Top Replies

  • The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig into documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]

Parents
  • Installed and all our workstation Heartbeats are missing (after rebooting workstations).

    Quite an issue as heartbeats are required for all workstation connectivity. Had to physically connect to the XG to put a temporary access rule in.

  • Can you clarify something for me?

    Is it just DNS that has to be allowed (which is what the article says), or does internet access have to be explicitly allowed too?

    As you know I have experienced this issue with the upgrade and before that, when I had to re-register my XG in Central. In our setup, as well as blocking access to DNS when there is no Heartbeat, we also block internet access when there is no Heartbeat. The article says you only need access to DNS, is that because there is a system firewall rule in XG which will bypass our rules to allow internet access to download the certificate? Or would we also need to allow internet access without a Heartbeat as well?

  • SFOS has a rule internally to allow traffic to Central to allow the pattern updates etc. So if there is a client, trying to reach Central, it is generally allowed. But this does not work, if the client cannot resolve the DNS record in the first place. So the client tries to resolve central.sophos.com, gets denied by the missing HB / RED Heartbeat, cannot resolve the DNS and stops working. If you allow the client to resolve DNS, it will be generally speaking allowed to communicate and restore the HB. 


  • Thanks for confirming this. On the two occasions I have had this issue, I also allowed internet access either first, or at the same time, as allowing DNS so I have never tried it with DNS only.

  • This was a known issue in the release notes for the upgrade:

    NC-82331 (Security Heartbeat): From 18.5 MR2, Sophos Firewall encrypts certificate keys. So, when you upgrade to this version, the firewall refreshes the certificate used by synchronized endpoints to send a Security Heartbeat.

    If DNS resolution to sophos.com fails, the endpoints may not get the new certificate from Sophos Central, and the heartbeat fails.
    Do as follows:
    • Make sure the endpoints have network connectivity during the upgrade. They can then fetch the new certificate from Sophos Central.
    • If the endpoints are blocked from getting DNS resolution for sophos.com to download the new certificate, go to the corresponding firewall rule and temporarily clear the checkbox "Block clients with no heartbeat".
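The recovery loop described in the thread (an endpoint with no heartbeat is blocked from DNS, so it cannot resolve Central, so it cannot fetch the refreshed certificate, so it never regains its heartbeat) and the release-note fix of clearing "Block clients with no heartbeat" on the relevant rule can be checked against a rule set with a small first-match model. This is an added example, not code from the thread or from Sophos; the rule and service names, the first-match evaluation order, and the assumption that a heartbeat-gated rule drops the packet rather than falling through are all constructed for illustration.

```python
# Added example, not from the thread or Sophos: a first-match model of how the
# "Block clients with no heartbeat" option on a firewall rule can lock an
# endpoint out of the DNS lookup it needs to fetch the refreshed certificate.
# Rule names, service names and the evaluation order are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    services: frozenset              # service names this rule matches; "*" matches any
    action: str                      # "allow" or "deny"
    require_heartbeat: bool = False  # the "Block clients with no heartbeat" checkbox


@dataclass
class Endpoint:
    heartbeat: bool      # firewall currently sees a Security Heartbeat from it
    has_new_cert: bool   # holds the certificate issued after the upgrade


def evaluate(rules, endpoint, service):
    """First matching rule decides; a heartbeat-gated rule drops the packet
    when no heartbeat is present instead of falling through (assumption)."""
    for rule in rules:
        if "*" in rule.services or service in rule.services:
            if rule.require_heartbeat and not endpoint.heartbeat:
                return False
            return rule.action == "allow"
    return False  # implicit default deny


def recover_after_upgrade(rules):
    """Simulate the post-upgrade state: the old certificate is rejected, so the
    heartbeat is gone, and the endpoint must resolve central.sophos.com to get
    the new one. The built-in allow to Central only helps once DNS succeeds."""
    ep = Endpoint(heartbeat=False, has_new_cert=False)
    if evaluate(rules, ep, "dns"):
        ep.has_new_cert = True   # certificate downloaded from Central
        ep.heartbeat = True      # heartbeat re-established with the new cert
    return ep


def find_dns_blockers(rules):
    """Name of the rule that drops DNS from a heartbeat-less endpoint, if any."""
    blocked = []
    for rule in rules:
        if "dns" in rule.services or "*" in rule.services:
            if rule.action == "deny" or rule.require_heartbeat:
                blocked.append(rule.name)
            break  # first match decides, so nothing later is consulted
    return blocked


# Constructed rule sets: STRICT gates everything (including DNS) on the
# heartbeat; RELAXED lets DNS through unconditionally so recovery can happen.
STRICT = (
    Rule("lan-to-wan", frozenset({"dns", "http", "https"}), "allow", require_heartbeat=True),
)
RELAXED = (
    Rule("dns-recovery", frozenset({"dns"}), "allow"),  # no heartbeat condition
    Rule("lan-to-wan", frozenset({"http", "https"}), "allow", require_heartbeat=True),
)

if __name__ == "__main__":
    for label, rules in (("strict", STRICT), ("relaxed", RELAXED)):
        ep = recover_after_upgrade(rules)
        print(f"{label}: heartbeat restored={ep.heartbeat}, "
              f"dns blocked by={find_dns_blockers(rules)}")
```

With the STRICT set the endpoint never recovers and `find_dns_blockers` names the rule whose checkbox would need to be cleared; with RELAXED the DNS-only allow breaks the loop while web traffic stays gated on the heartbeat, which matches the thread's observation that DNS alone is enough because the built-in rule to Central handles the rest.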