Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post:   Sophos Firewall OS v19.5 MR2 is Now Available  

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 



This thread was automatically locked due to age.
Parents Reply
  • Hello ddcool,

    as I wrote before, this feature has been supported for many years. It is naturally also supported in SFOS version 19.5.1 MR-1-Build278.

    I won't send any screen shot because you can try it trivially easily yourself. You need one FQDN for this, which you enter in the Source Network / Host field in the Local service ACL exception rule window.
    That is all.

    Regards

    alda

Children
  • Really?!?

    I don't know about you, but it works for me.

    Regards, alda

    Wink

  • I guess you just created IP host objects with FQDN in its name, but IP addresses as content. That is not an FQDN object, as it does not resolve anything

  • Hello ddcool,

    yes, you're right, sorry, I forgot that I have hosts records defined like this as FQDN.


    Well, again, all the more reason that I started using another firewall solution a long time ago. Something like that obviously works there, sorry...

    Regard

    alda

  • There are plans to implement a FQDN Support for ACLs - Generally speaking: Using Services like Central for Access from external instead could be a good approach to access the firewall. 

    There are even plans to build a SSO Access as a Partner directly to the SFOS Firewall of a customer (Partner Dashboard). 

    Other approach could be using VPN Tunnels (To ensure a access). 

    __________________________________________________________________________________________________________________

  • All of them are valid points, but there are scenarios and customer whishes, which would benefit from having this feature. In general I think every object type should be usable within all modules of the firewall if possible.

  • Yes - every kind of objects should be consistently avaliable through all of Sophos firewall. This is a must-have!

  • Overall, this release is not to tackle the way, how Customers/Partner work today. So if you are doing access to your firewall like that "today" it will not change anything.

    It is only to automatically increase the security of all customers, who do not use it at all. If you are not using WAN for 90 Days, likely you wont use it at all. So customers will get a setting removed, which highly reduce there attack surface at no cost. 

    Sophos is working on a way to improve the product in the future for partner access and customer access. And there are multiple approaches to this situation, like described above. 

    But those approaches are not covered in this Release, it is only to reduce the attack surface for all customers, who are currently not using it. 

    __________________________________________________________________________________________________________________

  • Do you mean SSL VPN access? The way this update reads to me, if nobody connects to the User Portal in 90 days, that user portal will have WAN access turned off. And the User Portal is necessary for Sophos Connect. Plus, I don't like turning on SSL VPN on firewalls that don't need it, as, well... It's a security risk, after all.

    Or do you mean access over IPSec tunnels? I really don't want to make > 1000 tunnels manually. Plus then I have all my customers cross-connected, so, that's a pretty big security risk.

  • Using the Access means a successful Login. 

    SSLVPN and IPsec VPN is not impacted by this change. 

    Sophos Connect does not need User Portal. The User Portal is only needed, if the OVPN does not work, or you need a OVPN in the first place (It will connect to the User Portal and download the OVPN). This process will be reworked in the next major release. 

    __________________________________________________________________________________________________________________