Sophos Firewall: v21.0 GA: Feedback and experiences

Release Post: Sophos Firewall v21 is Now Available

Release Notes: docs.sophos.com/.../sf_210_rn.html

Early Access EAP Thread: Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)

To make the tracking of issues / feedback easier: please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue.

Only XGS hardware is supported, not XG/SG hardware. Sophos Home is excluded, as it uses software, which is supported.

Firmware update from the CM will be available after the firmware is available to all. Please refer to the standard update process.

Firmware update on Sophos firewall requires a valid support subscription (of any type - paid or trial) after the first 3 free firmware updates.

  • Can you share a screenshot with us of where you use LE right now?

    __________________________________________________________________________________________________________________

  • We also use it for the portals but this is where we don't get the option.

  • We talked about this in the past and decided not to implement it.
    Just out of curiosity, why would you like to have a publicly signed cert here?

    We decided not to do it, as the effort of renewing certs is much higher compared to the benefit. As self-signed certificates are still considered secure (and why would they not be?), there is no real benefit in switching.

    __________________________________________________________________________________________________________________

  • What is the status of NC-141046 as reported by Scotty Huges Jr. about 2 months ago in the EAP thread?

    I cannot find any mention of this anywhere outside that forum post.

    I have the exact same problem as he described. The Bitwarden client app on some Android devices does not work because of this.
    If I change over to another Let's Encrypt certificate obtained by certbot on another system and imported to the SFOS v21 firewall, it works without problems.

    Why is this NC-141046 but not present in the release notes on your site?!? You officially have an ID for it, but don't publish it on your status - that's really shameful!
    I just wasted most of a work day trying to figure out what the hell was wrong with our WAF setup at work, until I stumbled on Scotty's note from the EAP program.
    That is just really bad PR from you guys.

    Scotty, if you're reading this: can you explain how you managed to fix this?
    Did you just import the missing Let's Encrypt CAs to the firewall?

  • So we closed the ID NC-141046 as an internal ID and updated all CAs in another ID, which is closed with v21.0 GA.

    We updated all LE CAs within the product:

    You should see the same as well.

    These are all the certificates that the user in the EAP thread mentioned.

    So it would be useful to know which CA is really missing here in the chain.
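The question above, which CA is actually missing from the chain the WAF serves, can be answered from the client side without guessing. The script below is an added example for this thread, not Sophos code: it dumps the certificates a server presents with `openssl s_client -showcerts`, extracts subject and issuer from each, and walks from the leaf towards a trusted root using only what the server sent. That is the same situation a client is in when it does not fetch missing intermediates itself (Android's system trust stack and most non-browser clients do not, while desktop browsers often chase the AIA URL or have the intermediate cached, which is why a chain can look fine in a browser and still fail in an app). The host, the hostname `vault.example.com`, and the (subject, issuer) sample pairs are constructed; only the Let's Encrypt R11 and ISRG Root X1/X2 names are real, and the script assumes an `openssl` binary on PATH for the live-host helpers. It checks name linkage only, not signatures or validity dates; it is a triage tool, not a validator.

```python
"""Chain-completeness triage for a TLS endpoint (e.g. a WAF-published site).

Added example for this thread, not Sophos code. Assumes an `openssl` binary
on PATH for fetch_chain_pems()/subject_issuer(); check_chain() is pure
Python and can be run on the constructed samples below.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fetch_chain_pems(host: str, port: int = 443, servername: Optional[str] = None) -> List[str]:
    """Return the PEM certificates the server presents, in the order it sends them."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", servername or host, "-showcerts"],
        input=b"", capture_output=True, check=False,  # s_client exits non-zero on verify errors; that is expected here
    )
    return PEM_RE.findall(proc.stdout.decode(errors="replace"))


def subject_issuer(pem: str) -> Tuple[str, str]:
    """Extract subject and issuer in RFC 2253 form so that names compare exactly."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-nameopt", "RFC2253"],
        input=pem.encode(), capture_output=True, check=True,
    ).stdout.decode()
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return fields["subject"].strip(), fields["issuer"].strip()


def check_chain(pairs: List[Tuple[str, str]], trusted_roots: Set[str]) -> Dict[str, object]:
    """Walk from the leaf (first cert) towards a trusted root using only the
    server-sent certificates, as a client without AIA fetching would.
    Reports the first issuer name that the server did not send."""
    if not pairs:
        return {"complete": False, "path": [], "missing_issuer": None}
    by_subject = {subject: issuer for subject, issuer in pairs}
    subject, issuer = pairs[0]
    path, seen = [subject], {subject}
    while issuer not in trusted_roots:
        # Issuer not sent, or a cycle / self-signed cert that is not a trusted root.
        if issuer not in by_subject or issuer in seen:
            return {"complete": False, "path": path, "missing_issuer": issuer}
        path.append(issuer)
        seen.add(issuer)
        issuer = by_subject[issuer]
    path.append(issuer)  # the root itself comes from the client's trust store
    return {"complete": True, "path": path, "missing_issuer": None}


# Constructed sample (names only, no real certificates): a leaf issued by
# Let's Encrypt's R11 intermediate, which chains to ISRG Root X1.
LE_R11 = "CN=R11,O=Let's Encrypt,C=US"
ISRG_X1 = "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
ISRG_X2 = "CN=ISRG Root X2,O=Internet Security Research Group,C=US"
TRUSTED_ROOTS = {ISRG_X1, ISRG_X2}
SAMPLE_COMPLETE = [("CN=vault.example.com", LE_R11), (LE_R11, ISRG_X1)]
SAMPLE_LEAF_ONLY = SAMPLE_COMPLETE[:1]  # what a server that drops the intermediate sends


def audit_host(host: str, trusted_roots: Set[str] = TRUSTED_ROOTS) -> Dict[str, object]:
    """Live check: fetch the served chain and report whether it links to a trusted root."""
    return check_chain([subject_issuer(p) for p in fetch_chain_pems(host)], trusted_roots)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(audit_host(target) if target else check_chain(SAMPLE_LEAF_ONLY, TRUSTED_ROOTS))
```

Run it as `python3 chaincheck.py vault.example.com` against the WAF-published hostname; a result with `"complete": False` names the intermediate (for a current Let's Encrypt certificate, R10/R11 or E5/E6) that the firewall is not sending, which is exactly the name to compare against the CA list in the firmware. `TRUSTED_ROOTS` holds only the ISRG roots because that is the trust anchor set a modern client uses; extend it if you are checking chains from another CA.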

    __________________________________________________________________________________________________________________

  • Hello!

    Are there any plans to add HTTP/2 support for (DPI) TLS decryption?

    If a post solves your question, use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Just noticed today while looking for dependencies on my interfaces to plan upcoming changes: object usage does not show dependent firewall rules using the "#Port2" definition.
    As all "#PortX" IP host objects are automatically created/updated, I'd expect those to show up in interface object usage as well.
    So when I try to find all settings related to this interface, e.g. firewall rules containing the host definition should be listed there as well:

    Sure, you might use the new port-migration assistant during restore (with downtime) to handle interface changes, but sometimes smaller changes might benefit here.
    Anything on the roadmap to change the interface - hardware mapping? Like moving only a single VLAN interface to another hardware port with one click, like on UTM/SG?

  • Confirming no issues so far when upgrading some XGS 126, 136 and 4500 HA clusters - a stable release.

    Impressive RED robustness: the remote side behind a RED lost only 7 pings during the node reboot.

    This has been much worse in earlier versions.

  • Cosmetic: some firewall-generated mail could not be sent during the upgrade.

  • Hi,

    Recently, we updated our customer's firewall to v21 and got the information that the ReportDB was regenerated and reports were shown only from the date of the firmware upgrade. This is the update we have got, as of now.