Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR2: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR2 is Now Available    

The old V20.0 MR1 Post:  Sophos Firewall: v20.0 MR1: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Edited TAGs
[edited by: Erick Jan at 8:29 AM (GMT -7) on 23 Jul 2024]

Top Replies

  • Hi, this morning my network connection speed was changed and a static IPv4 address applied. I now have a 250/100 connection, all very good eventually. The issue that has arisen is that IPv6 PD no longer works, and to use IPv6 I had to enable the default IPv6 SNAT rule. Until the network change this morning IPv6 PD was working and I did not need a SNAT for IPv6 traffic.

    I have not restarted the XG115W after this morning's changes.

    So in summary, there appears to be a bug in the IPv6 PD implementation.

    Ian

    Update: The network termination device was not restarted during the upgrade to v20.0.2 MR-2, only the XG115W.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Hello Community,

    The latest update in the ticket found "An inconsistency in the synchronization of firewall operations within the HA pair, potentially leading to the issue. The initial findings reveal that the position numbers associated with adding a firewall rule differ between primary and auxiliary setups".

    DEV will keep working on finding the RCA.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Ian,

    In general, DHCPv6-PD shouldn't have any relation to the SNAT rule.

    SNAT rules come into the picture for normal IPv6 traffic once the client gets an IPv6 address, either statically or dynamically.

    Could you please share access id over PM?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  •   Thanks for the update. Will you share more information about the RCA when available? It sounds like this only affects HA setups but it would be good to have this confirmed.

      How has the update been so far on your XGS 136 units (other than this)?

  • Thanks for the info.  That would be a showstopper for my customers in production, so looking forward to the RCA and also the version in which the issue is patched if it is a bug.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • I want to highlight: this is not a general issue within the update and has no relationship with V20.0 MR2.
    Apparently the issue was there before the update. DEV is looking into this race condition in more detail, but this is not seen on any other installation (as you can see, nobody has reported it yet).


  • FWIW, I know I have at least one customer that lost custom WAF settings (the fix for the file size limit, for example) after an HA failover recently.  I think they were on v20MR1... so maybe it's a broader issue as you said.


  • Only the database change in terms of the KIL item? Do you have a support case for this situation? 


  • No support case, but have seen it more than once, also after some firmware updates.  We just fix it for the customer and move on.  Sounds like the issue that was in the KIL for country blocking rules disappearing for WAF after failovers.


  • Hi,

    We are facing a new problem with SSL dial-in connections with SFOS 20.0.2 MR-2-Build378.

    After the update to SFOS 20.0.2, users are increasingly complaining about disconnections.
    We see in the log that the users dial in again, although the old connection still exists.

    According to initial observations, this mainly affects users with the Sophos Connect Client 2.3.1.
    Users of the Open VPN Gui in various versions have currently not reported any incidents.

    Both firewalls (with more than 100 VPN users) have been running very well so far.
    We have of course checked the key lifetime; this is not the reason!

    Has anyone else had the same experience?

    BR Gerd