
Sophos Firewall: v19.5 GA: Feedback and experiences

Release Post:  Sophos Firewall v19.5 is Now Available 

Old v19.0 MR1 thread:  Sophos Firewall: v19.0 MR1: Feedback and experiences 

EAP Sub thread:  SFOS v19.5 Early Access Program (Read Only) 

EAP 19.5 Thread:  Sophos Firewall: v19.5 EAP1: Feedback and experiences 



This thread was automatically locked due to age.
  • Likewise, the Dev team would like to investigate this setup too. Can you share access details and info as above for your installation in a private message to me?

  • Others of us still having the issue, so please don't be so eager to wipe this part of the discussion out. I do not have multiple choices, I only have a single choice as I only have one firewall of one type with one license, so it's not possible for me to pick the wrong one as far as I can tell.

    The only download .sig file that I'm offered is:

    HW-19.5.0_GA.SF310-197.sig

    Not sure if that's for the XGS87 or not. (I suspect so because previous .sig files that worked were SF310 but that's just a naming convention and the contents might not match the name.)

  • In addition to the above, if we can get a full backup and complete logs from /log, that will help.

  • Found the fix and disabled the assistant.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • On my xg115w the update took a long time, then the reboot time is around 8 minutes.

    The selection menu is not user friendly. When you enter your license, then you click on your license which then offers you software for your device.

    ian


  • Hello Ian,

    As I communicated to you earlier (around Oct timeframe), your issue is being tracked with NC-108057.

    As per the investigation done at that time, this is not a 19.5-specific issue but has been there since older releases.

    We will try to work on it in upcoming MRs.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Thank you for the update and refresh. I posted because the GA does not kill the interface like the EAP version.

    ian


  • Memory usage dropped after upgrade, sitting stable around 75% for the last 24h.

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Mine is sitting at 80%, usually takes a couple of days to settle down.

    Ian


  • We are currently investigating the problematic scenario/use case under NC-109623, as we have not faced such an issue internally during our testing.

    We worked with Jaroslav Faldik and were able to resolve the problem with the additional configuration of “no bgp network import-check”. This helps overcome the extra validation performed by the BGP service before advertising a network, namely that the specific network should be available in the RIB before it is advertised to a peer.

    E.g.

    BGP Network Configuration:

    !
    address-family ipv4 unicast
      network 100.100.0.0/16
      maximum-paths 15
    exit-address-family
    !

    How to check if a specific network is advertised to a peer?

    bgp# sh ip bgp 100.100.0.0/16
    BGP routing table entry for 100.100.0.0/16, version 18
    Paths: (1 available, no best path)
      Not advertised to any peer
      Local
        0.0.0.0 (inaccessible) from 0.0.0.0 (200.0.0.8)
          Origin IGP, metric 0, weight 32768, invalid, sourced, local
          Last update: Fri Nov 18 09:06:38 2022

    Basically, when you see that a configured BGP network is not being advertised to any peer, which stopped working after migration/upgrade to v19.5:

    1. Interface link is down where this subnet is configured. 
    2. Interface subnet mismatch compared to network configured in BGP e.g., in case interface subnet is “100.100.100.0/24”, and configured network is “100.100.0.0/16”.

    One can try the additional CLI command “no bgp network import-check” in BGP to overcome these validations.
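
The two failure cases listed in the post above (link down, interface subnet not matching the BGP network) can be checked offline before an upgrade. This is an added example, not code from the post or from Sophos; it assumes only connected routes populate the RIB and that the import check is an exact prefix match, and the interface names and sample data are constructed.

```python
import ipaddress

# Constructed sample of `sh ip bgp <prefix>` output, shaped like the post's.
SAMPLE_SHOW = """\
BGP routing table entry for 100.100.0.0/16, version 18
Paths: (1 available, no best path)
  Not advertised to any peer
"""

# Constructed interface table: (hypothetical name, address/prefix, link up?).
SAMPLE_INTERFACES = [
    ("Port1", "100.100.100.1/24", True),
    ("Port2", "10.0.0.1/24", False),
]


def is_advertised(show_output):
    """Return False when the entry reports no best path or no peers."""
    text = show_output.lower()
    return not ("not advertised to any peer" in text or "no best path" in text)


def import_check(bgp_networks, interfaces):
    """Classify each configured BGP network the way import-check would see it.

    Assumption: only connected routes feed the RIB and the match is exact.
    """
    results = {}
    for net_str in bgp_networks:
        net = ipaddress.ip_network(net_str)
        verdict = "not in RIB"
        for name, cidr, link_up in interfaces:
            subnet = ipaddress.ip_interface(cidr).network
            if subnet.version != net.version:
                continue
            if subnet == net and link_up:
                verdict = "ok"
                break
            if subnet == net:
                verdict = f"link down ({name})"
            elif subnet.overlaps(net) and verdict == "not in RIB":
                verdict = f"subnet mismatch ({name} has {subnet})"
        results[net_str] = verdict
    return results


if __name__ == "__main__":
    print("advertised:", is_advertised(SAMPLE_SHOW))
    nets = ["100.100.0.0/16", "10.0.0.0/24"]
    for net, verdict in import_check(nets, SAMPLE_INTERFACES).items():
        print(net, "->", verdict)
```

Any network that does not come back as "ok" is one that would stop being advertised while the import check is active.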