
Sophos Firewall: v19.5 MR2: Feedback and experiences

Release Post: Sophos Firewall OS v19.5 MR2 is Now Available

The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.

  • Hi guys,

    I was able to isolate the problem with support. Shortly after the update, we had to set an SD-WAN route for a specific tunnel that overlapped with the IP scope of another tunnel (both via tunnel interfaces). To make this work we had to adjust the routing order. On the firewall, there was a forgotten config fragment stating that for specific networks (the exact networks it didn't work from), an SD-WAN profile should run Internet traffic over the WAN port with the least amount of jitter. By adjusting the routing order there was a collision with the DNAT rule. We disabled the SD-WAN route in doubt and now everything works as usual.

    Thank you for the very quick analysis by Sophos support. So I can confirm that MR2 is running stably.

    Cheers,

    Ben

    If a post solves your question please use the 'Verify Answer' button.

  • And access to the user portal, and thus the VPN provisioning, can be ensured using the ACL exception rule described in the release notes?

  • Hi   - We tested the migration from 19.5MR1 to 19.5MR2. Used a free SNMP tool to retrieve a sample OID, which works without issues. As discussed over the live debugging session, please help us with the snmpd logs & packet capture (pcap) outputs for further analysis.

    Attached screenshot of FWVersion read across MR1 & MR2 for your reference.

  • Agree with the others; it seems reasonable to disable HTTPS to WAN interfaces, but DNS named objects should be present in the ACL list.

    Thanks!

  • We will not install the update for our customers for precisely these reasons. We don't care about the user portal itself. But the VPN configuration must be able to be retrieved or updated at any time.

  • We don't care about the user portal itself. But the VPN configuration must be able to be retrieved or updated at any time.

    I raised this issue in this post - Sophos Connect and delivery of configuration via User Portal

    At the time,  reported that Sophos plan to change this behaviour:

    "We've brought your concerns up internally and our Development Team is currently in the works for a new method that would eliminate the need for the User Portal to be exposed on the WAN for SSL VPN RA use. We plan to implement this in the future release."

    Can someone at Sophos confirm that this is still planned?

  •    - Yes, that feature is being worked on and is planned for v20.0

  • I replied to your PM in some detail but when I 'sent' it, I got the message that I couldn't send to you and all my text was lost.

    I used the same tool as you to test SNMPv3 and it worked. So I tried the tool I had been using previously, and that worked. So I switched our monitoring software back to SNMPv3 and that worked! I haven't made any changes since our debugging session on Friday.

    Last night I rebooted the XGS and our monitoring software to check that everything still worked, and it does. I have set up new credentials for SNMPv3 (as I had shared the previous credentials with you by email) and that worked fine too.

    It is very frustrating to have no idea of what the issue was but clearly there is nothing further we can do now. Hopefully it was just a 'one off' problem and that is the end of it.

    Thanks for your assistance with this.

  • JasP - Yes, that feature is being worked on and is planned for v20.0

    Thanks for confirming that, it is good to hear.

    I was a little concerned that, with the changes in this release regarding WAN access, this had been dropped, and the current changes were regarded as a solution to the problem, which they clearly aren't for this particular issue.

  • How long do we have to postpone updates then?