
Sophos Firewall: v19.0 GA: Feedback and experiences


  • I have been running V19 on my personal firewalls since the public beta started. Here are my thoughts so far. I also upgraded a cluster of XG230s to test on tomorrow as well.

    * Performance-Based Link Selection

    Works great until the firewall is under load. When the CPU starts getting above 60-70%, this feature doesn't work as it should. The firewall itself will start inducing latency and jitter on links as it gets loaded down, which gives false information to the service responsible for the SD-WAN routing. It seems Sophos does not have any type of CPU prioritization in SFOS to guarantee the firewall will have enough core resources to do what it is supposed to do, even if the CPU is approaching its max.

    * Zero-Impact Transitions

    Again, great feature and it seems to work really well, but not when the firewall is under load.

    * DPI

    No performance improvements on non-XGS hardware. It actually increased RAM and CPU utilization slightly on 2 different units. Still no way to disable the DPI engine from looking at inter-VLAN traffic and slowing it down, like encrypted SMB that is going across VLANs at a small site that utilizes the XG as the layer 3 device. Sophos still thinks SMB should have a layer 3 switch for inter-VLAN routing, instead of just making a feature to allow the admin to exclude certain traffic from all forms of inspection. The "other guys" allow this. Hopefully Sophos will at some point. It's disappointing because it's nice to know what is flowing between VLANs, but to do it at true wire speed of, let's say, 1G, you'd need an XGS 2100 at least, if it's encrypted traffic.

    Overall, I do think it's a great build, but I do wish they would close some product gaps a lot sooner than they do (like the logging, which still sucks, and the lack of a live flow monitor like UTM's. Live Connections isn't even CLOSE to UTM's flow monitor).

    I will post another update once I have a cluster of XGS devices updated to see how they do. I will probably wait until MR1 though.

    Mike

  • I fully understand you can't revoke the entire build, and I understand that the issue wasn't known when the firmware was released, but what I'm saying is that if Sophos does an upgrade and the device enters "failsafe", then on entering "failsafe mode" it should automatically mark the alternative image as default for the next boot of the device. That way, if a firmware update fails and breaks the device - for whatever reason - we can just tell the customer to power cycle the device and it will boot back into the previous firmware.
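The behaviour asked for in the post above (enter failsafe, flip the default boot slot, so one power cycle lands on the previous firmware) is the standard A/B boot-slot pattern. The following is an added illustration, not SFOS code and not from the poster; the slot names, the boot-attempt limit and the function names are assumptions chosen for the example. It models two variants: the usual "N unconfirmed boots, then fall back" rule, and the post's suggestion of flipping the default immediately on entering failsafe.

```python
"""Toy A/B firmware slot selector (added example, not SFOS code).

Two slots, "A" and "B". A freshly installed image is "unhealthy" until the
booted firmware confirms that its services came up. The bootloader falls back
to the other slot either after MAX_BOOT_ATTEMPTS unconfirmed boots or, as the
post suggests, immediately when the device enters failsafe mode.
"""
from dataclasses import dataclass, field

MAX_BOOT_ATTEMPTS = 3  # assumed policy: unconfirmed boots allowed before fallback


@dataclass
class BootState:
    active: str                      # slot the bootloader will pick next
    attempts: int = 0                # unconfirmed boots of `active` so far
    healthy: dict = field(default_factory=lambda: {"A": True, "B": False})


def other(slot: str) -> str:
    return "B" if slot == "A" else "A"


def install_firmware(state: BootState, target: str) -> BootState:
    """Stage a new image in the inactive slot and make it the next boot target."""
    if target == state.active:
        raise ValueError("cannot overwrite the running slot")
    state.healthy[target] = False    # unproven until the new image confirms
    state.active = target
    state.attempts = 0
    return state


def select_boot_slot(state: BootState) -> str:
    """Bootloader decision at every boot.

    If the active slot has used up its attempts without confirming health,
    flip to the other slot; otherwise count this boot as another attempt."""
    if not state.healthy[state.active] and state.attempts >= MAX_BOOT_ATTEMPTS:
        state.active = other(state.active)
        state.attempts = 0
    if not state.healthy[state.active]:
        state.attempts += 1
    return state.active


def confirm_healthy(state: BootState) -> None:
    """Called by the running firmware once its services are up."""
    state.healthy[state.active] = True
    state.attempts = 0


def enter_failsafe(state: BootState) -> str:
    """The post's suggestion: on entering failsafe, immediately make the other
    slot the default so a single power cycle boots the previous firmware."""
    state.healthy[state.active] = False
    state.active = other(state.active)
    state.attempts = 0
    return state.active


def simulate_failed_upgrade() -> list:
    """Slot booted at each of 5 boots when the new image never confirms."""
    st = BootState(active="A")
    install_firmware(st, "B")
    return [select_boot_slot(st) for _ in range(5)]


def simulate_successful_upgrade() -> list:
    """Slot booted when the new image confirms health on its first boot."""
    st = BootState(active="A")
    install_firmware(st, "B")
    boots = [select_boot_slot(st)]
    confirm_healthy(st)
    boots.append(select_boot_slot(st))
    return boots


def simulate_failsafe_power_cycle() -> list:
    """New image boots, drops into failsafe, customer power cycles once."""
    st = BootState(active="A")
    install_firmware(st, "B")
    boots = [select_boot_slot(st)]
    enter_failsafe(st)
    boots.append(select_boot_slot(st))
    return boots


if __name__ == "__main__":
    print("attempt-count fallback:", simulate_failed_upgrade())
    print("successful upgrade:    ", simulate_successful_upgrade())
    print("failsafe + power cycle:", simulate_failsafe_power_cycle())
```

With the attempt-count rule the device stays on the broken image for three boots before falling back; with the failsafe rule it is back on the old firmware after one power cycle, which is the difference the post is arguing for.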

  • I would have to agree with Ryan. At least put it in the release notes (you finally did) and notify users. This version has been out for almost 2 months, but you just added it to the release notes. This was a known issue but took weeks to document, and IMO it's not emphasized enough. I also don't agree with Sophos using a rolling release notes page that you just add to as you find issues. It makes it look like you notified end users before the upgrade, but a lot of "known issues" have been added after V19 GA was released. There should be addendums so users that already did the upgrade can decipher what is new. I really love the XG, but you guys do a terrible job of notifying end users of issues.

  • Sorry for the late reply. NAT issues have been ongoing for a long time in SFOS. I reported this back in the V16 days, but they never did anything about it. Every once in a while on upgrades of a few different clusters, some NAT rules would just stop processing. If you had custom NAT rules, the easiest fix is to just delete them and recreate them. I also specify interfaces in NAT rules and disable the default SNAT rule. It seems to help on upgrades.

  • Hi everyone,

    Several bugs on my side:

    • one XG310 unit experienced a factory reset at reboot; everything is now OK after importing a previous configuration backup.
    • more annoying, problems with IPsec VPNs:
      • throughput is very, very reduced in only one direction, outgoing
      • occurs with Sophos Connect and site-2-site VPN
      • reverting to the previous firmware restores normal operation
      • seems to occur with XGS hardware, not XG
  • I have my HomeLab vSFOS always on the latest version, also EAP. Running on Synology KVM with no problems.

    As an MSP, I have so far upgraded a small part of my test pool to the latest v19, each from the last or penultimate v18. No problems so far. On an XG210 cluster there is a problem with HTTP encryption and the CertCache, but it may be related to another problem.

    When you read this, you get a little more fear of an update.

  • Response from the L2 team:
    "EdDSA is not supported on V19 and V18.5.4"

  • I have a question: for the VPN value "conn-remove-on-failover", the release notes document that the default value for newly installed 19 MR1 firewalls is "enabled". If I check the value (on my migrated firewalls) it is set to "non_tcp", and the possible values are "all" and "non-tcp". What is the correct value for new boxes?


  • Hi Ben@Network, for new boxes “non-tcp” is the default value.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
