This discussion has been locked.

V17 MR5 and failures

Hi folks,

Installed MR5 this morning, not good.

1. AP 55 5 GHz SSIDs now take even longer to come online.

2. MacBooks and iPads are unable to connect to the Apple Store, no internet connection; funny, I am writing this post from the same MacBook. I have restarted the MacBook.

I have an Apple update rule (before MR5 installation) which will be the subject of another thread shortly. iPhones all seem to connect to the Apple Store quite happily.

Ian



  • To add to this, the following are having issues:

    1. SNMP - with the previous version SNMP used to work; now the NMS is not picking up any SNMP traffic from the XG, and snmpwalk does not even return details.

    2. Control Center shows CPU, Memory and Traffic as zero (though we have internet).

    3. Logging daemon has stopped.

    Will be reverting to the old firmware, then wait and see for any feedback on the new firmware.

  • After using the hotspot on my iPhone with the Mac to talk to the internet, I tested access to the Apple Store and it connected, then tried again through the XG and the MacBook connected. Restarted the MacBook and tried the connection again, and again it connected without error. So what is wrong with the XG MR5 that stops the initial contact?

    Ian

  • Perhaps related to this FQDN bug, where the initial connection sometimes fails until the resolution is completed by the DNS server and subsequent tries work as expected. https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/97805/first-fqdn-host-resolution-happens-to-late-when-used-in-fw-rule I am not sure if they fixed it or not. I can't keep up with all the quirks. Still running MR3, which has been pretty stable for me since I don't use IPsec VPN. Although it has a remote code execution exploit when using WAF which was patched in MR4. I use UTM9 for WAF.

    The list of fixes is long in MR5, which scares me a little, so I am going to wait for other people to start testing/complaining and I may skip it again till MR6, which from the release notes doesn't seem too far off.

    Edit: I am guessing that Sophos is not going to update the Linux kernel for the Spectre and Meltdown bugs and take the calculated risk that everything will be fine on a firewall if no user is actively installing programs :D Can't say that I blame them... reissuing throughput guidance for all their patched appliances will surely be messy, especially if you were already pushing your box to the limit.

  • All other lookups worked. I tried 4 different Apple devices and all failed to connect to the Apple Store. I spent a lot of time investigating and fixing the Apple access, then Apple released a fix in 10.13.3 and 10.13.4 beta, then Sophos broke it again.

    I updated the BIOS on my XG and did not notice any difference in performance.

    Ian

  • Hi Ian,

    In my case, the iPhone at first glance connected to the AP, but no internet traffic at all was allowed. Disconnecting and reconnecting the mobile to Wi-Fi did the trick. Also look at the traffic graph:

    Active Firewall Rules.....:-)