Release Post: Sophos Firewall OS v19.0 MR2 is Now Available
Old v19.0 MR1 thread: Sophos Firewall: v19.0 MR1: Feedback and experiences
https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_190_rn.html
Keep in mind: V19.5 GA cannot be "downgraded" to V19.0 MR2.
Hi, I "downgraded" my XG106W from 19.5 GA to 19.0 MR1 and upgraded to 19.0 MR2 ...
I switched from 19.5 to 19.0 MR1 first...
Now I can't access the firewall through SSH; I get kicked out of the console every 4-5 seconds.
Is there any log where I can see the reason?
19.5 GA and 19.0 MR1 had a stable SSH login ...
Yes, under Log viewer > Admin logs!
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
BTW: there has been a keep-alive / timeout value in SFOS for some time: Configuration of ssh timeout
But I am not getting logged out. Check the packet capture in webadmin on port 22.
__________________________________________________________________________________________________________________
Upgraded from V19 MR1 to V19 MR2 and all https/ssl traffic was blocked due to Application Control.
SSL/TLS decryption on port 80 and 443 is activated.
We were using a customized app definition filter, which is no longer working.
Then we tried to use the pre-defined filter "Block very high Risk (Risk Level 5)", but traffic was also blocked.
After using the pre-defined filter "Block filter avoidance apps", the traffic was passed.
The issue is confirmed; it is related to Sophos Central pushing a templated Application Filter Policy to firewall groups. Not related to 19.0 MR2.
So we had an interesting experience with an upgrade from 18.5.something to 19.0 MR2 at a customer site earlier this week: when we applied it, none of the wifi (APX320, 740s, etc.) clients could connect; in the DHCP log (with the firewall providing DHCP for most of these) we saw constant lease activity on some test devices. These are all wifi networks provisioned using the separate zone method. As this needed to be working and in production, we rolled back to the old 18.5 firmware, and function returned. Didn't have time for a support case, etc., but thank goodness for the rollback function!
CTO, Convergent Information Security Solutions, LLC
https://www.convergesecurity.com
Sophos Platinum Partner
--------------------------------------
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
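The "constant lease activity" symptom in the post above is something a defender can pull out of a DHCP log export mechanically rather than by eye. The script below is an added example, not code from the poster, Sophos, or SFOS: it parses ISC-dhcpd-style syslog lines (the sample lines are constructed for the example; the regex will need adjusting to the real log export format of the firewall) and flags any client MAC that sends several DHCPDISCOVERs inside a short sliding window, reporting alongside it how many DHCPACKs that client actually received. A client with many DISCOVERs and no ACKs is the "cannot connect" case; many DISCOVERs with matching ACKs is lease churn.

```python
"""Flag DHCP clients that repeatedly re-lease within a short window.

Added example, not Sophos or SFOS code. The log format parsed here is
ISC-dhcpd-style syslog, an assumption for the example; adapt LINE_RE to
the firewall's actual DHCP log export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not from a real firewall).
SAMPLE_LOG = """\
Nov 15 10:00:01 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:01 fw dhcpd: DHCPOFFER on 10.10.1.20 to aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:02 fw dhcpd: DHCPREQUEST for 10.10.1.20 from aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:02 fw dhcpd: DHCPACK on 10.10.1.20 to aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:07 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:07 fw dhcpd: DHCPOFFER on 10.10.1.20 to aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:13 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:19 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:25 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via wlan1
Nov 15 10:00:30 fw dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via eth1
Nov 15 10:00:30 fw dhcpd: DHCPOFFER on 10.10.2.50 to aa:bb:cc:dd:ee:02 via eth1
Nov 15 10:00:31 fw dhcpd: DHCPREQUEST for 10.10.2.50 from aa:bb:cc:dd:ee:02 via eth1
Nov 15 10:00:31 fw dhcpd: DHCPACK on 10.10.2.50 to aa:bb:cc:dd:ee:02 via eth1
"""

# Timestamp, DHCP message type, client MAC and the interface it arrived on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd:\s+"
    r"(?P<msg>DHCP[A-Z]+)\b.*?\b(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+via\s+(?P<iface>\S+)"
)


def parse(log_text, year=2022):
    """Return a list of (timestamp, message, mac, iface) tuples.

    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or differently formatted line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["msg"], m["mac"], m["iface"]))
    return events


def churn_clients(events, window=timedelta(seconds=60), min_discovers=3):
    """Return {mac: (iface, discover_count, ack_count)} for every client that
    sent at least `min_discovers` DHCPDISCOVERs inside one sliding `window`."""
    by_mac = defaultdict(lambda: {"iface": None, "discover": [], "ack": 0})
    for ts, msg, mac, iface in sorted(events):
        rec = by_mac[mac]
        rec["iface"] = iface
        if msg == "DHCPDISCOVER":
            rec["discover"].append(ts)  # already in time order
        elif msg == "DHCPACK":
            rec["ack"] += 1

    flagged = {}
    for mac, rec in by_mac.items():
        times = rec["discover"]
        # Any run of min_discovers consecutive DISCOVERs spanning <= window?
        for i in range(len(times) - min_discovers + 1):
            if times[i + min_discovers - 1] - times[i] <= window:
                flagged[mac] = (rec["iface"], len(times), rec["ack"])
                break
    return flagged


if __name__ == "__main__":
    for mac, (iface, discovers, acks) in churn_clients(parse(SAMPLE_LOG)).items():
        print(f"{mac} on {iface}: {discovers} DISCOVER, {acks} ACK")
```

On the sample input only the wlan1 client is reported (5 DISCOVERs, 1 ACK); the eth1 client completes a normal four-step exchange and is left alone. Run it against a log export taken before and after a firmware change and the per-interface breakdown separates "the wifi zone is broken" from "one misbehaving device".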
Forgot to mention this was on XG hardware, not XGS.
CTO, Convergent Information Security Solutions, LLC
Ask Sophos about NC-114092 and try this workaround; I received this from Sophos.
Workaround 1:
If you are facing this issue, remove and re-add the affected separate zone SSID from the AP/APX.
Workaround 2:
If you are facing this issue, restart the awed service. Please note that all connected AP/APX will be disconnected and reconnected.
service awed:restart -ds nosync
Interesting, so a known issue... We'll probably just wait until this is actually fixed. Is it fixed in the recently released 19.5 MR2?
CTO, Convergent Information Security Solutions, LLC
V19.5 MR1 was released! Sophos Firewall OS v19.5 MR1 is Now Available
__________________________________________________________________________________________________________________
Sorry, I meant 19.5 MR1. Looking at the release notes it doesn't seem to mention the wifi issue I described above -- is this not an issue in 19.5 MR1?
CTO, Convergent Information Security Solutions, LLC
No, this is not addressed in V19.5 MR1.
__________________________________________________________________________________________________________________
So is a fix for this planned in the next MR release for v19 and 19.5?
CTO, Convergent Information Security Solutions, LLC
Hi,
Since we upgraded from 19.0.1 MR1 to 19.0.2 MR2, the object "##ALL_IPSEC_RW" in the firewall rules is not hit anymore.
So we have to edit all firewall rules for our home office users connecting via the Sophos Connect client.
I thought using these objects is recommended instead of using network objects?
Is this a general problem? Or am I the only one having this problem, as every time I have a problem?
Update: It seems like the first leased IP address from the Connect client range is not included in ##ALL_IPSEC_RW ... ?! wtf.
All other connected users have no problems, only the guy with the first IP...
Configured range:
User with IP 172.27.72.10 has problems.
Policy Tester:
Second IP of Lease:
I have now done a quick and dirty workaround: I created a dummy VPN user and assigned a static IPsec remote address, so the first range IP is never leased...
@Sophos: Please check this scenario, whether this is a general problem in 19.0.2-MR2
EDIT: Please also check ##ALL_SSLVPN_RW too...
Hi!
The following are really annoying:
1. LAG interface creation: you need to assign an IP address. You cannot create a LAG interface without an IP address assignment. (Use case: what if I just want to use VLANs on the LAG device? Why do I need to assign an IP address in the first place?) WHY?
2. Not possible to disable the IP alias on the interface: the only way is to remove/delete it, but that causes "remove all" of the associated NAT rules. WHY?
3. DHCP server: you define the IP pool, then save it. You want to add static leases within the IP pool. You cannot add them, because you can only add a "static lease" outside the IP pool. WHY?
4. Changing the interface MTU/speed removes all the "IP addresses" from the interface and resets it back to "empty". WHY?
Most of those points will be addressed soon.
__________________________________________________________________________________________________________________