Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR1 is Now Available 

The old V20.0 GA Post:  Sophos Firewall: v20.0 GA: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Adding
[bearbeitet von: LuCar Toni um 10:50 AM (GMT -7) am 16 May 2024]
Parents Reply Children
  • Thank you    for reporting this.

    We have identified the root cause, workaround, and resolution.

    Root cause summary:  

    DHCP Boot Options Next-server configuration cannot take URL value (as per RFC 2131). The validation for the URL is missing in v20 MR1. When URL is present in DHCP Boot Options Next-server config, the DHCP service fails to start.

     Workaround: Please remove URL config from the DHCP Boot Option Next server configuration (DHCP server  > Boot Options > Next-server).

    Resolution:  We will soon release a hotfix to resolve this/prevent it from happening. And also fix this in the immediate next maintenance release.

    Root cause details:  

    Till 20.0 GA and earlier versions, Boot Option configures DHCP options 66 and 67 internally and did NOT consider Next-server and boot file configurations.

    In 20.0 MR1 and later versions, these settings configure the DHCP Boot Options Next-server and Boot file option available in the DHPC header. 

    During Migration, if DHCP Boot options Next-server and Bootfile are configured, then when migrating to 20 MR1, SFOS retained the configuration for both DHCP Boot options (Next-server and Boot file) and DHCP options 66 and 67. Additionally, DHCP options 66 and 67 was populated by the firewall (internally) will be made visible on UI under the DHCP option section.

    The next-server option only support IP address and domain. URL values are not supported (as per RFC 2131), however, the URL value validation has been missing which caused the DHCP service to fail.

    Thank you for your understanding and patience as we work to resolve this issue.  

    Sophos Team

  • what exactly do you mean with URL? did the customer enter a FQDN or a http/file link?

    FQDN should be supported

  • In this scenario, there was an actual URL (httpx//server/file) within the Next-Server part (copied by the migration). 
    And the RFC explicitly says, next-Server are only support an IP or FQDN. 

    __________________________________________________________________________________________________________________

  • How can we be sure that the fix is installed? We face the same problem. See #07363204

  • yes but it seems that it isn't... our server link is something like server.domain.local:9200/.../. As soon as you enter it the dhcpd is gone...

  • Hi  

    Can you please provide a support access ID in a PM so that we can take a look at your system?

  • Doesn't work on our site at the moment with a FQDN http URL. dhcpd is down immediately after saving...

  • Current answer via 07363204 is:

    - We currently have NC-131042 reported and no fix version is yet to be tagged
    - Workaround is available on the community post as well

    What does the hotfix do?

    How can we add server.domain.local:9200/.../ at the moment?

    And we have the problem that several clients flood our dhcp log with renewals after some seconds or minutes.

  • Thank you  for sharing the support access.

    The hotfix is applied successfully on the device shared.

    The hotfix is applied successfully, if the file "/static/v20.0.1_LOCAL_ACL_n_DHCP_BOOT_OPT_HF" is present on the system.

    Looking into the device, I think, the DHCP service was not dead on the firmware upgrade as there was no URL configured in the next-server option before migration. I think you are trying to configure URL from the GUI and observing DHCP service dead.

    The aim of the hotfix was to prevent the DHCP server dead and network outage if URL was configured on the firmware upgrade operation. 

    The validation is not implemented with the hotfix to prevent the URL configuration for next-server option. The validation implementation is planed for future.

    In summary, DHCP service will continue working post firmware upgrade if URL is configured for next-server option and if DHCP server is created/updated with URL (invalid value) configured for next-server option then DHCP service will observe dead.