  • Sorry for asking this question here, but I'm really excited about v19. I wanted to clear up two doubts.

    In version 19, are we expected to have improvements in SSL VPN, which go beyond the performance improvement?

    Today SSL VPN RA and S2S share the same service and the same range of IPs; separating these, without interrupting the two services, would be very good.
    Another improvement would be to be able to specify which remote destinations of the SSL VPN connection could be made to the remote server.

    I really like IPsec and I like to see you dedicating a lot to this technology. I use it and will use it a lot, but in small companies the ease of configuring and managing SSL is very practical.


    Another thing I wanted to ask about, which would help a lot, is having the option to clone a reverse rule. It is very annoying to create a rule from src to dst and then create another inverse one. If there were a click that creates the rule in reverse, it would help a lot.

    Is this expected in the new version or the next ones?

    Another thing that would help a lot to save clicks would be to be able to change a part of the rule on the line, without having to go in and edit. For example, I want to change the port in the services part. In the line of the rule, if you could click on services and the window to change it appeared, it would be very fast for our day to day.

    Is this expected in the new version or the next ones?


    Sorry to use this channel for these doubts, but I couldn't find a more effective place for a roadmap to be implemented.

  • You still use SSL VPN for Site to Site? Because from my perspective, this is rather rarely used. Why do you rely on SSL VPN for Site connections?

    Why do you want to do a "reverse rule"? A stateful firewall will allow the traffic in a stateful manner, if this is the goal?

  • I use it for very simple scenarios, when I have clients behind NAT in the head office and up to a maximum of 3 branches.
    The reason is quite simple... ease. The implementation is very fast and in these scenarios I don't need RBVPN; the branch, like the head office, has its internet behind NAT and there are few branches. I choose SSL VPN for simplicity and less complexity.

    If it's Sophos' business rule, fine. At least I'm aware that it won't go into a roadmap and I change the small environments to just IPsec.

    About the reverse rule. Okay, in a stateful firewall I don't need to create a reverse rule. The problem is when I have a connection that starts from the other side.
    I like to separate the origin of connections. Example:

    FW rule:
    BO -> HO
    src zone: lan
    src: subnet lan
    dst zone: VPN
    dst: remote subnet vpn
    services any

    Reverse Rule:
    HO -> BO
    src zone: VPN
    src: remote subnet vpn
    dst zone: LAN
    dst: subnet lan
    service any

    This is where a button to clone the rule in reverse would come in.

    More doubts...

    1 - Support for assigning IPv6 on IPsec Remote Access connections: will we have it in version 19?

    2 - The DHCP server today does not reserve IPs in the same scope; does that remain?

  • Why not use RED Site to Site? It is the same kind of technology, just with advantages.

  • I recommend using RED site to site VPN as well. The setup is very easy and fast. You can then forget the SSL VPN clients.

    Jindrich Rosicka

    awin IT

  • It certainly helps, I always forget about RED when I don't use a RED device.

    When I commented, it was a quick thought about the problem I had that day. So I didn't think it through. Thanks.
