Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

  • Howto combine 'Match known users' and 'Block clients with no heartbeat'

    I could not figure out the details about traffic matching critera and further filtering within firewall rules. Can someone clarify what will happen if you select "Match known users" and "Block clients with no heartbeat"? Will the rule block no heartbeat…
  • Feature-request Warning in case of communication failure between Sophos and LDAP

    Good morning everyone. Since the function of a company depends on the LDAP query, I would consider it extremely important to receive a warning. If the LDAP query fails. The MTA then no longer checks users if the connection to LDAP is disturbed (it cannot…
  • Unauthenticated traffic on WAN - Captive portal

    Hello All, We have a Sophos XGS connected to a metered WAN connection, in order for devices to connect to the internet the user must authenticate to the Sophos captive portal and at which point a weekly data transfer quota is applied. This has been…
  • Cannot establish NTLM Authentication channel

    Lots of posts about this. Here is an example. AD SSO - Cannot establish NTLM authentication channel with xxx Seems like the recommendation is to disable AD SSO in all zones. But what if we want SSO so we can log user web traffic? Why might we want…
  • Does SSL inspection analyses WebSocket traffic?

    Hello there, I have a customer who may want to buy a Sophos Firewall with the main reason of using it as a Web Proxy Server. Unfortunately I could not find information regarding WebSocket traffic inspection. My guts tell me that the SFOS will inspect…
  • Sophos vFW VPN - Users

    Hi all, I was considering purchasing a virtual firewall, but I have a doubt to clear up. The vFW will mainly be used only to create a site to site where there will be about 100 users behind it. (There will be no local users on the LAN instead) In…
  • SSL VPN or ZTNA

    hi, i have friewall XGS2100 with Xstream protection. on that i am using ssl vpn for remote connectivity. so should i use ZTNA??? what extra benefits can i get if i use ZTNA?does xstream protection gives us few ZTNA licenses??? if i dont have Microsoft…
  • Ipsec and mss-clamping. Is there a way to make them persistent?

    Hi all, I have an xgs 3100 firewall on which about 20 ipsec tunnels are attested. All these ipsec have fragmentation problems so I am forced to use mss-clamping. For example without mss-clamping an icmp packet passes as long as I set a size of 1400…
  • Invalid Traffic - specifically using web browser, not via nmap

    Hi all, i have had a look at the Invalid Traffic page but as stated at the bottom doesnt resolve the issue, just reduces the number of logged entries My setup is as follows Core network is TPLink Omada (Manages the vlans) Sophos setup: Port1 …
  • TLS Inspection Rules

    Issue Summary: Slow Speed test SSL/TLS Inspection Summary of Call Discussion: Traffic for the test system (172.xxx.xx.8) was passing through rule ID #2. We observed a speed of 36 Mbps with the SSL/TLS inspection rule enabled. After disabling the…
  • migration fw xg to xgs

    Dear good evening, I have a firewall migration requirement for a client who has a Sophos XG450 firewall in version SFOS 19.0.2 MR-2 Build472 and wants to migrate to a new XGS4500 computer. Is it possible to do this migration by generating a backup…
  • Device Registration fails: Appliance connectivity issue with the license server - Time not set

    I tried to register a RMA firewall with SFOS 21 EAP after it has been claimed in Central. It did not work. Either Administration -> "Registration" failed also Sophos Central -> "Sophos Central registration" failed Live Log found: 1970…
  • Sophos Client can´t import configuration file

    I have XGS 116 with 20.0.1 MR-1-Build342. Using a MAC computer, gets the "File Import Error" error when connecting to VPN using Sophos Connect, the same config file is processed on the device with the windows operating system and it works smoothly.…
  • Distribute IPSec site-to-site network via OSPF

    Hello, I found a solution where IPSec networks are distributed via OSPF and would like to know if this is correct? Can I use this in a productive environment? 1. SSH -> 4. Device Console 2. system ipsec_route add net 192.168.123.0/255.255.255.0 tunnelname…
  • RED vs IPSec (XGS)

    [POST DE DEBATE SOBRE O ASSUNTO] Opa pessoal! Em minha infraestrutura eu tenho o escritório na matriz (XGS 3100) conectado a outros quatro escritórios filiais (XGS 136) por Tunel RED, utilizando a configuração RED Server no escritório matriz e RED Client…
  • Traffic Shaping / QoS

    Good morning. I have been looking for information about the use of Traffic Shaping / QoS and applied what is indicated but in my case it is not working for me. I have 2 offices, each with a Sophos firewall. The server in office A sends data to the…
  • Poor Spamfilter v20MR2

    Hi everybody, we have installed a Sophos v20 MR2. However, we had to realize that the spam filtering is very poor compared to the UTM. The Sophos is acting as an MX and works in MTA mode. Spam protection is active as a policy and basically has all options…
  • Possible to Backup/Restore to a different (higher/lower) model?

    Hi, i was just wondering if it's possible with the latest SFOS to backup and restore from a XG 210 to a XGS 2300 and from a XG 230 to a XGS 2100? Thnaks alot!
  • IPSEC site to site VPN, initiator behind router

    We are wanting to connect our remote office, which is in a managed/shared office space building, to our head office. We have no control over the shared office netowrk. We have a XGS in the managed office space. The internet connection is supplied…
  • XGS2100 (SFOS 20.0.2 MR-2-Build378) - Fritzbox 7490 VPN

    Hi, after updating to 20.0.2 the Site to Site VPN connection between our XGS (Host) and the Fritzbox is not working anymore. Before the Update is was workking without any problems. A downgrade to 20.0.0 is also impossible as the XGS always tells Firmware…
  • HA_degraded, device is showing faulty

    Hi, We have configured a HA in the site and it was working fine from last one year, HA degraded yesterday, Primary device is showing faulty All the cable connections are working fine, How to resolve this issue ? What would be the reason for…
  • Sophos Reports showing IP rather than websites visited by users

    Hi Community... Please assist - Customer has a sophos 125 XG SFOS 20.0.2 running web filter and support license only- Web filtering works fine - Customer requested a report on a specific user on websites visited/ internet usage - Reports show IP address…
  • old Queued mail found within Mail-Spool

    hello, I have a really old queued mail found within mail spool. in this case the email is not (was not) important, but how can that happen? In the meantime, many new emails have been delivered from the same sender to the same recipient. I'm asking because…
  • IPSEC VPN Routing traffic between multiples sites

    Hi, We need to establish a multiple site to site IPSEC VPN with a XG86w as the HQ. Both remote sites have a TELTONIKA RUT240 router. I am able to ping from HQ both remote sites, and from each remote site the HQ, but can’t ping a remote site from…
  • Display the real IP in Web Application Firewall (WAF) when using Cloudflare

    Many of us are using Cloudflare or similar services to protected their Extranet / Webmail and other public websites using the Sophos WAF. It's possible to display the real IP addresses on any Linux servers behind the firewall by enabling Pass host header…