Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)

Release Post:  Sophos Firewall v21 Early Access Announcement 

What's New link: https://assets.sophos.com/X24WTUEQ/at/7t8k46h9ttmxt6pn8g58k7wb/sophos-firewall-key-new-features-v21.pdf 

Please provide feedback using the option at the top of every screen in your Sophos Firewall as shown below or via the Community Forums.

NOTE: Sophos Firewall v21 does NOT include support for XG and SG Series appliances. XG Series EOL is March 31, 2025.
XG/SG hardware will remain on the v20.0 branch with MR2+ until EOL.
Sophos SFOS Home users are not affected, as SFOS Home runs the software version. 

For LE-related config issues, please review this post first: Let's Encrypt Deep Dive & Debugging in SFOSv21.0



LE
[edited by LuCar Toni at 8:59 AM (GMT -7) on 31 Aug 2024]
  • Let's Encrypt "Hosted address" dropdown should not display hardware ports.
    Yes, you can hover and see the IP, but please display interface names!

    That's why I can customize interface names in the Interface menu - they should show up everywhere you need to select a port/interface.
    As a partner switching through multiple customers a day, custom naming is important. You do not always remember individual WAN IPs or port associations.

    You currently see in the dropdown only "#Port1, #Port2, #Port3, ...".
    E.g. focusing on WAN-zone ports might be useful as well.

    (Cannot post screenshot here - "File embedding is not allowed")

  • Thank you! Agreed. We will try our best to consider this for GA.

  • I can totally confirm what  said, this #Port2 stuff is a real pain. We also have a lot of aliases on some ports which makes it even worse, e.g. it goes up to #Port2:12 and we have to maintain an Excel table in parallel to keep just a little bit of an overview.

    This has annoyed me since SFOS v17 when I started working with it, but sadly I've gotten used to it and never suggested it as feedback to change it.

  • As the Let's Encrypt implementation temporarily creates a WAF rule for verification:
    Can Let's Encrypt be used for SMTP, WebAdmin, User Portal, etc. without having the Web Server Protection module licensed?

  • Yes. WAF license is not required to generate a Certificate. 

    __________________________________________________________________________________________________________________

  • Generally speaking, this feedback is heard and we are looking into resolving this in general, not on a per-module basis, going forward. 

    __________________________________________________________________________________________________________________

  • Let's Encrypt validation seems to fail (tried two different domains, one by one).
    Any ideas? Looks like a timeout - there's no NAT/FW. Sophos is facing the WAN directly on that port.

    letsencrypt.log:

    [2024-08-29 14:39:54,171] Dehydrated: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
    ["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXXXXXXXXXXXXXX/hTPVpg"
    ["status"]	"invalid"
    ["validated"]	"2024-08-29T12:39:42Z"
    ["error","type"]	"urn:ietf:params:acme:error:connection"
    ["error","detail"]	"31.29.XX.XX: Fetching http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo: Timeout during connect (likely firewall problem)"
    ["error","status"]	400
    ["error"]	{"type":"urn:ietf:params:acme:error:connection","detail":"31.29.XX.XX: Fetching http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo: Timeout during connect (likely firewall problem)","status":400}
    ["token"]	"XXXXXXXXXXXXX9hqLrmnlrubLcLhgXXUo"
    ["validationRecord",0,"url"]	"http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/PZTcH1387gOCqRVPTArqz0e9hqLrmnlrubLcLhgXXUo"
    ["validationRecord",0,"hostname"]	"XXXXMYDOMAINXXXX"
    ["validationRecord",0,"port"]	"80"
    ["validationRecord",0,"addressesResolved",0]	"31.29.XX.XX"
    ["validationRecord",0,"addressesResolved"]	["31.29.XX.XX"]
    ["validationRecord",0,"addressUsed"]	"31.29.XX.XX"
    ["validationRecord",0]	{"url":"http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/PZTcH1387gOCqRVPTArqz0e9hqLrmnlrubLcLhgXXUo","hostname":"XXXXMYDOMAINXXXX","port":"80","addressesResolved":["31.29.XX.XX"],"addressUsed":"31.29.XX.XX"}
    ["validationRecord"]	[{"url":"http://XXXXMYDOMAINXXXX/.well-known/acme-challenge/PZTcH1387gOCqRVPTArqz0e9hqLrmnlrubLcLhgXXUo","hostname":"XXXXMYDOMAINXXXX","port":"80","addressesResolved":["31.29.XX.XX"],"addressUsed":"31.29.XX.XX"}]

  • Thanks! That would be great. (And not v21-specific; it applies to WAF and NAT in general as well, everywhere port selections are currently implemented.)

  • Some thoughts about Let's Encrypt from my end: 
    Release Notes: 
    Let's Encrypt Certificate Support – A long-requested feature, Let's Encrypt certificate support enables the automatic deployment and renewal of certificates based on certificate signing requests (CSRs). Let's Encrypt certificates are supported for WAF, SMTP, TLS configuration, hotspot sign-in, the Web Admin console, user portal, captive portal, VPN portal, and SPX portal.

    SFOSv21.0 LE is very similar to the implementation in UTM9. 
    You can start a new LE certificate for a domain, for example test.domain.com. You need to be the owner of this domain and add a DNS record for this FQDN. test.domain.com needs to point to the firewall (WAN). The firewall will try to request the certificate for test.domain.com and LE will reach out to the configured DNS. If this works, you get a valid certificate that you can use everywhere. The firewall will automatically renew the certificate if needed; no user interaction is required. 

    For this concept, you do not need a subscription - Base Firewall is fine. 

    You cannot generate a wildcard certificate (*.domain.com) - that concept needs a DNS API for renewal. SFOS (like UTM) supports only HTTP-based renewal, which limits it to one domain per request. You can generate multiple FQDNs per firewall if needed. 

    You cannot download the certificate and reuse it somewhere else. For that use case, you should use your own method such as certbot or lego. 

    You can find more information on debugging LE here: Let's Encrypt Deep Dive & Debugging in SFOSv21.0

    __________________________________________________________________________________________________________________
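The failed-validation output quoted earlier in this thread is dehydrated's flattened JSON (a key path, a tab, then a JSON value), and the HTTP-01 flow described in the post above is what it reports on. The following is an added example (not Sophos code, not from any poster): it parses such log lines into fields and maps the ACME error type to the thing an admin should check. The sample log, the domain fw.example.net and the address 192.0.2.10 are constructed placeholders.

```python
import json
import re
from typing import Any, Dict, Tuple

# Constructed sample mirroring the dehydrated output quoted in the thread
# (domain, token and IP are placeholders, not real values).
SAMPLE_LOG = """\
[2024-08-29 14:39:54,171] Dehydrated: ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]\t"http-01"
["url"]\t"https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXXXXXXXXXXXXXX/hTPVpg"
["status"]\t"invalid"
["error","type"]\t"urn:ietf:params:acme:error:connection"
["error","detail"]\t"192.0.2.10: Fetching http://fw.example.net/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"
["error","status"]\t400
["validationRecord",0,"hostname"]\t"fw.example.net"
["validationRecord",0,"port"]\t"80"
["validationRecord",0,"addressUsed"]\t"192.0.2.10"
"""

# Each dehydrated result line is: <optional prefix>["key",0,...]<TAB><json value>
LINE_RE = re.compile(r"^.*?(\[[^\]]*\])\t(.*)$")

# What each ACME error type means for an HTTP-01 challenge against the firewall WAN.
HINTS = {
    "urn:ietf:params:acme:error:connection":
        "Let's Encrypt could not open TCP/80 to the address used: check that the FQDN's A record "
        "points at the firewall WAN IP, that nothing upstream blocks inbound port 80, and that the "
        "temporary WAF rule exists while the challenge runs.",
    "urn:ietf:params:acme:error:unauthorized":
        "TCP/80 answered but the token did not match: another web server, NAT or WAF rule is answering for this host.",
    "urn:ietf:params:acme:error:dns":
        "The FQDN did not resolve publicly: the DNS record is missing or has not propagated yet.",
}

def parse_dehydrated(text: str) -> Dict[Tuple[Any, ...], Any]:
    """Turn the flattened key-path lines into a dict keyed by the path tuple."""
    fields: Dict[Tuple[Any, ...], Any] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = tuple(json.loads(m.group(1)))
        try:
            fields[path] = json.loads(m.group(2))
        except json.JSONDecodeError:
            fields[path] = m.group(2)  # keep raw text rather than drop the field
    return fields

def diagnose(fields: Dict[Tuple[Any, ...], Any]) -> Dict[str, Any]:
    """Summarise the challenge outcome and attach the check matching the error type."""
    err_type = fields.get(("error", "type"))
    fallback = "Unclassified ACME error; read error.detail: %s" % fields.get(("error", "detail"))
    return {
        "challenge": fields.get(("type",)),
        "hostname": fields.get(("validationRecord", 0, "hostname")),
        "address": fields.get(("validationRecord", 0, "addressUsed")),
        "port": fields.get(("validationRecord", 0, "port")),
        "error_type": err_type,
        "hint": HINTS.get(err_type, fallback),
    }
```

Feed it the contents of letsencrypt.log and the `hint` field tells you whether to look at DNS, inbound port 80, or a competing listener.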

  • Are there any plans to support FQDNs for SD-WAN probes?

    Also, the web UI is so much faster than v20, everything is *instant* now. Thanks for the update!


    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home