Sophos Firewall: v19.0 GA: Feedback and experiences


  • I have been running V19 on my personal firewalls since the public beta started. Here are my thoughts so far. I also upgraded a cluster of XG230s to test on tomorrow as well.

    * Performance-Based Link Selection

    Works great until the firewall is under load. When the CPU starts getting above 60-70%, this feature doesn't work as it should. The firewall itself will start inducing latency and jitter on links as it gets loaded down, which gives false information to the service responsible for the SD-WAN routing. It seems Sophos does not have any type of CPU prioritization in SFOS to guarantee the firewall will have enough core resources to do what it is supposed to do, even if the CPU is approaching its max.

    * Zero-Impact Transitions

    Again, great feature and it seems to work really well, but not when the firewall is under load.

    * DPI

    No performance improvements on non-XGS hardware. It actually increased RAM and CPU utilization slightly on 2 different units. Still no way to disable the DPI engine from looking at inter-VLAN traffic and slowing it down, like encrypted SMB that is going across VLANs at a small site that utilizes the XG as the layer 3 device. Sophos still thinks SMB should have a layer 3 switch for inter-VLAN routing, instead of just making a feature to allow the admin to exclude certain traffic from all forms of inspection. The "other guys" allow this. Hopefully Sophos will at some point. It's disappointing because it's nice to know what is flowing between VLANs, but to do it at true wire speed of, let's say, 1G, you'd need an XGS 2100 at least if it's encrypted traffic.

    Overall, I do think it's a great build, but I do wish they would close some product gaps a lot sooner than they do (like the logging that still sucks and the lack of a live flow monitor like UTM. Live Connections isn't even CLOSE to UTM's flow monitor).

    I will post another update once I have a cluster of XGS devices updated to see how they do. I will probably wait until MR1 though.

    Mike

  • Had to roll back to 18.x MR3. The SSL VPN for remote appeared to be working; however, some users were getting socket timeout errors when attempting to connect through the IPsec tunnel to a server on the other side. After rolling back, those users were able to connect just fine. Had tried the new all-in-one client as well. This is what it was doing:

    SSL VPN IN ---> Out IPsec Tunnel to Remote Server ---> Program reports Socket Time out

    on 18.x MR3:

    SSL VPN IN ---> Out IPsec Tunnel to Remote Server ---> Connection succeeds

    Has anyone else seen this issue?

    And as stated, it does not affect every user, and the users that are affected are running the same version of the Sophos SSL VPN client as the other users. Like I said, I did try Sophos Connect and it did not work. I wish they had not combined them as well; we deploy multiple user config files to the SSL VPN directory; if these are imported into Connect they all look identical and must be manually renamed. I guess lucky for us we can probably eventually just start using the generic openssl client instead of the one from Sophos.

  • We had the same problem and found out that only some users are affected: users that have a configuration file generated with 17.x. Check in the VPN configuration whether the affected users have the line "comp-lzo yes" and change it to "comp-lzo no". After this change SSL VPN works again. Thanks for the hours of work, as this "change" has to be done on all client computers as administrator. It was 6 hours of work for 3 of my staff. Luckily only 15-20% of our clients were affected.
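    Scripting the change described in the reply above, as an added example that is not from the thread or from Sophos: it rewrites only exact `comp-lzo yes` lines in each client .ovpn file, leaves commented-out lines and every other setting alone, and reports what it touched so a helpdesk can run it once per machine instead of editing by hand. The sample config, the directory argument and the `*.ovpn` file pattern are constructed assumptions.

```python
from __future__ import annotations
import re
from pathlib import Path

# Constructed sample of a client config that still carries the 17.x-era directive.
SAMPLE_CONFIG = """client
dev tun
proto tcp
remote vpn.example.invalid 8443
# compression line left over from a config generated by 17.x
comp-lzo yes
auth-user-pass
verb 3
"""

# Match a whole line that is exactly "comp-lzo yes" (leading indent and trailing
# spaces allowed). The lookahead keeps a CRLF line ending intact.
_COMP_LZO_YES = re.compile(r"^([ \t]*)comp-lzo[ \t]+yes[ \t]*(?=\r?$)", re.MULTILINE)


def disable_comp_lzo(text: str) -> tuple[str, int]:
    """Return (rewritten_text, number_of_lines_changed).

    Only exact 'comp-lzo yes' lines are changed to 'comp-lzo no'; '# comp-lzo yes',
    'comp-lzo no' and any other directive are left exactly as they are, so running
    the function twice is a no-op the second time.
    """
    return _COMP_LZO_YES.subn(r"\1comp-lzo no", text)


def fix_config_dir(directory: Path, pattern: str = "*.ovpn") -> dict[str, int]:
    """Rewrite every matching file under `directory` (assumed UTF-8) and report
    the number of changed lines per file, so unchanged files are visible too."""
    report: dict[str, int] = {}
    for path in sorted(directory.rglob(pattern)):
        original = path.read_text(encoding="utf-8")
        updated, changed = disable_comp_lzo(original)
        if changed:
            path.write_text(updated, encoding="utf-8")
        report[str(path)] = changed
    return report


if __name__ == "__main__":
    fixed, n = disable_comp_lzo(SAMPLE_CONFIG)
    print(f"{n} line(s) changed")
    print(fixed)
```

    Point `fix_config_dir` at the client's SSL VPN config directory with an account allowed to write there; the returned report lists files with 0 changes, which is how you confirm a machine was already clean.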

  • Are you using Sophos Connect? Because this could be done with Sophos Connect by the users themselves by updating the policy.
