Sophos Firewall: v19.5 GA: Feedback and experiences

Question

Release Post: Sophos Firewall v19.5 is Now Available 
 Old v19.0 MR1 thread: Sophos Firewall: v19.0 MR1: Feedback and experiences 
 
 EAP Sub thread: SFOS v19.5 Early Access Program (Read Only) 
 EAP 19.5 Thread: Sophos Firewall: v19.5 EAP1: Feedback and experiences

Michael Dunn · Accepted Answer

This is indeed expected behavior of the FCI feature. What follows is a Draft of a KB Article I'm writing (feedback welcome). 
 In XG 18.0 the DPI proxy was introduced, with many more SSL/TLS scanning options and certificate protection. There are some certificate security concerns with that are blocked in most configurations, however they are allowed without any warning when using DPI mode with the decryption profile "Maximum compatibility". In these cases the XG decrypts and re-signs, creating a new certificate with its own Certificate Authority that hides potential problems that the end user should know about which that would be blocked in other configurations. 
 In 19.0 a new feature was added called Forward Certificate Invalidity (FCI). This feature detects certain types of certificate invalidity and "forwards" (tells the user) about them. Because we cannot create a certificate with the same error, so we create one in a special way that we know will cause browsers to warn users. A CA is used that us unique and untrusted, and the certificate Common Name is used as the error message to tell the end user what the problem is. This changes the behavior of DPI mode with Maximum Compatibility. By signing it in the way, browsers will warn users that there is a certificate problem but will allow users to proceed and load the pages as they did in 18.0/18.5. 
 The most common issue that FCI catches on the public internet is websites that do not send their entire certificate chain. When a website provides their certificate, they usually provide the certificate, the CA that signed it (usually an intermediate CA), the CA that signed that one, up to the root CA. The root CA is trusted by the browser, and the browser can verify the entire chain. 
 However some websites do not provide the chain. They may provide only the certificate, or they provide the certificate and the root CA, but they do not provide the intermediate CA. While this is valid, it is not best practice and sites like ssllabs.com which rate sites will cap their score. 
 If a website does not provide the chain they usually implement AIA (Authority Information Access). This is a link within the certificate that says where to download the CA that signed it. 
 Some browsers (Chrome 58+, Edge, Safari) will automatically use the AIA to download the intermediate and store it for future use. Firefox 75+ uses a different mechanism called intermediate CA preloading ( wiki.mozilla.org/.../Intermediate_Preloading) . Older Android (pre Oreo) devices do not support any mechanism. The XG does not currently support AIA. 
 If the website does not provide the full chain, the XG behavior depends on the configuration. It is important to note that v19 did not introduce blocking of sites that do not provide the full chain. The XG has always blocked these sites when using normal security, and the resolution below has always worked. The difference is that when using a decryption profile that does not block self signed certificate, invalid issuers, or many other security concerns (such as "Maximum compatibility") we used to allow the connection and sign it in a way that made it appear more secure. Now we allow but sign it in a way that appears insecure. 
 
 How to configure the system to allow access to sites that do not provide a complete certificate chain. 
 Method 1 - Do not decrypt Configure the domain to not be decrypted. Adding the domain to the Local TLS Exclusion List is the best option for DPI mode. Adding it to a Web Exception will exclude it for both DPI and Proxy mode. 
 Method 2 - Add the Intermediate certificate to the XG CA store 
 Option 1: Test the site in www.ssllabs.com/.../ You should see that the grade is capped to B and the Certification Path includes an "Extra Download". In the section under Issuer there should be an AIA link. 
 Option 2: Use a browser that is not going through the XG, or is going through the XG with HTTPS not decrypted so that you get the original certificates as presented by the site. Ask the browser to display the certificate information and the AIA link should be there. How this is displayed is browser specific. 
 Once you have the AIA link, download the certificate to your computer. Then in WebAdmin go to Certificates > Certificate Authorities and Add. Choose the file. With the Intermediate in the CA store, the page will load in all configurations.

LuCar Toni · Answer

Just to inform everybody: Central should show V19.5 GA for every deployment since today.

Michael Dunn · Answer

This is now published as https://support.sophos.com/support/s/article/KB-000044776?language=en_US

Raphael Alganes · Answer

Hi Franz-Josef Heidkamp , 
 
 Good day and thanks for reaching out to Sophos Community. 
 
 The KB Link you shared is already updated and proposed a resolution already for the specific matter 
 Resolution

The issue has been resolved, and the fix will be deployed automatically in Sophos Central. The firmware upgrade will be available only after the staging phase is completed.

In the meantime, you can manually download SFOS v19.5 from the  Licensing Portal  and update individual firewalls manually.

Thanks for your time and patience and thank you for choosing Sophos. 
 
 Cheers,

LuCar Toni · Answer

There is a KB about this: https://support.sophos.com/support/s/article/KB-000044725?language=en_US

LuCar Toni · Answer

V19.5 MR1 was released! Sophos Firewall OS v19.5 MR1 is Now Available 
 Sophos Firewall: v19.5 MR1: Feedback and experiences

Alok · Answer

**We are currently investigating the problematic scenario/use case under NC-109623 as we have not faced such issue internally during our testing. 
 We worked with Jaroslav Faldik and able to resolve the problem with additional configuration of &ldquo; no bgp network import-check &rdquo;. This will help overcome extra validation performed by the BGP service before advertising network that specific network should be available in RIB before advertising to peer. 
 E.g. 
 BGP Network Configuration: 
 ! 
 address-family ipv4 unicast 
 network 100.100.0.0/16 
 maximum-paths 15 
 exit-address-family 
 ! 
 How to check if specific network is advertised to peer? 
 bgp# sh ip bgp 100.100.0.0/16 
 BGP routing table entry for 100.100.0.0/16, version 18 
 Paths: (1 available, no best path) 
 Not advertised to any peer 
 Local 
 0.0.0.0 (inaccessible) from 0.0.0.0 (200.0.0.8) 
 Origin IGP, metric 0, weight 32768, invalid, sourced, local 
 Last update: Fri Nov 18 09:06:38 2022 
 
 Basically, when you are seeing configured BGP network is not getting advertised to any peer, which stopped working after migration/upgrade to v19.5: 
 
 Interface link is down where this subnet is configured. 
 Interface subnet mismatch compared to network configured in BGP e.g., in case interface subnet is &ldquo;100.100.100.0/24&rdquo;, and configured network is &ldquo;100.100.0.0/16&rdquo;. 
 
 One can try the additional CLI command &ldquo; no bgp network import-check&rdquo; in BGP to overcome these validations.

PMParth · Answer

Newly announced firmware follows our standard firmware releases phases , and typically takes 2 to 5 weeks before the upgrade is available to all. 
 As many customers are unaware of phase-wise staging of new firmware, they feel it is some issue when they do not see the new firmware on their firewall even though it is announced on the community. They spend time debugging and calling up support to find out about release phases. 
 This is an informative message with appropriate links to assist customers when they do NOT see newly released firmware in UI.

Wayne Folta · Answer

Chris GER Please see: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/firewall-firmware-release-process-and-timeline

Kavan Modi · Answer

Hi Bill, 
 There is one parent table entry is missed which referred in one of the child table which cause this issue. 
 As you've restore backup in v19.0.1, all your entries gets corrected, hence we are not able to find root cause for this. 
 But I am sure now you'll not face this issue again in upgradation, at-least this same issue. 
 If you still have concern then you can raise support case.

Raphael Alganes · Answer

Hello Franjo, 
 It would be after the staging phase that it would be completely rolled out to all e ven though Sophos Central shows that the firmware has been upgraded successfully (but it did not been upgraded to the FW) . In the meantime, you can manually download SFOS v19.5 from the  Licensing Portal  and update individual firewalls manually if it has not been upgraded into your FW or CFM. 
 With regards to preparation, you can always refer to release notes, upgrade information, KIL etc https://docs.sophos.com/releasenotes/index.html before you proceed over with the upgrade and plan upgrade on window hours as this would require reboot and would cause downtime. 
 Hope this helps. Have a nice day and thank you for choosing Sophos 
 Cheers,

LuCar Toni · Answer

This news article has no relationship to the 19.5 release? What response are you looking for? 
 V19.5 was rather slow in deployment due the upcoming issues found in staging and addressed first.

André Kufner · Answer

As far as I know is the CVE already fixed in v19.0 if the automatic Hotfix Feature is enabled. This Heise Article links to a Sophos Articel which descibes how to check if hotfix is installed... 
 LuCar Toni Thanks for your reply! 
 LuCar Toni said: V19.5 was rather slow in deployment due the upcoming issues found in staging and addressed first. 
 This explaines why the v19.5 is not available to all devices, already.

Wayne Folta · Answer

SOLVED, for me: I disabled InterceptX and it uploaded and installed properly. This is related to InterceptX and web browsers: it got a bad checksum on upload from either Firefox and Safari. Though an SCP uploaded it perfectly. Finally disabled InterceptX (which I'd done before, but just for the download, assuming it was incoming corruption), and it uploaded and installed perfectly. 
 SO SOPHOS might want to investigate why InterceptX doesn't recognize its own software and in what manner InterceptX might be corrupting it. I've had issues in other circumstances with downloads being "corrupted" by the XGS sending the file for Zero-Day examination and so the file that results is something like HTML telling you to "click here" or something like that. I wasn't aware that InterceptX would do such things... unless the "corrupt file" was zero-length or something like that.

Chris GER · Answer

the update works like a charm. it takes a bit longer but workling well during my office hours.

emmosophos · Answer

Hello there, 
 It seems like you&rsquo;re affected by NR-9006 (The scheduled upgrade to SFOS with v19.5 using Sophos Central aren&rsquo;t working); the team has found the Root cause and is working on the solution. 
 Regards,

Rohan Golwala · Answer

Hi, 
 I am Rohan from Engineering. 
 
 "The inbuilt wifi does not allow me to select an interface and insists on creating it own AP group while using the AP network." 
 I am not sure if I get it right, but what I understood that you might be trying to add inbuilt wifi and Remote AP in single AP group. 
 
 However, SFOS keeps inbuilt wifi as separate AP group. It is not possible to add LocalWifi and Remote AP in single AP group.

Sophos Firewall: v19.5 GA: Feedback and experiences

Top Replies