
Top Replies

  • The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig in to documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]
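The reasoning in the reply above, as an added example that is not from the original thread or the product's code. It assumes the OTP in question is time-based (RFC 6238, HMAC-SHA1); `OtpAccount`, `compare_recovery_models` and both secrets are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpAccount:
    """Hypothetical server-side OTP record (assumption, not a real data model)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, unix_time))

    def reset(self, new_secret: bytes) -> None:
        # Recovery by re-initialisation: the old secret is discarded, never shown.
        self.secret = new_secret


def compare_recovery_models(now: int):
    old_secret = b"constructed-secret-A"  # constructed sample value
    new_secret = b"constructed-secret-B"  # constructed sample value
    account = OtpAccount(old_secret)

    # Model 1: the existing secret can be recovered. A second token built from
    # it is indistinguishable from the user's, and the user's token keeps
    # working, so nothing signals that a copy exists.
    recoverable = {
        "user_token_ok": account.verify(totp(old_secret, now), now),
        "second_token_ok": account.verify(totp(old_secret, now), now),
    }

    # Model 2: recovery deletes the secret and enrolls a new one. Whoever did
    # the reset holds the only working token; the original user's next login
    # fails, which is the signal the reply describes.
    account.reset(new_secret)
    reinitialised = {
        "old_token_ok": account.verify(totp(old_secret, now), now),
        "new_token_ok": account.verify(totp(new_secret, now), now),
    }
    return recoverable, reinitialised
```

A failed login with the old token after a reset is the event worth logging and alerting on, since it is the only point at which an unexpected re-enrollment becomes visible to the account owner.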

  • Suggestion:

    • Add Dark theme.
    • Add option to display Host in the browser tab to identify which firewall it is. This helps when working on multiple firewalls at the same time.
    • When adding a new interface such as a VLAN, give an option to create another one while the first one is being created. The GUI takes forever to create the VLAN and then drops you back to the Network tab. This is really time-consuming when creating multiple VLANs during the initial setup.
    • Add DHCP creation at the end of the new interface creation window. Give a check box for enable when created.
    • Create a link from the DHCP lease to reserve the selected lease. (Instead of copying the MAC, go into DHCP, then add there.)
    • Give an option to NOT monitor an interface state. Sometimes, we leave one LAN interface open and only use it to configure directly when all other interfaces are VLAN and there is no managed switch to use. Because this port is configured but unplugged, the home page always shows yellow on the interface.
    • In general, the GUI is too slow even on high-end CPUs. Too much wait time on each action. On a fast CPU (E3-1220), 20% of the time is waiting for the GUI to load or an action to complete. On a slower CPU (J1900), this goes up to 60-80%.
    • Remove the WiFi interface or option to turn it off. In any case, there is no wifi directly on the firewall but connected via other interfaces.

    Bugs(?):

    • When WAN is on DHCP and WAN port state changed, WAN IP is not auto retrieved after the WAN state becomes online. WAN interface requires a change from the GUI to update the DHCP information. (In other words, when changing the WAN to a different IP, auto-update either takes forever to happen or never happens.)
    • When accessing Admin HTTPS from WAN, sometimes, the view log window from the GUI will cause the session to terminate. This requires a firewall reboot to fix. (I know WAN access is not recommended. This is only used for staging.)
    • From time to time, dragging firewall rules to change their order stops working. (Suggestion: add the move up/down button directly on the rule/group.)
  • When WAN is on DHCP and WAN port state changed, WAN IP is not auto retrieved after the WAN state becomes online. WAN interface requires a change from the GUI to update the DHCP information. (In other words, when changing the WAN to a different IP, auto-update either takes forever to happen or never happens.)

    I have the same problem with my 2nd WAN connection; it's a DHCP LTE connection. I used it as a backup connection with WAN Link Manager, and the whole XG would become unstable with services crashing after some hours. Since I disabled/unbound the port where the LTE modem is connected, everything went back to stable.

  • I had problems with the memory modules in my HW Firewall barebone. The DIMMs were defective, leading to all sorts of core dumps.
    Since I changed the DIMM, everything runs smoothly, also with the 2nd WAN connection.
