
Sophos Firewall policy problems when upgrading from Sophos 9.5 to 9.7

Hi,

Recently we have started looking to deploy upgrades of 9.7 out to our existing base of 9.5 users. For any of our on-premises staff, it's been quite straightforward: we would put the users into a "9.7 recommended" update group, the users update accordingly, and we would issue an alert to the users' PCs advising them to reboot within 24 hours.

But with that said, we have a high number of users who are remote workers; their main means to connect back to our systems is via an IPsec VPN.

From our testing, when we attempt to upgrade a 9.5 user (operating remotely), it appears the Sophos update packages download to the PC and the upgrade process begins, but when it gets to the stage of upgrading the firewall, the installation process appears to reset the firewall policy ruleset. From speaking with Sophos Support, the Sophos install/update procedure expects the PC to be on the LAN and be able to see our Sophos update servers. But if you're off-site this isn't possible, unless you go to setting up an internet-facing update point (which I really don't want to have to do, or see the need for the additional costs to set this up).

Has anyone had this situation before? Can you advise how you resolved it?

The response we received from support was simply not good enough. The advice given was to disable the firewall, get the user to retry the VPN connection, then perform a Sophos update to get our firewall rule to download. This is not a suitable resolution, as we are dealing with a large number of employees around the globe. The thought of requesting, let alone showing, an employee how to turn off their firewall is a scary prospect.

I don't see why the updater/installer process cannot utilise the already cached policy ruleset? Is there a way to force the installer to use the rules already in place on the 9.5 firewall version?

If you can think of any suggestions, it would be much appreciated.



  • Hello pdc,

    not going into the details of this behaviour (and the reason for them) - I expect that putting the policy in the CID might help to overcome this situation. Hmmmm ..... I've just checked - ask Support what they think of this article. Admittedly it does not exactly apply to your problem as a reboot won't help - while the "empty" firewall policy will allow the "Sophos" connections you are likely unable to establish the required VPN.

    Christian

  • Thanks for that Christian, that link certainly helps me to carry out some additional testing. It's definitely a step in the right direction.

    I'm really keen to get a smooth transition of upgrades. If a reboot is the only thing that needs to be done, then that makes life a million percent easier, as I can easily issue a pop-up alert to the PC to request a reboot.

    I don't understand the reasoning around not putting this functionality (rules inclusion) in as a base product. I can only hope that this type of oversight is picked up on the v10 release. Hopefully it's just down to the v9 architecture.

    When you have hundreds of PCs around the globe that need to be upgraded, the majority of them being on-the-road staff, the installation/upgrade process really has to be right first time; you can't keep chasing individual PCs, otherwise the upgrade process becomes expensive to manage.

    Thanks again for your time and assistance.

  • I don't understand the reasoning around not putting this functionality (rules inclusion) in as a base product

    Apart from the bug mentioned in the article it is by design that custom policies are only supplied by RMS. While there is a bootstrap policy (which permits "Sophos") it's impossible for it to be "VPN aware" (perhaps something like a site-defined policy which allows the VPN components would be possible). The final question is - why can't it use the cached policy as it is possible to export/import policies across versions? Compatibility? I don't know.

    If the reboot doesn't help try the policy in the CID.

    Christian

  • We got burned by this during our 9.5 to 9.7 upgrade. It's disturbing this is identified as a problem in 9.5 that apparently wasn't corrected for the 9.7 release. Out of curiosity, do your client application event logs show several msinstaller "firewall files in use" messages before reporting the FW install & config as successful?

  • Hi,

    The AdapterStorage ("\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\") and Envelopes ("\ProgramData\Sophos\Remote Management System\3\Router\Envelopes\"), along with a few other things, should be backed up to "\windows\temp\" and then restored as part of the update, to conserve the config on update of RMS and to prevent a no-ref causing a new policy to be sent from SEC.

    If you create a directory under:

    "\ProgramData\Sophos\Remote Management System\3\"

    just called for example:

    "\ProgramData\Sophos\Remote Management System\3\test\"

    and then upgrade do you see the same thing or does this enable the backed up files to be restored?

    Note: change "\ProgramData\" to "\documents and settings\all users\application data\" as required.

    It might be worth running Process Monitor during an update to see what happens.

    Hope it helps.

    Regards,

    Jak

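Jak's post says the RMS AdapterStorage and Envelopes folders should be backed up and restored across the update, and asks whether that actually happens on an affected machine. The following PowerShell script is an added example, not part of the thread and not Sophos's own backup/restore logic: it snapshots those two folders (the paths quoted above) with a SHA256 manifest before the upgrade and compares the live folders against the snapshot afterwards, so a test PC can show whether the cached RMS state survived or was wiped (which is what a reset policy would suggest). The snapshot location under `\windows\temp\` and the manifest file names are assumptions; read access to `\ProgramData\Sophos` is required, and the script never writes into the RMS folders.

```powershell
# Added example (not from the thread or from Sophos): snapshot the RMS
# AdapterStorage and Envelopes folders before an upgrade, then compare after
# it to see whether the cached state survived the update. The watched paths
# are the ones quoted in the thread; $BackupRoot is an assumption.

$RmsRoot = Join-Path $env:ProgramData 'Sophos\Remote Management System\3'
$Watched = @(
    (Join-Path $RmsRoot 'Agent\AdapterStorage'),
    (Join-Path $RmsRoot 'Router\Envelopes')
)
$BackupRoot = Join-Path $env:SystemRoot ('Temp\RmsSnapshot-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Get-FolderManifest {
    # Returns a hashtable of relative path -> SHA256 for every file under $Path.
    # Files locked by the RMS services are skipped with a warning rather than
    # aborting the whole manifest.
    param([string]$Path)
    $manifest = @{}
    if (-not (Test-Path $Path)) { return $manifest }
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Path.Length).TrimStart('\')
        try {
            $manifest[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            Write-Warning "Could not hash $($_.FullName): $($_.Exception.Message)"
        }
    }
    return $manifest
}

function Save-RmsSnapshot {
    # Run BEFORE the upgrade: copies each watched folder under $BackupRoot and
    # writes a JSON manifest next to the copy.
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    foreach ($dir in $Watched) {
        if (-not (Test-Path $dir)) { Write-Warning "Missing before upgrade: $dir"; continue }
        $name = Split-Path $dir -Leaf
        Copy-Item -Path $dir -Destination (Join-Path $BackupRoot $name) -Recurse -Force
        Get-FolderManifest $dir | ConvertTo-Json | Set-Content (Join-Path $BackupRoot "$name.manifest.json")
    }
    Write-Host "Snapshot written to $BackupRoot"
    return $BackupRoot
}

function Compare-RmsSnapshot {
    # Run AFTER the upgrade: for each watched folder, count files that vanished
    # or changed relative to the pre-upgrade manifest. A folder whose files are
    # all missing indicates the RMS state was not restored by the installer.
    param([Parameter(Mandatory)][string]$SnapshotRoot)
    foreach ($dir in $Watched) {
        $name   = Split-Path $dir -Leaf
        $before = Get-Content (Join-Path $SnapshotRoot "$name.manifest.json") -Raw | ConvertFrom-Json
        $after  = Get-FolderManifest $dir
        $missing = @(); $changed = @()
        foreach ($p in @($before.PSObject.Properties)) {
            if (-not $after.ContainsKey($p.Name))   { $missing += $p.Name }
            elseif ($after[$p.Name] -ne $p.Value)   { $changed += $p.Name }
        }
        [pscustomobject]@{
            Folder       = $name
            FilesBefore  = @($before.PSObject.Properties).Count
            FilesAfter   = $after.Count
            Missing      = $missing.Count
            Changed      = $changed.Count
            MissingNames = ($missing -join '; ')
        }
    }
}

# Usage on a test PC:
#   $snap = Save-RmsSnapshot          # before starting the 9.7 upgrade
#   Compare-RmsSnapshot -SnapshotRoot $snap | Format-Table -AutoSize   # after reboot
```

Pair the comparison with the Process Monitor capture Jak suggests: the manifest tells you whether the files came back, and the Process Monitor trace shows which process removed or recreated them, which is the evidence to hand to Support. The script only reads the RMS folders and copies them out; it deliberately does not copy anything back in, since restoring RMS state by hand is not something the thread establishes as supported.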