Sophos Firewall: v21.0 GA: Feedback and experiences

Release Post:  Sophos Firewall v21 is Now Available 

Release Notes: docs.sophos.com/.../sf_210_rn.html

Early Access EAP Thread:  Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread) 

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.   

Only XGS Hardware is supported - Not XG/SG Hardware. Sophos Home is excluded, as it uses Software, which is supported. 

Firmware update from the CM will be available after the firmware is available to all. Please refer to the standard update process.

Firmware update on Sophos firewall requires a valid support subscription (of any type - paid or trial) after the first 3 free firmware updates.

  • Installed on my VM XG and performed a restore from the XG115W backup. The password was not recognised even though I have used the backups to perform restores on the XG115W. Reset the XG115W password and the restore on the VM XG went smoothly. 

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Thanks for reaching out.

    We wanted to confirm if this happened on your Sophos Firewall after upgrading to v21 GA? Or are you unable to access Sophos Community from China even though you are not behind a Sophos Firewall? If it is, you may want to open a new thread here instead: Community Chat, as this thread is designated for concerns encountered and feedback for SFOS v21.

    If we miss any context of your post please feel free to add and elaborate details. Thank you

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I have updated my KVM and SW firewalls so far and all fine
    No issues - progress runs smoothly

    KVM v21GA
    SW v21GA with SD-RED 20

    Expert-Zone.Net IT Consulting
    Neuenhofer Weg 23 • D-52074 Aachen

  • Great Update - upgrade from EAP went through smoothly. Good to see Interface-Naming was updated in GA to get rid of "#PortX" only in dropdown menus.

    Two things I noticed within WAF-Rules: there's this new popup/tooltip when selecting certificate:

    • it's not translated (at least in German)
    • the first hint regarding certificate naming is useless at this point as you do not define or change its name here
      (this should be located in the certificate menu instead of WAF and include more details on which special chars are allowed and which are not)

  • Hello,

    Point well taken. We shall approach the team and we will review and let you know if this is feasible or not.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • The EAP worked well and the GM update installed smoothly. The new, dynamic Control Center is really coming into its own. Have been trying third-party block feeds, though they haven't hit anything that Sophos doesn't already hit. (Which is ultimately a good thing.) I even noticed that the Messages no longer shows those info notifications (being under Sophos Central, VPN controls have moved) that we could never eliminate.

    Now that the XGS effort is behind you, it feels like you're making solid progress with each release, and working off the backlog of requests like Let's Encrypt.

    (My only disappointment is that the way port 8090 access works evidently means we can't use Let's Encrypt for web-block interactions on our Guest networks. Which would be super-useful for, well, guests who won't have our CA certificate installed on their machines. Hopefully this can be straightened out at some point in the future. I've submitted it as a suggestion from the firewall.)

  • I added the FireHOL L3 (IP address) threat feed and am finally getting blocks. (URLHaus URLs don't seem to give blocks beyond Sophos built-in. Which is fine: I think the Sophos list does a great job.) Two things I notice about third-party threat feeds:

    1. Their block seems to happen up front, before the Appliance Access blocking? I'm noticing hits from outside IPs there, not to outside IPs. My theory is that these used to show up as Appliance Access and were dropped -- those are fairly common -- but now some of them correspond to FireHOL IPs and so are classified there first. Not a problem, though I had to turn off email notifications because that happens so often.

    2. With a lowly XGS87, there's no room for on-device logging so I depend on Sophos Central and third-party hits are classified in SC as access to remote beacons. I think they should be identified more like "FireHOL_L3 IP address" or "URLHaus URL address" or something not so disturbing.

  • Thank you for the feedback about the third-party threat feed feature.

    Would it be possible to share log viewer snippets of the traffic which is being blocked?

    Could you please confirm whether destination IP (in blocked traffic) is one of the appliance IPs or different?

    Regarding the Sophos Central wrong classification, could you please share a screenshot?

    If you can share appliance access details via PM, it would help us to look from our end as well.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • The new alphabetical (but not alpha-numerical?) interface-name-order does not feel very natural?
    I'd expect "P1 XXX" before "P3 XXX"? - like Excel would sort a table ;)

  • It’s unfortunate that Entra ID support for SSL VPN has not yet been introduced, especially after several years of anticipation. It was expected with Version 20, and there’s been no indication of it in the Version 21 release either. The rationale about needing to lay the groundwork for Entra ID in earlier versions no longer seems valid. It seems like there may be a lack of resources dedicated to developing the Sophos Connect Client as Sophos is prioritizing its ZTNA product.