XG V18 MR3

Got an email for the new release but the link is broken.

Hi XG Community! We've released a new build of XG Firewall v18 MR-3. Enhancements in v18 MR-3 Security enhancements: Several security and hardening enhancements - including SSMK (secure storage master key) for the encryption of sensitive data.... more

Page not found ...

Hi,

I agree with the update time, although I do not have the update tot he AP Firmware yet, very odd, my system is a Partake I7 with VMWare VSphere 6.7 installed, and then the Guest instances have VMXNet3 NICs and it is configured in HA (A/P).

... scrub that after logging out and logging in the new AP firmware has appeared, yay

SSMK is described in the release notes.

Any news on NC-59127 ? Or there will be only a fix for it at v18.5/v19 ?

Prism, latest news I can give you on that issue is that is is currently in backlog for v19. I will talk to the engineering team responsible to see if it can be pulled in, but there is a lot in the backlog and I can't commit at this stage.

Thanks for the answer!

Also another thing, since on v18 MR2 Snort has been pushed to the latest version (2.9.16) is there any chances we will see Snort 3 on v18.5/v19 ? I'm asking this since Snort 3 already got out of beta, and will be soon GA by the end of the year.

PMStuart Any plans for an improved AD sync feature? 

SNORT 3 has been in Beta for so long that we had to decide to go for the latest shipping and supported version. I know it may seem like it should be the case, but it's not a matter of dropping in a binary or a library. SNORT is a very tightly integrated and customised component of SFOS, V3 is on our radar but not in the near future.

In what respect Jonnie?

Thanks; This has the answer I expected, way too much stuff changed from Snort 2.x to 3.

Choose an AD group that will constantly synced with the XG. I can import groups and the including members, but if I remove a user from the group at AD, the access at the XG is not removed. At least this is my last experience a few MR's ago. 

Choose an AD group that will constantly synced with the XG. I can import groups and the including members, but if I remove a user from the group at AD, the access at the XG is not removed. At least this is my last experience a few MR's ago. 

Did you try to reauthenticate with the users whos group membership has changed. From my experience, sync actions are only done upon authentication.

Sure I did this. The User was able to login, though he was not longer in the ad group.

Removing a user from an ad group does - in my opinion - not block him from authenticating against the firewall. From my understanding he will be then assigned to the default group "Open Group". Please check this.

Seems to be a general problem to delete something (for example IP Object)

XG will not delete the user in this phase. It will simply authenticate this user in the next authentication phase. So if the user is removed from a group or inactive in AD, XG will try to talk to the AD. AD will tell XG the current status. 

If the user is placed on XG, does not matter, as XG will not grant access without the matching group and the correct password. 

But from what I understand, removing a user from an ad group should only put him back to the default group. Therefor the user will be able to access the user portal, even when not having any permission assign inside the default group, am I correct?

This is something I would love to see, like in Sophos SG, so being able to specify group membership for such firewall services and don't sync users, that could not authenticate against the firewall based on the permission scope, if you understand what I mean ;)