Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 181 replies
  • Answers 1 answer
  • Subscribers 76 subscribers
  • Views 37312 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v18.5 MR2: Feedback and experiences

LuCar Toni

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr2-is-now-available

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html

"Old" V18.5 MR1 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/128960/sophos-firewall-v18-5-mr1-feedback-and-experiences/

"Old" V18.0 MR5 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/127053/xg-firewall-v18-mr-5-feedback-and-experiences

Please review: https://support.sophos.com/support/s/article/KB-000043489?language=en_US



Prio
[gesperrt von: LuCar Toni um 8:07 AM (GMT -7) am 26 Mar 2022]

Top Replies

  • in reply to StevenSultana +6

    The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig in to documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]

    Jump to answer
  • 0 in reply to rfcat_vk

    Hi Ian,

    Maybe. For all the XG units I've managed, the only time I've had performance issues is when I've managed to mangle DNS settings (i.e. running internal DNS and having the internal DNS forward to the XG, only for the XG to forward it back to the same servers... doh!). But again, no Web Control nor TLS/SSL inspection load.

    Currently running 18.5.1 MR1. Upgrading to MR2 as I type this.

  • 0 in reply to ChrisKnight

    Hi Chris,

    I fixed a dns issue yesterday, the XG does not hand out IPv6 dns info, but that does not explain the high number of unable to associate packet errors.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Especially SSH should be there, as it is a light weight service. There is something wrong with your appliance. Maybe the disk broken? What kind of XG115 is this? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    It is a brand new XG115W rev 3.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Did you upgrade or reimage the appliance by arrival? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Automatic upgrade, no choice.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Does "unable to associate" mean that it's trying to be stateful but it can't find the established connection so its dropping packets? The CPU utilization does seem to be increasing over time, so maybe that indicates some kind of cascading problem. Memory usage seems about what I see (on an XGS87).

    Have you tested it with only one LAN device hooked up -- or through the Console with no devices hooked up? I'm wondering if a defective RJ45 port or something could be hosing you.

  • 0 in reply to LHerzog

    I tried to reproduce this on my test lab. I made a upgrade from V18.0 MR5 to V18.5 MR2. The certificate was renewaled. Heartbeat was blocked for some minutes, until MCS was able to fetch the new policy and all clients (multiple clients and servers) could fetch the new certificate. Firewall rule was ANY - ANY - ANY --> Block without heartbeat. Therefore the client could not communicate to any website anymore. But MCS still works due the whitelisting of SFOS. 

    You could take a look into your mcsagent.log on the client, if you see a delay or an issue of the communication itself (DNS as explained). MCS is the service to fetch the policies from Central. See: https://support.sophos.com/support/s/article/KB-000034886?language=en_US

    Generally speaking, i could not reproduce any kind of issue in this process. 

    __________________________________________________________________________________________________________________

  • 0 in reply to rfcat_vk

    I will re-image it today and report back.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Wayne Folta

    Hi Wayne,

    the graphs are with one device connected. Unable to access the console. I will re-image it today.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.