Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 99 replies
  • Answers 2 answers
  • Subscribers 65 subscribers
  • Views 24192 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v19.0 GA: Feedback and experiences

LuCar Toni

https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-os-v19-is-now-available

Release Notes: docs.sophos.com/.../index.html

"Old" V18.5 MR3 Thread: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr3-is-now-available

The V19.0 EAP Community: https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/

About the Upgrade Issues: 

See Known Issue List in Release Note

s: 



This thread was automatically locked due to age.

Top Replies

  • +2

    I have been running V19 on my personal firewall's since the public beta started. Here are my thoughts so far. I also upgraded a cluster of XG230's to test on tomorrow as well.

    * Performance-Based Link Selection

    Works great until the firewall is under load. When the CPU starts getting above 60-70%, this feature doesn't work as it should. The firewall itself will start inducing latency and jitter on links as it gets loaded down, which give false information to the service responsible for the SD-WAN routing. It seems Sophos does not have any type of CPU prioritization in SFOS to guarantee the firewall will have enough core resources to do what it is supposed to do, even if the CPU is approaching it's max.

    * Zero-Impact Transitions

    Again, great feature and it seems to work really well, but not when the firewall is under load.

    * DPI

    No performance improvements on non XGS hardware. It actually increased RAM and CPU utilization slightly on 2 different units. Still no way to disable the DPI engine from looking at inter-vlan traffic and slowing it down, like encrypted SMB that is going across VLAN's at a small site that utilizes the XG as the layer 3 device. Sophos still thinks SMB should have a layer 3 switch for inter-vlan routing, instead of just making a feature to allow the admin to exclude certain traffic from all forms of inspection. The "other guys" allow this. Hopefully Sophos will at some point. It's disappointing because it's nice to know what is flowing between VLAN's, but to do it at true wire speed of let's say 1G, you'd need an XGS 2100 at least, if it's encrypted traffic.

    Overall, I do think it's a great build, but I do wish they would close some product gaps a lot sooner than they do (like the logging that still sucks and the lack of a live flow monitor like UTM. Live Connections isn't even CLOSE to UTM's flow monitor).

    I will post another update once I have a cluster of XGS devices updated to see how they do. I will probably wait until MR1 though.

    Mike

    Jump to answer
Parents Reply Children
  • 0 in reply to Ryan Partington

    Ryan summaries my concerns better than I have.

    For us, we manage over 100 Sophos units. We upgraded 1 without issue, waited a few weeks, then did another 5 and again no issues, so push out the update to the rest of the units centrally. Then all of a sudden we had 12 clients dead in the water with no internet access. And because upgrades to critical infrastructure has to happen out of hours, the failures occurred at night and we have to wait until the morning when suddenly 12 different units are down and staff can't work. It's fine for an MSP to perform the steps to rectify, but you can't get a client to log in to advanced shell and run those commands.

    I get the issues with reissuing firmware to resolve a bug, but what I don't understand is that if the Sophos knows it's doing a firmware update and then it ends up in Failsafe mode, it clearly knows the process has failed. Why can't it mark that FW image as faulty so that next the time appliance boots it goes back to the known good FW image? That way we could just tell the client to power cycle the unit and they'd be back online and log in remotely to fix. This was one of my biggest issues with Cyberoam previously as well. If a FW fails to boot, next time boot to the other one. That way the client is not dead in the water.

  • 0 in reply to Stuart James

    First of all, a SIG/ISO build is a finish state. You are using a build XYZ version. In this version, the issue was not discovered. So to "flag this as a failed image" the code is not there to flag in, as the issue was not known to the firewall at this point.

    Sophos could revoke the entire build. This means pull back build XYZ for all customers. Re release a new version (build ABC with the fix). This takes a long time to go through all cycles (QA checks, legal, release infrastructure etc.). 

    Failsafe is some issue, which is actually quite rare in the latest releases. I guess the last time i saw failsafe was 2 years ago. So this is not a common issue. If the migration does not work, it can pull back to the old version. But fail safe is some sort of kernel panic mode. So the entire firewall stopped at this point. 

    There is a lot of background work currently to get a state of this cannot happen again. 

    And again, we do not talk about "every customer is affected". It seems like only a customer base with a old configuration coming from cyberoam. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I fully understand you can't revoke the entire build, and I understand that the issue wasn't known when the firmware was released, but what I'm saying is that if the Sophos does an upgrade and the device enters "failsafe" then when entering "failsafe mode" it should automatically mark the alternative image as default for the next boot of the device. That way, if a firmware update fails and breaks the device - for whatever reason - we can just tell the customer to power cycle the device and it will boot back in to the previous firmware.