Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 181 replies
  • Answers 1 answer
  • Subscribers 76 subscribers
  • Views 37164 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v18.5 MR2: Feedback and experiences

LuCar Toni

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr2-is-now-available

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html

"Old" V18.5 MR1 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/128960/sophos-firewall-v18-5-mr1-feedback-and-experiences/

"Old" V18.0 MR5 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/127053/xg-firewall-v18-mr-5-feedback-and-experiences

Please review: https://support.sophos.com/support/s/article/KB-000043489?language=en_US



Prio
[gesperrt von: LuCar Toni um 8:07 AM (GMT -7) am 26 Mar 2022]

Top Replies

  • in reply to StevenSultana +6

    The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig in to documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]

    Jump to answer
Parents
  • 0

    Installed and all our workstation Heartbeats are missing (after rebooting workstations).

    Quite an issue as heartbeats are required for all workstation connectivity. Had to physically connect to the XG to put a temporary access rule in.

  • 0 in reply to JasP

    Seems to be faster, less having to refresh pages to get all inserts.

    No improvements to IPv6.

    Ian

    Added:- still have the heartbeat service failure.

    Probably a bit harsh with the no improvements in IPv6, seeing there is a fix listed.

    The FQDN tab still does not recognise IPv6 addresses, so when will this be fixed?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.



    expanded original comment about IPv6.
    [edited by: rfcat_vk at 6:41 AM (GMT -8) on 1 Dec 2021]
  • 0 in reply to rfcat_vk

    Also have the heartbeat error. 

    I also get the following message under --> System --> Sophos Central.

    Security Heartbeat is not available due to licenses. Check your licenses. Please contact your Sophos partner to update your Sophos Central or Sophos Firewall licenses.

    The license is okay, though. Re-registering the XG in Central did not help either.

  • 0 in reply to EgonSommer

    If it is indeed a certificate issue, your endpoints need access to the internet and a DNS server to be able to update their certificate. This is the problem for us, because without a heartbeat, our endpoints are blocked on our network, so they can't update the certificate. I have to change our firewall rules so they can get the certificate and then they got there Heartbeats and I could change the firewall rules back.

    Not sure if you have the same sort of setup so I don't know if this will help you resolve your issue.

Reply
  • 0 in reply to EgonSommer

    If it is indeed a certificate issue, your endpoints need access to the internet and a DNS server to be able to update their certificate. This is the problem for us, because without a heartbeat, our endpoints are blocked on our network, so they can't update the certificate. I have to change our firewall rules so they can get the certificate and then they got there Heartbeats and I could change the firewall rules back.

    Not sure if you have the same sort of setup so I don't know if this will help you resolve your issue.

Children
No Data