
Sophos Firewall: v19.0 GA: Feedback and experiences

Top Replies

  • I have been running V19 on my personal firewalls since the public beta started. Here are my thoughts so far. I also upgraded a cluster of XG230s to test on tomorrow as well.

    * Performance-Based Link Selection

    Works great until the firewall is under load. When the CPU starts getting above 60-70%, this feature doesn't work as it should. The firewall itself will start inducing latency and jitter on links as it gets loaded down, which gives false information to the service responsible for the SD-WAN routing. It seems Sophos does not have any type of CPU prioritization in SFOS to guarantee the firewall will have enough core resources to do what it is supposed to do, even if the CPU is approaching its max.

    * Zero-Impact Transitions

    Again, great feature and it seems to work really well, but not when the firewall is under load.

    * DPI

    No performance improvements on non-XGS hardware. It actually increased RAM and CPU utilization slightly on 2 different units. Still no way to disable the DPI engine from looking at inter-VLAN traffic and slowing it down, like encrypted SMB that is going across VLANs at a small site that utilizes the XG as the layer 3 device. Sophos still thinks SMB should have a layer 3 switch for inter-VLAN routing, instead of just making a feature to allow the admin to exclude certain traffic from all forms of inspection. The "other guys" allow this. Hopefully Sophos will at some point. It's disappointing because it's nice to know what is flowing between VLANs, but to do it at true wire speed of let's say 1G, you'd need an XGS 2100 at least, if it's encrypted traffic.

    Overall, I do think it's a great build, but I do wish they would close some product gaps a lot sooner than they do (like the logging that still sucks and the lack of a live flow monitor like UTM. Live Connections isn't even CLOSE to UTM's flow monitor).

    I will post another update once I have a cluster of XGS devices updated to see how they do. I will probably wait until MR1 though.

    Mike

  • Installed and appears to be running okay. Memory and CPU are up significantly, but on past experience I expect them to drop over the next couple of days.

    Hopefully the missing email messages will appear in the email log or is that v19.0.1 fix?

    Ian

    I can no longer enable the additional features in CM which you could do in previous versions even with an expired licence, so that Sophos received the data but the user did not get any reports. The result is that the GUI now shows failed services.

    I note the support/help function has been removed, so I can remove the application filter for it.

    Some more items: I seem to have a lot of Port2s, but no Port1, Port3 or Port4?

    The port numbering/naming in the diagnostics appears to have corrected overnight and now has the correct names against the graphs.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

    Updated port identification issues.
    [edited by: rfcat_vk at 11:11 PM (GMT -7) on 21 Apr 2022]
  • Hello!

    Just upgraded to v19 GA on my appliance and everything is working as expected.

    Also, NC-83395 isn't on the change-log, has this issue been fixed on v19 GA?

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Your ID was the reporting ID of your initial Feedback. The Fix Version is: NC-79417 Web SSL/TLS rules can't be seen on the web admin console.

    Included in V19.0 GA.

  • Upgraded, everything seems to be up and running.

    Keep on testing.

    SFVH (SFOS 19.5.1 MR-1-Build278) - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Upgraded from EAP2 to GA now. Until now everything seems to be fine, but

    - Searching for host content (IPs, networks) in all VPN settings (S2S, mobile VPN with IPsec, SSL VPN, ...) is still not possible for me. Only full-text search of the object name works.

    Is this a known problem or wanted?

  • Upgraded from EAP2 to GA and have a strange error: it says my GW is down, but everything seems to be getting through:

    The IP address of the gateway responds to ping, and traffic basically just gets through, but I've got a big red dot here and in the Gateway Detail page, and in the Control Center I've got a red interfaces icon. I have an SD-WAN profile set up with no SD-WAN routes, just to monitor the QoS, and the latency, jitter and packet loss indicators are all normal.

    I also note in the System Logs that Interface 2 (WAN) went down and up twice within about 10 seconds about 10 minutes after I'd rebooted with the GA, which was about 20 minutes ago.

  • Going to re-install Sophos XG this weekend, but based on the above, trying to run it on an Atom probably isn't worth it? I've got a Dell R220 12340L sat in the spare room, but not running it due to power consumption thoughts. The Atom unit is an Intel® E3845 based CPU with 8GB RAM. The Dell unit currently has 32GB installed, but I'd drop that back to a single 8GB DIMM (reduce power consumption and sell off spares).

  • Reboot did not fix it. Still same problem: GW Status is down (red) on multiple screens, but it's working.

  • My alias under the WAN connection stopped functioning after the update, I had to remove the alias and re-add it to get it to work again.

  • Do a packet capture on your WAN for ICMP and check if the gateway actually answers or not.