Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 181 replies
  • Answers 1 answer
  • Subscribers 76 subscribers
  • Views 37339 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v18.5 MR2: Feedback and experiences

LuCar Toni

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr2-is-now-available

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html

"Old" V18.5 MR1 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/128960/sophos-firewall-v18-5-mr1-feedback-and-experiences/

"Old" V18.0 MR5 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/127053/xg-firewall-v18-mr-5-feedback-and-experiences

Please review: https://support.sophos.com/support/s/article/KB-000043489?language=en_US



Prio
[gesperrt von: LuCar Toni um 8:07 AM (GMT -7) am 26 Mar 2022]

Top Replies

  • in reply to StevenSultana +6

    The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig in to documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]

    Jump to answer
Parents
  • 0

    We have report a bug with the release-link in the Quarantine Digest Mails.

    The port in the release-link is the port of the admin-interface and this is wrong. the link is for the endpoint-user and he can not open.

    this issue is not fixed in this new release SFOS 18.5.2 MR-2-Build380! still the same.

    In the Sophos XG management under "admin and user settings" the port for admin-portal is 4444 the port for user-portal is 443 and the link in the Quarantined Emails is like that:

    https://gateway.company.com:4444/webconsole/Controller?mode=458&release=aGR...

    this is wrong!

    we have all the time to delete all after the fqdn :4444/webconsole/Controller?mode=458&......

    only then the user can login in the userportal... whats wrong here?

Reply
  • 0

    We have report a bug with the release-link in the Quarantine Digest Mails.

    The port in the release-link is the port of the admin-interface and this is wrong. the link is for the endpoint-user and he can not open.

    this issue is not fixed in this new release SFOS 18.5.2 MR-2-Build380! still the same.

    In the Sophos XG management under "admin and user settings" the port for admin-portal is 4444 the port for user-portal is 443 and the link in the Quarantined Emails is like that:

    https://gateway.company.com:4444/webconsole/Controller?mode=458&release=aGR...

    this is wrong!

    we have all the time to delete all after the fqdn :4444/webconsole/Controller?mode=458&......

    only then the user can login in the userportal... whats wrong here?

Children
No Data