Release Post: Sophos Firewall OS v19.5 MR3 is Now Available
The old V19.5 MR2 Post: Sophos Firewall: v19.5 MR2: Feedback and experiences
To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.
Release Notes: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.5
Caching Issue - Will be updated soon in all regions.
__________________________________________________________________________________________________________________
First: Could you please post one separate post per issue, so we can follow up without mixing them up.
Second:
About the first issue: Could you give us / me the Support ID?
About the second issue: What do you mean? Could you post a screenshot of this?
__________________________________________________________________________________________________________________
Thanks, Luca, for asking for the Support ID; that could help us narrow down the possible issue. Ian, you may share the support ID with Luca or myself in a 1:1.
Hi LuCar,
Screenshot as requested.
Ian
XGS118 - v21.0.1 MR1
XG115 converted to software licence v21.0.1 MR-1
If a post solves your question please use the 'Verify Answer' button.
Thanks, Ian, for providing feedback & access id.
The UI status for LocalWIFI0 unfortunately reflects the post-reboot state, i.e. it changes from "Active" to "-".
We have observed that on your device, Wireless Protection was enabled before migration:
awed.log (Before Migration)
2023-08-02 09:20:04Z [MASTER] SIGTERM received, sending SIGTERM to siblings, exiting
awed.log (After Migration)
2023-08-02 09:24:46Z [MASTER] awed_ng starting
If you turn Wireless Protection OFF and reboot the device, then the LocalWiFi0 status will be displayed the same as in the previous 19.5 MR2 release. Sorry for the trouble; we may need to discuss this internally to see how we can improve the user experience here.
Hi,
Thank you for the follow-up. I have Wireless Protection enabled because I occasionally use an APX120 on the XG115W. If I enable Wireless Protection after the reboot, will the inbuilt AP become active?
Ian
I disabled Wireless Protection and restarted the XG115W; both APs came up as inactive. I enabled Wireless Protection, and the inbuilt AP came up as active and the APX120 as inactive, which is the wrong way around.
Ian
Hi rfcat_vk,
I require some info about the RADVD issue you observed.
Did you observe this issue for the first time while upgrading to v19.5 MR3?
Have you observed this issue previously during a system reboot?
I believe you started the RADVD service from the SFOS GUI via the System Services > Services page. Do you observe anything after the service start?
Hi,
I cannot remember seeing RADVD requiring a manual restart in any recent updates or XG restarts. I restarted RADVD from the GUI without any issues.
Ian
Hi,
Would you please share the support access ID in a DM?
We had a similar observation once locally, so I wanted to confirm whether it's similar or not.
Done.
Ian
Thanks for the new Firmware.
Previously we were observing high CPU utilization due to AVD; after this upgrade it is now under control.
XGS6500 - v19.5.3 MR-3
Upgrade from MR2 went through smoothly.
No issues so far. I am using about 20 web application rules, 3 IPsec site-to-site tunnels and SSL VPN for users; e-mail and 2 APX120s are working fine.
Using Home Edition on generic firewall appliance
I'm seeing SSL VPN connections not being accepted after the upgrade from MR2 in my demo lab (sfos-home).
SSL VPN is enabled on the WAN zone, but no connection is successful. The Device Access ACL seems to block it, but I can't tell why, as the settings are fine.
drppkt on the advanced shell shows "log_type=Firewall log_component=Local_ACLs log_subtype=Denied":
2023-08-07 11:38:12 0103021 IP 192.168.222.124.56969 > 172.16.2.80.443 : proto UDP: packet len: 22 checksum : 36453
0x0000: 4500 002a c861 0000 7f11 25dc c0a8 de7c E..*.a....%....|
0x0010: ac10 0250 de89 01bb 0016 8e65 38ff 066e ...P.......e8..n
0x0020: 02f1 0333 fe00 0000 0000 ...3......
Date=2023-08-07 Time=11:38:12 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=c8:4f:86:fc:00:05 dest_mac=00:1a:8c:44:00:45 bridge_name= l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=UDP source_port=56969 dest_port=443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2322130158 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0
ACL is fine:
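A small parser for the drppkt key=value output quoted above, added here as an example (it is not from the thread or from Sophos): it picks out Local_ACLs Denied records aimed at an SSL VPN listener port and tallies them per source, so a broken device-access ACL shows up without reading raw dumps. The log lines are constructed from the quoted record, and the SSL VPN port set is an assumption.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample modelled on the drppkt record quoted in the thread (fields trimmed).
# Line 1 is the Local_ACLs Denied hit for UDP/443; line 2 is a constructed Allowed record.
SAMPLE_DRPPKT = """\
Date=2023-08-07 Time=11:38:12 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=UDP source_port=56969 dest_port=443 fw_rule_id=N/A
Date=2023-08-07 Time=11:38:15 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Allowed log_status=N/A log_priority=Information in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=TCP source_port=56970 dest_port=443 fw_rule_id=N/A
"""

# key=value pairs are space separated; a value may be empty (out_dev=) or double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Assumed SSL VPN listener ports: the lab in the thread has the service on 443.
SSLVPN_PORTS: Tuple[Tuple[str, int], ...] = (("TCP", 443), ("UDP", 443))


def parse_record(line: str) -> Dict[str, str]:
    """Parse one SFOS key=value log line into a dict; surrounding quotes are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def denied_sslvpn_hits(log_text: str,
                       ports: Iterable[Tuple[str, int]] = SSLVPN_PORTS) -> List[Dict[str, str]]:
    """Return records where the local ACL denied a packet aimed at an SSL VPN port."""
    wanted = {(proto.upper(), str(port)) for proto, port in ports}
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("log_component") != "Local_ACLs" or rec.get("log_subtype") != "Denied":
            continue
        if (rec.get("l4_protocol", "").upper(), rec.get("dest_port")) in wanted:
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count denied hits per (source_ip, inbound interface, proto/port)."""
    return Counter((h["source_ip"], h["in_dev"], f'{h["l4_protocol"]}/{h["dest_port"]}')
                   for h in hits)


if __name__ == "__main__":
    for (src, dev, svc), n in summarize(denied_sslvpn_hits(SAMPLE_DRPPKT)).items():
        print(f"{n} denied SSL VPN packet(s) from {src} on {dev} to {svc}")
```

Feed it the Date=... lines from a real drppkt capture; if denied hits appear for the VPN port while the ACL looks right, the listener itself (not the ACL) is the next thing to check, as the later replies in this thread bear out.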
Did this configuration work in V19.5 MR2?
Do you have a WAF configured?
__________________________________________________________________________________________________________________
Yes, I'm quite sure, and there are no WAF rules and no DNAT active.
You're asking because of 443 UDP?
Check the sslvpn.log on CLI for more insights.
__________________________________________________________________________________________________________________
No connections at all; I think traffic is not getting forwarded to SSL VPN, as visible in drppkt?
It's not related to MR3 or the upgrade; we have captured the logs for further investigation.
It looks like while the SSL VPN service was coming up, it timed out and was terminated by the parent service, but it returned an error for the termination request and hence got stuck. Historically, we have seen a similar issue once earlier on another version with one of the customers.
Appliance reboot has resolved the problem for now.
Today I thought: so let's update my cluster (XG550) from 19.0.2 to 19.5.3.
So I uploaded the file and clicked "upload and boot", as always when I am doing an update.
The first node was updated successfully; it came back really quickly and the modules are working.
The second node went offline and never came back.
After waiting around 30 minutes I had a look at my KVM and saw that the node is stuck on "booting 19.5.3".
After 20 minutes I decided to completely power off this machine and power it on again.
Same problem. Not booting.
I said to myself "everyone advises to reimage in this case", so I disabled HA; what could go wrong.
But no. The license left the game and is lost now. I have tried to transfer it to the now-standalone host. On MySophos it says the standalone serial number is holding the license. But when I sync the license on WebAdmin, only the base license is active. All other modules are without a subscription. So functionality is broken.
Then I created a case and called Sophos instantly. Now I am in the 5th team queue waiting for the problem to be solved. I have been on the line for 1 hour 31 minutes now and no ending is on the horizon. The license seems to be blocked by the old device.
GG. The XG licensing service is a very big problem, Sophos. Since the first version of XG I have only had trouble with this...
Can you send me the serial numbers per PM?
__________________________________________________________________________________________________________________
Can this resolved issue be described, please?
NC-116531 | SecurityHeartbeat | Can't access resources for some time when heartbeat is configured. |
In MR2 we have problems when users go from a wired to a WiFi network: it takes 4:30 minutes, but sometimes over 15 minutes, until they are heartbeat-authenticated again at the firewall, while going from WiFi to wired connections works again within a minute.
It introduces a new flag in the CLI:
https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#synchronized-security
Try a range of 30 to test for a better result.
*edit* The flag is not new, but MR3 introduces a new mechanism to kick out old sessions, to open the "slot" for the new IP once again. But by lowering this value you should also get a better result.
__________________________________________________________________________________________________________________
LuCar Toni, where can I specify this option? I did the upgrade to 19.5.3 MR-3 but am unable to set a value. The parameter is unknown to my system. The old one seems to work fine.
console> system synchronized-security delay-missing-heartbeat-detectionsettime show
% Error: Unknown Parameter 'delay-missing-heartbeat-detectionsettime'
console> system synchronized-security delay-missing-heartbeat-detection show
30
Seems like the doc has a typo.
The correct parameter is the one you mentioned. The doc has an invalid statement.
__________________________________________________________________________________________________________________
Why would you do that? As far as I know, you could request this update from Support, but I don't see the reason?
__________________________________________________________________________________________________________________
The Phison is a Consumer SSD …
One PS3117 died already and it would be great to get an Update.
And if only it lets you sleep more peacefully.
Somehow I find it disturbing to use enterprise devices with consumer ssd.
19.5 MR3 updates SSD firmware ONLY for some SSD models within the XGS 2100, XGS 2300, XGS 3100, XGS 3300 and XGS 4300 firewalls to optimize performance and reliability.
Every component used in Sophos firewalls is carefully selected to operate at optimal capacity throughout the full lifecycle of the product. The solid-state drives (SSDs) we use are no exception to this, and are models intended for enterprise use where a high volume of read/write cycles is to be expected.
Please reach out to Sophos support if you are seeing any erroneous symptoms with your firewall device.
Resolves 65+ important performance, reliability, stability and security fixes → Can it be a little more precise? What is changing?
__________________________________________________________________________________________________________________
This does not answer the question, because there is no more info regarding "Resolves 65+ important performance, reliability, stability and security fixes".
Check the "Resolved issues" Section for more details.
__________________________________________________________________________________________________________________
Authentication forms in WAF are showing a 404 error. Just terrible, 58 WAF rules need to be recreated.
Hi Sergejs,
Thank you for reaching out to Sophos Community.
Would it also be possible to create a case # and share it here?
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
I hope you do not add more. We switched from a UTM with 90+ rules and had to change a lot, because WAF on SFOS only allows 60 rules. No clue why this hard limit is there, though, as UTM did not have it.