Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post:   Sophos Firewall OS v19.5 MR2 is Now Available  

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

This thread was automatically locked due to age.
  • Where can info on disabling "19.5 MR2 will automatically disable web admin and/or user portal access from the internet (all WAN sources) after 90 consecutive days of inactivity." be found?. I do not want the firewall disabling access automatically. Yes I understand the reasons why this feature was added - and I still do not want it.

  • ACL rules for accessing WebAdmin are not affected by this, and would not be disabled automatically even if there's no activity. So if you want a persistent way to access WebAdmin over WAN, recommendation is to apply an ACL rule. 

Reply Children
  • And access to the user portal, and thus the VPN provisioning, can be ensured using the ACL exception rule described in the release notes?

  • This doesn't fully answer the question. Attempting to do so with Any as the source for an ACL still displays you cannot. 
    "You can't set the source network to Any when you select HTTPS service and WAN zone. The firewall doesn't allow web admin console access from all WAN sources. "

    I do agree that it is a good thing to have but I would still like to have this as a feature. 

  • Hello Tony Gaddis,

    Please go through release notes where it's mentioned that HTTPS access would require specific source to be selected. It won't work with "Any" source -  Sophos Firewall OS v19.5 MR2 is Now Available .

    Web Admin access for specific IPs:

    • We strongly recommend disabling web admin console access from all WAN sources (the Internet) to reduce the potential for a brute force or reconnaissance attack. Instead, we suggest that remote management of your firewalls be performed through Sophos Central which is free for all customers.
    • However, if you absolutely need to provide WAN access to the web admin console, v19.5 MR2 enforces WAN access from specific IP addresses and networks using an ACL exception rule (Administration > Device access > Local service ACL exception rule). It will no longer be possible to enable web admin console access from all WAN sources.


    Sanket Shah

    Director, Software Development, Sophos Firewall

  • You can use Internetv4 with all IPs in the Internet, if you want to go down that road.