Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 181 replies
  • Answers 1 answer
  • Subscribers 76 subscribers
  • Views 37339 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v18.5 MR2: Feedback and experiences

LuCar Toni

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr2-is-now-available

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html

"Old" V18.5 MR1 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/128960/sophos-firewall-v18-5-mr1-feedback-and-experiences/

"Old" V18.0 MR5 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/127053/xg-firewall-v18-mr-5-feedback-and-experiences

Please review: https://support.sophos.com/support/s/article/KB-000043489?language=en_US



Prio
[gesperrt von: LuCar Toni um 8:07 AM (GMT -7) am 26 Mar 2022]

Top Replies

  • in reply to StevenSultana +6

    The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig in to documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]

    Jump to answer
Parents
  • 0

    Hi all, 

    we need to plan an update from18.0 MR 4 to 18.5 MR2 or later to 19.0  depending if some of the known issues are fixed before. Any how we run a XG in Active/Passive mode. We are not allowed to have bigger impact then a session reconnect for those apps which are not willing to move properly. As i treat this whole update as an "OS change" i expect stuff break  but i try to get a better view what i should expect or e.g. HA will be broken during update as both node will reboot simulatnous - such things. anyone have some input here ? The release notes gave not away much to work with. 

    So the most pressing question is behave that update like a normal one - patching passive first, failover, patch new passive , failback ? Or is it more adviseable to beak HA patch the "passive" , take conf from the active , point any client to the patched node and make it the active one. patch the other node, at best kill the config - and bring it as emtpy box back to cluster ? 

    Tbh it is hard to estimate how to work this update - as in past i encounter lot strange things with the OS release on different boxes.

    regards 

Reply
  • 0

    Hi all, 

    we need to plan an update from18.0 MR 4 to 18.5 MR2 or later to 19.0  depending if some of the known issues are fixed before. Any how we run a XG in Active/Passive mode. We are not allowed to have bigger impact then a session reconnect for those apps which are not willing to move properly. As i treat this whole update as an "OS change" i expect stuff break  but i try to get a better view what i should expect or e.g. HA will be broken during update as both node will reboot simulatnous - such things. anyone have some input here ? The release notes gave not away much to work with. 

    So the most pressing question is behave that update like a normal one - patching passive first, failover, patch new passive , failback ? Or is it more adviseable to beak HA patch the "passive" , take conf from the active , point any client to the patched node and make it the active one. patch the other node, at best kill the config - and bring it as emtpy box back to cluster ? 

    Tbh it is hard to estimate how to work this update - as in past i encounter lot strange things with the OS release on different boxes.

    regards 

Children
  • 0 in reply to Steffen Seitz

    Hi

    Last week I updated XG310 in HA (Active/Passive) from 18.0 MR5 to 18.5 MR2. Did not break HA, just did an update. First it updates passive device ( it took around 10 minutes), when passive device reboots with new OS it becomes Active device. When it switched from Act/Pass 2 pings are lost and all VPN reconect, and all SSL VPN sessions drop. Then the other device gets upgraded (also 10 minutes). Basically that is it. I had no problems. It probably also depends on how complex your configuration is. For failback I read a KB that you need to break HA and revert and set up HA again with old OS.

    BR