Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post:   Sophos Firewall OS v19.5 MR2 is Now Available  

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

This thread was automatically locked due to age.
Parents Reply Children
  • I guess you just created IP host objects with FQDN in its name, but IP addresses as content. That is not an FQDN object, as it does not resolve anything

  • Hello ddcool,

    yes, you're right, sorry, I forgot that I have hosts records defined like this as FQDN.

    Well, again, all the more reason that I started using another firewall solution a long time ago. Something like that obviously works there, sorry...



  • There are plans to implement a FQDN Support for ACLs - Generally speaking: Using Services like Central for Access from external instead could be a good approach to access the firewall. 

    There are even plans to build a SSO Access as a Partner directly to the SFOS Firewall of a customer (Partner Dashboard). 

    Other approach could be using VPN Tunnels (To ensure a access). 


  • All of them are valid points, but there are scenarios and customer whishes, which would benefit from having this feature. In general I think every object type should be usable within all modules of the firewall if possible.

  • Yes - every kind of objects should be consistently avaliable through all of Sophos firewall. This is a must-have!

  • Overall, this release is not to tackle the way, how Customers/Partner work today. So if you are doing access to your firewall like that "today" it will not change anything.

    It is only to automatically increase the security of all customers, who do not use it at all. If you are not using WAN for 90 Days, likely you wont use it at all. So customers will get a setting removed, which highly reduce there attack surface at no cost. 

    Sophos is working on a way to improve the product in the future for partner access and customer access. And there are multiple approaches to this situation, like described above. 

    But those approaches are not covered in this Release, it is only to reduce the attack surface for all customers, who are currently not using it. 


  • Do you mean SSL VPN access? The way this update reads to me, if nobody connects to the User Portal in 90 days, that user portal will have WAN access turned off. And the User Portal is necessary for Sophos Connect. Plus, I don't like turning on SSL VPN on firewalls that don't need it, as, well... It's a security risk, after all.

    Or do you mean access over IPSec tunnels? I really don't want to make > 1000 tunnels manually. Plus then I have all my customers cross-connected, so, that's a pretty big security risk.

  • Using the Access means a successful Login. 

    SSLVPN and IPsec VPN is not impacted by this change. 

    Sophos Connect does not need User Portal. The User Portal is only needed, if the OVPN does not work, or you need a OVPN in the first place (It will connect to the User Portal and download the OVPN). This process will be reworked in the next major release. 


  • We make changes to the SSL VPN settings here and there that require a new .ovpn file for users. I'll admit that I love Sophos Connect for this, since the changes essentially auto-deploy. Are you saying that a successful Sophos Connect connection won't necessarily reset the 90-day timer on User Portal access?

    I may not be sure what you're referring to when you say "Using the Access" though. If Sophos Connect only defaults to pulling the .ovpn file when the locally cached .ovpn settings fail, then accessing SSL VPN won't usually reset the User Portal 90-day window. If it pulls the .ovpn settings every time in the background using the User Portal, then it would reset that window.

    Ultimately I just want to know the best way to keep WebAdmin and User Portal access going for my clients where it's only used maybe a few times a year, and from possibly-changing public IP addresses. I can update an FQDN as needed for WebAdmin, but we've had clients in the past go from SSL VPN users connecting once a year, to once a week, because they transitioned some people to WFH. We can go in and re-enabled when this happens of course, but it's hard to explain to the clients why their SSL VPN stopped working if it's by design and can't be changed.

    We would just prefer it stayed working, but just be hardened instead. Public-facing logins can be pretty locked down with industry standard stuff: 2FA, Captcha, geo-blocking, failure timeouts and IP auto-bans, active check-in and monitoring with error reporting, third-party code reviews, etc. Much of this is already implemented, but just not fully tied together.

  • RCEs happen. Geoblocking, 2FA, Captcha etc, cannot protect you against 0Day RCEs. Generally speaking, your strategy should be to keep services unavailable, if not needed. 

    Every successful login to user portal / webadmin will reset the timer. So essentially, if you need to change the config of OVPN in generell, you could enable the user Portal again. By the way, as mentioned will there be a new way to download the config in the future without the User Portal.