Sophos Firewall: v19.5 MR2: Feedback and experiences

Question

Release Post: Sophos Firewall OS v19.5 MR2 is Now Available 
 The old V19.5 MR1 Post: Sophos Firewall: v19.5 MR1: Feedback and experiences 
 To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.

bobbylam · Accepted Answer

ACL rules for accessing WebAdmin are not affected by this, and would not be disabled automatically even if there's no activity. So if you want a persistent way to access WebAdmin over WAN, recommendation is to apply an ACL rule.

Giridhar Katti · Answer

Hi Enrico van Egmond1 
 When SSLVPN is configured with a static IP address, SSLVPN service sets nfmark mark on SSLVPN tun interfaces. 
 ip link set tun0 nfmark 0x300 
 ip link set tun1 nfmark 0x301 
 Note: Based on the number of OpenVPN instances SSLVPN service will have an equal number of tun interfaces. 
 
 So if SSLVPN static IP connections have a matching SDWAN route then the 0x300 mark is overridden by the SDWAN route, which causes SSLVPN connections to send traffic on the SDWAN gateway instead of the tun interface. 
 
 Where as for SSLVPN dynamic ip, when we assign the Dynamic IP to the user, we provision the route on the client, which is in the same network as tun interface. Hence there&rsquo;s no issue w.r.t the traffic.

Giridhar Katti · Answer

Hi Enrico van Egmond1 - We had a discussion on this issue internally. Can you please disable this "any" "any" rule(3rd rule in the list) from the SDWAN routes ? It should solve your problem.

Ben@Network · Answer

Hi guys, 
 I was able to isolate the problem with support. Shortly after the update, we had to set an SD-WAN route for a specific tunnel that overlapped with the IP scope of another tunnel (both via tunnel interfaces). To make this work we had to adjust the routing order. On the firewall, there was a forgotten config fragment that for specific networks (the exact networks it didn't work from), an SD-WAN profile should run Internet traffic over the WAN port with the least amount of jitter. By adjusting the routing order there was a collision with the DNAT rule. We disabled the SD-WAN route in doubt and now everything works as usual. 
 Thank you for the very quick analysis by Sophos support. So I can confirm that the MR-2 is running stable. 
 Cheers, 
 Ben

bobbylam · Answer

The 'auto disable when not in use' feature applies to both Admin & User portals, but only for the checkboxes (on Device Access page) which enables these portals to all of WAN. 
 If you create an ACL rule to allow access, that will not be disabled even if no activity is detected after 90 days.

LuCar Toni · Answer

Sophos Firewall: v19.5 MR3: Feedback and experiences V19.5 MR3 was released.

LuCar Toni · Answer

One up2date server seems to have served the update a little to early to all firewalls. This situation was resolved and the Firmware update is back into staging.

Giridhar Katti · Answer

JasP - Yes, that feature is being worked on and is planned for v20.0

MikeBarber1 · Answer

It is testable. Create the ACL rule allowing the service from the WAN and then uncheck the box for the WAN zone. If you can access the service then the ACL works

twister5800 · Answer

We've been using theese ACL for years - so not so much fuzz about it :-) 
 Also you can remote control if you enabled through Sophos Central :-)

Sophos Firewall: v19.5 MR2: Feedback and experiences

Top Replies