows traffic (port 80 & 443) from this client passing through the firewall, so presumably at this time the client has internet access. 

    Are you saying when the client doesn't have internet access, you don't see any logs from that client's IP in FW log? 

    When you reproduce the problem this weekend, is it possible for you to take a tcpdump on the client when it doesn't have internet access? Do you have Synchronized Security enabled in the FW rule, if so what is it set to? 

  • It did not have internet access at that time, or at least only partially.
    Before the default WAN rule are some rules with exemptions so that, for example, all clients, even without user authentication or Security Heartbeat, can always connect to Sophos services.

    On the default WAN rule, Security Heartbeat is on as below.


    I can try to do a TCP dump on the weekend.

  • We need to narrow down what traffic from the client is being blocked/dropped, as according to the screenshot above at least port 80 & 443 traffic from that client is reaching the FW and getting through. 

    So when you do the tcpdump, it would be very helpful to also know what traffic is not working.