Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post:   Sophos Firewall OS v19.5 MR2 is Now Available  

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 



This thread was automatically locked due to age.
  • Hi   Was this upgrade from 19.5MR1 to MR2? There is no known change in SNMP for 19.5MR2 from 19.5MR1. Dev team would like to investigate this more. Is it possible to share the device access id in private message to me /  . Also share the snmp config and remote command that is tried to check the connectivity. If access id not possible not , these log files may help  to start investigation - /log/snmp.log /log/syslog.log /log/csc.log , along with config -Shrikant

  • Yes the upgrade was from 19.5MR1 to MR2. Although there may have not been any changes in SNMP, clearly there have been changes in Administration access so something may have got unintentionally broken amongst those changes.

    For some reason, I have no option to message Avinash Aathreya but I can message ShrikantSophos. How would you like to proceed?

  • Yes  - Please message me ie   . Will have it checked.

  • Some finding about inaccessible userportal after upgrade:

    --

    Userportal on WAN was enabled in 19.5.1. after the upgrade it was still enabled on Webadmin but it was inaccessible.

    It is configured to use a custom port.

    TCPdump showed no packets coming in for the requests.

    disabled userportal on WAN zone, saved

    enabled it, saved

    --

    tested access to the userportal again.

    tcpdump showed packets coming in but not going out.

    re-checking the status of userportal on WAN zone - it was disabled, regardless I re-enabled it before

    enabled it again, saved

    --

    userportal was working again for the clients.

  • We have an interesting problem after updating to MR2 (from 19.5-MR1). We have a web server that is made available via a DNAT rule in the DMZ. From the WAN this is not a problem, this works.

    Since the update, we have some networks on the LAN that can no longer access the web server. Other networks from the LAN have no problem with this.

    With a tcpdump I have seen that requests from the LAN without NAT go directly over the WAN interface to the Internet:

    XGS5500_CI02_SFOS 19.5.2 MR-2-Build624 HA-Primary# tcpdump -i Port2 host 10.0.2.200
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port2, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:34:46.269798 Port2, OUT: IP 10.0.2.200.50011 > 10.0.5.80.https: Flags [SEW], seq 454467722, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:34:46.519736 Port2, OUT: IP 10.0.2.200.50012 > 10.0.5.80.https: Flags [SEW], seq 3042186263, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    10.0.2.200 is the Client in LAN, 10.0.5.80 is the private IP of Web-Server in DMZ, Port2 is the WAN-Port

    I have tried with different source IPs (in my NAT rule) to access the web server from the LAN. Whenever the DNAT rule takes effect, the traffic goes to the WAN without NAT instead of the DMZ. 

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ben,

    Thank you for reaching out to Sophos Community.

    Apologies for the experience. Would it be possible to raise a case ID and share it here? 

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hello Ben,

    Would it be possible for you to share access ID via PM?

    Also, could you please share working and non-working tcpdump from LAN side clients as some networks are working as you mentioned?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hi guys,

    the Case ID is: 06543219. I also send the tcpdumps to Sanket and Support Access ID.

    Ben

    If a post solves your question please use the 'Verify Answer' button.

  • Hi LHerzog ,

    Thank you feedback.

    Request to share access on PM. 

    Regard,

    Deepti

  • Hi  ,

    Thank you for the SR id, we'll get this expedited !

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.