
Sophos Firewall: v20.0 GA: Feedback and experiences

Release Post: Sophos Firewall v20 is Now Available

The EAP Post: Sophos Firewall: v20.0 EAP1: Feedback and experiences

The old V19.5 MR3 Post: Sophos Firewall: v19.5 MR3: Feedback and experiences

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html

  • What I did quite some time ago is to DNAT the ports you need (and yes, this is also possible with webadmin, userportal and vpn-portal) to a Docker machine with a Traefik reverse proxy which in turn forwards the traffic back to the firewall (or any other webservice inside the DMZ).

    Instead of using Administration - Device Access to manage who can reach those services, you can also limit the source in the DNAT rules to prevent unauthorized users from getting to the webadmin interface.

    I'm also having a hard time believing Sophos will ever again implement Let's Encrypt as they have done before in UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • The Ideas Website is a good idea in general, but a hard thing to keep up with. Because basically you would have to make ideas gatekept and not based on "you have an account, you have voting rights". Because Ideas gives a home user the same voice as an enterprise customer and vice versa, which is on paper a good thing but in the end will lead to a lot of trouble like "Why is the top idea not implemented?" - simply because it has the most votes does not mean "the channel/customer requires it at all". And what I mean by that is: SFOS is quite popular in the channel as a solution to go with for smaller customers, and LE is an implementation for a certain specific customer persona.

    Let's tackle the LE need cases:

    What I found after digging into this field a lot more: customers who ask for LE have the following requirements:
    - They are likely under 100 users (not all, but most)
    - They have an Exchange on premise (therefore they purchase WAF for SFOS)
    - They have another service they host
    - They migrated from UTM and used FG.

    So another persona is the home user, who wants that - but let's keep this out of this conversation for now.
    If you disagree with the list above, feel free to add. That is based on my data collection and hundreds of talks to Partners around the globe.

    You will find the most Exchange servers in Germany (based on Shodan). I am from Germany as well, so I am talking to most of those partners. Why do I think under 100 users? Most "bigger" customers still purchase a certificate anyway (from my experience). Smaller customers do not want to do that (understandable).

    LE solves the need for an external certificate. Likely you have 3 use cases for it: WAF + Exchange, WAF + Service to publish, User Portal/VPN Portal. Those are the main 3 components. 

    Now going back to the Ideas website: looking at those use cases, you will find some customers matching those requirements, and that is the reason LE is on the roadmap for a future version. But it is not a Prio 1 item.

    Another viewpoint is the movement of Exchange towards cloud services. I know there are restrictions and countries where this is not allowed, but still the entire world is looking into services like M365 or Google Workspace etc.

    My point, and what I am telling Partners in this conversation, is: build a Factory pipeline to automate it for your customers. It is actually easy to use, completely free, and you will have LE like you used to (+ the benefit of having a wildcard instead, which is nice).

    LE will find its way to SFOS in the future.

  • As I stated above: why not look into a Factory approach? If you have Docker running, getting a Factory Docker Runner up is done within 5 minutes. Then you build your pipeline (copy/paste) and can have wildcard certificates.

    See: [HowTo] Lets Encrypt Renewal Process with Factory

  • According to the Sophos Firewall firmware release schedule, the firmware typically becomes available for download within 2 to 5 weeks after the initial soft release phase. It seems that although v20 was released around November 6, 2023, it's not yet accessible for download from the Firewall Firmware menu as of today, December 29, 2023. Should we manually download it from Sophos Central, then upload and install it on our firewall? In the past, previous firmware versions were usually accessible directly from the firewall menu. The only modification I made recently was connecting my firewall to Sophos Central. Could this connection to Sophos Central be the reason why v20 isn't directly available on the firewall?

  • Hi Prateek,

    We roll out a new Firewall firmware release in a staged manner. Due to the holidays we've paused the rollout, which is why you don't see it available on your Firewall yet. We will resume the rollout in January. This is not due to you connecting your Firewall to Central.

    In the meantime, if you want to install v20 sooner, you can download the firmware update & apply it on the Firewall manually.

  • Hello

    Thank you for the information. Happy Holidays!!

    I will wait for the rollout to begin.

  • For now I had a WAF rule with path-specific routing pointing to a server for /.well-known/acme-challenge/. That would auto-update the certs on the server. Since upgrading to version 20, that rule no longer works. It always worked fine under v19. Any ideas why that would now break, and where in the logs do you think I could look to find an answer?

  • Check /log/reverseproxy.log to see whether the WAF works in general.

  • I actually did find it. It is now treating it as a Bad Reputation with the message SXL category IPCAT_BOTS. I might try to see if I can get around this some way.

  • Hi Barry, if it gets blocked by IP rep, then disabling reputation-based blocking should solve this.
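Both the DNAT-to-Traefik setup from the first post and the WAF path-routing rule from the last exchange have the same requirement: the CA's HTTP-01 validation must be able to fetch http://<host>/.well-known/acme-challenge/<token> over plain port 80 and get the key authorization back, so whatever sits in front has to let exactly that path through and nothing else. The following added example (written for this thread; it is not code from Sophos, Traefik or any poster) is a minimal challenge responder plus the reachability check a practitioner would run from outside the network after such a rule change. The token, the placeholder JWK thumbprint in CHALLENGES, the hostnames and the User-Agent are all constructed values; a real ACME client fills in the token and key authorization per order.

```python
"""Minimal ACME HTTP-01 responder plus an external reachability check.

Added example, not from the thread: the CA fetches
http://<host>/.well-known/acme-challenge/<token> on port 80 and expects the
key authorization ("<token>.<JWK thumbprint>") back. A DNAT to a reverse
proxy or a WAF path-routing rule must pass precisely that path through.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are unpadded base64url; reject anything else before lookup.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# Constructed sample data: token -> key authorization. The thumbprint part is
# a placeholder; a real ACME client derives it from the account key (RFC 7638).
CHALLENGES = {
    "tok_example_0123456789abcdef": "tok_example_0123456789abcdef.jwk_thumbprint_placeholder",
}


class AcmeChallengeHandler(BaseHTTPRequestHandler):
    """Serves only known challenge tokens; every other path is a 404."""

    def do_GET(self):
        if not self.path.startswith(ACME_PREFIX):
            self.send_error(404)
            return
        token = self.path[len(ACME_PREFIX):]
        if not TOKEN_RE.match(token) or token not in CHALLENGES:
            self.send_error(404)
            return
        body = CHALLENGES[token].encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_responder(host="127.0.0.1", port=0):
    """Start the responder in a background thread; returns (server, bound port)."""
    server = HTTPServer((host, port), AcmeChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_challenge(base_url, token, expected):
    """Fetch the challenge URL the way a CA would; returns (status, body_matches).

    Run against the public hostname from outside the network to confirm the
    DNAT/WAF path really reaches the responder. A 403 or a block page here is
    what an IP-reputation or WAF block looks like from the CA's point of view.
    """
    url = base_url.rstrip("/") + ACME_PREFIX + token
    req = urllib.request.Request(url, headers={"User-Agent": "acme-reachability-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("ascii", "replace") == expected
    except urllib.error.HTTPError as exc:
        return exc.code, False


if __name__ == "__main__":
    srv, port = start_responder()
    base = f"http://127.0.0.1:{port}"
    tok = next(iter(CHALLENGES))
    print("known token:", check_challenge(base, tok, CHALLENGES[tok]))
    print("unknown token:", check_challenge(base, "unknown_token_000000000000", "x"))
    srv.shutdown()
```

When checking a live setup, point base_url at the public name in the certificate request (over http://, not https://) and run it from a host outside the firewall; the responder's strict token pattern and 404-for-everything-else behaviour also keep the exposed path from becoming a general file-serving endpoint.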