XG Firewall v18 MR-3: Feedback and experiences

Hi all,

Shall we start this new thread with the looks and feels of XG v18 MR-3?

community.sophos.com/.../xg-firewall-v18-mr3

  • Hi,

    sorry, I am a home user and not able to create reports except in these forums. The security setting seems to fail after about 30 minutes.

    An update, it only appear to affect the iPAD, I haven't tried the iPhones yet.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hi PMStuart,

    Being of an experimental person by nature this morning I setup a SSL/TLS rule setup specifically for the iPAD, total failure, the only the applications that worked (one) facebook because there are exceptions for it. Everything else timed out including this site. The logviewer shows the connections all succeeding.

    Further, the mac mini mail failed two connections to one ISP and timed out. As soon as the iMAPs is removed from scanning the connections restore.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • DPI TLS/SSL engine is still a mess.  After upgrading to MR3, I enabled a firewall rule to use DPI instead of web proxy to test.  One of the users who hits the rule called me to tell me he couldn't access a site (AOL mail) today.  The error Chrome gives him is "ERR_CONNECTION_RESET."  I looked in the logs, the TLS/SSL logs show no errors related to this site, in facts shows successful decryption.  The Policy Tester shows it is allowed.  No errors shown on the Control Center page under the TLS/SSL Connections widget.  It just doesn't work with no explanation given at all on the XG.  Add the URL as a Local TLS Exception and it works perfectly.  I should add, the traffic works fine and is decrypted properly using Web Proxy engine.

    I still can't believe this "feature" is in wide use in actual medium to large scale businesses.  The web is vast and I can't imagine administrators sitting around all day chasing down broken sites to exclude due to the the DPI engine.

    Oh, and FLOW_TIMEOUTs are still plentiful in MR3.  

  • is there a feature request in for this? Yep, always wondered why we couldn't clear these.

  • There is a feature request to allow control of the Control Center message notifications. The request is asking for

    • Admin should be able to snooze, archive, delete control center message alerts.
    • Admin can choose to show or hide the alert messages for specific roles/access.
    • Admin can configure to send these alerts into logs.

    At this time the feature is not committed to any planned release.

  • Hi All,

    good start as well,

    1. had a customer who has been having issues with Client IPSec VPNs disconnecting throughout the day, no longer happening since upgrade!

    2. My home unit now reacts better and is a lot smoother as well.

    the only bad point is that another customer is still having issues with a S2S IKE v2 VPN disconnecting throughout the day, even after upgrade, and when there is no traffic on the connection.

    Between the XG210 and a Draytek 2862 - both on latest firmware - if anyone has any ideas I would love to hear them (as I have now resorted to using support, which could be months before it is even looked at)

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • True, but seeing a better memory management where is does not keep climbing at least. They will get to that hopefully 

  • What is the use of a scanning system if it doesn't scan and you need exceptions, what protection does that offer you?

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • __________________________________________________________________________________________________________________