Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR1 is Now Available 

The old V20.0 GA Post:  Sophos Firewall: v20.0 GA: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Prio Change
[edited by: LuCar Toni at 4:40 PM (GMT -7) on 23 Sep 2024]
  • things that still need fixing and were indicated would more than likely be in MR-1

    1/. disable local wifi

    2/. DHCP in the DHCP-PD

    3/. IPv6 DHCP fields still fixed width and the data not readily accessible.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Fixes are in like: 

    DHCP enhancements

    • IPv6 DHCP prefix delegation: The firewall requests the preferred prefix from the ISP each time you update the interface configuration or when the firewall restarts.
    • DHCP lease time: DHCP clients will make renewal requests at 30 seconds if the lease interval's half-time is 30 seconds or less, ensuring continuous WAN connectivity.

    More to be addressed in the future as well. 

    __________________________________________________________________________________________________________________

  • The global option "Compress SSL VPN traffic" is now removed in webadmin.
    And not available within ssl-profiles. Does this mean, new openvpn server in SFOS will accept compressed and uncompressed connections?

    As there's nothing mentioned in the release notes about that OpenVPN Android/iOS problem, I was wondering how this is "fixed"?

  • You can select in VPN Portal, what device you use: 

    __________________________________________________________________________________________________________________

  • So to fix affected android/ios OpenVPN Clients, those users will need to redownload config?
    And all other (Windows) OpenVPN Users will remain untouched without need to change any settings on SFOS?

    Will there be an update within Sophos Firewall: Temporary Fix OpenVPN (3.4.0) No Compression (Android Devices) - Recommended Reads - Sophos Firewall - Sophos Community what to do after upgrading to MR1?

  • Updated my home-appliance from v20.0 GA - after the update I can't establish either an IPsec or SSL-VPN connection with duo-push. Password is accepted and duo will trigger a push and after acceptance of the push, with the following error:

    2024-05-15 10:22:56AM [2528] inf Starting Sophos Sophos Connect version 2.2.90.1104
    2024-05-15 10:22:56AM [2528] dbg Initializing protected storage
    2024-05-15 10:22:56AM [2528] inf Logged on user is *USER*
    2024-05-15 10:22:56AM [2528] dbg Starting the auto-importer
    2024-05-15 10:22:56AM [2528] inf Initializing strongSwan
    2024-05-15 10:23:01AM [2528] dbg strongSwan version 5.9.5 has been started
    2024-05-15 10:23:01AM [2528] inf Initializing open vpn service
    2024-05-15 10:23:04AM [2528] dbg Starting the communications module
    2024-05-15 10:23:04AM [2528] dbg Starting HTTP server on 127.0.0.1:60110
    2024-05-15 10:23:04AM [2528] inf Sophos Connect started
    2024-05-15 10:23:09AM [21524] dbg Sending telemetry data to sftelemetry.sophos.com:443
    2024-05-15 10:23:12AM [23992] dbg *TARGET* VPN state changed to connecting
    2024-05-15 10:23:12AM [23992] dbg Starting tunnel (connecting)
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *TARGET* 9443
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *TARGET* 9443 tcp-client
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *IP-NET-1* 9443 tcp-client
    2024-05-15 10:23:12AM [23992] inf Remote added to list: *IP-NET-2* 9443 tcp-client
    2024-05-15 10:23:15AM [23992] dbg Tunnel initiated to *TARGET* 9443
    2024-05-15 10:23:17AM [18508] dbg *TARGET* user authentication failed - clearing any stored credentials
    2024-05-15 10:23:17AM [18508] dbg *TARGET* VPN state changed to disconnected
    2024-05-15 10:23:17AM [18508] dbg Sending notification: User authentication failed. Please try again
    2024-05-15 10:23:17AM [23992] dbg Tunnel is stopped
    2024-05-15 10:23:17AM [18508] dbg received exiting event
    2024-05-15 10:23:22AM [7964] dbg Handling request for file type 2
    2024-05-15 10:23:22AM [7964] dbg Sending file 'openvpn.log' from 'C:\Program Files (x86)\Sophos\Connect\openvpn.log'

    Will troubleshoot when I get home

    EDIT: log is from scvpn.log

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 20.0 MR 1

    If a post solves your question please use the 'Verify Answer' button.

  • Essentially it offers different configs, based on the needs of your device. But it is the same cert.
    If it worked with the fix above, then they will still work. If you have the problem now, you download the correct config. 

    __________________________________________________________________________________________________________________

  • And the removed "Compress SSL VPN traffic" is no longer needed at all?
    Will SSL-VPN-Traffic be compressed by default? or not? ...or "adaptive"?

  • Compression was dropped from SSLVPN configs going forward. You can find more information here: https://community.openvpn.net/openvpn/wiki/Compression 

    __________________________________________________________________________________________________________________
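To see whether a client profile downloaded before the upgrade still carries compression settings, the profile can be checked for OpenVPN's `comp-lzo` and `compress` directives. The following is an added example, not part of the thread and not Sophos code; the sample profiles and the host name `vpn.example.test` are constructed, and the function names are hypothetical.

```python
# Added example: flag compression-related directives in an OpenVPN client profile.
ACTIVE_ALGOS = {"lzo", "lz4", "lz4-v2"}  # algorithms that actually compress data

def classify(name, args):
    """Return 'compresses', 'framing-only', or None for one directive."""
    first = args[0].lower() if args else ""
    if name == "comp-lzo":
        # Bare comp-lzo is adaptive compression; "no" keeps only the framing.
        return "framing-only" if first == "no" else "compresses"
    if name == "compress":
        # No algorithm, or a stub algorithm, leaves framing without compression.
        return "compresses" if first in ACTIVE_ALGOS else "framing-only"
    return None

def audit_profile(text):
    """Return [(line_no, directive, verdict)] for compression directives."""
    findings, in_inline = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("</"):      # end of an inline block such as </ca>
            in_inline = False
            continue
        if line.startswith("<"):       # start of an inline block such as <ca>
            in_inline = True
            continue
        if in_inline or not line or line[0] in "#;":
            continue                   # skip embedded material and comments
        name, *args = line.split()
        verdict = classify(name.lower(), args)
        if verdict:
            findings.append((no, line, verdict))
    return findings

# Constructed sample profiles (not taken from a real firewall).
LEGACY = "\n".join([
    "client", "dev tun", "proto tcp", "remote vpn.example.test 9443",
    "# comp-lzo yes", "comp-lzo no",
    "<ca>", "(certificate placeholder)", "</ca>",
])
CURRENT = "\n".join(["client", "dev tun", "proto tcp",
                     "remote vpn.example.test 9443"])

if __name__ == "__main__":
    for label, profile in (("legacy", LEGACY), ("current", CURRENT)):
        print(label, audit_profile(profile) or "no compression directives")
```

A `framing-only` result means the profile does not compress data but still expects the compression framing, so it only works against a server configured with matching framing.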

  • Thank you for the information.

    This is what was supposed to be activated in MR-1.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.