
  • can you clarify something for me?

    Is it just DNS that has to be allowed (which is what the article says) or does internet access have to be explicitly allowed too?

    As you know I have experienced this issue with the upgrade and before that, when I had to re-register my XG in Central. In our setup, as well as blocking access to DNS when there is no Heartbeat, we also block internet access when there is no Heartbeat. The article says you only need access to DNS, is that because there is a system firewall rule in XG which will bypass our rules to allow internet access to download the certificate? Or would we also need to allow internet access without a Heartbeat as well?

  • SFOS has a rule internally to allow traffic to Central to allow the pattern updates etc. So if there is a client trying to reach Central, it is generally allowed. But this does not work if the client cannot resolve the DNS record in the first place. So the client tries to resolve central.sophos.com, gets denied by the missing HB / RED Heartbeat, cannot resolve the DNS and stops working. If you allow the client to resolve DNS, it will, generally speaking, be allowed to communicate and restore the HB.


  • Thanks for confirming this. On the two occasions I have had this issue, I also allowed internet access either first, or at the same time, as allowing DNS so I have never tried it with DNS only.

  • SSL/TLS engine errors

    As well, one site has been classified as parked yet carries traffic and has done so in the past. If I use my phone hotspot the data downloads correctly.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Issue is related to Sophos Central. Using top I see a process called hbtrsut that runs before openssl tries to generate a bunch of certs.

    Deregistering from Sophos Central stopped the issue, and CPU is back to normal.

  • A little bug.

    If you create a web exception using a URL, then try to add the URL to FQDN to manage access, an error screen is generated saying that the URL already exists.

    Now a search through the FQDN listing does not show the URL in question.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Same here with the licence issue. @lucar-toni do we have a solution to this yet?

  • What do you mean? The license is shown as invalid? Do you have a valid license?


  • Of course I do have valid XG licences :-) But I do also have one expired Endpoint licence in Central. But this should not be related as it worked until MR-2.

    "Security Heartbeat is not available due to license issues, verify licenses. Please contact your Sophos Partner to update your Sophos Central or Sophos Firewall licenses." vs. Licensed subscriptions: Xstream Protection bundle

    I will not upgrade the remaining boxes to MR-2 for now.

    And a small side note... I've been with XG since v16 and the road to v18.5 has been quite a ride. Basic things like Let's Encrypt support are still missing, new releases break things, and issues reported as fixed are still not working (I need to reopen a ticket for iOS IPsec VPN not working, which should be fixed with NC-76400 in MR-2).
