Next EAP release date?

Any news about next release? We will have EAP 3 refresh, EAP 4 or GA version? Any date?

darnoK said:

Any news about next release? We will have EAP 3 refresh, EAP 4 or GA version? Any date?

I was satisfied by the answer given in another thread so won't rehash it again here but a couple of points about DPI...

Snort like any other daemon has its limits... ie you can only pass so many packets before dropping the packets or bypassing the daemon. The problem with XG implementation is that you can't drop packets like you can on an IPS if the daemon gets overwhelmed so the more traffic you pass, the harder the cpu will be taxed and the quicker you will reach the top limit of the traffic processed.

Instead of putting DPI and proxy as separate entities, they probably should have done some programming magic so that snort handles all the traffic but the traffic falls back on proxy automatically if the cpu usage is getting too high or snort is getting overwhelmed. 

Not only that, I am not a fan of tweaking the same firewall rule at different places simply to pass traffic. The current implementation is too cumbersome. Choose between proxy or DPI, create exceptions for proxy or DPI, look at the logs for proxy or DPI. For a geek like myself this is really fun to tinker with but to be honest, I wouldn't want to mess with this much complexity if I was administering hundreds of users.

Sophos has really moved away from security made simple. It is security with too many half baked options maybe but definitely not simple.

This is my personal opinion and is not meant to offend anyone at sophos or other fanboys that think I keep hating on sophos.

Regards

Billybob said:

Snort like any other daemon has its limits... ie you can only pass so many packets before dropping the packets or bypassing the daemon. The problem with XG implementation is that you can't drop packets like you can on an IPS if the daemon gets overwhelmed so the more traffic you pass, the harder the cpu will be taxed and the quicker you will reach the top limit of the traffic processed.

For reference:
On the Control Center page there are now two new stats: Decryption capacity and Decrypt sessions.
SSL/TLS inspection rules > SSL/TLS inspection settings > When SSL/TLS connections exceed limit

Hi folks,

I know there have been public holidays and al those good things, but nearly a month has passed without sings of EAP 3 refresh 1.

Looking forward to some fixes in DPI because i have had to revert to proxy.

Ian

DPI will work the way it is in a foreseeable future.  Any changes in that is extremely heavy and will require months or years to fine tune.

You will get performances boost or things like that.  But if it just does not work for your application, it will not work anytime soon.

There's a price to pay to deliver machine with only 4 gig, or even less.

Paul Jr

EAP3-refresh is released internally.  After soaking it in for a bit it will be released to customers.

My understanding is that on larger boxes, DPI performance is very good.  On smaller CPU boxes it is not yet ideal.

After this refresh there are still numerous bugs that need to be fixed for GA.  The GA release date will depend on the bug count.  I know you all want to use the GA product, but I also know you don't want us to release software with lots of known defects.  All teams are focused on quality and stability right now.

Please keep the bug reports and feedback coming.

Hi Michael,
high resource consumption on small devices, specifically the processor, also is very high when using proxy mode, e.g. on the 115 Rev. 2.

A stupid question : Why call that EAP3 Refresh ?  Could not be called EAP4 ?

Paul Jr

V18 EAP3 refresh is needed urgently, currently having issues with more and more sites failing SSL check even when using the web proxy.

I have for the moment disabled https decrypt and scanning to connectivity for some failing sites, eg iinet.net.au an Australian ISP.

Lots of broken sites, but nothing in the logs. This is occurring g on MBP and W10 machine Everytinh works fine when i use the phone as a hotspot, secure connections etc.

ian

v18 is in BETA.  The notion of "urgency" does not apply here.

Paul Jr

see magic happens. LOL

Ian

see magic happens. LOL

Ian

So ? Installed since few hours ? You found any magic running already ?

As far as I am concerned Microsoft Outlook still refuses to work with DPI activated.

DPI is still no-go.

Paul Jr

IMAPS does not work with 17.5.9 or v18 EAP, the funny part is most sites work and SMTPS  with the XG CA. I am wrong about smtp, it does not work with mac mail.

What magic did I find, the major bug in ATP appears to have been fixed, now just a minor issue. DPI, I haven't seriously tried so far.

Ian

Now waiting until tomorrow's daily reports arrive.

Hi,

I've found some "new magic" on EAP 3 Refresh,

It's finally better to debug SSL/TLS erros on XG. *Overall logs still sucks.

Snort isn't killing my CPU anymore, It's using a reasonable amount of it, also something interesting: On multiple connections, snort is seamlessly sharing the load between the cores perfectly, which is impressive, something changed for good on it.
There's still some quirks and errors with DPI (mostly HTTPS), but It's with Firefox, on chrome it works perfectly now.

They changed how to create NAT rules, for good. (also made a wizard for DNAT)

I believe It has Ilferrara who gave the ideia here. Thank you!

One thing that apparently still hasn't been fixed is the new Flow Monitor, still sucks, and shows values that makes no sense.

*Dumb mistake made by myself.

Thanks!

Hi Prism,

Could you give some more specific detail on what you are seeing with Firefox with DPI enabled?

- Are the problems visible when browsing, or are you just seeing errors being logged?

- If the problems are visible when browsing, do you see errors being logged in the SSL/TLS log in log viewer? If so, could you send (in direct message) example log lines - the detail from the detailed log view would be most helpful.

- Are the problems happening with specific websites or are they happening across a range of sites?

- Are you running on Windows, Mac or Linux?

- In Firefox, enter 'about:config' in the address bar, click through the warning, and then search for security.ssl.enable_false_start. Is this set to 'true'? If you change the setting to 'false' do the quirks and errors go away or reduce?

Many thanks,
Rich

We know of many users (including internal Sophos users) who are running Outlook happily with DPI enabled, and would like to get to the bottom of why you're seeing issues where others are not.

Could you please provide more detail about the issue you're seeing with Outlook.

- What operating system are you running, and which version of Outlook? Are you connecting to a local exchange server or to Office 365?

- At what stage does it fail? Does it not connect at all? Or does it connect, but fail completely or partially to retrieve mail? Or something else?

- Do you see any errors under SSL/TLS or Web Filtering in the log viewer that are related to connections?

- Do you have SSL/TLS decryption enabled for this traffic?

Thanks,
Rich

Hi Rich,

I'm sorry that I won't be able to provide logs right now (I will do It later).

Let's start with this:

RichBaldry said:

- In Firefox, enter 'about:config' in the address bar, click through the warning, and then search for security.ssl.enable_false_start. Is this set to 'true'? If you change the setting to 'false' do the quirks and errors go away or reduce?

Already done that before, as I faced some errors with Firefox before, here's the topic.

This fixed a lot of errors I had before, but there's still some others.

RichBaldry said:

- Are the problems visible when browsing, or are you just seeing errors being logged?

The problems are visible, but on XG It doesn't show any errors, it shows as the session has successfully Decrypted. * Only on "SEC_ERROR_REUSED_ISSUER_AND_SERIAL"

I'm getting: "PR_END_OF_FILE_ERROR" on certain websites, just on the first time accessing it, refreshing the page after It and It will load as expected.

2020-01-21 12:21:01SSL/TLS inspectionmessageid="19006" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="prismpc" src_ip="10.0.0.200" dst_ip="13.227.101.7" user_group="Clientless Open Group" src_country="R1" dst_country="USA" src_port="46662" dst_port="443" app_name="" app_id="0" category="Online Shopping" category_id="45" con_id="0" rule_id="3" profile_id="2" rule_name="Defauly Decrypt" profile_name="Block insecure SSL" bitmask="Valid" key_type="KEY_TYPE__RSA" fingerprint="36:07:b9:78:01:d0:df:3e:86:1c:68:5f:50:45:24:03:eb:4d:e8:dd" resumed="1" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" sni="www.mercadolivre.com.br" tls_version="TLS1.2" reason="Dropped due to TLS engine error" exception="" message=""

I'm also getting a lot of "SEC_ERROR_REUSED_ISSUER_AND_SERIAL" It also depends on the website I'm accessing. Strange enough, this happens sometimes on Chrome, and give me no option to access the website anyway.

RichBaldry said:

- If the problems are visible when browsing, do you see errors being logged in the SSL/TLS log in log viewer? If so, could you send (in direct message) example log lines - the detail from the detailed log view would be most helpful.

As stated before I will provide logs later (I will edit this post).

RichBaldry said:

- Are the problems happening with specific websites or are they happening across a range of sites?

As stated before, It's only happening with specific websites.

RichBaldry said:

- Are you running on Windows, Mac or Linux?

Linux on my computer, and Windows 10 on my notebook.

Thanks!

RichBaldry 

I am having this issue since v18 EAP1 and this has been investigating by Sophos devs (I exchanged some logs and email with them). The issue is tracked under the NC-51956.

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115778/using-the-new-dpi-ssl-tsl-linkedin-does-not-open-with-firefox-on-mac

I have tried the FF workaround to disable the ssl component in about:config but doe not help alot.

Please create proper thread and do not use this thread as the topic is totally different.

Regards

Running windows 10, 10.0.18363.592.

Outlook 2010 and Outlook 2013

It takes up to 20 minutes before Outlook connects to Exchange.  After, it works.

In do not see SSL/TLS error.

Paul Jr