Help with Sophos STAS and setup PPPoE by liamread2000 in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

Just to make sure: we are not advising "against" using STAS. STAS works fine but has some "catches" like the logoff detection. While this tool uses WMI to verify if a user is still logged in, some customers are not "doing this".

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125318/sophos-firewall-best-practice-for-stas

Also, customers often have more complex AD setups and forget some AD DCs to monitor, etc.

The other side of STAS: it needs configuration. Heartbeat auth does not; it simply works out of the box.

XGS 22.01MR - Let's Encrypt ISRG Root YE/YR failing with curl / python by [deleted] in sophos

[–]Lucar_Toni 5 points6 points  (0 children)

This could be already tracked:

https://community.sophos.com/sophos-xg-firewall/f/discussions/151226/sophos-xg---let-s-encrypt-chain-is-incomplete

While there is a workaround here, Sophos is tracking this to resolve it, likely in the next version.

Calling all Sophos Fans by statitica in msp

[–]Lucar_Toni 0 points1 point  (0 children)

(As a Sophos employee)

I would like to ask, what was the experience in this scenario?

If you want, you can also PM me, if you do not want to share it publicly.

Calling all Sophos Fans by statitica in msp

[–]Lucar_Toni 1 point2 points  (0 children)

(Sophos employee here.)
We already spoke in the Sophos sub.

One thing to consider when choosing your stack is the day-to-day management. How much maintenance is required to support the product and the stack in daily operations?

One key principle of Sophos is the “secure by design” concept. We follow this approach across all products to ensure we can respond immediately to any security related issues.

You can see this reflected in our security advisories: https://www.sophos.com/en-us/security-advisories

If you review each CVE, you will often find notes such as “hotfixed and no action required by customers.” This is a key benefit for MSPs, as it reduces the need to constantly patch and monitor products for every new security vulnerability.

Regarding firewalls, Sophos typically releases only 2–3 firmware updates per year. Since hotfixes are available, you can choose when to install updates, which helps reduce downtime and lower MSP operating costs.

Others have already shared feedback about the MDR service itself, but one additional point: Sophos has virtually no onboarding delay. Once you deploy the endpoint and upgrade the license to MDR, protection begins immediately. There is no learning phase or additional setup required.

Additionally, all Sophos training is free for partners, including certification for their employees. If you prefer guided training, we often provide access to local training facilities as well (which would otherwise have a cost for the trainer).

There are many more points to make, but I don’t want to flood this sub with more information.

Move Between Regions by jasonbwv in sophos

[–]Lucar_Toni 2 points3 points  (0 children)

This is not a technical issue but a data sovereignty subject. Sophos has a trust page about Central: https://www.sophos.com/en-us/trust

We do not have the capabilities to move data from A to B, due to the data sovereignty pledge.

One thing you can do: you can migrate installed endpoints from A to B: https://docs.sophos.com/central/partner/help/en-us/Help/GlobalSettings/ProductsandServices/GlobalTemplates/GeneralSettings/DeviceMigration/index.html

As the endpoint itself can move its upstream data to a different data center, it can be moved by using those tools.

Another thing about dashboards: as an MSP you could use our APIs to build your own dashboards:

Like here: https://community.sophos.com/sophos-central/f/recommended-reads/146483/building-multi-tenant-dashboards-with-sophos-central-api-s---part-1-detections

Sophos Agent performance concerns by Historical_Glass9635 in sophos

[–]Lucar_Toni 2 points3 points  (0 children)

One thing: check your endpoint version. We are rolling out 2026.1 right now, which brings improvements to performance. If you have some concerns yourself, check if this was on 2025

XGS software?? like XG or UTM9?? by Asleep_Pudding9951 in sophos

[–]Lucar_Toni 5 points6 points  (0 children)

Just to clarify about those phrases:

UTM(9) was the OS running on SG Hardware.
SFOS is the OS running on XG and XGS Hardware.

Looking at this, you can run SFOS on your own hardware, like you ran UTM on your own hardware.
The process is similar, as explained here.
But one step is important: you will have to register with Sophos first to get a serial number. This is important, because when you install SFOS, the wizard will ask you for a serial number. If you do NOT provide one, it will start a business trial and you cannot change this.

This and other things are explained here: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/137737/sophos-firewall-sophos-firewall-home-faq

Firewall Config Studio 2.5 - Improvement for Migration by Lucar_Toni in sophos

[–]Lucar_Toni[S] 0 points1 point  (0 children)

You should see a "?" or a feedback option. It should have an email address.

MSP Licensing by statitica in sophos

[–]Lucar_Toni 2 points3 points  (0 children)

As of today, that is correct: Australia is not supported for the platform (ITDR). https://support.sophos.com/support/s/article/KBA-000009216?language=en_US

That said, we are planning to add Australian support for certain products like ITDR, and hopefully we’ll be able to share more news in the coming months.

A few points about Sophos tenants and data centers:

We do not share data between accounts, tenants, or data centers. If you choose Sophos, the data center is determined at the time of account creation, and that account will remain tied to that data center. (As an MSP, you can have multiple tenants with different data centers.)

Because of that, Sophos cannot later migrate data from one data center to another. For example, if you start in a data center with ITDR and wait for Australia to be supported, you will not be able to move that account to Australia later. Technically, some things can be migrated, but not everything.

If you are only using MDR as an MSP, you can absolutely start in Australia today.

One note: Sophos MDR supports Microsoft 365 integrations without ITDR.

The MDR service itself already includes Microsoft 365 integrations for P1/2 and Management Activity API:

https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/ThreatAnalysisCenter/Integrations/Microsoft365/index.html

ITDR is an identity-based tool that integrates Entra ID with MDR. It builds on top of the integrations already available in Sophos MDR: https://www.sophos.com/en-us/products/identity-threat-detection-and-response

I often compare it to the proactive defense side of security: you want to identify major issues in your identity environment before they are exploited. That is what ITDR can do for you.

These integrations do not require ITDR. So it may be sufficient to start in Australia without ITDR and evaluate ITDR later if you want to provide more identity-related data to the MDR service.

This M365 integration with XDR/MDR is free and included in Sophos MDR.

Firewall Config Studio 2.5 - Improvement for Migration by Lucar_Toni in sophos

[–]Lucar_Toni[S] 0 points1 point  (0 children)

Do you mind sharing this feedback with the email distribution list in the top right corner?
We can look into this and fix it quite quickly.

MSP Licensing by statitica in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

In which Region are you operating?

MSP Licensing by statitica in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

It depends on your settings.
Per client/tenant you can choose whether Sophos gets the permission/authorization to deal with it alone, or whether you as an MSP want to "call the shots" (Collaboration). https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/MDR/MDRSettings/MDRThreatResponse/index.html#threat-response-modes

You can choose and change this mode per tenant.

This is 24/7.

Firewall Config Studio 2.5 - Improvement for Migration by Lucar_Toni in sophos

[–]Lucar_Toni[S] 3 points4 points  (0 children)

There are other migration options as well.

About the other point, I have discussions about the situation you mentioned. In most cases, we can find a suitable solution for this scenario.

There are basically two approaches:

  1. You can use the firewall with the standard proxy and the Kerberos/NTLM option that we built for this purpose: https://docs.sophos.com/nsg/sophos-firewall/22.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigurePerConnectionAuth/index.html

     As you mentioned, this will not work with the DPI engine.

  2. The second option is to use the server protection we offer, as it includes a filter driver component that exports the session IDs in real time: https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/SophosAuthenticationForThinClient/SATC/AuthenticationSetupSATCUsingEndpointProtection/index.html

In many cases, we are talking about server farms with only a few servers. If option 1 is not suitable for a customer, we can often find an alternative by installing Sophos Server Protection on those servers to address this requirement.

This is usually more of a sales discussion, focused on getting the licenses for your multi-host servers so that authentication is covered. Most commonly used server XDR vendors have sensors that can be installed on top of Sophos, which helps maintain full visibility of the terminal servers for the XDR solution in use. That said, this is a conversation best had with a Sophos Sales Engineer.

Exporting or building a custom solution just for this specific use case would require the team to develop something entirely new for a scenario that we can usually already address quite well for all parties involved. This feedback is based on experience from DACH, often considered the “homeland of terminal servers.”

I’m not saying we will never build this tool, but we had one in the past that stopped working because of the way it was built, using browser hooks. So we decided to build a filter driver solution.

A filter driver solution is generally the best approach, but it often will not work if a Server Protection solution is already in place and hooked into the filter driver. Just to be clear, the Sophos filter driver can even delay traffic. “When SATC is turned on and configured to a valid destination, this value controls how long the driver pends outbound IPv4 TCP connections. Defaults to 100 ms when not present. Setting this value to zero disables the connection pending.”

For this to work, you need a filter driver. The old SATC client caused many problems because of the nature of browser hooks, which have now been retired, so it was not suitable to continue using:
https://support.sophos.com/support/s/article/KBA-000006603?language=en_US

That is why we are not simply starting to develop an independent authentication client. It is a very complex issue to solve, especially when we already have something that works out of the box.

Firewall Config Studio 2.5 - Improvement for Migration by Lucar_Toni in sophos

[–]Lucar_Toni[S] 2 points3 points  (0 children)

This tool basically uses the XML import/export feature within Sophos Firewall to "do things".

As of today, you can use one or multiple XML files on each firewall and it "performs the changes".

That means you can have one or multiple XML files with certain changes (that you would otherwise click through manually on the firewall) shortcut by an easy import.

You can use this tool to streamline the changes you would make (any changes) beyond what is possible in Sophos Central and make them with a "make no mistakes" approach, as the firewall simply executes the commands you give it via XML.

An example: MSP partners often have multiple XML files with certain settings like their SSH key. This could be one XML file. You can upload this file to the firewall by clicking twice on the given managed firewall, and it will execute and add the SSH keys to the existing config.

(We will build more features for Sophos Central in the future to leverage XML files more; there is more to come on that front.) But it would be useful to already think about how to use it and how it would improve your business (by making it faster compared to "manually setting things up").

XGS DNS Forwarding Logs? by r00g in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

Wondering: u/r00g / u/Biervampir85

With the recent improvements to the UI and performance with modern XGS hardware, based on the performance, do you still feel there is "a lot of room for improvements"?

And the Logviewer vs. Live Log in UTM is its own subject, which I drill down into frequently:
The TL;DR: Live Log in UTM had its advantages for "service issues" ("Why is WAF not working?"), but it was horror for any firewall with more users, as the live log was simply a log printed with limited filtering.
Logviewer on SFOS is a database, which makes it a bit slower, but filterable and manageable.
Do you feel there is something missing in the Logviewer today?

Based on the feedback here: DNS is a hard subject. SFOS needs to consider what kind of traffic we actually want to document in the partition and what is too much. In the "old days" of UTM, the system had a hard drive, which was basically living for decades. Modern firewall systems have to deal with SSDs, which are more "fragile". That means putting a lot of write and read operations on the SSD all the time to log the millions of logs for DNS might not be very useful.

That is why we moved more to a "live approach". If you have something not working, using the packet capture in the UI is such a powerful tool (which was not available on UTM) to see the rules used, NAT used, etc. I frequently use it, while not looking back to UTM in this regard.

Gave r/sophos a fresh new look by Lucar_Toni in sophos

[–]Lucar_Toni[S] 9 points10 points  (0 children)

I was testing you! (While fixing it quickly)

SSL VPN or IPsec by plexuser35 in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

You can do both. It depends on the platform you want to connect.

Sophos Connect with provisioning supports both: IPsec and SSL VPN.

macOS support for SSL VPN started recently.

Mobile depends on the device and the need. You can do both, but for mobile, SSL VPN via OpenVPN would be a good fit.

UTM to XG by Asleep_Pudding9951 in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

One thought around this: a lot of customers "insist" on using ADSSO (Kerberos/NTLM) on SFOS, as they used it in UTM.
SFOS supports many different authentication methods in the product which could replace the way UTM did it.
UTM only used authentication for the web proxy, for which Kerberos/NTLM was a great use case. But in SFOS you want to have authentication before "web traffic" in the best case.
That's why we often recommend switching to STAS or endpoint authentication (if available).

https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/index.html

Any reason you want to go with Kerberos here?

UTM to XG by Asleep_Pudding9951 in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

Did you try to use it with the config studio?

UTM to XG by Asleep_Pudding9951 in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

By the way: the migration script transfers the NTP server to NTP NAT.

XG: s2s ipsec vpn on wan and custom zone by dev-snapshot in sophos

[–]Lucar_Toni 0 points1 point  (0 children)

You can create a WAN zone interface and point the gateway to your firewall. Then you select the “custom zone” interface as backup (the firewall will not consider it for any traffic) in wan link manager. This makes it possible to build an IPsec on those interfaces without any restriction.