Sophos Firewall: v20.0 GA: Feedback and experiences

Hello,

And still no lets encrypt support. LuCar Toni Dont tell me to use some extra software, sorry. This should be done by the FW.

Hello,

And still no lets encrypt support. LuCar Toni Dont tell me to use some extra software, sorry. This should be done by the FW.

Thanks for your feedback. Lets Encrypt is on the roadmap for a future version. 
You can automate it with things like Sophos Factory or a script based approach, if you want. (Even better by doing it by the Script based, as you get a Wildcard Certificate, which is usable for multiple instances). 

Give up. Been on the road map for more than a decade. A bit like NAT rule grouping. Sophos will tell customers what they need, not the other way around.

Couldn't agree more. Sophos conveniently took down the ideas site where actual end users were voting on features. LE was at the top of the list, but they still won't make it happen. I don't understand. We need a new version of the ideas site that Sophos actually listens to.

What I've done quite some time ago is to DNAT the ports you need (and yes, this is also possible with webadmin, userportal and vpn-portal) to a Docker machine with a Traefik reverse proxy which in turns forwards the traffic back to the firewall (or any other webservice inside the DMZ).

Instead of using Administration - Device Access to manage who can reacht those services you can also limit the source in the DNAT rules to prevent unauthorized users from getting to the webadmin interface.

I'm also having a hard time believing Sophos will ever again implement Lets Encrypt as they have done before in UTM.

The Ideas Website is a good idea in general, but a hard thing to keep up with. Because basically you would have to make ideas gate keeped and not based on a "you have an account, you have voting right". Because ideas gives a home user the power to have the same voice as a enterprise customer and vise versa, which is on the paper a good thing but in the end will lead up to a lot of trouble like "Why is not the top idea implemented" - simply because it has the most votes does not mean "the channel/customer require it at all". And what i mean by that is: SFOS is quite popular in the channel as a solution to go with smaller customers and LE is an implementation for a certain specific customer persona. 

Lets tackle the LE need cases: 

What i found after digging into this field a lot more. Customer who ask for LE have the following requirements:
They are likely under 100 users (not all but most)
They have an Exchange on premise
(Therefore they purchase WAF for SFOS)
They have another service they host
They migrated from UTM and used FG. 

So another persona is the home user, who wants that - But lets keep this out of this conversation for now. 
If you disagree with the list above, feel free to add. That is my data collection and hundreds of talks to Partners around the globe. 

You will find the most exchange servers in Germany (Based on shodan). I am from Germany as well - So i am talking to most of those partners. Why do i think, under 100 user? Most "bigger" customers still purchase a certificate anyway (from my experiences). Smaller customers do not want to do that (understandable). 

LE solves the need for an external certificate. Likely you have 3 use cases for it: WAF + Exchange, WAF + Service to publish, User Portal/VPN Portal. Those are the main 3 components. 

Now going back to the ideas website: Looking at those use cases, you will find some customers matching those requirements and that is the reason LE is on the Roadmap for a future version. But it is not Prio 1 item. 

Another viewpoint is the movement of Exchange towards cloud services. I know, there are restrictions and countries not allowed but still the entire world is looking into services like M365 or Google Work Spaces etc. 

My point and what i am telling Partners in this conversation is: Build a Factory Pipeline to automate it for your customers. It is actually easy to use, completely free and you will have LE like you used to (+ the benefit of having a wildcard instead, which is nice).

LE will find it way to SFOS in the future. 

As i stated above: Why not looking into a Factory approach? If you have docker running, getting a Factory Docker Runner is made within 5 minutes. Then you build your pipeline (copy/paste) and can have wildcard certificates. 

See:  [HowTo] Lets Encrypt Renewal Process with Factory  

For now I had a WAF rule with path specific routing pointing to a server to /.well-known/acme-challenge/ That would auto update the certs on the server. Since upgrading to version 20 that rule no longer works. It always worked fine under v19. Any ideas why that would now break and where in the logs do you think I could look to find an answer?

Check the /log/reverseproxy.log if the WAF in general work. 

I actually did find it. It is treating now as a Bad Reputation with the message SXL category IPCAT_BOTS. I might try to see if I can get around this some way.

Hi Barry, if it gets blocked by IP rep, then disabling reputation based blocking should solve this.