Sophos Firewall: v20.0 GA: Feedback and experiences

Release Post:  Sophos Firewall v20 is Now Available  

The EAP Post:  Sophos Firewall: v20.0 EAP1: Feedback and experiences  

The old V19.5 MR3 Post:  Sophos Firewall: v19.5 MR3: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 



[edited by: LuCar Toni at 3:49 PM (GMT -8) on 5 Feb 2024]
  • IPv6 hairpin NAT appears to be broken. In v19.5.x I had an IPv6 hairpin NAT which worked.

    IPv6 loopback NAT:-

    2023-11-07 13:34:03 Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="62" fw_rule_id="26" fw_rule_name="NTP-6 for locals" fw_rule_section="Local rule" nat_rule_id="6" nat_rule_name="General NTP access" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="0" gw_name_request="" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="ians-mac14-6" user_group="ABB" web_policy_id="0" ips_policy_id="1" appfilter_policy_id="1" app_name="Network Time Protocol" app_risk="1" app_technology="Browser Based" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port3" in_display_interface="House Network" out_interface="Port3" out_display_interface="House Network" src_mac="C8:89:F3:DB:B9:44" dst_mac="7C:5A:1C:6D:8A:3E" src_ip="2403:5814:8482:3201:100::4" src_country="" dst_ip="2403:300:a08:3000::1f2" dst_country="" protocol="UDP" src_port="49955" dst_port="123" packets_sent="1" packets_received="0" bytes_sent="96" bytes_received="0" src_trans_ip="2403:300:a08:3000::1f2" src_trans_port="0" dst_trans_ip="2403:5814:8482:3201:100::4" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="LAN" dst_zone="LAN" con_direction="" con_event="Stop" con_id="2117821894" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"

    The destination should be 2403:5814:8482:3201:100::2 which is the NTP server.

    IPv4 loopback NAT:-

    2023-11-07 13:38:00 Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="66" fw_rule_id="49" fw_rule_name="NTP access for local devices" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="NTP access for LAN" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="0" gw_name_request="" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="xg4" user_group="Guests" web_policy_id="0" ips_policy_id="5" appfilter_policy_id="0" app_name="Network Time Protocol" app_risk="1" app_technology="Browser Based" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="VoIP network" out_interface="Port3" out_display_interface="House Network" src_mac="00:0C:29:A8:9F:D3" dst_mac="7C:5A:1C:6D:8A:3C" src_ip="192.168.111.50" src_country="R1" dst_ip="162.159.200.123" dst_country="USA" protocol="UDP" src_port="49940" dst_port="123" packets_sent="1" packets_received="1" bytes_sent="76" bytes_received="76" src_trans_ip="10.10.10.1" src_trans_port="0" dst_trans_ip="10.10.10.5" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="LAN" dst_zone="LAN" con_direction="" con_event="Stop" con_id="1196815454" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the update on v20-GA build.

    Reg. 6/ and 7/: RA should handle IP prefix management, and the DHCPv6 server on the delegated interface should manage the other parameters (DNS settings, other DHCPv6 options, etc.). That's the reason it's not supported currently. Do you see a need where a customer is using DHCPv6-PD and also wants to manage stateful IPv6 addresses from the DHCPv6 server on the downstream interface?

    8/ - is it about static MAC-IP DHCPv6 leases, or are dynamic leases also not shown in the active leases table on the UI?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • We are looking into it. Will get back to you soon.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hello

    Upgraded yesterday v19.5 MR3 – Home to v20.0 GA – Home

    Backup emails have stopped working; no changes made.

    Notification settings – External email server

    • Test emails work

    Backup & restore – Email

    • Backup now – I get the green banner “Backup has been taken successfully”
    • When I check Win Server 2019 SMTP Logs
      • 2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 EHLO - +Sophos 250 0 198 11 0 SMTP - - - -
      • 2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 MAIL - +FROM:<x@x.x.x> 552 0 59 45 0 SMTP - - - -
      • 2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 RCPT - +TO:<x@x.x.x> 503 0 33 27 0 SMTP - - - -
      • 2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 DATA - - 503 0 0 4 0 SMTP - - - -
      • 2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 QUIT - Sophos 240 16 70 4 0 SMTP - - - -
    • It looks like no DATA is being passed to the SMTP server

    Regards

    Paul

    Hello,

    Thank you for the feedback.

    When you checked the SMTP logs on your Win Server 2019:

    'Have you not seen ANY SMTP traffic from SFOS?' or 'Were you getting empty emails from SFOS?' - please clarify.

    Could you please provide support access to your device via 1-1 PM, so that we can investigate it further?

    Regards,

    Saurabh Pandya 

  • Where can this be downloaded? Tried to follow the instructions. In Sophos Central all of our customers are blank in the Firewall Licensing section. Tried to claim the firewall with the correct serial number but it says it's already claimed.

  •  
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hello,

    The new v20 firmware will be gradually rolled out to all connected devices over the coming weeks. A notification will appear on your local device or Sophos Central management console when the update is available, allowing you to schedule the update at your convenience. Kindly refer to this post: Sophos Firewall v20 is Now Available

    However, you should be able to download the firmware directly from here: https://support.sophos.com/support/s/article/KB-000043162?language=en_US - just click the appropriate choice depending on whether you are on Hardware/Software or Virtual, and in the new window you should see it at the bottom of the list. If you decide to go this way, I'd recommend taking a backup of your configuration first.

    Have a nice day and thank you for choosing Sophos. 

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hello Saurabh

    When you checked logs on your Win Server 2019 , for SMTP logs

    'Have you not seen ANY SMTP traffic from SFOS?' or 'You were getting empty emails from SFOS?' - please clarify.

    • (Email Received) If I send a test email from SFOS it works, and I receive an email as expected. Header and body.
    • SMTP logs from test email
      • 2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 EHLO - +Sophos 250 0 198 11 0 SMTP - - - -
      • 2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 MAIL - +FROM:<x@x.x.x> 250 0 45 42 15 SMTP - - - -
      • 2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 RCPT - +TO:<x@x.x.x> 250 0 30 27 0 SMTP - - - -
      • 2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 DATA - <S19APP02IVRmHmvOvPk00000057@S19App02.x.x.x> 250 0 134 968 32 SMTP - - - -
      • 2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 QUIT - Sophos 240 47 70 4 0 SMTP - - - -


    • (No Email Received) I have a backup scheduled at 00:15 to email me the backup file. I don't receive an email.
    • (No Email Received) If I do Backup now, I get the green banner "Backup has been taken successfully". I don't receive an email.
    • SMTP logs from backup.
      • 2023-11-08 00:15:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 EHLO - +Sophos 250 0 198 11 0 SMTP - - - -
      • 2023-11-08 00:15:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 MAIL - +FROM:< x@x.x.x > 552 0 59 45 0 SMTP - - - -
      • 2023-11-08 00:15:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 RCPT - +TO:< x@x.x.x > 503 0 33 27 0 SMTP - - - -
      • 2023-11-08 00:15:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 DATA - - 503 0 0 4 0 SMTP - - - -
      • 2023-11-08 00:15:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 QUIT - Sophos 240 32 70 4 0 SMTP - - - -

    Please note the difference in the SMTP log text in red

    Regards

    Paul
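The two IIS SMTP sessions Paul posted (working test email vs. failing backup email) differ only in the reply codes, so the useful comparison is the command/reply transcript. The following is an added example, not code from the thread or from Sophos: it parses IIS SMTP log rows, builds the transcript for each session, and reports where the session broke. The field order is an assumption taken from the default IIS W3C extended log layout (verify it against the `#Fields:` header of your own log), and the reply-code descriptions are the RFC 5321 texts; the two sessions are the rows from the post above with the poster's own redacted mailbox names.

```python
# Field order of the default IIS W3C extended log (ASSUMPTION: confirm against
# the "#Fields:" header line at the top of your own log file).
IIS_W3C_FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version",
    "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]

# Reply texts from RFC 5321 for the codes seen in the two sessions.
RFC5321_REPLY = {
    250: "OK",
    503: "bad sequence of commands",
    552: "requested action aborted: exceeded storage allocation",
}

# Sessions copied from the post above (mailbox names already redacted by the poster).
TEST_EMAIL_SESSION = [
    "2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 EHLO - +Sophos 250 0 198 11 0 SMTP - - - -",
    "2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 MAIL - +FROM:<x@x.x.x> 250 0 45 42 15 SMTP - - - -",
    "2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 RCPT - +TO:<x@x.x.x> 250 0 30 27 0 SMTP - - - -",
    "2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 DATA - <S19APP02IVRmHmvOvPk00000057@S19App02.x.x.x> 250 0 134 968 32 SMTP - - - -",
    "2023-11-08 09:33:54 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 QUIT - Sophos 240 47 70 4 0 SMTP - - - -",
]
BACKUP_SESSION = [
    "2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 EHLO - +Sophos 250 0 198 11 0 SMTP - - - -",
    "2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 MAIL - +FROM:<x@x.x.x> 552 0 59 45 0 SMTP - - - -",
    "2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 RCPT - +TO:<x@x.x.x> 503 0 33 27 0 SMTP - - - -",
    "2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 DATA - - 503 0 0 4 0 SMTP - - - -",
    "2023-11-07 12:03:08 192.168.16.5 Sophos SMTPSVC1 S19APP02 192.168.16.86 0 QUIT - Sophos 240 16 70 4 0 SMTP - - - -",
]


def parse_iis_smtp_line(line):
    """Split one whitespace-delimited W3C row into a dict; sc-status becomes an int."""
    parts = line.split()
    if len(parts) != len(IIS_W3C_FIELDS):
        raise ValueError(f"expected {len(IIS_W3C_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(IIS_W3C_FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    return rec


def transcript(lines):
    """Ordered (SMTP command, reply code) pairs for one session."""
    return [(r["cs-method"], r["sc-status"]) for r in map(parse_iis_smtp_line, lines)]


def diagnose(lines):
    """Classify a session.

    Returns ("delivered", None) once DATA is accepted with 250,
    ("rejected", (command, code, rfc_text)) at the first permanent 5xx reply,
    or ("incomplete", None) if neither happened.
    """
    for cmd, code in transcript(lines):
        if cmd == "DATA" and code == 250:
            return ("delivered", None)
        if 500 <= code < 600:
            return ("rejected", (cmd, code, RFC5321_REPLY.get(code, "permanent failure")))
    return ("incomplete", None)


if __name__ == "__main__":
    for name, session in (("test email", TEST_EMAIL_SESSION), ("backup", BACKUP_SESSION)):
        print(f"{name:10s} {transcript(session)} -> {diagnose(session)}")
```

Run against the two sessions, the backup session is classified as rejected at `MAIL FROM` with 552, and the 503 replies on `RCPT` and `DATA` are simply the server refusing further commands after that rejection, which is why no message body ever reaches the server. Since 552 is defined in RFC 5321 as "exceeded storage allocation", one setting worth comparing on the IIS SMTP side is the configured message size limit against the size of the backup attachment; the thread itself does not identify the cause, so treat that as a check, not a finding.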

  • Hello,

    Thanks for sharing the feedback with us!

    We investigated the IPv6 hairpin NAT issue in our local environment and on your setup. The IPv6 loopback NAT functionality is working as expected, but the log viewer shows an incorrect IPv6 address in the "dst_trans_ip" field. This issue is also observed in v19.5 MR3 and is not related to v20 GA.

    We created a new product bug for this issue; it can be tracked by this ticket: NC-127532

    Regards,
    Bhrugu Patel
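Ian's two log lines earlier in the thread and Sophos's conclusion here (translation works, the log viewer's `dst_trans_ip` is wrong) are easiest to see by reading the translation fields programmatically. The following is an added example, not code from the thread or from Sophos: it parses SFOS `key="value"` log lines and reports two things about the NAT fields: whether `src_trans_ip`/`dst_trans_ip` are merely the original `dst_ip`/`src_ip` swapped (the pattern in the IPv6 line), and whether `dst_trans_ip` matches the server the hairpin DNAT should reach. The "mirrored" heuristic is my own, not a Sophos rule; the inputs are excerpts of Ian's lines trimmed to the fields the check reads, with the values unchanged.

```python
import ipaddress
import re

# One key="value" pair; an SFOS log line is a flat run of these.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Excerpts of the two lines posted by Ian (constructed by trimming to the
# relevant fields; values are as posted).
IPV6_HAIRPIN = (
    'log_type="Firewall" nat_rule_name="General NTP access" protocol="UDP" '
    'src_ip="2403:5814:8482:3201:100::4" dst_ip="2403:300:a08:3000::1f2" '
    'src_trans_ip="2403:300:a08:3000::1f2" dst_trans_ip="2403:5814:8482:3201:100::4"'
)
IPV4_HAIRPIN = (
    'log_type="Firewall" nat_rule_name="NTP access for LAN" protocol="UDP" '
    'src_ip="192.168.111.50" dst_ip="162.159.200.123" '
    'src_trans_ip="10.10.10.1" dst_trans_ip="10.10.10.5"'
)


def parse_sfos_log(line):
    """Parse one SFOS log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def as_ip(text):
    """Normalise an address so differently spelled IPv6 literals compare equal; None if not an IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_nat_translation(line, expected_dst_trans=None):
    """Describe what the NAT translation fields of one log line claim.

    mirrored     - src_trans_ip == dst_ip and dst_trans_ip == src_ip, i.e. the
                   translation columns only echo the original tuple reversed
                   (heuristic for a display/logging defect, not a Sophos rule)
    dst_trans_ok - dst_trans_ip equals the server the DNAT should deliver to
                   (None when no expectation was supplied)
    """
    rec = parse_sfos_log(line)
    src, dst = as_ip(rec.get("src_ip", "")), as_ip(rec.get("dst_ip", ""))
    s_tr, d_tr = as_ip(rec.get("src_trans_ip", "")), as_ip(rec.get("dst_trans_ip", ""))
    if None in (src, dst, s_tr, d_tr):
        raise ValueError("line lacks a complete src/dst/translation address tuple")
    mirrored = s_tr == dst and d_tr == src
    dst_ok = None if expected_dst_trans is None else d_tr == as_ip(expected_dst_trans)
    return {"nat_rule": rec.get("nat_rule_name"), "mirrored": mirrored, "dst_trans_ok": dst_ok}


if __name__ == "__main__":
    # Ian states the NTP server is 2403:5814:8482:3201:100::2.
    print(check_nat_translation(IPV6_HAIRPIN, "2403:5814:8482:3201:100::2"))
    print(check_nat_translation(IPV4_HAIRPIN))
```

On the IPv6 line the check reports `mirrored=True` and `dst_trans_ok=False`: the logged translation is just the original pair reversed rather than the NTP server, which is consistent with Sophos's finding that the traffic is translated correctly but the log viewer displays the wrong `dst_trans_ip`. The IPv4 line shows a real DNAT/SNAT pair (`mirrored=False`). Because the defect is in the log, not the data path, a packet capture on the LAN interface or the NTP server's own logs, not this field, is what confirms whether hairpin traffic actually arrives.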