Sophos Firewall: v19.5 MR2: Feedback and experiences

Question

Release Post: Sophos Firewall OS v19.5 MR2 is Now Available 
 The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 
 To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.

bobbylam · Accepted Answer

ACL rules for accessing WebAdmin are not affected by this, and would not be disabled automatically even if there's no activity. So if you want a persistent way to access WebAdmin over WAN, recommendation is to apply an ACL rule.

Giridhar Katti · Answer

Hi Enrico van Egmond1 
 When SSLVPN is configured with a static IP address, SSLVPN service sets nfmark mark on SSLVPN tun interfaces. 
 ip link set tun0 nfmark 0x300 
 ip link set tun1 nfmark 0x301 
 Note: Based on the number of OpenVPN instances SSLVPN service will have an equal number of tun interfaces. 
 
 So if SSLVPN static IP connections have a matching SDWAN route then the 0x300 mark is overridden by the SDWAN route, which causes SSLVPN connections to send traffic on the SDWAN gateway instead of the tun interface. 
 
 Where as for SSLVPN dynamic ip, when we assign the Dynamic IP to the user, we provision the route on the client, which is in the same network as tun interface. Hence there&rsquo;s no issue w.r.t the traffic.

Ben@Network · Answer

Hi guys, 
 I was able to isolate the problem with support. Shortly after the update, we had to set an SD-WAN route for a specific tunnel that overlapped with the IP scope of another tunnel (both via tunnel interfaces). To make this work we had to adjust the routing order. On the firewall, there was a forgotten config fragment that for specific networks (the exact networks it didn't work from), an SD-WAN profile should run Internet traffic over the WAN port with the least amount of jitter. By adjusting the routing order there was a collision with the DNAT rule. We disabled the SD-WAN route in doubt and now everything works as usual. 
 Thank you for the very quick analysis by Sophos support. So I can confirm that the MR-2 is running stable. 
 Cheers, 
 Ben

Giridhar Katti · Answer

Hi Enrico van Egmond1 - We had a discussion on this issue internally. Can you please disable this "any" "any" rule(3rd rule in the list) from the SDWAN routes ? It should solve your problem.

LuCar Toni · Answer

One up2date server seems to have served the update a little to early to all firewalls. This situation was resolved and the Firmware update is back into staging.

Giridhar Katti · Answer

JasP - Yes, that feature is being worked on and is planned for v20.0

Sophos Firewall: v19.5 MR2: Feedback and experiences

Top Replies