
Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post: Sophos Firewall OS v19.5 MR2 is Now Available

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 



  • Hi, was this upgrade from 19.5 MR1 to MR2? There is no known change in SNMP for 19.5 MR2 from 19.5 MR1. The dev team would like to investigate this more. Is it possible to share the device access ID in a private message to me /  . Also share the SNMP config and the remote command that was tried to check the connectivity. If sharing the access ID is not possible, these log files may help to start the investigation: /log/snmp.log, /log/syslog.log, /log/csc.log, along with the config. -Shrikant

  • Yes, the upgrade was from 19.5 MR1 to MR2. Although there may not have been any changes in SNMP, clearly there have been changes in Administration access, so something may have got unintentionally broken amongst those changes.

    For some reason, I have no option to message Avinash Aathreya but I can message ShrikantSophos. How would you like to proceed?

  • Yes  - Please message me ie   . Will have it checked.

  • Some findings about the inaccessible userportal after the upgrade:

    --

    Userportal on WAN was enabled in 19.5.1. After the upgrade it was still enabled in Webadmin but it was inaccessible.

    It is configured to use a custom port.

    TCPdump showed no packets coming in for the requests.

    disabled userportal on WAN zone, saved

    enabled it, saved

    --

    tested access to the userportal again.

    tcpdump showed packets coming in but not going out.

    Re-checking the status of userportal on WAN zone: it was disabled, even though I had re-enabled it before.

    enabled it again, saved

    --

    userportal was working again for the clients.

  • We have an interesting problem after updating to MR2 (from 19.5-MR1). We have a web server that is made available via a DNAT rule in the DMZ. From the WAN this is not a problem, this works.

    Since the update, we have some networks on the LAN that can no longer access the web server. Other networks from the LAN have no problem with this.

    With a tcpdump I have seen that requests from the LAN without NAT go directly over the WAN interface to the Internet:

    XGS5500_CI02_SFOS 19.5.2 MR-2-Build624 HA-Primary# tcpdump -i Port2 host 10.0.2.200
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port2, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:34:46.269798 Port2, OUT: IP 10.0.2.200.50011 > 10.0.5.80.https: Flags [SEW], seq 454467722, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:34:46.519736 Port2, OUT: IP 10.0.2.200.50012 > 10.0.5.80.https: Flags [SEW], seq 3042186263, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    10.0.2.200 is the Client in LAN, 10.0.5.80 is the private IP of Web-Server in DMZ, Port2 is the WAN-Port

    I have tried with different source IPs (in my NAT rule) to access the web server from the LAN. Whenever the DNAT rule takes effect, the traffic goes to the WAN without NAT instead of the DMZ. 

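A check for the symptom reported in the post above, as an added example that is not part of the original thread: it parses tcpdump output in the SFOS format quoted there and flags packets leaving a WAN port with RFC 1918 addresses still on them. The function names, the constructed sample lines and Port5 as a DMZ port are assumptions; Port2 as the WAN port comes from the post.

```python
import ipaddress
import re

# Constructed capture in the SFOS tcpdump format quoted in the post above.
# Port2 is the WAN port (from the post); Port5 as DMZ port is an assumption.
SAMPLE = """\
18:34:46.269798 Port2, OUT: IP 10.0.2.200.50011 > 10.0.5.80.https: Flags [SEW], seq 454467722, win 64240, length 0
18:34:46.300001 Port2, OUT: IP 203.0.113.10.44321 > 198.51.100.7.https: Flags [S], seq 1, win 64240, length 0
18:34:46.400002 Port2, IN: IP 198.51.100.7.https > 203.0.113.10.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
18:34:46.519736 Port5, OUT: IP 10.0.2.200.50012 > 10.0.5.80.https: Flags [SEW], seq 3042186263, win 64240, length 0
"""

# Explicit RFC 1918 list: ipaddress.is_private would also match the
# documentation ranges used as stand-in public addresses in SAMPLE.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[^\s:]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^\s:]+):"
)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_unnatted_egress(capture, wan_ifaces):
    """Return packets sent OUT of a WAN interface that still carry an
    RFC 1918 source or destination, i.e. traffic that was neither NATed
    nor routed to the internal zone it belongs to."""
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "OUT" or m["iface"] not in wan_ifaces:
            continue  # unparsed line, inbound packet, or internal port
        private = [k for k in ("src", "dst") if is_rfc1918(m[k])]
        if private:
            findings.append({"ts": m["ts"], "iface": m["iface"],
                             "src": m["src"], "dst": m["dst"],
                             "dport": m["dport"], "private": private})
    return findings


if __name__ == "__main__":
    for f in find_unnatted_egress(SAMPLE, {"Port2"}):
        print(f"{f['ts']} {f['iface']}: {f['src']} -> {f['dst']}:{f['dport']} "
              f"leaves WAN with private {'/'.join(f['private'])}")
```

Run over a capture taken before and after a firmware upgrade, a non-empty result on the WAN port separates a routing or NAT regression from a plain firewall-rule drop.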

  • Hi Ben,

    Thank you for reaching out to Sophos Community.

    Apologies for the experience. Would it be possible to raise a case ID and share it here? 

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello Ben,

    Would it be possible for you to share access ID via PM?

    Also, could you please share working and non-working tcpdump from LAN side clients as some networks are working as you mentioned?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hi guys,

    The Case ID is: 06543219. I also sent the tcpdumps and the Support Access ID to Sanket.

    Ben


  • Hi LHerzog ,

    Thank you for the feedback.

    Requesting you to share access via PM.

    Regards,

    Deepti

  • Hi  ,

    Thank you for the SR ID, we'll get this expedited!

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 
