Sophos Firewall: v20.0 MR2: Feedback and experiences

Question

Release Post: Sophos Firewall OS v20 MR2 is Now Available 
 The old V20.0 MR1 Post: Sophos Firewall: v20.0 MR1: Feedback and experiences 
 To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 
 Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 
 
 Important Note on EOL Sophos RED Support: 
 The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50

Jubin · Accepted Answer

Jubin · Answer

Hi FFin ,

You can change the physical interface, and all VLAN interfaces created on that interface will be moved to another port.

Yes, you can restore a backup on the same device and swap the port. Assistant will be presented even if you're restoring same device backup.

Same as above.

FYI - we have highlighted in the video - please check out - techvids.sophos.com/.../yYcJQzaQN3Z7vyYyakoL4R

PMParth · Answer

v20 MR2 includes New Backup Restore Assistant, Active Directory SSO Improvements, and Web Protection Optimizations 
 As this is a Maintenance Release (= MR), in addition to the enhancements, it resolves 45+ issues around performance, reliability, stability and security fixes. JIRA Reference and Issue details are available in the Release Notes -> Resolved Issues section (Refer the screen shot below)

Dirk van der Merwe · Answer

Hi Dev Singh / BrucekConvergent 
 Let me clarify this since I worked on the issue. 
 The issue arises when the network driver fails to allocate a new buffer for network traffic; it was designed to retry this operation, but due to a bug, this mechanism didn't operate as intended and ultimately the driver will become starved of incoming and outgoing buffers. 
 This is not a regression with SFOS v20 MR2 and it is not specific to PPPoE either, but it will depend on the memory profile of your configuration and traffic patterns. 
 An RMA will not help, this is a software issue only. 
 As suggested by LuCar Toni , the fix is already available in v21 (in EAP at the moment) and v20 MR3 (not yet released). However, if this is a significant issue for you, please log a support ticket, and we can apply a pre-fix manually to your system. 
 I hope this information helps. 
 Best regards

LuCar Toni · Answer

There is no release note to indicate that SSLVPN now supports EntraID. This is on the roadmap for the future releases (primarily major releases).

LuCar Toni · Answer

HSTS was addressed (if the client tries to reach port 8091 on https) and the HA sync of kerberos. most Kerberos situation are caused by the client not being correctly configured. For example the firewall fqdn is not setup as a trusted site.

LuCar Toni · Answer

The bottom line is: the Kerberos implementation is similar to the UTM one. It is just for some setups different, as SFOS in most setups is not the direct proxy / like in UTM in most cases was. 
 Those fixes here are not helping for initial setups. Customers using SFOS as a direct proxy should not have much problems for Kerberos in the first place. For transparent proxy, you need to be careful with the internet proxy settings on the client. One fix is about customer using HSTS for the proxy and this breaks the authentication in SFOS.

rfcat_vk · Answer

Thie issue has been resolved by the RSP even after advising me that nothing was wrong at their end.. Thank you to Sanket Shah and team for their assistance in resolving the issue. 
 Ian

Mayur Makvana · Answer

Hello apijnappels 
 You may review the complete guide under below: 
 docs.sophos.com/.../index.html

FFin · Answer

What does &bdquo;nothing happened&ldquo; mean? MR2 showed up in Central for upgrade and you scheduled there? Or opening WebAdmin through central and uploading firmware-file there failed? - if that&lsquo;s that&rsquo;s the case I think LuCar Toni said before that&lsquo;s not recommended. Manual upload should use direct WebAdmin access.

Mayur Makvana · Answer

Hello, 
 You may refer 
 community.sophos.com/.../firewall-dhcp-relay-stops-working-until-you-delete-an-recreate-a-random-dhcp-relay-object

LuCar Toni · Answer

Based on the different personas, you can argue of both situations. 
 As mentioned earlier: The "default drop rule" is an cosmetic item to showcase what happen, if there is no firewall rule. If you need logging, you need your own firewall rule. 
 For Partners/power users of SFOS, it would be also useful to think about XML Import/Export and/or Backup/Restore scenarios, to reduce the amount of configuration needed per firewall. 
 This thread is also to reflect the particular Release. Discussing something, which is documented in this thread is maybe not the best solution, as it will blow up this thread and people looking for MR2 feedback have to read more feedback about SFOS since V18.0.

LuCar Toni · Answer

I want to highlight - This is not a general issue within the Update and had no relationship with V20.0 MR2.
Apparently the issue was there before the update. DEV is looking into this in more details for this race condition, but this is not seen on any other installation (as you can see, nobody reported it yet).

LuCar Toni · Answer

We had one situation, where the WAF in particular lost configuration after an Upgrade. It is essentially unrelated to a particular Firmware Update and will be fixed in the next version: NC-136560: WAF auth template files disappeared after upgrading to v20 MR1 
 This issue, we addressed based on feedback from the MR1 Update, as we found the issue there. 
 Generally speaking, issues are picked up here from the community and being analysed on a case by case situation. 
 I just want to make sure, there is no "V20.0 MR2 breaks the Firewall order for HA Clusters" claim in this thread, as this is (right now) a unlikely situation and seems to be related to the particular cluster and not being related to V20.0 MR2 at all. 
 Customers and Partners review this thread - So information here needs to be filtered and categorized for likelihood of occurrence.

emmosophos · Answer

Hello Community, 
 The latest update in the ticket found "An inconsistency in the synchronization of firewall operations within the HA pair, potentially leading to the issue. The initial findings reveal that the position numbers associated with adding a firewall rule differ between primary and auxiliary setups". 
 DEV will keep working on finding the RCA. 
 Regards,

emmosophos · Answer

Hello Community, 
 This question is addressed in the following link: IPv6 PD and v20.0.2 MR-2 
 Regards,

Sophos Firewall: v20.0 MR2: Feedback and experiences

Important Note on EOL Sophos RED Support:

Top Replies