Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 GA: Feedback and experiences

Release Post: Sophos Firewall v20 is Now Available

The EAP Post: Sophos Firewall: v20.0 EAP1: Feedback and experiences

The old V19.5 MR3 Post: Sophos Firewall: v19.5 MR3: Feedback and experiences

To make tracking issues and feedback easier, please include any Sophos Support Case ID in your initial post so we can track your feedback/issue.

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 



Pinning.
[edited by: LuCar Toni at 3:49 PM (GMT -8) on 5 Feb 2024]
  • IPv6 hairpin NAT appears to be broken. In v19.5.x I had an IPv6 hairpin NAT which worked.

    IPv6 loopback NAT:

    2023-11-07 13:34:03 Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="62" fw_rule_id="26" fw_rule_name="NTP-6 for locals" fw_rule_section="Local rule" nat_rule_id="6" nat_rule_name="General NTP access" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="0" gw_name_request="" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="ians-mac14-6" user_group="ABB" web_policy_id="0" ips_policy_id="1" appfilter_policy_id="1" app_name="Network Time Protocol" app_risk="1" app_technology="Browser Based" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port3" in_display_interface="House Network" out_interface="Port3" out_display_interface="House Network" src_mac="C8:89:F3:DB:B9:44" dst_mac="7C:5A:1C:6D:8A:3E" src_ip="2403:5814:8482:3201:100::4" src_country="" dst_ip="2403:300:a08:3000::1f2" dst_country="" protocol="UDP" src_port="49955" dst_port="123" packets_sent="1" packets_received="0" bytes_sent="96" bytes_received="0" src_trans_ip="2403:300:a08:3000::1f2" src_trans_port="0" dst_trans_ip="2403:5814:8482:3201:100::4" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="LAN" dst_zone="LAN" con_direction="" con_event="Stop" con_id="2117821894" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"

    The destination should be 2403:5814:8482:3201:100::2, which is the NTP server.

    IPv4 loopback NAT:

    2023-11-07 13:38:00 Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="66" fw_rule_id="49" fw_rule_name="NTP access for local devices" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="NTP access for LAN" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="0" gw_name_request="" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="xg4" user_group="Guests" web_policy_id="0" ips_policy_id="5" appfilter_policy_id="0" app_name="Network Time Protocol" app_risk="1" app_technology="Browser Based" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="VoIP network" out_interface="Port3" out_display_interface="House Network" src_mac="00:0C:29:A8:9F:D3" dst_mac="7C:5A:1C:6D:8A:3C" src_ip="192.168.111.50" src_country="R1" dst_ip="162.159.200.123" dst_country="USA" protocol="UDP" src_port="49940" dst_port="123" packets_sent="1" packets_received="1" bytes_sent="76" bytes_received="76" src_trans_ip="10.10.10.1" src_trans_port="0" dst_trans_ip="10.10.10.5" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="LAN" dst_zone="LAN" con_direction="" con_event="Stop" con_id="1196815454" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.


  • We are looking into it. Will get back to you soon.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hello,

    Thanks for sharing the feedback with us!

    We investigated the IPv6 hairpin NAT issue in our local environment and on your setup. The IPv6 loopback NAT functionality is working as expected, but the log viewer shows an incorrect IPv6 address in the "dst_trans_ip" field. This issue is also observed in v19.5 MR3 and is not related to v20 GA.

    We created a new product bug for this issue; it can be tracked under ticket NC-127532.

    Regards,
    Bhrugu Patel
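    The symptom described in the two posts above, as an added example that is not part of the thread and not Sophos code: a small parser for the log viewer's key="value" format that flags entries whose translated address pair merely mirrors the original pair (the wrong "dst_trans_ip" reported here) and separates them from a genuine hairpin DNAT. The inside prefixes are assumptions; the two log bodies are trimmed from Ian's post.

```python
import ipaddress
import re

# Bodies trimmed from the two log viewer lines quoted in the post above;
# only the fields this check reads are kept.
LOG_LINES = [
    'nat_rule_name="General NTP access" src_ip="2403:5814:8482:3201:100::4" '
    'dst_ip="2403:300:a08:3000::1f2" src_trans_ip="2403:300:a08:3000::1f2" '
    'dst_trans_ip="2403:5814:8482:3201:100::4"',
    'nat_rule_name="NTP access for LAN" src_ip="192.168.111.50" '
    'dst_ip="162.159.200.123" src_trans_ip="10.10.10.1" dst_trans_ip="10.10.10.5"',
]
# Inside prefixes are an assumption for this example; the thread does not state them.
LAN_PREFIXES = [ipaddress.ip_network("2403:5814:8482:3201::/64"),
                ipaddress.ip_network("10.10.10.0/24")]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_sfos_line(line):
    """Turn the key="value" body of a Sophos Firewall log entry into a dict."""
    return dict(KV_RE.findall(line))

def classify_hairpin(entry, lan_prefixes=LAN_PREFIXES):
    """Judge the four address fields of one entry:
    'swapped'      translated pair mirrors the original pair; the reply above
                   attributes such a dst_trans_ip to a log viewer defect (NC-127532)
    'ok'           destination rewritten to an inside host (hairpin DNAT)
    'untranslated' no destination NAT recorded (or NAT fields empty)
    'unexpected'   destination rewritten to something outside the LAN
    """
    try:
        src = ipaddress.ip_address(entry["src_ip"])
        dst = ipaddress.ip_address(entry["dst_ip"])
        src_t = ipaddress.ip_address(entry["src_trans_ip"])
        dst_t = ipaddress.ip_address(entry["dst_trans_ip"])
    except (KeyError, ValueError):   # field absent or empty: nothing was translated
        return "untranslated"
    if src_t == dst and dst_t == src:
        return "swapped"
    if dst_t == dst:
        return "untranslated"
    if any(dst_t in p for p in lan_prefixes if p.version == dst_t.version):
        return "ok"
    return "unexpected"

def audit(lines, lan_prefixes=LAN_PREFIXES):
    """Return (nat_rule_name, verdict) for every log body in lines."""
    return [(e.get("nat_rule_name", "?"), classify_hairpin(e, lan_prefixes))
            for e in map(parse_sfos_line, lines)]
```

    A 'swapped' verdict means the log entry cannot be trusted for rule debugging; confirm the real translation with a packet capture on the inside interface instead.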

  • Hi BhruguPatel,

    Thank you for the update. I have been reviewing the logviewer traffic in CM to see if that report provides a different answer, but no. I am confused because the issue then raises concerns about the accuracy of XG logviewer reports when trying to debug firewall rules and NAT settings. The CM report does not show any traffic being passed by any devices on the 3 LANs directly to the NTP server using either IPv4 or IPv6 addresses. The NTP server is set up in the DHCP server options to point at the local NTP server.

    Ian

    Fixed the missing items in the logviewer: a missing configuration in the firewall rule.

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.