
Sophos Firewall: v19.5 MR3: Feedback and experiences

Release Post:  Sophos Firewall OS v19.5 MR3 is Now Available  

The old V19.5 MR2 Post:  Sophos Firewall: v19.5 MR2: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.5 



  • Release Notes still showing MR2 - will this be updated shortly?

    • Caching Issue - Will be updated soon in all regions. 


    • first issue - RADVD had to be manually started.

      Ian

      XGS118 - v21.0.1 MR1

      XG115 converted to software licence v21.0.1 MR-1

      If a post solves your question please use the 'Verify Answer' button.

      • 2nd issues - inbuilt AP enabled and not able to disable it. Prior to the upgrade the inbuilt AP was disabled.

        Ian


        • First: Could you please post one post per issue, so we can follow up without mixing things up. 
          Second: 
          About the first issue: Could you give us / me the Support ID?
          About the second issue: Do you mean: Could you post a screenshot about this? 


          • Thanks, Luca, for asking for the Support ID - that could help us in narrowing down the possible issue. Ian, you may share the support ID with Luca or myself in 1:1.

            • I have provided you with the access id.

              Ian


              • Hi LuCar,

                screenshot as requested.

                Ian


                • Thanks Ian, we're investigating this - we shall update you shortly. 

                  • Thanks, Ian, for providing feedback & access id.

                    UI status for LocalWIFI0 reflects (unfortunately) post-reboot, i.e. it changes to "-" from "Active".

                    We have observed that on your device, Wireless Protection was enabled before migration:

                    awed.log (Before Migration)

                    2023-08-02 09:20:04Z [MASTER] SIGTERM received, sending SIGTERM to siblings, exiting

                    awed.log (After Migration)

                    2023-08-02 09:24:46Z [MASTER] awed_ng starting

                    If you turn Wireless Protection OFF and reboot the device, then the LocalWiFi0 status will be displayed the same as in the previous 19.5.MR2 release. Sorry for the trouble - we may need to discuss this internally to see how we can improve the user experience here.

                    • Hi,

                      thank you for the follow-up. I have Wireless Protection enabled because I occasionally use an APX120 on the XG115W. If I enable Wireless Protection after the reboot, will the inbuilt AP become active?

                      Ian


                      • I disabled wireless protection and restarted the XG115W, both APs came up as inactive. I enabled Wireless Protection, the inbuilt AP came up as active and the APX120 as inactive which is the wrong way around.

                        Ian


                        • Yes, that's correct 

                          • External APs (APX120) take some time during the handshake and could appear as active in a few minutes - could you check again?

                          • Hi  

                            I require some info about the RADVD issue observed by you.

                            Have you observed this issue for the first time while upgrading to v19.5.MR3?

                            Have you observed this issue previously during system reboot?

                            I believe you have started the RADVD service from the SFOS GUI via System Service > Service page. Do you observe any after service start?

                            • Hi,

                              I cannot remember seeing RADVD requiring a manual restart in any recent updates or XG restarts. I restarted RADVD from the GUI without any issues.

                              Ian


                              • Hi,

                                Would you please share the support access ID in DM?

                                We had a similar observation once locally, so we wanted to confirm whether it's similar or not.

                                • Done.

                                  Ian


                              • Thanks for the new Firmware.

                                Previously we were observing the high CPU utilization due to AVD, after this upgrade it is now under control.

                                XGS6500 - v19.5.3 MR-3

                                • Upgrade from MR2 went through smoothly.

                                  No issues so far, I am using like 20 Web application rules, 3 IPSec Site2Site tunnels and SSLVPN for users, e-mail and 2 APX120 working fine.

                                  Using Home Edition on generic firewall appliance

                                  • I'm seeing SSL-VPN connections not being accepted after the upgrade from MR2 in my demo lab (sfos-home).
                                    SSL-VPN is enabled on the WAN zone but no connection is successful. The Device Access ACL seems to block, but I can't tell why, as the settings are fine.

                                    drppkt on advanced shell showing "log_type=Firewall log_component=Local_ACLs log_subtype=Denied"

                                    ACL is fine:

                                    • Did this configuration work in V19.5 MR2? 

                                      Do you have a WAF configured? 


                                      • Yes, I'm quite sure - and no WAF rules, no DNAT active.
                                        You're asking because of 443 UDP?

                                        • Check the sslvpn.log on CLI for more insights. 


                                          • No connections at all - I think traffic is not getting forwarded to SSL-VPN, as visible in drppkt?

                                            • I have DMed you for support access.

                                              • It’s not related to MR3 or upgrade, we have captured the logs for further investigation.

                                                It looks like while the SSLVPN service was coming up, it timed out and was terminated by the parent service, but it returned an error for the termination request and hence it got stuck. Historically, we have seen a similar issue once earlier on another version by one of the customers. 

                                                Appliance reboot has resolved the problem for now.

                                                • Yes, thank you very much!

                                              • Today I thought: so let's update my cluster (XG550) from 19.0.2 to 19.5.3.
                                                So I uploaded the file and clicked "upload and boot" as always when I am doing an update.

                                                The first node was updated successfully and it came back really quickly and the modules are working.

                                                The second node went offline and never came back.
                                                After waiting around 30 minutes I had a look at my KVM and saw that the node is stuck on "booting 19.5.3".

                                                After 20 minutes I decided to completely power off this machine and repower it.
                                                Same problem. Not booting.

                                                I said to myself "everyone advises to reimage in this case". So I disabled HA - what could go wrong.

                                                But no. The license exited the game and is lost now. I have tried to transfer it to the now standalone host. On MySophos it says the standalone serial number is holding the license. But when I sync the license on webadmin, only the base license is active. All other modules are with no subscription. So functionality is broken.

                                                Then I created a case and called Sophos instantly. Now I am in the 5th team queue waiting for the problem to be solved. I have been on the line for 1 hour 31 minutes now and no end is on the horizon. The license seems to be blocked by the old device.

                                                GG. The XG licensing service is a very big problem, SOPHOS. Since the first version of XG I have only had trouble with this...

                                                • Can you send me the serial numbers via PM? 


                                                  • OK, the licensing team got this. Now I was able to sync the license and it seems license sync is working again.
                                                    It took 1 hour and 43 minutes on the telephone and 5 different support teams to fix this...

                                                    I reimaged the second node already and will try to enable HA on Monday.

                                                    • Do you have console logs/screenshots when the device didn't boot to 19.5.3?

                                                    • Can this resolved issue be described, please?

                                                      NC-116531 SecurityHeartbeat Can't access resources for some time when heartbeat is configured.


                                                      In MR2 we have problems when users go from the wired to the WiFi network - it takes 4:30 minutes, but sometimes over 15 minutes, until they are heartbeat-authenticated again at the firewall, while going from WiFi to wired connections works again within a minute.

                                                    • Is there a way to extract the SSD firmware update from MR 19.5.3 and install it under 19.5.2?

                                                      I would like to update the Phison PS3117-S17T SSD without upgrading to 19.5.3.

                                                      • Why would you do that? As far as I know, you could request this update from Support - but I don't see the reason? 


                                                        • The Phison is a Consumer SSD …

                                                          One PS3117 died already and it would be great to get an Update.

                                                          And if only it lets you sleep more peacefully.
                                                          Somehow I find it disturbing to use enterprise devices with consumer SSDs.

                                                        • There's no firmware upgrade in 19.5 MR3 for your SSD (i.e. Phison...) - so you're anyway unaffected (even if you stay in 19.5 MR2 or you upgrade to 19.5 MR3)

                                                          • Thanks, which SSDs are installed in the XGS2100 models?
                                                            Besides the Phison, there are surely other variants.

                                                            • 19.5 MR3 updates SSD firmware ONLY for some SSD models within the XGS 2100, XGS 2300, XGS 3100, XGS 3300 and XGS 4300 firewalls to optimize performance and reliability.

                                                              Every component used in Sophos firewalls is carefully selected to operate at optimal capacity throughout the full lifecycle of the product. The solid-state drives (SSDs) we use are no exception to this, and are models intended for enterprise use where a high volume of read/write cycles is to be expected.

                                                              Please reach out to Sophos support if you are seeing any erroneous symptoms with your firewall device.

                                                          • Resolves 65+ important performance, reliability, stability and security fixes → Can it be a little more precise? What is changing?

                                                          • Authentication forms in WAF showing 404 error. Just terrible, 58 WAF rules need to be recreated.