Hi everyone,
We're using the integrated Let's Encrypt feature in SFOS V21. We've noticed some strange behavior when it comes to renewing certificates.
When the firewall attempts to renew the certificate, it fails with the message: "Reason for failure…
Hello.
Recently, a bunch of my locally-generated certificates have expired and I am having trouble finding a way to renew them.
I am using the firewall's local CA to make certificates for WAF rules and the web-admin console.
You'd think there would…
On one of our XGS firewalls, we need a NAT rule for HTTP/HTTPS. On this firewall, it's not possible to create or renew a Let's Encrypt cert.
We need to disable the NAT rule, then it works to create/renew the certificate.
But this can't be the…
Problem: When I go to the portals from my LAN zone I can get into all of them except the captive portal. Ports 4443 (user), 4444 (admin) work. Port 8090 gives me an error in the browser: Firefox v133.0: PR_END_OF_FILE_ERROR Chrome v131.0.6778.87: ERR_CONNECTION_CLOSED…
I have configured a clientless SFTP policy that contains the bookmark and the bookmark contains the private and public key along with server information. I created a user on our portal and allowed it to use this policy. I did on the side another RDP policy…
I have my certificates in a folder and I'm looking for a script that will update them when there is a change so that waf will continue working without manual intervention.
I have very little experience scripting, I can read and understand more or less…
I’m trying to move Office 365 connector authentication from IP-address to certificate. A Let’s Encrypt certificate has been created (on SFOS 21) and added to the SMTP TLS configuration under the Email > General tab. When changing the Office 365 connector…
Hi, we have a problem with transferring syslog from Sophos firewall to the Arcsight SmartConnector. When we try UDP, logs can be seen in connector. However, with TLS communication fails.
This is only an example, but our handshake also fails at Change…
Hi guys
I can't see the wood for the trees -- so please forgive me this (probably stupid) question:
When using PSK for IPsec without certificates, everything is working properly. It asks for password (or I save my password) click Connect and it works…
Hi,
I'm facing a new issue: After deploying a new firewall, the fresh instance cannot be synchronized with Central. The device keeps hanging on state connected.
The default certificate seems to be invalid (Namibia???) After editing the default authority and…
Hi folks,
I did set up a remote access IPsec profile with authentication type digital certificate.
The local certificate was created with a CSR by the firewall with help of OpenSSL under Linux and the remote certificate as described in
docs.sophos…
We currently use an SSL certificate from Digicert for IPsec VPN access for users. When migrating from an XG 210 to an XGS 2100, do I need to buy a new certificate or will the current certificate transfer over during the migration?
Thank you.
Hi,
I have set up email scanning according to this guide: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigurePOPIMAPScan/index.html#add-a-firewall-rule
I have found that…
I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate…
I have enabled SSL/TLS inspection to do MITM for HTTPS (443) traffic from LAN to WAN. I have pushed the CA certificate to Windows computers by GPO. That works just fine for most sites. Now I have an issue with sites that have HSTS enabled. For those sites that enable…
When I go to edit the certificate and upload the certificate which is due for renewal ( every 13 months ), it fails with the following error at the top center of the screen:
Certificate could not be updated as it is already used by HTTP Based Policy…
Hello, We are using the DPI engine and have created SSL/TLS inspection rules. Unfortunately, we receive a certificate warning for some websites even though the firewall certificate has been imported.
What could be the reason for this and how can we…
Hello everyone,
is there a complete Guide available for setting up XGS and NPS with EAP and certificate authentication?
We want to move on from a working EAP and MSChapv2 configuration because it is deprecated.
I wonder, do I need to change…
Hi all,
Hoping you can help.
Recently an external website we access has been updated and hosted elsewhere. Following the move we now get the following error but only when connecting via the VPN (Remote access). We can browse to the site without issue…
Hi,
I have ONE of 3 new installs of XGS-126 having a long-known problem with Sophos CA certificates on some popular URL addresses. For example, users cannot download Google Chrome:
I guess the problem is HSTS, where the browser detects MITM, which is Sophos…
Does regenerating the Appliance Certificate affect any other access besides SSL VPN? This is my issue, we recently had our XG210 replaced and rebuilt the new unit with a backup. Prior to the firewall failure SSL VPN has been my go-to setup for staff who…
Tried to add a certificate to an unmanaged Chromebook device with latest Chrome OS version (someone brought in their own device). Followed the steps as we have used for years. Download the CRT file and open Chrome Security settings and under manager certificates…
Dear Friends:
I’ve been following this article because none of my reports were working.
Sophos Firewall: No reports show
After flushing the reports, it appears as though I never completed the configuration of my WAF certificates.
So, I decided…