Sophos Firewall: v18.5 MR2: Feedback and experiences

Hi folks,

I have installed this version on my xg115W and it is not working well. I have tried a number of different configurations. The aim was to replace my home XG with this new box. I built a configuration based  on my existing system but with many cleaned up and refined policies and firewall rules. That was a disaster, throughput for speediest max'ed out the line, but web surfing, just did not work at all well, pages took many seconds and sometimes minutes to load and more often timed out leaving online payments in limbo.

A restart partially fixed the issue but not completely.

The logviewer showed many failed to associate connection errors.

I removed over 50% of the configuration and in a lot of cases used the default XG provided policies with my firewall rules. With one user connected works well, while not as quick with page loads as my existing XG, still worked.

I moved my IoT network across again after refining and reducing the configuration and end up with poor connection times and lots of cannot associate errors in the logviewer.

So, the conclusion I have come to is that this version of XG software is not suitable for my XG115w with a full business licence.

My IoT network has 7 wifi devices and 5 fixed devices, which most are not always active or powered on.

Ian

Howdy,

I've got an XG 115 v3 with about 35 firewall rules (31 user/network rules + 4 WAF rules), 2 APs and about 40 devices (phones/tablets/game consoles/RasPi/VMs/servers/laptops/desktops). Ticks along quite nicely with minimal latency added and no throughput loss on my 42/13 FTTN connection. Works well for 4-5 concurrent users + whatever devices need access.

I don't do Web Control nor TLS/SSL inspection on the XG 115 - Web control is done on EndPoints using Intercept X, or from the AdGuard Home VMs I run. DNS/DHCP aren't done on the XG, but the XG is acting as an SMTP MTA.

Webadmin's never been quick, but not as slow as you've mentioned. Average weekly load is 0.54, CPU 12%, mem 2.5GB.

I may try TLS/SSL inspection if the exception list management isn't too onerous when I upgrade the XG 115 to an XGS unit.

Hi Chris,

Thank you for the information. Maybe I need a reset and start from scratch?

which version of XG are you using?
ian

Hi Ian,

Maybe. For all the XG units I've managed, the only time I've had performance issues is when I've managed to mangle DNS settings (i.e. running internal DNS and having the internal DNS forward to the XG, only for the XG to forward it back to the same servers... doh!). But again, no Web Control nor TLS/SSL inspection load.

Currently running 18.5.1 MR1. Upgrading to MR2 as I type this.

Hi Chris,

I fixed a dns issue yesterday, the XG does not hand out IPv6 dns info, but that does not explain the high number of unable to associate packet errors.

ian

Does "unable to associate" mean that it's trying to be stateful but it can't find the established connection so its dropping packets? The CPU utilization does seem to be increasing over time, so maybe that indicates some kind of cascading problem. Memory usage seems about what I see (on an XGS87).

Have you tested it with only one LAN device hooked up -- or through the Console with no devices hooked up? I'm wondering if a defective RJ45 port or something could be hosing you.

Hi Wayne,

the graphs are with one device connected. Unable to access the console. I will re-image it today.

Ian

Hi Ian,

After upgrading to 18.5.2 MR2 I did see similar behaviour to what you're describing, until I realised that my primary laptop was associating with the far end mesh AP (APX 530, typical RSSI of -71 dBm). The near end mesh AP (APX 530, typical RSSI of -43 dBm) was offline, as is so often the case after an XG restart. Once I power cycled the near end mesh AP and it successfully joined the mesh, then my laptop performance was back to normal.

Maybe worth investigating to see if your performance issues are WiFi related?

BTW I wouldn't touch another XG/XGS unit with built-in WiFi. Doesn't scale when you need to add additional APs as the built-in WiFi AP is a special case, and a complete pain if you want to upgrade to a non-WiFi unit (either configure from scratch, or export full config, wade through config file and excise local WiFi settings, re-order config file to ensure dependencies are parsed first, import config into clean install, then export full config from both units and compare with diff/WinMerge or check page-by-page to ensure migrated config is right).

Hi Chris,

the issues are with my mac mini which is hardwired which is what I was testing with. The built-in wifi I gave up and restored my other APs, the built-in wifi could not connect to most of wifi devices reliably.

Currently the box is dead eg you can't configure much because it is soooo slow. The speedest still max'es the line out.

Thank you for the detailed update from your equipment.

Hi Ian,

just want to ask what browser do you use for XG administration? I have 3 XG boxes (115 to 135) and one is super slow to config. I figured out it was the browser (MS Edge which is basicaly Chrome). I do now always start the browser in private/incognito mode and the web GUI is much faster. So just letting you know.

Martin

Hi Martin,

I primarily use safari and then FF, but today I ended up using edge on w10. The w10 machine is used mainly for photo scanning so it doesn't have many extras installed.

Ian

Hi Martin,

I primarily use safari and then FF, but today I ended up using edge on w10. The w10 machine is used mainly for photo scanning so it doesn't have many extras installed.

Ian