• Thank you for the response, it was more the point that I was hoping that the Application reporting engine would be able to report on traffic going to these URLs, as listed, and therefore identify them as iCloud + Relay - the same as Netflix is identified etc.

    Tim Grantham

    Enterprise Architect & Business owner

• Also seems that the Apple TV / Apple Movies in the Cloud traffic is not being recognized either.

    Tim Grantham

    Enterprise Architect & Business owner

  • Yes, you have to change it (in my case to IPv4) to be able to specify local and remote subnets.

In the Network, Interfaces section, it tells you that you 'can't assign an IP address or routes to the interface'. That's correct, but it also won't let you save the name change - "You must configure at least one IP family" - which you aren't allowed to do because "The XFRM interface is configured for specific local and remote subnets"!

• Our users access a public 3rd party website that enforces an access list tied to client WAN IP. Our VPN clients are not configured to route external traffic to the XG and instead use their local ISP. We therefore include the /20 network address of this website in the "remote_ts" section of our Sophos Connect IPsec VPN client SCX files so that traffic from those clients to the webpage routes through our XG WAN interfaces rather than the VPN client's local ISP. The "Permitted network resources" section in the XG VPN config includes this /20 network address. This worked in SFOS 17.x - 18.x but now breaks on each XG that is updated from 18.5 MR4 to 19 MR1. The XG log shows the firewall rule allows the traffic and NATs it, but the page will no longer load in the VPN client browser. I experimented with various alternate ways to NAT from the web interface with no change. As a workaround, static routing traffic to this website's IP in the VPN client's XG to another XG still on SFOS 18.5 through a RED connection fixes the problem, but it is not ideal and will no longer work when the target XG is updated to SFOS 19. This is being looked into in case #05656076.

  • please let us filter IP Host Groups...

• What do you mean?

    __________________________________________________________________________________________________________________

• There is no option to filter IP Host Groups by name; I always have to search through multiple pages until I find the group. I can only filter by IP version.

    The filter-by-name option is only available for IP Hosts.

• This will be implemented soon.

    __________________________________________________________________________________________________________________

  • DPI Engine cannot use QUIC Protocol.

    Out of interest: Is an implementation technically not possible - or is that a limitation for now?

• It is not that easy to answer. As HTTP/2 and now HTTP/3 are going to take over, it is hard to decrypt this on a native part. There are certainly parts to do this, but it is not that easy to implement it. Going forward, there will be showcases in how to do this.

    You can maybe read something about this here: https://blog.cloudflare.com/unlocking-quic-proxying-potential/

    __________________________________________________________________________________________________________________
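To make the QUIC limitation concrete, the following added example (written for this thread, not Sophos code and not tied to any SFOS release) parses the only part of a QUIC packet that a firewall can read without keys: the long-header fields defined in RFC 9000 (header form bit, version, connection IDs, packet type). It then labels constructed UDP/443 flow samples by what a DPI engine could classify from the header alone. The one caveat worth knowing: QUIC v1 Initial packets are protected with keys derived from the Destination Connection ID and a public salt (RFC 9001 section 5.2), so a middlebox that implements that derivation can still recover the ClientHello SNI for classification; everything after the handshake uses negotiated keys and is opaque, which is the gap the release note describes. The sample packets below are constructed by hand and contain no real traffic.

```python
"""Added example: what a firewall sees in a QUIC datagram without decrypting it.
Only the RFC 9000 long-header fields are in the clear; the rest is encrypted."""
import struct
from collections import Counter

# Version numbers from RFC 8999/9000 (v1) and RFC 9369 (v2)
QUIC_VERSIONS = {
    0x00000000: "version-negotiation",
    0x00000001: "QUIC v1 (RFC 9000)",
    0x6B3343CF: "QUIC v2 (RFC 9369)",
}
# Long-header packet type bits differ between v1 and v2 (RFC 9369 section 3.2)
PACKET_TYPES = {
    0x00000001: {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"},
    0x6B3343CF: {1: "Initial", 2: "0-RTT", 3: "Handshake", 0: "Retry"},
}


def parse_quic_long_header(payload: bytes):
    """Return the cleartext long-header fields of a QUIC packet, or None if the
    datagram does not look like a QUIC long-header packet."""
    if len(payload) < 6:
        return None
    first = payload[0]
    if first & 0x80 == 0:
        # Short header (1-RTT): the DCID length is not self-describing and the
        # payload is encrypted, so nothing here helps classification.
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    if version != 0 and first & 0x40 == 0:
        return None  # fixed bit must be set outside version negotiation
    dcid_len = payload[5]
    pos = 6
    if len(payload) < pos + dcid_len + 1:
        return None
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if len(payload) < pos + scid_len:
        return None
    scid = payload[pos:pos + scid_len]
    packet_type = None
    if version in PACKET_TYPES:
        packet_type = PACKET_TYPES[version][(first >> 4) & 0x03]
    return {
        "version": QUIC_VERSIONS.get(version, f"unknown 0x{version:08x}"),
        "packet_type": packet_type,
        "dcid": dcid.hex(),
        "scid": scid.hex(),
    }


def classify_flow(proto: str, dst_port: int, first_payload: bytes) -> str:
    """Label a flow by what header-only inspection can tell a DPI engine."""
    if proto.lower() != "udp" or dst_port != 443:
        return "not-quic-candidate"
    hdr = parse_quic_long_header(first_payload)
    if hdr is None:
        return "udp443-unclassified"
    if hdr["packet_type"] is None:
        return "quic-version-negotiation"
    # Initial: ClientHello inside is only recoverable by deriving the initial
    # keys from the DCID; Handshake/0-RTT/1-RTT are opaque to a middlebox.
    return f"quic-{hdr['packet_type'].lower()}"


def summarize(flows) -> dict:
    """Count classification labels over (proto, dst_port, payload) records."""
    return dict(Counter(classify_flow(p, d, b) for p, d, b in flows))


# Constructed samples (hand-built bytes, not captured traffic)
# QUIC v1 Initial: first byte 0xC3 = long header, fixed bit, type 0, pn len 4
SAMPLE_INITIAL = bytes([0xC3, 0, 0, 0, 1, 8]) + b"\x11" * 8 + bytes([0]) + b"\x00" * 20
# Version negotiation: version field 0, DCID of 4 bytes, empty SCID
SAMPLE_VNEG = bytes([0x80, 0, 0, 0, 0, 4]) + b"\xaa" * 4 + bytes([0])
# Short header (1-RTT) packet: high bit clear
SAMPLE_SHORT = b"\x40" + b"\x00" * 10
# TLS over TCP: a ClientHello record prefix, which the DPI engine can parse
SAMPLE_TLS = b"\x16\x03\x01\x00\x00"

SAMPLE_FLOWS = [
    ("udp", 443, SAMPLE_INITIAL),
    ("udp", 443, SAMPLE_VNEG),
    ("udp", 443, SAMPLE_SHORT),
    ("tcp", 443, SAMPLE_TLS),
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_FLOWS).items():
        print(f"{label}: {count}")
```

Run as a script it prints one line per label; the "quic-initial" flows are the ones where an engine would have to derive initial keys to see the SNI, and the "udp443-unclassified" flow shows why a 1-RTT packet seen mid-connection gives the firewall nothing to match an application signature against.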