Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 181 replies
  • Answers 1 answer
  • Subscribers 76 subscribers
  • Views 37164 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v18.5 MR2: Feedback and experiences

LuCar Toni

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr2-is-now-available

Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html

"Old" V18.5 MR1 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/128960/sophos-firewall-v18-5-mr1-feedback-and-experiences/

"Old" V18.0 MR5 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/127053/xg-firewall-v18-mr-5-feedback-and-experiences

Please review: https://support.sophos.com/support/s/article/KB-000043489?language=en_US



Prio
[gesperrt von: LuCar Toni um 8:07 AM (GMT -7) am 26 Mar 2022]

Top Replies

  • in reply to StevenSultana +6

    The specific change you mention was a result of a security review we carried out on the OTP functionality. It is not good practice to provide methods to recover existing secrets because this makes it much easier to create cloned tokens that could be used without the knowledge of the original user to gain access to their account. Recovering OTP on an account by deleting the existing secret and creating a new one is more secure because even if it is done by the wrong person, the original user will realize the error the next time they try and log in using their old token.

    You see the same behaviour in most websites that offer OTP options like this - the only way to recover if you lose your OTP is to re-initialize with a new secret.

    Your point about including more specifics about this in the release notes is valid. We try to keep the release notes brief so that customers can read them all quickly and identify areas that may concern them where they can dig in to documentation to find out more. Sometimes we make them too brief. We'll take your feedback into account.

    [I updated my original post because I mistakenly thought I was reading the v19 EAP1 forum. Apologies for any confusion.]

    Jump to answer
  • 0 in reply to LuCar Toni

    Hi,

    I think there was a comment about additional features in the software version, would that be the cause and what are the additional features?

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to JasP

    Same Issue here. Clients on the VLAN that does NOT require HB on the firewall rule that allows http/https to WAN work fine, clients are authenticated using HB. Clients on the VLAN that requires HB to access the internet cannot authenticate using HB and cannot access anything on the WAN. This was an upgrade 18.5.1 -> 18.5.2 on an XG flashed SG430.

    After removing the HB and "match known users" requirement from the firewall rule the clients started authenticating using HB again.

  • 0

    Installed and everything worked fine. The reboot after the installation took over 20 minutes. The UI seems faster now. But I can't find the Sophos Assistant in the right corner.

  • 0 in reply to TheBalmasque

    You might need to widen your browser page, on my XG it is about 1/3 down on a very wide page.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Florian SM

    Yes, MR2 regenerate a certificate on the firewall level. We will update all needed documents to reflect this and what to do. 

    Additionally we are checking, why a client is not able to update in the state of missing hb. 

    __________________________________________________________________________________________________________________

  • 0

    The time for the CLI logs such as applog, strongswan log and csc log have now changed to GMT from local time. However when running the date command in the CLI it is showing the local time as well as in the GUI. Was that intended?

  • 0 in reply to Hank Hill

    Yes - There was a streamline process made to sync up all Logs. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I would have thought that the issue (at least for us) was DNS. Even when we allowed internet access, certificates could not be renewed because we also require Heartbeat to access our internal DNS server (which isn't the XG). Unlike Heartbeat itself, which connects to a fixed IP, certificate renewal must use a URL. If you can't resolve that URL then you aren't going to be able to renew the certificate whatever internal firewall exceptions are present on the XG. Certificates renewed fine once we allowed access to our DNS without a Heartbeat.

  • 0 in reply to SOPORTE ROVELLA CARRANZA

    Heartbeat should be able to cover after a one time internet connection of the clients. 

    CPU increase seems to be a odd behavior, which i cannot comment on. We would need a support case to investigate this further. 

    __________________________________________________________________________________________________________________

  • 0

    Please put a warning on the firmware details page stating that the firmware upgrade can lead to loss of connectivity when depending on heartbeat state and heartbeat authentication.

    Which destinations need to be excluded to allow the communication from Sophos Central endpoints to Sophos Central for renewing/receiving the new certificate for Heartbeat communication?