Sophos Firewall: v19.5 MR3: Feedback and experiences

Release Notes still showing MR2 - will this be updated shortly?

first issue - RADVD had to be manually started.

Ian

Thanks for the new Firmware.

Previously we were observing the high CPU utilization due to AVD, after this upgrade it is now under control.

XGS6500 - v19.5.3 MR-3

Upgrade from MR2 went through smoothly.

No issues so far, I am using like 20 Web application rules, 3 IPSec Site2Site tunnels and SSLVPN for users, e-mail and 2 APX120 working fine.

Using Home Edition on generic firewall appliance

I'm seeing SSL-VPN Connections not being accepted after Upgrade from MR2 in my demo-lab (sfos-home).
SSL-VPN is enabled on WAN-Zone but no connection successful. Device Access ACL seems to block but i can't tell why as settings are fine.

drppkt on advanced shell showing "log_type=Firewall log_component=Local_ACLs log_subtype=Denied"

2023-08-07 11:38:12 0103021 IP 192.168.222.124.56969 > 172.16.2.80.443 : proto UDP: packet len: 22 checksum : 36453
0x0000:  4500 002a c861 0000 7f11 25dc c0a8 de7c  E..*.a....%....|
0x0010:  ac10 0250 de89 01bb 0016 8e65 38ff 066e  ...P.......e8..n
0x0020:  02f1 0333 fe00 0000 0000                 ...3......

Date=2023-08-07 Time=11:38:12 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=4 source_mac=c8:4f:86:fc:00:05 dest_mac=00:1a:8c:44:00:45 bridge_name= l3_protocol=IPv4 source_ip=192.168.222.124 dest_ip=172.16.2.80 l4_protocol=UDP source_port=56969 dest_port=443 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=2322130158 masterid=0 status=256 state=0, flag0=824635817984 flags1=17179869184 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

ACL is fine:

Today I thought: so lets update my cluster (xg550) from 19.0.2 to 19.5.3.
So I uploaded the file and clicked "upload and boot" as always when i am doing an update.

The first node was updated successfully and it came back really quick and the modules are working.

The second node went offline and never came back.
After waiting around 30 minutes i had a look at my KVM and saw that the node is stuck on "booting 19.5.3".

After 20 minutes i decided to completely power off this machine and repower it.
Same problem. Not booting.

I said to me "everyone advises to reimage in this case". so i disabled ha - what could go wrong.

But no. The license exited the game and is lost now. I have tried to transfer it to now standalone host. On mysophos it says the standalone serial number is holding the license. But when i sync the license on webadmin, only base license is active. All other modules are with no subscription. So functionality is broken.

Then i created a case and called sophos instantly. Now i am in the 5. teamqueue waiting the problem to be solved. I am on the line for 1hour 31 minutes now and no ending is on the horizont. The license seems to be blocked by the old device.

GG. The XG licensing service is a very big problem SOPHOS. Since first version of XG I only have trouble with this...

can this resolved issue be described please?

in MR2 we have problems when users go from Wired to WiFi network - it takes 4:30  minutes but sometimes over 15 minutes until they are heartbeat-authenticated again at the firewall while going from WiFi to wired connections works again within a minute.

Is there a way to extract the SSD firmware update from MR 19.5.3 and install it under 19.5.2 ?

I would like to update the Phison PS3117-S17T SSD without upgrading to 19.5.3 ?

Resolves 65+ important performance, reliability, stability and security fixes → Can it be a little more precise? What is changing?

Authentication forms in WAF showing 404 error . Just terrible, 58 WAF rules need to be recreated.