Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.5 GA: Feedback and experiences

Release Post:  Sophos Firewall v19.5 is Now Available 

Old v19.0 MR1 thread:  Sophos Firewall: v19.0 MR1: Feedback and experiences 

EAP Sub thread:  SFOS v19.5 Early Access Program (Read Only) 

EAP 19.5 Thread:  Sophos Firewall: v19.5 EAP1: Feedback and experiences 

This thread was automatically locked due to age.
  • Same. In the past it's sometimes taken two tries, but this time it failed on four so I cam here to post. No joy. I'd also note it takes a LONG time to upload, but then again it's on an XGS87. I'm only doing the upload to replace the penultimate (SFOS 19.0.1 MR-1-Build350) release, not attempting upload & reboot.

    The email notification I get from the XGS87 after it fails says:

    Firmware installation failed. Invalid firmware.

    For others who want to check the checksum, the several Mac-based checksum programs (chksum, shasum) don't give the proper checksum. You need to have OpenSSL installed and use `openssl md5 HW-19.5.0_GA.SF310-197.sig`, which does result in a match so the file is not corrupted on download.

  • Install/upgrade of GA SFOS went flawless!

    I do want to point out a bug that i have reported a long time ago and which still is not resolved.
    It concerns adding / editing Email exceptions:

    1. go to Email > Policies & Exceptions
    2. Add exception
    3. Tick box skip Greylisting
    4. For these sources / hosts
    5. Add FQDN hosts
    6. Save

    Now edit this entry, you cannont see nor edit the FQDN host.

    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Did exactly that. Didn't work for me in four attempts to load into the XGS87 with two different downloads. (Which really didn't matter since they both had the correct checksum, but I downloaded again before checking the checksum.) The download offers me:

    and I select 19.5.0 and I get the correct checksum after download. Still get the Invalid Firmware error when I attempt to upload it to the XGS87.

    I just noticed that it makes a big deal about the difference between Installer and Firmware, but there is no Installer option anywhere in the choices below. It shows me only .sig, which is firmware and which choice has worked for me in the past. (Unless they are erroneously offering the Installer as if it were Firmware.)

  • Hi Ian, Thomas,

    DDNS log suppression was identified as valid improvement , however its not added to this GA. One of future maintenance releases in 19.5 series would pick that up. 

  • BGP not working. On my test device XG210 SFOS 19.5.0 GA-Build 197 does not work BGP with full BGP table. Firewall is not available via the advertised address. In the version of SFOS 19.0.1 MR1-Build365 works normally.

  • Is this a log-suppression issue? That is, are two processes reporting the same message but only one took action, or is it literally updating twice in quick succession? Probably doesn't make a huge difference, but if it's actually updating twice in quick succession but you hide this from us, there could be follow-on problems that occur with certain DDNS providers that we'll have no indications to pass on to Tech Support.

  • This is not a log suppression issue, but software bug issue,

    Please fix.

    log suppression in general is not a good idea because it can mask system faults and needs to be thought through very carefully before being implemented,


    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • WAN link manager is still broken though not as bad as in the EAP.

    I still need to reboot to get the WAN link manager to test the IPv6 link correctly. Just had a an issue where I needed to reboot to get new external addresses assigned.

    The WAN link manager behaviour is like it was added for a marketing reason, it certainly does not work in a production environment. A network break and a new address is assigned the WAN link manager just seems to ignore the test result or maybe the DHCP renew function ignores the fail message and fails to issue a DHCP renew?


    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  •   Dev team would like to investigate why BGP is not working in your setup.Can you share the support access for your device/s in  Private message to me? Meanwhile some quick info on this setup will help us - Is this migration or fresh install for 19.5 GA? What is the remote end /neighour device for BGP.   The devices provide us 1. config from /conf/routing/ 2. Logs: /log/csc.log , /log/bgpd.log , /log/zebra.log 

  • We had a major problem with bgp. Had to roll back. Will post more tomorrow