  • Could you create a Support case for this? Because actually this should not occur. Do not forget - MR2 is a "Softrelease". We are not expecting issues, but problems could still occur; that's the reason for a soft release.


  • Will do sometime today. I understand, I was aiming for NC-76400, which should resolve my other support ticket from March, yes March 2021, so 9 months :-/

  • I have the same problem: heartbeat dead in the GUI after the upgrade from 18.5.1_MR-1-326 to MR2.

    In /log/heartbeatd.log I have this error:

    [2021-12-01 14:26:36.814Z] ERROR HBSessionHandler.cpp[31086]:256 dbCallbackEncryptedPassphrase - Decryption of passphrase is failed

    [2021-12-01 14:26:36.814Z] FATAL HbdModuleBuilder.cpp[31086]:143 intializeAndRunHbd - Password missing to decrypt the key

    [2021-12-01 14:26:36.814Z] INFO HbdModuleBuilder.cpp[31086]:148 intializeAndRunHbd - Heartbeat daemon halted

  • On my box it's about missing crt files :-/ ...

    [2021-12-07 12:31:30.639Z] INFO HbdModuleBuilder.cpp[30468]:96 intializeAndRunHbd - Heartbeat daemon starting
    [2021-12-07 12:31:30.987Z] INFO HbdModuleBuilder.cpp[30468]:225 neededFilesMissing - blocking until missing files exist:
    [2021-12-07 12:31:30.988Z] INFO HbdModuleBuilder.cpp[30468]:227 neededFilesMissing - /conf/sysfiles/heartbeatd/server.crt
    [2021-12-07 12:31:44.721Z] INFO HbdModuleBuilder.cpp[30468]:225 neededFilesMissing - blocking until missing files exist:
    [2021-12-07 12:31:44.721Z] INFO HbdModuleBuilder.cpp[30468]:227 neededFilesMissing - /conf/sysfiles/heartbeatd/server.crt
    [2021-12-07 12:32:21.137Z] INFO HbdModuleBuilder.cpp[30468]:303 operator() - Got SIGNAL so daemon is going to stop
    [2021-12-07 12:33:05.044Z] INFO HbdModuleBuilder.cpp[30958]:202 initLogger - Word size of architecture: 64
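
A triage sketch for the two heartbeatd.log failure patterns posted above, added here as an example (it is not Sophos code and not from either poster). The function name `triage` and the cause labels are assumptions of this example; the sample lines are copied from the two posts.

```python
import re
from collections import defaultdict

# Layout seen in the posts: [timestamp] LEVEL source.cpp[pid]:line function - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<src>\S+?)\[(?P<pid>\d+)\]:\d+\s+"
    r"(?P<func>\S+)\s+-\s+(?P<msg>.*)$"
)

# Sample lines copied from the two posts above.
SAMPLE = """
[2021-12-01 14:26:36.814Z] ERROR HBSessionHandler.cpp[31086]:256 dbCallbackEncryptedPassphrase - Decryption of passphrase is failed
[2021-12-01 14:26:36.814Z] FATAL HbdModuleBuilder.cpp[31086]:143 intializeAndRunHbd - Password missing to decrypt the key
[2021-12-01 14:26:36.814Z] INFO HbdModuleBuilder.cpp[31086]:148 intializeAndRunHbd - Heartbeat daemon halted
[2021-12-07 12:31:30.987Z] INFO HbdModuleBuilder.cpp[30468]:225 neededFilesMissing - blocking until missing files exist:
[2021-12-07 12:31:30.988Z] INFO HbdModuleBuilder.cpp[30468]:227 neededFilesMissing - /conf/sysfiles/heartbeatd/server.crt
[2021-12-07 12:32:21.137Z] INFO HbdModuleBuilder.cpp[30468]:303 operator() - Got SIGNAL so daemon is going to stop
[2021-12-07 12:33:05.044Z] INFO HbdModuleBuilder.cpp[30958]:202 initLogger - Word size of architecture: 64
"""

def triage(text):
    """Group log lines by daemon PID and summarise why each instance did not come up."""
    report = defaultdict(lambda: {"causes": set(), "missing": set(), "halted": False})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        entry = report[int(m["pid"])]
        msg = m["msg"]
        # Cause labels below are this example's own, not Sophos terminology.
        if ("Decryption of passphrase is failed" in msg
                or "Password missing to decrypt the key" in msg):
            entry["causes"].add("passphrase")
        elif m["func"] == "neededFilesMissing" and msg.startswith("/"):
            entry["causes"].add("missing-file")
            entry["missing"].add(msg)  # the path the daemon is blocking on
        elif "daemon halted" in msg:
            entry["halted"] = True
    return dict(report)

if __name__ == "__main__":
    for pid, info in triage(SAMPLE).items():
        print(pid, sorted(info["causes"]) or ["no failure seen"],
              sorted(info["missing"]), "halted" if info["halted"] else "")
```
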

  • I'm not sure if this is related to 18.5-MR2, but I cannot change anything in Configure/Authentication/Web Authentication for Captive portal.

    I set it to default, then changed anything in behavior, clicked Apply and got this pop-up:

    I have no idea what URL or IP is invalid, because it just won't tell :-/

  • Found it!

    Even after resetting to default the "Show web page after sign-in" is unchecked and at the same time it's set to custom and won't let you apply.

    You need to check the box, set to "Originally requested by user" and Apply. Then uncheck "Show web page after sign-in" and Apply again.

  • Hi, can you please DM me your Support Access ID?


  • Info from support:

    In version v18.0.MR5 there is no passphrase encryption feature for server.key, and the encryption is enabled in v18.5MR2. As part of passphrase encryption we check whether the central account used for registration of Firewall has a valid Syncsec/EP license or not, so if the central account doesn't have a valid license we do not encrypt the passphrase, and the Heartbeat daemon will be in DEAD state. You will not see this issue if you use a valid Central account with licenses in v18.5MR2.
    This is expected behavior and as a result you will have the below logs: "Security Heartbeat is not available due to license issues, verify licenses. Please contact your Sophos Partner to update your Sophos Central or Sophos Firewall licenses."

    Ok I guess, but wrong from a UX point of view. Because we do not use Endpoint Protection, our box will have a RED Services icon and will report a DEAD service on the Status frontpage? Seems to me that this change was not prepared well enough. I see myself checking the services quite often just to be sure it's only the heartbeat service. Because how can I now see after login if any other issue is there?

  • The option to view the QR code of a user's OTP was removed. Can't find this in the release notes. Was quite a surprise for a client who used that option to re-instate changed phones etc.

    Resolution/workaround is to delete the OTP and have the user re-create it.

    (#2 can't sort release notes by Component to find changes related to a specific feature more quickly - sorting by component not by ID is a bit more human-readable)

  • Getting occasional errors like this is not unexpected and is certainly not new to MR2. Most occurrences of errors like these are intermittent and go unnoticed and the browser or other app just reconnects and gets on with things. Occasionally they may happen consistently for certain hosts, causing noticeable problems, which is why we include them in the logs.

    Flow timeout usually means the server stops responding to us before the handshake is complete. This happens from time to time depending on the client and server app. For example, if a server is under heavy load it might complete the TLS handshake but not be able to service the HTTP request within the TLS tunnel.

    Session Unknown can happen when a device tries to establish a TLS connection using a session ID that was previously unseen by the Firewall - maybe the device moved networks, or the TLS decryption rules changed, or the Firewall was restarted, or the session ID was just very old and had aged out of the Firewall's session cache. Typically these occurrences don't cause significant actual problems - apps generally retry the connections. This is just a standard part of the TLS protocol - even if we weren't in the path doing decryption, the server may lose track of a session ID and tell the client to reconnect.
