Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR2: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR2 is Now Available    

The old V20.0 MR1 Post:  Sophos Firewall: v20.0 MR1: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Edited TAGs
[edited by: Erick Jan at 8:29 AM (GMT -7) on 23 Jul 2024]

  • We've just updated a not quite in production yet HA pair of XGS136s from MR1 to MR2. When the upgrade was complete, we didn't have internet access, so checked the rules and our second from the bottom "drop all with logging rule" had jumped up in the order to halfway up, blocking the allow internet rule. Additionally, other rules had moved out of folders. I'm sure support think I'm crazy, but it really happened :).

    I'm a bit concerned as our bigger models have hundreds of rules and a change in their order would be catastrophic!

    Support case 07472302.

  • This is interesting ... did Support have any luck determining the cause?

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • The devs have taken over the case from support and have been looking into it. No info from them yet.

    On our end, what appears to have happened is a single rule group was "lost" and all of the rules in the group were then ungrouped and ordered in numerical order, which meant our "drop all with logging" was suddenly above all of these rules. (Of course, the rule group that got lost was our generic network rules, e.g. DNS/DHCP/Internet.)

  • I would also be interested to know if there is any update on this. We have an XGS 136 too (not HA) and are now being offered MR2 (currently on MR1). Your post alarmed me when you said that you lost internet access as we normally apply these updates remotely via Sophos Central, but I now understand that you only lost internet access on the internal network due to the incorrect firewall rule order!

    Has everything else been ok with this update (after re-ordering the firewall rules)?
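A pre/post-upgrade comparison that would flag the change described in this thread (a rule group lost, its rules ungrouped, and a drop rule ending up above allow rules), as an added example that is not part of any post and not Sophos tooling. The rule tuples are constructed sample data, and how the ordered rule list is exported from the firewall is assumed and not shown.

```python
from itertools import combinations

# Constructed snapshots in top-to-bottom evaluation order:
# (rule_id, name, group, action). Not real exported firewall data.
BEFORE = [
    (3, "VPN to LAN", "VPN", "accept"),
    (7, "Allow DNS", "Network", "accept"),
    (8, "Allow DHCP", "Network", "accept"),
    (9, "Allow Internet", "Network", "accept"),
    (5, "Drop all with logging", None, "drop"),
    (1, "Default drop", None, "drop"),
]
AFTER = [  # "Network" group lost, its rules ungrouped and sorted by id
    (3, "VPN to LAN", "VPN", "accept"),
    (5, "Drop all with logging", None, "drop"),
    (7, "Allow DNS", None, "accept"),
    (8, "Allow DHCP", None, "accept"),
    (9, "Allow Internet", None, "accept"),
    (1, "Default drop", None, "drop"),
]

def compare_rule_order(before, after):
    """Report group loss and relative-order changes between two snapshots."""
    b = {r[0]: r for r in before}
    a = {r[0]: r for r in after}
    pos = {r[0]: i for i, r in enumerate(after)}
    common = [r[0] for r in before if r[0] in a]  # pre-upgrade order
    # A pair is inverted when x was evaluated before y and now comes after it.
    inversions = [(x, y) for x, y in combinations(common, 2) if pos[x] > pos[y]]
    groups = lambda rules: {r[2] for r in rules if r[2]}
    # Allow rules that now sit below a drop rule they used to precede.
    # Whether traffic is really blocked depends on the drop rule's match criteria.
    below = [b[x][1] for x, y in inversions
             if b[x][3] == "accept" and a[y][3] == "drop"]
    return {
        "missing": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "lost_groups": sorted(groups(before) - groups(after)),
        "ungrouped": [i for i in common if b[i][2] and a[i][2] is None],
        "inversions": inversions,
        "now_below_drop": list(dict.fromkeys(below)),
    }

if __name__ == "__main__":
    for key, value in compare_rule_order(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

Any non-empty `inversions` or `lost_groups` result after a firmware upgrade is a reason to review the rule table before returning the unit to production.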
