Sophos Firewall: v20.0 GA: Feedback and experiences

Release Post:  Sophos Firewall v20 is Now Available  

The EAP Post:  Sophos Firewall: v20.0 EAP1: Feedback and experiences  

The old V19.5 MR3 Post:  Sophos Firewall: v19.5 MR3: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 



Pinning.
[edited by: LuCar Toni at 3:49 PM (GMT -8) on 5 Feb 2024]
  • Installed on the XG115W this morning.

    The good, the bad and the ugly

    1/. the inbuilt AP is still enabled - no ability to disable

    2/. no IPv6 FQDN support

    3/. IPv6 delegation works with DHCP and selectable options

    4/. the reconnect WAN at restart works without any action by the admin.

    5/. the GUI is even slower than before.

    6/. unable to assign a range to IPv6 DHCP server

    7/. unable to assign IPv6 addresses from IPv6 DHCP server created by delegated interface.

    8/. IPv6 lease table does not display active leases.

    9/. Unable to edit name of the delegated created DHCP IPv6 server

    So far so good.

    Ian

    Added extra info.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the update on v20-GA build.

    Reg. 6/ and 7/, RA should manage IP prefix management, and the DHCPv6 server on the delegated interface should manage other parameters like DNS settings, other DHCPv6 options, etc. That's the reason it's not supported currently. Do you see a need where a customer is using DHCPv6-PD and also wants to manage stateful IPv6 addresses from the DHCPv6 server on the downstream interface?

    8/ - is it about static MAC-IP DHCPv6 leases, or are even dynamic leases not seen in the active leases table on the UI?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hi Sanket Shah,

    Thank you for your assistance. My apologies for the delayed response; I did not see your request until today.

    The delegated process does not allow for management of address allocation, and from past experience your devices are assigned two addresses from within the delegated range. Controlling access to the internet then becomes an issue.

    The IPv6 lease table only shows dynamic leases, not static leases. I am expecting the IPv6 lease table to look very similar to the IPv4 table to assist with network management.

    Also, I was hoping that the IPv6 lease table fields might be expandable so you can see all of the field, not just part of it.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the clarification.

    Reg. IPv6 lease table improvements, it's on the roadmap. I will check with product management about its priority.

    Reg. multiple IPv6 address management, I believe it might be due to the transition in your setup from the manual way of managing the prefix network via the DHCPv6 server to DHCPv6-PD. If it had been a fresh deployment, I guess you would have got a single IPv6 address in your LAN network via router advertisement. For multiple IPv6 address management, a cleaner approach is to use "user" based authentication, so as not to worry about IP addresses at all to identify client machine(s).

    If there is a need to have multiple IPv6 addresses managed (which I think you don't need as of now), a DHCPv6 server with lease pool management will be required on the delegated interface on top of prefix distribution via router advertisement. We will consider this requirement based on the deployment feedback we get from customers.

    Thanks for your cooperation and support.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • "user" based authentication is meaningless for most IoT devices.