Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)

Question

Release Post: Sophos Firewall v21 Early Access Announcement 
 Whats New Link: https://assets.sophos.com/X24WTUEQ/at/7t8k46h9ttmxt6pn8g58k7wb/sophos-firewall-key-new-features-v21.pdf 
 Please provide feedback using the option at the top of every screen in your Sophos Firewall as shown below or via the Community Forums. 
 
 NOTE: Sophos Firewall v21 does NOT include support for XG and SG Series appliances . XG Series EOL is March 31, 2025. XG/SG Hardware will find them self until the EOL on the V20.0 Branche with MR2 + Sophos SFOS Home users are not affected, as SFOS Home is running the software version. 
 For LE Related config issues, please review this post first: Let´s Encrypt Deep Dive & Debugging in SFOSv21.0

LuCar Toni · Accepted Answer

This is planned for the future. Not in V21.0

LuCar Toni · Answer

You find details in the release notes: 
 Added resiliency, seamless transitions, and reduced downtime &ndash; High availability deployments are enhanced with seamless failover of dynamic routes.SD-RED tunnel failover has also been significantly improved, enabling tunnels to be reestablished within a few second of an HA failover, reducing downtime. Improved interactions with Active Directory domains during HA failovers

LuCar Toni · Answer

Yes. 
 See Release Notes: https://assets.sophos.com/X24WTUEQ/at/7t8k46h9ttmxt6pn8g58k7wb/sophos-firewall-key-new-features-v21.pdf 
 Enhanced Site-to-Site IPsec Performance: FQDN-based remote gateways have been optimized to improve scalability for distributed deployments. In addition, using DHCP relays over XFRM interfaces is available for traffic to DHCP servers deployed behind the firewall. And for RBVPN deployments, an increase of up to 20x in XFRM interface up-time significantly minimizes disruption during tunnel flap and reboot.

LuCar Toni · Answer

Yes, PBR probing via FQDN is on the roadmap for the future. Not included in the V21.0 GA Release.

Jubin · Answer

Hi twister5800 , 
 One option to control the frequency of email alerts generated by MDR, X-Ops, and third-party threat feeds is to disable local firewall email notifications and instead rely on Sophos Central ATP alerts. Sophos Central provides more granular control, allowing you to specify the frequency of these alerts more precisely. See below.

Jubin · Answer

Hi Ronaldo de Moura , 
 When a blackhole route is configured, the firewall silently drops any packets destined for the blackholed route without sending back any "Destination Unreachable" messages to the source. This is easier than configuring the NAT rule with some unreachable destination. 
 Internally, we create a null0 route (functionality offered by FRR engine)

Michael Dunn · Answer

Thank you Prism for the report. This was due to a server side change and not related to Sophos Firewall v21 EAP. The issue was been addressed less than 12 hours after reported. All future Zero Day Protection will no longer show status "Error" though past ones will until the file is encountered again.

LuCar Toni · Answer

Some thoughts about Lets Encrypt from my end: Release Notes: Let&rsquo;s Encrypt Certificate Support &ndash; A long-requested feature, Let's Encrypt certificate support enables the automatic deployment and renewal of certificates based on certificate signing requests (CSRs). Let&rsquo;s Encrypt certificates are supported for WAF, SMTP, TLS configuration, hotspot sign-in, the Web Admin console, user portal, captive portal, VPN portal, and SPX portal. SFOSv21.0 LE is very similar to the implementation from UTM9. You can start a new LE certificate for a domain, for example: test.domain.com. You need to be the owner of this domain and add a DNS record for this FQDN. test.domain.com needs to point to the firewall (WAN). The firewall will try to request the certificate for test.domain.com and LE will reach out to the configured DNS. If this worked, you will get a valid certificate, you can use everywhere. The firewall will automatically refresh the certificate, if needed and there is no user interaction required. 
 For this concept, you do not need a subscription - Base Firewall is fine. 
 You cannot generate a wildcard certificate (*.domain.com) - This concept needs an DNS API renewal. SFOS (like UTM) supports only HTTP based renewal - Which limits to one domain per request. You can generate multiple FQDNs per firewall, if needed. 
 You cannot download the certificate and reuse it somewhere else. For this concept, you should review a own method like certbot or lego. 
 You find more information to debug LE here: Let´s Encrypt Deep Dive & Debugging in SFOSv21.0

SPandya · Answer

SFOS 21 GA will have E5 builtin , its being tracked with NC-141165

LuCar Toni · Answer

Yes. WAF license is not required to generate a Certificate.

LuCar Toni · Answer

Essentially i do not see a point in using LE for VPN at any chance. OpenVPN uses LE only for the management component and rely on own (self generated) CAs like SFOS does. 
 The benefit of LE for VPN compared to a self/gen CAs is not given due the fact of trust relationship. You can use LE for the VPN Portal to get the self-gen ovpn file. 
 Same for UTM - there was never a reason to switch to LE and deal with the Auto regen problems. 
 BTW: You would have to do it for every user all the time, means an additional load of tasks for no benefit.

twister5800 · Answer

Hi Guys, 
 So I got home and looked into things, it was not the EAP1's fault at all, after the one firewall rebooted the ISP gave it a new IP address, I was looking in Sophos Central, and the IP shown inthere, is still the old one, so this did create some confusing at my end :-) I have now rebooted severel times, but Sophos Central still shows the old IP, but the firewall is online and I can remote to it from central, so maybe this is a "small" bug?

FFin · Answer

You can just install GA-Update like any other regular update if you&rsquo;re on EAP. That&rsquo;s been the case with all EAPs before.

Jubin · Answer

Tentative end of Oct'24.

LuCar Toni · Answer

We are looking into it: ID to track: NC-141030

LuCar Toni · Answer

We are tracking this issue here: NC-141068

LuCar Toni · Answer

That is correct, SFOS now sorts per Interface name (which is adjustable). 
 There was a lot of feedback by bigger customers about "empty interfaces. For example customers using PortF1, which where down below. Now you can control the order by selecting a Name.

LuCar Toni · Answer

This item is on the backlog, but not included in V21.0

LuCar Toni · Answer

We will look into this, tracked as: NC-141046

JanosRapcsak · Answer

Hi EinMarco_DE , 
 SFOS clears the error states of the failed LE certificate requests overnight, and retries them. 
 That means, when you have fixed the NAT rule, the LE certificate should be obtained in the next 24 hours the latest. 
 You can send me an support access ID in a PM when ready, we can trigger the retry from the CLI too. 
 Regards, 
 Janos

Bart van der Horst · Answer

If you use profile based vpn config, your clients have the update policy option where they can refresh the vpn config, saves a lot of time and effort.

FFin · Answer

Solved. The packet capture service was not started after a reboot due to a memory crunch. No happend again so far after multiple reboots. Thanks to BhruguPatel for investigation.

Jubin · Answer

Hi Wayne Folta , 
 The firewall first implements MDR threat feeds followed by Sophos X-Ops and Third-party threat feeds. 
 If an Indicator of Compromise (IoC) exists in Sophos X-Ops and Third Party Feeds, and Sophos X-Ops is set to Log and drop , the firewall drops the traffic, logs the event under X-Ops, and doesn't check further&mdash;no event for Third-Party feeds. 
 If the Action is set to Log only or Monitor , the firewall logs separate events for Sophos X-Ops, and Third-party threat feeds. 
 Thank you!

LuCar Toni · Answer

Essentially: SFOS will print the error given from LE into the Logs. 
 If we get an Error 400, we will print this in the logs. 
 Additionally you can check for the logs in the logfile itself. 
 To prevent this from happening, we are not trying again and again. SFOS tries it once, you can delete the cert and recreate it to try it again.

SPandya · Answer

Hi Dirk, one thing we have noticed while checking logs from your device along with Shrikant. Your primary disk is only 4GB, which have caused smaller /content partition. Here's the recommendation for disk size for virtual appliance for v21 EAP https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/VirtualAndSoftwareAppliancesHelp/SoftwareAppliance/index.html#system-requirements 
 We recommend it to be 64 GB.

Jubin · Answer

Hi dirkkotte , 
 Thank you for participating in the EAP and sharing your feedback. 
 We've noted this issue, as a few other community members have also reported it. Our team is actively working on a solution, and we&rsquo;ll keep you updated with progress. 
 Stay tuned for further updates.

SPandya · Answer

ok, thank you for information. I checked with support - this is being tracked as NC-135613

RaveNet · Answer

Either replace the drive in the xg unit 
 Or fully wipe the existing drive 
 Once either is done, the software will no longer detect as Sophos hardware and legacy units can be repurposed with software installer and license

SPandya · Answer

Software image is not supported on XGS hardware.

Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)

Top Replies