Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)

Release Post:  Sophos Firewall v21 Early Access Announcement 

What's New link: https://assets.sophos.com/X24WTUEQ/at/7t8k46h9ttmxt6pn8g58k7wb/sophos-firewall-key-new-features-v21.pdf 

Please provide feedback using the option at the top of every screen in your Sophos Firewall as shown below or via the Community Forums.

NOTE: Sophos Firewall v21 does NOT include support for XG and SG Series appliances. XG Series EOL is March 31, 2025.
XG/SG hardware will remain on the v20.0 branch (MR2 and later) until the EOL.
Sophos SFOS Home users are not affected, as SFOS Home is running the software version. 

For LE related config issues, please review this post first:  Let's Encrypt Deep Dive & Debugging in SFOSv21.0  



[edited by: LuCar Toni at 8:59 AM (GMT -7) on 31 Aug 2024]
  • Let's Encrypt validation seems to fail (tried two different domains - one by one).
    Any ideas? Looks like timeout - there's no NAT/FW. Sophos is facing WAN directly on that Port.

    letsencrypt.log:

    [2024-08-29 14:39:54,171] Dehydrated: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
    ["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXXXXXXXXXXXXXX/hTPVpg"
    ["status"]	"invalid"
    ["validated"]	"2024-08-29T12:39:42Z"
    ["error","type"]	"urn:ietf:params:acme:error:connection"
    ["error","detail"]	"31.29.XX.XX: Fetching http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo: Timeout during connect (likely firewall problem)"
    ["error","status"]	400
    ["error"]	{"type":"urn:ietf:params:acme:error:connection","detail":"31.29.XX.XX: Fetching http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo: Timeout during connect (likely firewall problem)","status":400}
    ["token"]	"XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo"
    ["validationRecord",0,"url"]	"http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/PZTcH1387gOCqRVPTArqz0e9hqLrmnlrubLcLhgXXUo"
    ["validationRecord",0,"hostname"]	"XXXXMYDOMAINXXXX"
    ["validationRecord",0,"port"]	"80"
    ["validationRecord",0,"addressesResolved",0]	"31.29.XX.XX"
    ["validationRecord",0,"addressesResolved"]	["31.29.XX.XX"]
    ["validationRecord",0,"addressUsed"]	"31.29.XX.XX"
    ["validationRecord",0]	{"url":"http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/PZTcH1387gOCqRVPTArqz0e9hqLrmnlrubLcLhgXXUo","hostname":"XXXXMYDOMAINXXXX","port":"80","addressesResolved":["31.29.XX.XX"],"addressUsed":"31.29.XX.XX"}
    ["validationRecord"]	[{"url":"http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/PZTcH1387gOCqRVPTArqz0e9hqLrmnlrubLcLhgXXUo","hostname":"XXXXMYDOMAINXXXX","port":"80","addressesResolved":["31.29.XX.XX"],"addressUsed":"31.29.XX.XX"}]

  • ["error","detail"]    "31.29.XX.XX: Fetching XXXXMYDOMAINXXXX/.../XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo: Timeout during connect (likely firewall problem)"
    ["error","status"]    400

    I've got the same. Maybe you have created a blackhole DNAT with Country Blocking?

    I've modified my blackhole rule so that it only blocks ports 1:79 and 81:65535, as Sophos opens port 80 only for regenerating the certificate.

    Just an idea...

    BR Gerd
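The two posts above together describe one diagnostic: read the `["error","type"]` / `["error","detail"]` pair and the `validationRecord` port out of the dehydrated dump in letsencrypt.log, then check whether a blackhole rule's port list (written `1:79,81:65535` as in the reply) still covers the port the CA connected to. The following is an added example, not code from the thread, from Sophos or from dehydrated; it assumes the dump keeps the `[json-path]<TAB>json-value` line shape quoted above and that the port list uses the `lo:hi` syntax from the reply. The sample log is constructed with placeholder addresses, hostname and token.

```python
import json
from typing import Any

# Constructed sample modelled on the dehydrated output quoted in the thread.
# The address, hostname and token are placeholders, not values from the page.
SAMPLE_LOG = (
    '["type"]\t"http-01"\n'
    '["status"]\t"invalid"\n'
    '["error","type"]\t"urn:ietf:params:acme:error:connection"\n'
    '["error","detail"]\t"203.0.113.10: Fetching http://example.invalid/'
    '.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"\n'
    '["error","status"]\t400\n'
    '["validationRecord",0,"hostname"]\t"example.invalid"\n'
    '["validationRecord",0,"port"]\t"80"\n'
    '["validationRecord",0,"addressUsed"]\t"203.0.113.10"\n'
)


def parse_dehydrated_dump(text: str) -> dict[tuple, Any]:
    """Turn lines of the form  ["path","to","key"]<TAB>value  into a dict keyed
    by the JSON path as a tuple. Both halves are JSON, so json.loads handles
    quoting, numbers and nested values; non-matching lines are skipped."""
    fields: dict[tuple, Any] = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue  # timestamps / prose lines around the dump
        path_part, value_part = line.split("\t", 1)
        try:
            path = tuple(json.loads(path_part))
            value = json.loads(value_part)
        except json.JSONDecodeError:
            continue  # not a key/value line; skip rather than guess
        fields[path] = value
    return fields


def parse_port_ranges(spec: str) -> list[tuple[int, int]]:
    """Parse a comma-separated port list in the 'lo:hi' form used in the
    reply, e.g. '1:79,81:65535'. A bare number is a single port."""
    ranges: list[tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_is_blocked(ranges: list[tuple[int, int]], port: int) -> bool:
    """True if any range in the blackhole rule covers the given port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def diagnose(fields: dict[tuple, Any], blackhole_spec: str) -> str:
    """Classify a failed http-01 challenge against a blackhole rule's port list.
    Returns a short tag so the result can be checked or logged."""
    if fields.get(("status",)) != "invalid":
        return "challenge-not-invalid"
    err_type = fields.get(("error", "type"), "")
    # The CA reports which port it used; http-01 is always 80, but read it anyway.
    port = int(fields.get(("validationRecord", 0, "port"), 80))
    if not err_type.endswith(":connection"):
        return "other-acme-error:" + err_type.rsplit(":", 1)[-1]
    if port_is_blocked(parse_port_ranges(blackhole_spec), port):
        return f"blackhole-rule-covers-port-{port}"
    return f"port-{port}-not-in-blackhole-rule"


if __name__ == "__main__":
    parsed = parse_dehydrated_dump(SAMPLE_LOG)
    print(parsed[("error", "detail")])
    print(diagnose(parsed, "1:65535"))          # rule still covers port 80
    print(diagnose(parsed, "1:79,81:65535"))    # port 80 carved out as in the reply
```

A `connection` error with port 80 still inside the rule points at the blackhole; the same error with port 80 carved out means the timeout is happening somewhere else on the path and the blackhole rule is not the cause.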

