today I want to show you how to find out the PPPoE password on a Sophos SG/XG if you don’t have it documented.

This only works if the SG/XG itself establishes the connection.

Start a TCPDump on the hardware interface via the shell. In this example eth1.

tcpdump -i eth1

Then press the reconnect button in the webgui.

Now you just have to look in the dump for the line that contains your PPPoE username. And directly behind it is the password in plain text. :D

08:49:12.384612 PPPoE [ses 0xdc82] PAP, Auth-Req (0x01), id 1, Peer networkguy0001@telekom.de, Name Password123

Have a nice day!

The post Sophos SG/XG How to find the PPPoE password appeared first on Network Guy.

today I will talk about how to configuring a guest Wifi with a Aruba Mobility Controller and the Sophos hotspot solution.

In this example I will using the Sophos SG hotspot solution. With Sophos XG, it’s basically the same.

Sophos SG

Create a new Interface

It’s recommandet, to use a own interface for the guests. If you use a hardware interface or a VLAN interface, it’s your choice. I using VLAN interfaces.

Create a firewall rule for the web access 

To avoid problems with VIP visitors, I recommend allowing any service to access the internet. I will come to the topic of proxy in a moment.

masquerading rule

Without it, the package also gets on the internet, but not back :D

The DHCP 

Do not use your AD DHCP server. If you still have a server at all thanks to Azure. Always keep guest solutions as far away as possible from your infrastructure. That’s why I use the DHCP server from the Sophos SG and also send DNS queries directly to google DNS. Do not use the SG as DNS server for guest solutions. Because most UTMs have a query route to their own domain and the guest user can query your SG/XG via DNS queries about your environment.

hotspot portal

Here you have to put in the new interface and activate the hotspot type of your choice. I prefer the voucher solution.

And finally the proxy

For the guests, only the transparent proxy comes into consideration. No guest user wants to enter a static proxy into the system first. You should also only activate URL filtering, because no one wants to import the proxy CA. Now you have to define the policy and that’s it for the UTM configuration.

What web categories you allow via policy, you have to decide yourself.

Aruba Mobility Controller

My recommendation, configure everything under Mobility Controller level and not on the individual controller.

Add a new VLAN interface

We only need a VLAN interface with the same VLAN ID as the guest interface on the Sophos SG. No IP configuration is required on the mobility controller.

Create the SSID

I recommend using the tunnel mode. This way I don’t have to maintain all VLANs at the access points. Instead, I let the traffic first break out at the Mobility Controller.

We need a simple open WLAN.
Because we are using the Sophos SG guest solution in this example, I won’t go into detail about the possible Aruba solutions.

Now we have to remember the name of the default role. Because we have to edit these right away.

Edit  the role

For simplicity, we could write an Any rule because the Sophos SG takes care of security. But for the good feeling, we restrict the traffic a bit.

Because it’s a bit hard to read, here’s the content: We only allow the client to talk to the Sophos SG on the guest interface. Forbid the rest of the private IP address ranges and then allow Any for the Internet access.

Have a nice day!

The post Aruba Mobility Controller with Sophos SG/XG hotspot Portal appeared first on Network Guy.

today I will tell you how I configured my home server for a virtual Sophos UTM.
All configurations in ubuntu can also be used for a virtual Sophos XG.

In this article I assume that Ubuntu and virt manager are installed. The following link deals with the basic configuration of virt manager under ubuntu:

german https://wiki.ubuntuusers.de/virt-manager/
english https://www.howtogeek.com/117635/how-to-install-kvm-and-create-virtual-machines-on-ubuntu/

What do you need for this?

• A PC (AMD or Intel, what you like. A virt XG also runs under a AMD CPU)
• A Ubuntu System (with a GUI, it’s easier ;) )
• 3 NICs
  • I use the Mainboard NIC for the Server management
  • the second NIC in bridge mode for the VMs
  • and the last NIC via PCI Passthrough exclusive for the UTM WAN interface (you can’t use a dual NIC for this)
    • you need a pcie slot for the NIC where the PCIe lanes are not shared with the chipset or other components
• Sophos UTM ISO for Software Appliance

Why do I use PCI Passthrough? It is safer. With PCI Passthrough, all traffic goes directly to the virtual firewall and cannot escape from a virtual switch and has no logical contact with the hypervisor (the Ubuntu server).

OK,
we have been busy and now have a fully installed Ubuntu and Virt Manager and are starting to configure the virtual UTM.

• Install a new VM

• Adjust the new VM
• • activate auto start while booting of the hypervisor

• • activate the bridge mode for the “LAN NIC”
    I recommend virtio for NIC device model, because according to my own experience it offers the best data throughput.

• • insert the “WAN NIC” via PCI Passthrough
    Be sure if it is the right PCIe slot and NIC.

• Install the UTM
  When installing the UTM, you must select a LAN NIC. The LAN-NIC should be the first interface. If it was the wrong interface, restart the installation process and select the other NIC in the list for the LAN.
  After the installation, you have 2 hardware NICs in the UTM . On my UTM for LAN eth0 (virtio) and for WAN eth1(PCI Passtrough realtec NIC).

A nice feature. You can use vlan interfaces for eth0 without any setup by the hypervisor. But you need a vlan-enabled switch.
You can use it for guest wifi or whatever you want.

If you need inspiration for a home server. These are my server components:

Registration, Software Download and Installation

Feel free to comment the recommendation or ask for further installation help. If you want to support me, buy stuff over my Amazon links or click on an advertisement. Thank you very much!

Have a nice day!

The post Sophos UTM how to install a virtual home firewall under ubuntu via KVM appeared first on Network Guy.

I had the task to secure VMware Horizon via the Sophos XG WAF.

In this example we have a VMware Horizon server with the IP 192.168.100.20.
The Sophos XG DMZ interface has the IP 192.168.100.1.

The following steps were necessary:

Create a new Webserver definition

For a better searce. I write Host for a client/server or LAN for a network before a definition name. In this example Host horizon-server.

Create the WAF policy

skip filter rules:
920370
941100
941160
949110
980130

Create the VMware Blast protocol definition

Create the WAF firewall rule

Create a NAT rule for the VMware blast protocol with the Server access assistant

That isn’t a security problem. Before using the blast protocol, the user must be authenticated by the Horizon server which is protected by the WAF.

After Franks hint in the comments. If you need PCoIP for Teradici ZeroClients you have to add port 4672 UDP with a second DNAT Rule.

And now here comes the tricky part.

The Horizon server (192.168.100.20) is protected by the WAF and from its perspective the server is only communicating with the Sophos XG (192.168.100.1).
But as soon we have the protocol change to blast (port 8443) we can’t use the WAF and a classic DNAT dosn’t change the source IP. (In this case a random WAN IP from the Users ISP).
But why do we need this? Because, if the user comes with his original WAN IP, the Horizon server says “I don’t know you. You have not authenticated with me. Get lost” and cuts the connection.

Therefore we must adjust the DNAT rule for the blast protocol.
We must activate a SNAT with the DMZ IP from the Sophos XG (192.168.100.1).

Finaly from the point of view of the Horizon server we now also have no changed communication partner by a protocol change.

Have a nice day!

The post Sophos XG how to secure VMware Horizon via WAF appeared first on Network Guy.

I compared many vendors and thought that we give a chance to the ASRock mini ITX mainboard series. The ASRock website makes it easy to compare different mainboard modells. I found the J4105-ITX and the J5005-ITX, both have the same hardware, the only difference is the built-in processor. The ASRock J5005-ITX has the Intel Quad-Core Pentium Silver Processor J5005 (up to 2.8 GHz) processor and the ASRock J4105-ITX has the Intel Quad-Core Processor J4105 (up to 2.5 GHz). So what does this mean? The SG and XG hardware are using of course also Intel CPUs. You can see it in the Sophos SG/XG Series Appliances Technical Specifications datasheet:

Sophos SG/XG Series Appliances Technical Specifications

1 file(s) 96.65 KB

Download

So based on this information I compared it with the SG/XG 230 hardware (using Intel Pentium G4400). I found the website UserBenchmark.com to compare CPU benchmarks. The battle between the Intel Pentium G4400 and the J4105-ITX shows, that the CPU are very similiar (only a difference of 7%):

The J5005-ITX mainboard with the Intel Pentium Silver J5005 is only 7% faster but it costs about 45€ more than the J4105-ITX mainboard. So I would recommend the ASRock J4105-ITX mainboard. The original Sophos SG/XG 230 hardware (8GB memory) costs about 1800€ and can easily secure a 100 user company with a firewall throughput of 7Gbit/sec. With all activated security features (Intrusion Prevention, Advanced Threat Protection, Web Protection, Application Control, etc.) you can nearly reach 1GBit/sec. So I think this is a pretty good home hardware ;-)

Hardware recommendation

Self-built system

This recommendations are not tested! Maybe I will order this hardware for proofing or someone of you can proof it.

complete system

I found a similar complete system: Kettop Mi5250L (Intel I5-5200U, 8GB Memory, 128GB SSD, 4 NICs) for 353€ including shipping from Hongkong. The device has four Intel I211-AT network interfaces. I didn’t tested this device, so I give no guaranty that it works with Sophos UTM and/or XG. There is also a cheaper device with four Intel NICs.

Registration, Software Download and Installation

Feel free to comment the recommendation or ask for further installation help. If you want to support me, buy stuff over my Amazon links or click on an advertisement. Thank you very much!

The post Sophos XG/UTM Home Edition appeared first on Network Guy.

you will get a .tar file. Open this .tar file with 7-Zip and go into the “.”-dot folder. There you will find an Entities.xml, open it and you can see some definitions. I already filled in some variables (##number##) for our later XML conversion. There are net definitions:

<IPHost transactionid="">
  <Name>##1##</Name>
  <IPFamily>IPv4</IPFamily>
  <HostType>Network</HostType>
  <IPAddress>##2##</IPAddress>
  <Subnet>##3##</Subnet>
</IPHost>

hosts definitions:

<IPHost transactionid="">
  <Name>##1##</Name>
  <IPFamily>IPv4</IPFamily>
  <HostType>IP</HostType>
  <IPAddress>##2##</IPAddress>
</IPHost>

and service definitions:

<Services transactionid="">
  <Name>##1##</Name>
  <Type>TCPorUDP</Type>
  <ServiceDetails>
    <ServiceDetail>
      <SourcePort>1:65535</SourcePort>
      <DestinationPort>##3##</DestinationPort>
      <Protocol>##2##</Protocol>
    </ServiceDetail>
  </ServiceDetails>
</Services>

with this information and a documented or exported csv sheet, we can migrate this csv file to a perfect xml import file for our Sophos XG firewall (look at the possibilities from your source firewall system, maybe you can copy a list into Excel, delete every unnecessary things and convert it to a csv file like I did). I used the CSV to XML converter from freeformatter.com to built my new xml file (thanks for this!). Example csv for hosts:

pc-mister-bob;192.168.10.5
pc-mister-carl;192.168.10.54

example for networks:

wlan-guests;192.168.250.0;255.255.255.0
wlan-internal;172.16.54.0;255.255.255.0

example for services:

pcANYWHERE-data;tcp;5631
pcANYWHERE-stat;udp;5632

so the converter will convert the csv, delimited by semicolon and will put each line in a new xml format. Just copy your csv and your xml template into the site, choose semicolon as the delimiter like I did and click on “convert csv to xml”:

copy only the definitions from the output (Example:)

<IPHost transactionid="">
     <Name>wlan-guests</Name>
     <IPFamily>IPv4</IPFamily>
     <HostType>Network</HostType>
     <IPAddress>192.168.250.0</IPAddress>
     <Subnet>255.255.255.0</Subnet>
  </IPHost>
  <IPHost transactionid="">
     <Name>wlan-internal</Name>
     <IPFamily>IPv4</IPFamily>
     <HostType>Network</HostType>
     <IPAddress>172.16.54.0</IPAddress>
     <Subnet>255.255.255.0</Subnet>
  </IPHost>

open the extracted Entities.xml and copy it between this lines:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1702.1" IPS_CAT_VER="1">

and

</Configuration>

after this, save the xml file and copy it back to the .tar file. Now you can import the file into the XG and your new definitions are migrated easily. If you have many definitions, only import 100 definitions at one time (I had this also on a Sophos XG 650 device).

Feel free to ask in the comments. Have a nice day!

The post Easy migration to Sophos XG firewall appeared first on Network Guy.

Here’s a quick overview of the key new features in v17.5. For a more detailed description please refer to: Sophos-XG-firewall-v17.5-whats-new.pdf

Lateral Movement Protection

Synchronized User ID

Education Features

Email Features

IPS Protection

Management Enhancements

VPN and SD-WAN Failover and Failback

Client Authentication

Sophos Connect

Additionally

Coming in a following Maintenance Release we have:

• Wireless APX Access Point Support provides support for the new Wave 2 access points providing faster connectivity and added scalability.
• Airgap Support for deployments where XG Firewall can’t get updates automatically via an internet connection (due to an “airgap” or physical isolation) – Patterns and Licenses can now be updated manually.
• Sophos Central Management of XG Firewall With v17.5, XG Firewall is also joining Sophos Central.  The Early Access Program for Sophos Central Management of XG Firewall is expected to start soon.You will be able to manage XG Firewall from within Sophos Central along with all your other Sophos Central products.  And there’s a few great new features coming along with Sophos Central Management of XG Firewall:
  • Secure access and management with single-sign-on through Sophos Central from anywhere
  • Backup management and storage for your regularly scheduled firewall backups
  • Firmware update management to make multiple firewall updates easy
  • Light-touch deployment to enable easy remote setup of a new Firewall

Notes

• Enforcement of search engine Safe Search and additional image filters is now configurable per-web policy and is no longer a global option. The settings have been moved from Web >> General Settings into the additional options that are available when editing a web policy. In addition, configuration for YouTube restrictions have been broken out into a separate option.
  Product behaviour will be preserved on upgrade by automatically migrating the existing global settings to all existing web policies.The exceptions to this are the following built-in, uneditable policies: Allow All, Deny All and ClPA-Compliance. KBA 123589
• IPS now with Cisco Talos IPS library and more granular IPS categories KBA 133197

Issues Resolved

• NC-39029 [Authentication] Show proper error message in UI if you enter an used port in Chromebook SSO configuration
• NC-39212 [Authentication] CSD: make sure the userSessions map is not overwritten
• NC-39532 [Authentication] Migration from 17.1 fails if host definition for “*.gstatic.com” exists
• NC-39677 [Authentication] Success message shown in ui even though deleting a user fails
• NC-37683 [Base System] cURL (libcurl) NTLM Authentication Code Buffer Overrun Vulnerability (CVE-2018-14618)
• NC-39192 [CM-Join-to-cloud] Appropriate status should update on SF and Sophos Central once FW is remove from Central and register again
• NC-36497 [Email] POP3 mails reach the proxy empty
• NC-38052 [Email] Subject not displayed properly in mail log with sender generated password method
• NC-38282 [Email] mail_sender opcode stuck in CSC
• NC-38470 [Email] Some reason filters on mail log page are not working as expected
• NC-38571 [Email] Port validation not working when adding new port in SMTP via CLI
• NC-39233 [Email] Email delivery failed for some recipients when email containing 512 recipients
• NC-39280 [Email] Error message ‘Relay not permitted’ when sending an inbound mail to email address base profile
• NC-39379 [Email] Bad (malformed syntax) mails should be displayed separately from network failed emails on UI
• NC-39454 [Email] Mail doesn’t get formatted properly when file filter protection applied
• NC-39513 [Email] Network type IP host should not allowed to add in exception policy
• NC-39668 [Email] RDNS check should be applied to inbound emails only
• NC-39737 [Email] Mail from header changed when wrong “Return-Path” used in smart host deployment
• NC-39953 [Email] Email attachments get corrupted with BDAT
• NC-38505 [IPS] IPS policy backup is not created while applying signature upgrade
• NC-39687 [IPS] IPS log filling up with entries and causing problems for legitimate traffic
• NC-39083 [IPsec] IPsec: charon starts parsing fragmented messages before they are reassembled
• NC-38832 [Network Services] Issue with wildcard FQDN based rule
• NC-37817 [UI Framework] SAC tab not loaded because of OutOfMemory error
• NC-39310 [UI Framework] Control Center: Icons for VPN and Connections have been switched
• NC-38184 [Web] Check settings functionality is not working from device level of firewall manager(SFM)
• NC-38844 [Web] Web Policy Override not working in HA(A-A) mode if traffic served from Aux appliance
• NC-39039 [Web] When “Drop connection” feature is enabled, blocked/warned events are not logged correctly

Issues Resolved in EAP1

• NC-32763 [Authentication] Importing users with .csv file having usernames with Thai characters creates junk character
• NC-34340 [Authentication] Users not getting authenticated via Radius SSO
• NC-37091 [Authentication] Show error when Chromebook SSO is not configured correctly
• NC-37300 [Authentication] Create FQDN Hosts and Groups for Chromebook
• NC-38381 [Authentication] “Record does not exist” error when trying to open created LDAP server
• NC-36185 [Azure] Upgrade Linux VM Agent
• NC-38176 [Base System] garner memory corruption affecting RED
• NC-38471 [Base System] EULA not shown on GUI on Azure
• NC-38473 [Base System] Reading of /proc/timer_list file leads to NMI watchdog soft lockups
• NC-31499 [Email] Unable to send .eml attachments to specific domain
• NC-32682 [Email] SPX generates password for same email recipient in different case
• NC-32690 [Email] SPX encryption corrupting attachments by adding line breaks
• NC-32754 [Email] XG not able to insert spool query
• NC-33360 [Email] Add missing header fields in notification emails
• NC-33391 [Email] Quarantine digest and released emails not sent
• NC-33977 [Email] Unable to release unscannable quarantined emails
• NC-34450 [Email] Fail to send email notifications
• NC-35494 [Email]  UI hangs when user selects specific date on SMTP quarantine page
• NC-36612 [Email] Cross version import/export not working for exception policy
• NC-37849 [Email] Console command ‘subsystem-info’ shows awarrensmtp and smtpd service with same name
• NC-37945 [Email] Scanner crash on low end devices due to high number of forwarders
• NC-38005 [Email] Improper IP reputation reject status message in mail log
• NC-38013 [Email] Typo in Authentication Relay drop message
• NC-38015 [Email]  Emails moved to error queue when header part is big
• NC-38021 [Email] Return-Path/Reply-To header ignored while sending failure notifications
• NC-38252 [Email] Add support of email based routing and RBL scanning
• NC-38257 [Email] No reason logged in mail logs for mails dropped due to file filter
• NC-38297 [Email] Improper label in exception policy at device level from SFM
• NC-38312 [Email] SFM pushes exception policy to firewalls even in legacy mode
• NC-38391 [Email] Core dump in mail scanner
• NC-38392 [Email]  Notifications are logged with ‘0 bytes’ in MailLogs
• NC-38501 [Email] SPX fails to encrypt on hardware appliances when SPX reply portal is enabled template
• NC-39024 [Email] Do not allow multi use for port 587
• NC-32530 [Firewall] Post-Authentication SQL injection in Firewall User Interface
• NC-34612 [Firewall] Appliance frequently rebooting when having IPv6 permitted networks for remote access SSLVPN
• NC-34675 [Firewall] Live connections page not showing connection list
• NC-35656 [Firewall] Internet access being lost, SFOS consuming all memory.
• NC-35660 [Firewall] MAC address missing in export of MAC list having only one list member
• NC-37274 [Firewall] SMTP MTA mode does not support TCP port 587
• NC-37760 [Firewall] Misleading message when adding rule using automatic grouping and group has already 200 rules
• NC-37992 [Firewall] Transferred data not shown in firewall rules when reaching tera bytes
• NC-36318 [IPS, SFM-SCFM] Application filter policy rule not containing any application being pushed from SFM is not applied on SF
• NC-36565 [IPS] Category replacement not working on export/import
• NC-38347 [IPS] Category based IPS policy import not mapping to Talos categories
• NC-30016 [IPsec] Merged IKE gets deleted when one connection is disabled in UI
• NC-32269 [IPsec] GRE traffic forwarded through WAN interface after HA failover event
• NC-34131 [IPsec] L2TP still connects after user was disabled
• NC-38310 [IPsec] IPsec site-to-site tunnel not established with Cisco ASA and gateway type “Initiate the connection”
• NC-39059 [Localization] Using “state” causes mistranslations
• NC-36455 [Networking] WWAN is not connected automatically at boot time if the primary WAN link is disconnected/down
• NC-36720 [Networking] Traffic might flow via backup gateway even hard gateway failback configured
• NC-34149 [nSXLd] Keywords are not deleted when custom web category is deleted
• NC-37809 [nSXLd] Proxy authentication is not cleared after config reload
• NC-38125 [SSLVPN] Unable to edit SSLVPN (remote access) page
• NC-35500 [UI Framework] Apache service start fails if webadmin certificate passphrase having single quote character
• NC-35682 [WAF] Unable  to edit and load business app rule for WAF
• NC-37178 [Web] Name should not be pre-filled while creating new overrides
• NC-37179 [Web] Improve UI for adding website domains to an Application Override

Issues Resolved in EAP0

• NC-29648 [Base System] If Default CA is not configured, Generate CSR option should be disabled
• NC-29906 [Base System] Unable to edit NTP server when 10 servers are configured
• NC-30497 [Base System] [VMware] SFOS Guest OS detail shows wrong/missing
• NC-30635 [Base System] Missing focus after closing dialog when editing default certificate
• NC-31010 [Base System] Configuration import running into timeout on SG/XG 100 series appliances
• NC-31100 [Base System] Upgrade notification pop-up does not work in some cases
• NC-35536 [Base System] OpenSSL – “Denial of service during forward secrecy setup” (CVE-2018-0732)
• NC-34154 [Clientless Access] Unable to connect RDP type bookmark with NLA
• NC-34803 [Email] Possible denial-of-service due to secure client-initiated renegotiation
• NC-35175 [Email] Sophos XG is not adding received-by header as per RFC 5321
• NC-35256 [Email] Invalid XML is generated for Email -> General Settings -> Blocked Senders
• NC-35915 [Email] “POP-IMAP Scanning” policy generated XML does not contain information of filter criteria “Source IP/Network Address”
• NC-26440 [Firewall] Firewall rule dropping traffic when there is no user identity attached to the rule
• NC-30989 [Firewall] CVE-2018-8897: Don’t use IST entry for #BP stack
• NC-31282 [Firewall] Firewall rule group entity name not sent to SFM upon insert/update/delete
• NC-22889 [Hardware] XG85: poweroff command reboots the device instead of shutting it down
• NC-21909 [IPsec] Do not show empty-value-warning on page entry
• NC-30319 [IPsec] Backup fails import when containing IPv6 remotes
• NC-30462 [IPsec] Site-to-Site connection not initiated after DHCPv6 interface update
• NC-30618 [IPsec] New virtual IP on every Phase 1 rekey even though client requests same IP
• NC-30794 [IPsec] NAT checkbox is always enabled in IE11
• NC-30796 [IPsec] Local gateway selection shows invalid interface in IE11
• NC-33410 [IPsec] VPN Connection Status shows ‘Any’ on both sides even when configured only on one side
• NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
• NC-25714 [Logging] Firewall rule ID in log viewer not linking to actual rule anymore
• NC-29974 [Network Services] Disconnect PPPoE interface doesn’t update corresponding interface based DNS static entry
• NC-30753 [Network Services] DGD service in stopped state and segmentation fault
• NC-33876 [Network Services] IPset command shows wrong information for wildcard and FQDN Host
• NC-30483 [Networking] Port and IP address may show “undefined” in WAN Link Manager “Failover Rules”
• NC-30493 [Networking] Link status not updated in WAN Link Manager when RA client has no IP address
• NC-30544 [Networking] Full and selective configuration import fails when bridge innterface configured in WAN zone
• NC-31399 [Networking] Full backup import fails when bridge member interface is LAG
• NC-33628 [Networking] LAG mode related configuration missing on configuration export
• NC-34573 [Networking] Configuration changes of CFM not propagated to XG
• NC-20785 [Reporting] PDF export of reports taking much time or failing completely
• NC-26459 [Reporting, UI Framework] Reports for “Traffic Insight” not shown on dashboard
• NC-29573 [Reporting] Sending of scheduled reports does not consider changes of daylight saving time
• NC-31243 [Reporting] Table headers in reports span two lines and cannot be seen
• NC-32490 [Reporting] Unable to click “PDF”, “CSV”, “Bookmark” or “Schedule” under “Report > Applicazioni & Web” when WebAdmin language is Italian
• NC-28206 [SecurityHeartbeat] Heartbeat deamon does not handle all allowed MAC address formats correctly
• NC-32459 [SecurityHeartbeat] Endpoint name in StoneWall message
• NC-32580 [SecurityHeartbeat] Extend StoneWall protocols/messages
• NC-34169 [SSLVPN] Fail to access SSLVPN (site-to-site) page after any tunnel modification
• NC-30984 [Synchronized App Control] [SAC] improve usability
• NC-30987 [Synchronized App Control] [SAC] no action “acknowledge” for acknowledged apps
• NC-30988 [Synchronized App Control] [SAC] filter with deleted apps should be last in the dropdown field
• NC-28064 [WAF] Form hardening sets block-reason only in case of GET requests
• NC-25805 [Web] Handle non-compliant HTTP status code 999
• NC-27519 [Web] Proxy continues to download files in batch mode even if client closes connection
• NC-28851 [Web] Default Web policies contain duplicate rules
• NC-29305 [Web] “Expect” header not handled correctly
• NC-31837 [Web] Add “alert.hitmanpro.com” to proxy bypass list
• NC-33650 [Web] Enabling web content cache for Sophos Updates blocks further updates

Download

To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA – Sophos Firewall: How to upgrade the firmware: KBA 123285.

Source: community.sophos.com

The post Sophos XG v17.5 released appeared first on Network Guy.

Check out all the enhancements in XG Firewall v17.1 including the new Cloud Application Visibility feature in our XG Firewall v17.1 demo video.

• Cloud App Visibility – brings the visibility pillar of CASB to XG Firewall, providing quick and easy Shadow IT discovery and visibility into data that may be at risk in cloud applications with great reporting on users and volume of data being uploaded and downloaded from cloud services.
• Synchronized App Control – gets further enhancements in managing newly discovered applications, including options to search, filter, and delete applications.  You’ll also see the category assigned to the discovered app in the list for easy reference.
• Email Security – adds user management over individual SMTP block and allow lists via the User Portal.  Domains or email addresses added to the Allow list will bypass policies (except for malware or sandboxing enforcement) and adding domains or addresses to the block list will automatically quarantine emails from those senders.  In addition, more flexible SMTP policy exceptions are supported to provide parity with Sophos SG UTM.
• SSL VPN Port Option – one of the most requested features on XG Firewall is the option to customize the SSL VPN listening port.
• Firewall Enhancements – Enhancements have been made to the firewall and rule management to improve flexibility and streamline management even further.  You can now double-click a firewall rule in the list to open it for editing.  There’s a new option to block Google QUIC’s HTTPS over UDP forcing a fallback to TCP enabling full SSL inspection of the traffic.  And there is now added flexibility in defining ACL exceptions to restrict access to services like the User Portal from a single alias, for example.
• Wireless Enhancements – XG Firewall v17.1 provides wireless networking enhancements including the option to set the channel width for wireless radios in the GUI as well as Radius Accounting.
• IPSec VPN IKEv2 Enhancements – XG Firewall v17 introduced new IKEv2 support for IPSec VPN connections and all stability and reliability enhancements, included in subsequent maintenance releases, are included with v17.1.
• New Hardware Support – Support for the latest XG Series desktop hardware connectivity and features, unveiled in an earlier maintenance release, is also included in XG Firewall v17.1

You can find the PDF of what’s new here: Sophos XG Firewall v17.1 Whats New.pdf.

Notes

In case you are managing your Firewalls using SFM/CFM, Firewalls running SFOS 17.1 GA won’t accept application filter rules when applied from a device group or template. You can manage application rules from the device-level view in SFM/CFM until this limitation is addressed in SFOS 17.1 MR-1.

Issues Resolved

• NC-31554 [Base System] Missing color indication for ATP widget
• NC-31662 [Base System] Change of the XG Firewall login screen
• NC-31484 [Email] Emails are not removed from spool after update to SF 17.0 MR8
• NC-31514 [Firewall] Editing IPv6 host is not possible
• NC-31030 [SSLVPN] Remove misleading message “Port 443 is already in use by User Portal”
• NC-31615 [Web] Remove file type data columns in cloud application dashboard

Issues Resolved in Beta3 build

• NC-30212 [Base System] Device displays fail message for SFM/CFM heartbeat
• NC-29075 [Email] Unable to update mail spool if mail address contains special character (‘)
• NC-29757 [Email] CVE-2011-1473: POP/IMAP – Secure Client-Initiated Renegotiation vulnerability
• NC-30160 [Email] Option “Skip mails (for malware scan) greater than” is not working for outbound traffic
• NC-30183 [Email] Notification test email fails with authentication when mail send without saving configuration
• NC-30303 [Email] Possible authenticated remote code execution in mail_sender
• NC-30649 [Email] Permissions for Email protection are not exported correctly
• NC-29216 [Firewall] Separate out filter and NAT table chains for IPsec in two different services
• NC-29505 [Firewall] Traffic shaping rule for firewall has wrong default policy association
• NC-29776 [Firewall] After migrating from CR to SF DNAT rules stop working after every reboot
• NC-29990 [Firewall] Import/Export of destination local acl always set to “any” if any port is selected before
• NC-30037 [Firewall] Validation missing if IPv4 is selected as IP version
• NC-30197 [Firewall] Firewall rule filter is not working from second page onwards
• NC-30588 [Firewall] Policy Tester ignores IP host groups in the firewall rule
• NC-30766 [Firewall] Unauthenticated XSS in diagnostics component
• NC-30871 [Firewall] Japanese column header not displayed in the right place in Protect -> Firewall
• NC-19980 [Framework(UI)] Filter search containing backslash char will not find the match
• NC-30575 [Framework(UI)] VPN FO Group selection widget doesn’t display correctly in Chrome
• NC-28826 [HA] HA migration does not complete if dedicated link goes down during migration process
• NC-29572 [IPsec] GUI allows admin to select external certificate for Remote Certificate for IPsec Connection for Remote Access
• NC-30830 [IPsec] CVE-2018-10811 & memleak: Import upstream strongswan patches
• NC-30979 [IPsec] IPsec route can disappear if two connections use the same
• NC-29889 [Network Services] Unable to lease the IP to some users
• NC-31017 [RED] RED S2S client does not work with routed server address
• NC-29733 [Reporting] Showing unknown character for Current HA status under reports with HA
• NC-29846 [Reporting] Sort by Users/Byte is not working on Cloud Applications page
• NC-30155 [Reporting] Wrong label displayed for widget of Cloud Application
• NC-30190 [Reporting] Records are not displaying in HTML export for “Records Per Chart 25 and more” for some widget of Cloud application
• NC-28789 [Sandstorm] ExcludeSandstormFileTypes is not available in SandboxSettings XMLAPI data
• NC-27461 [SFM-SCFM] Compatibility v17: Firewall UI issues at device level
• NC-28913 [SFM-SCFM] Compatibility v17: Appliance unsync when applying L2TP (Remote Access) or IPSEC configuration
• NC-29907 [SSLVPN] Not able to edit SSL VPN (Remote Access) policy
• NC-30847 [SSLVPN] Unable to set user portal port to SSL VPN port
• NC-29278 [Synchronized App Control] Renaming an Endpoint does not update SAC table
• NC-29820 [Synchronized App Control] No new logs since 2 days – /tmp is full on XG85
• NC-31020 [Synchronized App Control] Synchronized Application Control page is taking too long to load
• NC-31229 [Synchronized App Control] SAC data table not loaded after migration to v17.1 Beta1
• NC-30054 [UI] Device Access page showing error on Auxiliary machine
• NC-29602 [WAF] API Get for SecurityPolicy does not return Traffic Shaping settings for the policy
• NC-29876 [WAF] Website hosted over WAF taking more time to load when Common Threat Filter enabled
• NC-30448 [WAF] Rewrite HTML for site path with special characters leads to memory allocation failure
• NC-28699 [Web] Cloud Applications Control center widget – spacing issue
• NC-28762 [Web] After power failure, Android devices captive portal does not disappear after logging in
• NC-29002 [Web] API Import for WebFilterPolicy with dependent entities failed
• NC-29164 [Web] Proxy drops HTTP Response when 100 and 200 in same packet
• NC-29166 [Web] AV files served from cache are not scanned if ‘scan av’ flag enabled after file was cached
• NC-29385 [Web] Data mismatch for Control Center and reporting widget for Cloud Application
• NC-29479 [Web] Usercache is not updated when classification set through AppClassificationBatchAssignment
• NC-29504 [Web] Captive Portal customization Reset to Defaults does not work
• NC-29601 [Web] Policy Test Tool not working
• NC-29809 [Web] When cloud dash board page contains more than 10 apps, some apps will not show app-icon warning exclamation triangle mark when changing app classification
• NC-29984 [Web] WebFilterURLGroup API Doc is misleading
• NC-30606 [Web] Fail to change application classification when changing to other languages
• NC-30682 [Web] Cloud Applications page loading failed in XG85 appliance
• NC-31042 [Web] Cloud Applications dashboard column names have overlapping text in French
• NC-27033 [Wireless] Pending text is wrapping to next line for Wireless APs counter
• NC-27535 [Wireless] UI is not displaying WiFi client’s IP when multiple clients are connected to AP
• NC-28763 [Wireless] UI displays AP as inactive even if AP was active
• NC-28765 [Wireless] AP goes in inactive mode when used “2.4 Ghz and 5 Ghz” Frequency band
• NC-29419 [Wireless] Not able to configure channel 12 and channel 13 on Desktop refresh devices
• NC-29988 [Wireless] Wireless network update is not reflecting when it is assigned to LocalWiFi1(OptionalWiFi)

Issues Resolved in Beta2 build

• NC-29977 [WAF] Reverse authentication: Access possible for empty protection profile

Issues Resolved in Beta1 build

• NC-28797 [Access] User Edit page doesn’t load for some users who are part of multiple groups
• NC-26797 [API] HA devices update from MR2 to MR3 result in primary unit being factory reset
• NC-22530 [Authentication] Webfilter policy is not working for auto-created AD user
• NC-28175 [Authentication] Customer from NC-21823 has updated and getting segfault for access_server
• NC-16090 [Base System] Source port changes to random over IPSec VPN
• NC-25783 [Base System] Import certificate option is missing for CSR
• NC-26328 [Base System] Additional CPU cores not detected in v17 after license upgrade
• NC-27022 [Base System] Import from configuration failed due to too long certificate name
• NC-27076 [Base System] Ping utility not working
• NC-27263 [Base System] Incorrect interface speed is shown via SNMP
• NC-28033 [Base System] Packet capture and connection list issue
• NC-28220 [Base System] Garner active.db file size is too big in /tmp/eventlogs due to LogViewer output plug-in
• NC-28566 [Base System] Garner service restarts
• NC-27087 [Certificates] Default CA regeneration fails
• NC-27853 [DDNS] DynDNS update does not happen in the configured time range
• NC-28177 [DNS] Unable to resolve DNS of services.vip.symantec.com when registering it in Services/FQDN Host
• NC-22864 [Firewall] Quick QUIC block
• NC-22878 [Firewall] Allow user to edit rule while double clicking on the rule
• NC-22927 [Firewall] NATPolicy API export fails when it contains NAT profile created on network
• NC-26433 [Firewall] Captive Portal access issue for Android devices
• NC-26560 [Firewall] One time schedule in firewall rule for VPN traffic doesn’t block traffic when schedule expires
• NC-27004 [Firewall] Unable to send email due to Default Internet Scheme Policy
• NC-27164 [Firewall, Performance] LAN interface become unresponsive
• NC-28025 [Firewall] Policy Tester ignores service groups in the firewall rule
• NC-28710 [Firewall] Display of firewall rule in Firewall Group overlaps with display of action
• NC-28756 [Firewall] Appliance inaccessible after the backup restore
• NC-28785 [Firewall] Packet capture log is empty when opened via hyperlink in log viewer for IPv6
• NC-28791 [Firewall] Sometimes VPN is not working when bridge has WAN interface
• NC-28800 [Firewall] Firewall Rule ID is shown with an incorrect ID
• NC-29379 [Firewall] HA Aux appliance goes in failsafe mode when failed to load LBS module (occurs only in specific IPv6 condition)
• NC-29243 [Framework(UI)] Subnet creation is broken for IE11
• NC-25854 [HA] Disable HA fails on auxiliary appliance when LAG interface is used as peer admin port and a bridge interface is also configured in SFOS
• NC-29040 [Hotspot] File name containing space is not working for images/stylesheets and logos of hotspots
• NC-26514 [IPS] IPS core dumps with appliances in HA (A-A)
• NC-27549 [IPS] ATP Exception is getting removed automatically
• NC-28602 [IPS] Filter alignments in Application Filter Policy Rule are displayed incorrect
• NC-29174 [IPS] IPS Policies are not being pushed out via SFM template
• NC-25380 [IPsec] Add an option to auto create a Firewall rule
• NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
• NC-26357 [Logging] Log viewer is not loading after adding any filter and read/write goes high after activity
• NC-21745 [Mail Proxy] i18n file name is not displayed in log viewer and on sandstorm activity page for sandstorm module
• NC-25746 [Mail Proxy] CVE-2012-4929: SSL/TLS CRIME Vulnerability on port 8094
• NC-26472 [Mail Proxy] AwarrenMTA: few mails appear on queue after delivery (DB connect fail)
• NC-26930 [Mail Proxy] XG not able to update spool due to special characters in failure reason
• NC-27240 [Mail Proxy] Unable to send emails due to auto routing to rcpt DNS in case of greylisting reply for MX
• NC-27365 [Mail Proxy] Display issues with german umlauts in SPX Template
• NC-28081 [Mail Proxy] Unable to save the SMTP policy when some MIME types are selected
• NC-28364 [Mail Proxy] Email should be quarantined if scanning fails due to unscannable file
• NC-28819 [Mail Proxy] Quarantined emails are not visible on SMTP Quarantine
• NC-29018 [Mail Proxy] XG is unable to block email attachments when sent via Powershell v5.1
• NC-29103 [Mail Proxy] Unable to release quarantine mails with special characters from spam digest
• NC-29315 [Mail Proxy] CTIPD service should be stopped if Email or WAF subscription is not activated
• NC-29319 [Mail Proxy] Unable to release false positive outbound spam emails
• NC-29339 [Mail Proxy] CVE-2013-0169: Multiple SSL/TLS vulnerabilities – POP/IMAP
• NC-29437 [Mail Proxy] Multi-level subdomain getting 501 syntax error while “Reject invalid HELO or missing RDNS” enabled
• NC-29671 [Mail Proxy] AwarrenMTA restarts when used with high CCLs on certain mails
• NC-21993 [Network Services] Static MAC-IP binding issue
• NC-28815 [Network Services] CVE-2018-5732 and CVE-2018-5733: DHCP vulnerabilities
• NC-27874 [Networking] IP address in static DHCP leases is shown incompletely
• NC-28029 [Networking] Firewall configured as DHCP relay agent is generating flood on internal DHCP server
• NC-28564 [Networking] Backup-Restore failed for different interface name devices when VDSL interface is configured
• NC-29721 [Networking] HA failover is taking 10 minutes in v17.0 MR5
• NC-28320 [nSXLd] URL Category Lookup provides different results for UI and command line
• NC-27556 [PPTP] PPTP Remote Access fails when user name is not in lower case
• NC-27881 [Qos] Unit for bandwidth parameter is incorrect on the Dashboard
• NC-27942 [RED] XG red to XG red not connecting over MPLS network
• NC-22787 [Reporting] Dashboard uses incorrect design for ATP and UTQ widgets
• NC-22829 [Reporting] Reports section in Control Center gets stucked when “None” is configured as Admin Profile for “Reports Access”
• NC-25786 [Reporting] Logo is not displayed properly in SAR report
• NC-27046 [Reporting] “Search Key” filter not working for Google Search Engine
• NC-28918 [Reporting] Unable to view Objectionable websites in Control Center and Reports
• NC-29465 [Reporting] Not able to send mail digest – due to PG connections full
• NC-26575 [SecurityHeartbeat] Heartbeat DB opcode sync command gets stuck
• NC-27258 [SecurityHeartbeat] Ipset opcode stucks in HA setup
• NC-28065 [SSLVPN] Port 8443 should be useable at any time when not used somewhere else
• NC-28219 [SSLVPN] Site-Site SSLVPN: Routes aren’t added with IP HOST Group in remote network
• NC-23106 [Synchronized App Control] [SAC] Extended Filter/Search function in app Lists
• NC-22122 [UI] CVE-2007-6750: Apache Partial HTTP Request Denial of Service Vulnerability for port 8443, 443, 4444
• NC-26436 [WAF] Common Threat Filter should be disabled in default Outlook Anywhere Web Protection Policy
• NC-28405 [WAF] Content gets lost when using form-hardening
• NC-28944 [WAF] HTTPS Certificate Error when editing a Business Application Rule
• NC-29483 [WAF] Creating IP host object inline leads to hanging SlowHTTP UI
• NC-29650 [WAF] CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request
• NC-18038 [Web] Page redirections for authentication (and others) should use hostname not IP
• NC-25617 [Web] Log virus name for unscannable content as “Unscannable” in the Web Virus report
• NC-25745 [Web] CVE-2016-2183, CVE-2016-6329: SWEET32 SSL/TLS Vulnerability and Triple DES on port 8090
• NC-26136 [Web] Change link of Guest User Registration on Captive Portal page into https
• NC-27893 [Web] Unable to use apostrophe character in Captive Portal settings
• NC-28457 [Web] No response when clicking on Captive Portal login button
• NC-28601 [Web] Dynamic app filter rules which do not contain any applications is enforced for all applications
• NC-28695 [Web] Block and warnpage previews use wrong template
• NC-28759 [Web] Awarrenhttp segfaults when killed while scanning
• NC-28792 [Web] IPS fails to close connections which are blocked by an app filter (causing proxy to timeout after 60 sec)
• NC-28899 [Web] ‘Block HTTP’ option disappears if switching from a dynamic category to a non-dynamic one for an activity
• NC-29124 [Web] Possible buffer overflow in Web Proxy’s warn-proceed transformer
• NC-5395 [Wireless] Wrong interface status shown on auxiliary appliance for wireless network
• NC-19851 [Wireless] Support Radius Accounting on Remote APs & Local Wifi models
• NC-26278 [Wireless] IP addresses not visible in Wireless Client List
• NC-27261 [Wireless] Wizard is failing in XG85W(old model) after configuring SSID from wireless config page of wizard

Download

To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA – Sophos Firewall: How to upgrade the firmware: KBA 123285.

Check out all the enhancements in XG Firewall v17.1 including the new Cloud Application Visibility feature in our XG Firewall v17.1 demo video.

The post Sophos XG – SFOS 17.1.0 GA Released appeared first on Network Guy.

at the first step you need to enable SSH (under “Device Access”) for the DMZ zone. The HA port will be configured in the DMZ zone:

Configure an IP address which is not in use in your network. Choose “DMZ” as the network zone like this:

go on with the primary node and configure the peer parameters and choose and document a complex password for the HA data encryption

the slave device is getting 10.1.1.2/30 on DMZ Port 8 and this auxiliary device configuration:

your final configuration will look like this:

now you can connect both Port8 with a network cable:

after this, you will see a new log entry in the system log file:

HA status is also visible in the dashboard:

a “little” bit more complicated but easy after initial configuration :-) keep in mind that you connect all your different networks (LAN, DMZ, WAN [DSL, Cable, etc]) to both devices!

Have a nice sunny day!

The post High availability with Sophos XG appeared first on Network Guy.

First, I had a problem creating the stick with Rufus. The decive couldn’t boot from the usb device:

Starting Firmware Installation
Failed getting ISO disk
press y to reboot

than I tried the DD mode in Rufus. Just load the ISO file from Sophos Portal and load it into Rufus. Plugin your USB stick and click on the small CD-ROM icon, choose the ISO file and click start. You will get a message where you can choose ISO or DD Image mode. Choose DD mode in this case:

now you can successful install XG on your device:

The post Install Sophos XG from USB Stick appeared first on Network Guy.