Sophos Firewall: v21.0 GA: Feedback and experiences

Question

Release Post: Sophos Firewall v21 is Now Available 
 Release Notes: docs.sophos.com/.../sf_210_rn.html 
 Early Access EAP Thread: Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread) 
 To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 
 Only XGS Hardware is supported - Not XG/SG Hardware. Sophos Home is excluded, as it uses Software, which is supported. 
 Firmware update from the CM will be available after the firmware is available to all. Please refer to the standard update process . 
 Firmware update on Sophos firewall requires a valid support subscription (of any type - paid or trial) after the first 3 free firmware updates.

Jubin · Accepted Answer

This problem occurs when any interface display name (logical or physical) contains more than 10 digits at the end of the name. Example PortLAN_12345678912 or VLAN1025_LAN_12345678912. There is no functional impact only a display issue. 
 
 Quick workaround 
 Select Export of Configuration: 
 
 Navigate to Backup and Firmware > Import/Export > Export Selective Configuration. 
 Choose Interface and VLAN to export 
 
 Open the Exported File: 
 
 Open the exported file in your preferred text editor. 
 
 Modify Display Name: 
 
 If the interface display name has numeric digits as a suffix (for example VLAN1050_1234567891), ensure that the total number of digits is 9 or fewer. 
 
 Save Changes: 
 
 Save the modified file. 
 
 Compress the File: 
 
 Compress the file into a .tar format. 
 
 Import to Firewall: 
 
 Import the compressed file back into the firewall.

LuCar Toni · Answer

We talked about this in the past, and decided not to implement it. Just out of curiosity, why would you like to have a publicly signed cert here? 
 We decided not to do it, as the process of renewing certs is much higher compared to the benefit. As self-signed certificates still considered secure (and why would they not?) there is no real benefit of switching it.

Jubin · Answer

Hi Stephen BabuJohnson 
 In version 21, we upgraded the Postgres database to a newer version. As a result, version 21 temporarily operates with the old and new databases. 
 Before the upgrade : Reports created are stored in the old database. 
 After the upgrade : Any new reports generated post-upgrade are stored in the new database. 
 Please refer help for more details: https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Reports/index.html#reports-behavior

Jubin · Answer

Hi Dev Singh , 
 Entra ID support for SSL VPN is a top priority, and our engineering team is actively working on it. We're aiming to include this feature in a future version of SFOS.

mas0384 · Answer

FFin the VLANs are not removed - they're just hidden / not visible in GUI.

Kavan Modi · Answer

FFin , 
 In v21, we have resolved the issue with lexicographical ordering of interfaces. Previously, for interfaces like Port1, Port2...Port10, Port10 would incorrectly appear next to Port1, resulting in an order like Port1, Port10, Port2, and so on. This has now been fixed. 
 Additionally, based on feedback from various users, we&rsquo;ve adjusted the interface ordering to be alphabetical, with numeric values considered only when they appear at the end of the interface name. For example, PLANInter1, PLANInter2, and PWAN3 will now appear in both alphabetical and numerical order. If a number appears within the name, only the letters before the number are considered for ordering. For example, in "P2 LAN Inter," only the letter 'P' is considered for sorting, and the rest is ignored. 
 Considering both numbers and letters that appear anywhere in the name would make the sorting more complex, and the lexicographical issue would persist. This was a design choice we had to make. 
 In the future, we aim to further improve this and provide users with the option to customize how interfaces are ordered.

mas0384 · Answer

Hi LuCar Toni , thanks for your reply. 
 I heard from the support that its a problem when VLANs have more than 9 Characters. So thats why we have the problem on every device ;-) 
 Could you please explain what a "KIL" is? 
 Is it possible to have NC-144474 in the Known Issues list?

kerobra · Answer

Turned out ro be a misconfiguration issue (system-generated traffic SNAT) that was forgotten when switching from VPN-connected firewalls to MPLS-connected firewalls. Big thanks to sanket.shah for helping me by DMs!

Sophos Firewall: v21.0 GA: Feedback and experiences

Top Replies