Sophos Firewall: v21.0 GA: Feedback and experiences

Release Post: Sophos Firewall v21 is Now Available

Release Notes: docs.sophos.com/.../sf_210_rn.html

Early Access EAP Thread: Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.   

Only XGS Hardware is supported - Not XG/SG Hardware. Sophos Home is excluded, as it uses Software, which is supported. 

Firmware update from the CM will be available after the firmware is available to all. Please refer to the standard update process.

Firmware update on Sophos firewall requires a valid support subscription (of any type - paid or trial) after the first 3 free firmware updates.

  • I added the FireHOL L3 threat (IP address) threat feed and am finally getting blocks. (URLHaus URLs don't seem to give blocks beyond Sophos built-in. Which is fine: I think the Sophos list does a great job.) Two things I notice about third-party threat feeds:

    1. Their block seems to happen up front, before the Appliance Access blocking? I'm noticing hits from outside IPs there, not to outside IPs. My theory is that these used to show up as Appliance Access and were dropped -- those are fairly common -- but now some of them correspond to FireHOL IPs and so are classified there first. Not a problem, though I had to turn off email notifications because that happens so often.

    2. With a lowly XGS87, there's no room for on-device logging so I depend on Sophos Central and third-party hits are classified in SC as access to remote beacons. I think they should be identified more like "FireHOL_L3 IP address" or "URLHaus URL address" or something not so disturbing.
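A small triage helper for the observation above (feed hits arriving from outside IPs rather than going to them), added here as an example and not code from Sophos or from this thread. It assumes a FireHOL-style netset (one IP or CIDR per line, `#` comments) and uses constructed feed ranges, constructed appliance addresses and constructed log lines in a simplified key=value shape, not the real firehol_level3 list or the SFOS log format.

```python
import ipaddress
from collections import Counter

# Constructed sample netset in FireHOL's one-entry-per-line format.
# Documentation ranges only; this is not the real firehol_level3 list.
FEED_SAMPLE = """
# constructed sample feed
198.51.100.0/24
203.0.113.7
"""

# Constructed appliance (WAN/LAN) addresses of the firewall in this example.
APPLIANCE_IPS = {"192.0.2.10", "10.0.0.1"}

# Constructed log lines in a simplified key=value shape (not SFOS's format).
SAMPLE_LOG = [
    "src=198.51.100.25 dst=192.0.2.10 action=drop",   # inbound, hits the WAN IP
    "src=10.0.0.55 dst=203.0.113.7 action=drop",      # outbound to a feed IP
    "src=10.0.0.55 dst=8.8.8.8 action=allow",         # no feed match at all
    "src=203.0.113.7 dst=10.0.0.1 action=drop",       # inbound, hits the LAN IP
]

def load_netset(text):
    """Parse a netset: skip blank lines and '#' comments, keep IPs and CIDRs."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def in_feed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def classify(line, nets, appliance_ips):
    """Say whether a feed hit is inbound to the appliance or outbound from it."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if in_feed(fields["src"], nets):
        target = "appliance" if fields["dst"] in appliance_ips else "host"
        return f"inbound_feed_to_{target}"
    if in_feed(fields["dst"], nets):
        return "outbound_to_feed"
    return "no_feed_match"

def triage(log_lines, feed_text, appliance_ips):
    """Classify every line and count how the feed hits split by direction."""
    nets = load_netset(feed_text)
    labels = [classify(line, nets, appliance_ips) for line in log_lines]
    return labels, Counter(labels)
```

If most hits land in the inbound_feed_to_appliance bucket, they are the same unsolicited connections the appliance access rules would have dropped anyway, only now reported under the feed.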

  • Thank you for the feedback about the third-party threat feed feature.

    Would it be possible to share log viewer snippets of the traffic which is being blocked?

    Could you please confirm whether destination IP (in blocked traffic) is one of the appliance IPs or different?

    Reg. Sophos Central wrong classification, could you please share screenshot?

    If you can share appliance access details via PM, it would help us to look from our end as well.

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall