Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR2: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR2 is Now Available    

The old V20.0 MR1 Post:  Sophos Firewall: v20.0 MR1: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Edited TAGs
[edited by: Erick Jan at 8:29 AM (GMT -7) on 23 Jul 2024]

  • We've just updated a not quite in production yet HA pair of XGS136s from MR1 to MR2. When the upgrade was complete, we didn't have internet access, so checked the rules and our second from the bottom "drop all with logging rule" had jumped up in the order to halfway up, blocking the allow internet rule. Additionally, other rules had moved out of folders. I'm sure support think I'm crazy, but it really happened :).

    I'm a bit concerned as our bigger models have hundreds of rules and a change in their order would be catastrophic!

    Support case 07472302.
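
An added example, not part of the original post or of Sophos tooling: a pre/post-upgrade check for the failure described above, where a drop rule moves ahead of an allow rule and rules leave their folders. The `Rule` tuple and both snapshots are constructed assumptions (how the ordered rule list is exported from the firewall is not shown here); the same comparison can be run between the primary and auxiliary units of an HA pair.

```python
from typing import NamedTuple

class Rule(NamedTuple):      # hypothetical record, one per firewall rule
    name: str
    group: str               # folder the rule sits in ("" = none)
    action: str              # "accept" or "drop"

def order_regressions(before, after):
    """Compare two ordered snapshots (index 0 = evaluated first)."""
    pos_b = {r.name: i for i, r in enumerate(before)}
    pos_a = {r.name: i for i, r in enumerate(after)}
    grp_b = {r.name: r.group for r in before}
    findings = {
        # rules that existed before and are gone afterwards
        "missing": [r.name for r in before if r.name not in pos_a],
        # rules whose folder changed
        "regrouped": [r.name for r in after
                      if r.name in grp_b and grp_b[r.name] != r.group],
        "shadowed": [],
    }
    common = [r for r in after if r.name in pos_b]
    drops = [r for r in common if r.action == "drop"]
    accepts = [r for r in common if r.action == "accept"]
    # A drop rule that used to sit below an accept rule but now sits above it
    # may block traffic the accept rule was meant to pass.
    for d in drops:
        for a in accepts:
            if pos_b[d.name] > pos_b[a.name] and pos_a[d.name] < pos_a[a.name]:
                findings["shadowed"].append((a.name, d.name))
    return findings

# Constructed sample snapshots, modelled on the symptoms in the post.
BEFORE = [
    Rule("Allow DNS", "Infrastructure", "accept"),
    Rule("Allow Mail", "Servers", "accept"),
    Rule("Allow Internet", "Users", "accept"),
    Rule("Drop all with logging", "", "drop"),
    Rule("Default drop", "", "drop"),
]
AFTER = [
    Rule("Allow DNS", "Infrastructure", "accept"),
    Rule("Allow Mail", "", "accept"),            # fell out of its folder
    Rule("Drop all with logging", "", "drop"),   # jumped above the allow rule
    Rule("Allow Internet", "Users", "accept"),
    Rule("Default drop", "", "drop"),
]

if __name__ == "__main__":
    for kind, items in order_regressions(BEFORE, AFTER).items():
        print(kind, items)
```
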

  • Hello Community,

    The latest update in the ticket found "An inconsistency in the synchronization of firewall operations within the HA pair, potentially leading to the issue. The initial findings reveal that the position numbers associated with adding a firewall rule differ between primary and auxiliary setups".

    DEV will keep working on finding the RCA.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  •   Thanks for the update. Will you share more information about the RCA when available? It sounds like this only affects HA setups but it would be good to have this confirmed.

      How has the update been so far on your XGS 136 units (other than this)?

  • Thanks for the info.  That would be a showstopper for my customers in production, so looking forward to the RCA and also the version in which the issue is patched if it is a bug.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I want to highlight - This is not a general issue within the Update and had no relationship with V20.0 MR2.
    Apparently the issue was there before the update. DEV is looking into this in more detail for this race condition, but this is not seen on any other installation (as you can see, nobody reported it yet).


  • FWIW, I know I have at least one customer that lost custom WAF settings (the fix for the file size limit, for example) after an HA failover recently.  I think they were on v20MR1... so maybe it's a broader issue as you said.

    CTO, Convergent Information Security Solutions, LLC


  • Only the database change in terms of the KIL item? Do you have a support case for this situation? 


  • No support case, but have seen it more than once. Also after some firmware updates. We just fix it for the customer and move on. Sounds like the issue that was in the KIL for country blocking rules disappearing for WAF after failovers.

    CTO, Convergent Information Security Solutions, LLC


  • We had one situation, where the WAF in particular lost configuration after an Upgrade. It is essentially unrelated to a particular Firmware Update and will be fixed in the next version: NC-136560: WAF auth template files disappeared after upgrading to v20 MR1

    This issue, we addressed based on feedback from the MR1 Update, as we found the issue there. 

    Generally speaking, issues are picked up here from the community and being analysed on a case by case situation.

    I just want to make sure, there is no "V20.0 MR2 breaks the Firewall order for HA Clusters" claim in this thread, as this is (right now) an unlikely situation and seems to be related to the particular cluster and not being related to V20.0 MR2 at all.

    Customers and Partners review this thread - So information here needs to be filtered and categorized for likelihood of occurrence. 
     
