
Rebuilt XG using v17.0 MR-2

Hi folks,

I decided to rebuild my XG and reconfigure from scratch.

1/. Fewer networks and no VLANs

2/. Fewer DHCP servers

3/. One AP55 with 4 SSIDs

4/. 2 ISPs, very slow links

5/. Reduced number of firewall rules, now 6, was 8.

 

Results

1/. Used the existing XG licence hoping to fix certificate issues; wrong, I now get serial number errors because the licence activation uses the original licence request details.

2/. The MTA installed by default does not work. No outgoing mail. Nothing shows in the XG logs as to the mail messages actually reaching the XG.

3/. Appears to be better throughput, or at least fewer issues with a troublesome site my wife visits. I have not needed to add an exception for it.

4/. Even though one of the networks is not connected, the dashboard shows the networks as green; previously, with all networks (4 physical and 3 VLANs), the indicator would be orange.

5/. Using the XG as the DNS.

6/. Minor point of interest: the LG TV, as soon as it was connected, was registered as attacking 3 external Apache servers. It has not done that since I refined the firewall rules.

7/. I have fine-tuned the IPS, well, sort of: removed the Linux server, ERP and control stuff.

8/. I do not seem to be seeing the same amount of junk in the reports, which required fine-tuning of the web filters.

 

Ian



  • Hi Ian,

    Some thoughts on your first points:

    1/: There is no connection between the SSL certificate and the license. The certificate is rebuilt (maybe with the same parameters but with a new certificate serial number) during the installation process. To avoid serial number issues you are able to migrate licenses between serial numbers in your MySophos account to which the license is bound (or mail NSGlicense(AT)Sophos(DOT)com). If it is a Home License, just generate a new one, since they are not transferable.

     

    2/: Please make sure your autogenerated MTA firewall rule is enabled and at the top of the ruleset so it is not overwritten by other rules. Please check if the awarrenmta service is running.

     

    3/: I have observed similar things: a fresh install removes some troubles which persist through updates (in the web and mail modules). I think a broken daemon config is not converted during the update.

     

    4/: I think the status indicator shows "Gateway Reachable"; the health check defaults to "Ping every 60 seconds". Maybe you have to wait a little longer after unplugging?

     

    Yours, Lukas

  • Hi Lukas,

    Thank you for your thoughts on the various items. The licence I can fix, and will, because one of my ISP mail servers is throwing up invalid certificates which were valid before the rebuild.

    The MTA issue I have tried a number of times before, with the same result: unable to send mail; as soon as the MTA is disabled, the mail flows. I am not the only one with issues to do with the MTA.

     

    Ian

  • Hi Lukas,

    I cannot find anywhere on my Sophos page a place to create a new licence or replace the existing one. What I can find is a place to edit the existing licence, then download and re-install the ISO, which is a bit confusing. Having amended the current licence, will the changes be reflected in the software download and update the re-installed XG software even after a configuration restore, or is that part not saved by a configuration backup?

    Ian

  • Home or Business License?

    Appliance or Software Installation?

    These days I did a proper rebuild of a firewall which had been updated all the way from Beta v15 to 17 MR2.

    In my case, it solved the problem that I was not able to use TOTP on my old installation so far.

    Furthermore, the GUI behaves a bit faster, but this may be a subjective feeling on my part as well...

  • I had rebuilt for the v17 beta and am still using that install. I am fairly happy with v17 and think it does a decent job of protecting the outgoing traffic. Still using UTM for email and WAF.

    The GUI speed is hit and miss for me. It feels faster sometimes and then it's slow at other times, I don't know... it should be consistent regardless of where you click.

    One thing that I tried new with this version was IPv6. I have 6rd connectivity from my ISP and I had the orange gateway problem on IPv6 also. Although the firewall never sends a mail about the gateway being down until you unplug the cable, that orange indicator on the dashboard is annoying. I wish there was a way to change the gateway to ping as a workaround.

    Another thing that I hated was IPv6 client creation. In SG, you create one client and, as soon as you enable IPv6, that client can then be edited for IPv6 addresses. XG wants duplicate clients, and IPv6 rules sit by themselves on a separate tab. Not necessarily a bad thing, but it seems IPv4 and IPv6 are not part of the same system and it feels more like patchwork instead of an integrated design.

    Still not too happy with the log files. They are way better than anything XG had before, but sometimes when you generate traffic you don't get any logs (at least that's what it seems like to me). Maybe they are refreshing too slowly for my liking, and hopefully they will fix that.

  • Hi Lukas,

    I am a home user on home built hardware.

    After the rebuild I am seeing more web traffic blocked (ads etc) in the reports which is good.

     

    @billybob, logs are quite frustrating when trying to debug mail. With the MTA enabled by default at the initial build I thought it would work; wrong: no messages in the XG, and the messages just sit in the outbox on the Mac generating error messages. If the Connection Doctor is run on the Mac then you get answers: 'relay not allowed' or invalid certificate. You also need to use an external mail server for notifications, otherwise the messages are accepted then discarded.

    Native IPv6 in DHCP mode does not work as I am used to from the UTM. The UTM works beautifully, but not as well as it did a couple of releases ago.

    Ian
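
The "relay not allowed" answer Ian gets from the Mac's Connection Doctor is the MTA rejecting the RCPT TO step of the SMTP envelope, and that check can be scripted so you can test your own relay after a rebuild without sending any mail. The block below is an added example, not code from this thread or from Sophos: it opens an SMTP session, issues EHLO, MAIL FROM and RCPT TO, records the reply code, then RSETs and QUITs so nothing is delivered. The mock MTA it talks to is constructed here so the example runs offline; the accepted domain `home.example`, the host names and the addresses are assumptions.

```python
"""Probe an SMTP endpoint for relay acceptance without sending a message.

Added example, not code from the thread or from Sophos. The mock MTA below is
a constructed stand-in so the probe can run offline; its accepted domain,
host names and addresses are assumptions.
"""
import smtplib
import socketserver
import threading


def smtp_relay_probe(host, port, sender, recipient, timeout=5.0):
    """Return how the MTA answered the envelope for sender -> recipient.

    relay_allowed is True when RCPT TO got a 2xx reply. A 5xx reply whose
    text mentions 'relay' is the classic 'relay not allowed' answer a mail
    client's connection diagnostics report. No DATA is ever sent.
    """
    result = {"rcpt_code": None, "rcpt_message": "", "relay_allowed": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")  # hostname presented in EHLO (assumed)
        code, msg = smtp.mail(sender)
        if code != 250:  # sender already refused; report that and stop
            result["rcpt_code"] = code
            result["rcpt_message"] = msg.decode(errors="replace")
            return result
        code, msg = smtp.rcpt(recipient)
        result["rcpt_code"] = code
        result["rcpt_message"] = msg.decode(errors="replace")
        result["relay_allowed"] = 200 <= code < 300
        smtp.rset()  # discard the envelope; the context manager sends QUIT
    return result


class _MockMTA(socketserver.StreamRequestHandler):
    """Minimal SMTP responder (constructed): relays only for accepted_domains."""

    accepted_domains = {"home.example"}

    def handle(self):
        self.wfile.write(b"220 mock.mta ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode(errors="replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250 mock.mta\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                # "RCPT TO:<user@domain>" -> decide on the recipient's domain
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if domain in self.accepted_domains:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 Ok\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_mock_mta():
    """Start the constructed mock on a loopback ephemeral port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockMTA)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[0], server.server_address[1]
    return host, port, server


def demo():
    """Probe the mock once for a local and once for an external recipient."""
    host, port, server = start_mock_mta()
    try:
        local = smtp_relay_probe(host, port, "me@home.example", "you@home.example")
        external = smtp_relay_probe(host, port, "me@home.example", "friend@isp.example")
    finally:
        server.shutdown()
        server.server_close()
    return local, external


if __name__ == "__main__":
    for label, r in zip(("local recipient", "external recipient"), demo()):
        print(f"{label}: {r['rcpt_code']} {r['rcpt_message']} "
              f"relay_allowed={r['relay_allowed']}")
```

Against a real MTA you would call `smtp_relay_probe` with the firewall's address and the submission port your client uses; a 5xx on RCPT TO for an external recipient tells you the relay rule or allowed-network list is the problem, not the client. The probe deliberately does not negotiate STARTTLS, so an invalid-certificate complaint from the client is a separate check from relay acceptance.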