RESET Forums (homeservershow.com)
itGeeks

Sophos Copernicus is now out of Beta and Has a New Name, Sophos XG Firewall

itGeeks

Well, again it's not exactly obvious!!

 

You need to edit your main network rule and under Policy for User Applications, change Web Filter from Allow All to None (Off would have been a better description!)

Thinking about it, I could probably add another rule above the default and use Web Filter None for the specific Apple devices.

 

However, they MUST be aware of the Netflix issue - it was a problem in the last product so to have not addressed it this time around beggars belief really.

Thanks for the info, and you're right, "web filter" OFF would be straightforward. This is very interesting because that's what I had done before but it was not working for me, but that's when the product was still in beta. I still had the rule in place for gaming consoles so I just added my Android phone to it and what do you know? Netflix now works :) Now I just will add another outbound rule for mobile devices needing Netflix and just disable the web filter and all other protection on.

psykix

I tried creating a webfilter none rule for my iPhone by MAC address but couldn't get it to work.

Drashna Jaelre

I feel your pain and agree with you, but unfortunately this is the way they are heading and UTM 9 whatever will become a boat anchor at some point. They listen to none of us on the beta forums or at least gave no response in most cases, so your guess is as good as mine what they're thinking with this product. Think of the CEO of Microsoft that now owns a football team. He did not listen to any of us either.

Wow, that's ... So they didn't care at all about user feedback...  :(

That's depressing. Well, the more people that go and leave negative feedback on their site, the better. Maybe they'll actually fix things...

 

I tried creating a webfilter none rule for my iPhone by MAC address but couldn't get it to work.

Yeah...... 

 

Well, there is no way to really do that well. It's all or nothing. :(

 

And the web filter/application control breaks XBOX Live, as well. No way to fix it other than turning it completely off. 

 

It's not just disappointing, it's just not useful.  Even if the web filter is faster... it doesn't make a difference if we have to turn it off, just to get stuff to work.

 

 

 

they publish an example (http://docs.sophos.com/nsg/sophos-firewall/v15010/PDF/Publish%20Internal%20Server%20over%20Internet.pdf) similar to your first guide, but don't seem to include port numbers. have you looked at the referenced 'reflexive rule' ?

Yeah, they do. Probably because a bunch of enterprise customers complained that they couldn't figure it out. 

 

They have a web filter one too.  But it's garbage. Complete garbage.  

 

 

 

Seriously, I'm going to be reverting to the 9.3 version for a while. Maybe in six months, they'll have fixed their issues... and it will no longer be a stinking pile of shit.

psykix

Well my Powerline plugs that were providing the WAN connection to the Gen8 seemed to just stop working properly today, so I'm back on my old router until I can get the master socket moved by a telephone engineer to the other room.

 

I think I may try Untangle and possibly pfSense too..

itGeeks

Well my Powerline plugs that were providing the WAN connection to the Gen8 seemed to just stop working properly today, so I'm back on my old router until I can get the master socket moved by a telephone engineer to the other room.

 

I think I may try Untangle and possibly pfSense too..

Sorry to hear about your trouble. I am using Powerline plugs to feed 4 cameras mounted on my detached garage and they work just fine with Sophos. I did not do anything special with Sophos to get them working. Powerline adapters do need a fresh start from time to time; that's just the nature of the beast. I have tried several manufacturers before I settled with Netgear Powerline 1200. They were the best performers and needed the least amount of reboots over a certain time frame, and the best part is they work even though they are on two different circuits. Some of the ones I tried would not even connect if they were not on the same circuit. But even as good as these are, once in a while I need to give them a fresh start, but much less than others I tried.

http://www.amazon.com/gp/product/B00S6DBGIS?psc=1&redirect=true&ref_=oh_aui_detailpage_o07_s00

Edited by itGeeks
  • Like 1

itGeeks

Wow, that's ... So they didn't care at all about user feedback...   :(

That's depressing. Well, the more people that go and leave negative feedback on their site, the better. Maybe they'll actually fix things...

 

Yeah...... 

 

Well, there is no way to really do that well. It's all or nothing.

 

And the web filter/application control breaks XBOX Live, as well. No way to fix it other than turning it completely off. 

 

It's not just disappointing, it's just not useful.  Even if the web filter is faster... it doesn't make a difference if we have to turn it off, just to get stuff to work.

 

 

 

Yeah, they do. Probably because a bunch of enterprise customers complained that they couldn't figure it out. 

 

They have a web filter one too.  But it's garbage. Complete garbage.  

 

Seriously, I'm going to be reverting to the 9.3 version for a while. Maybe in six months, they'll have fixed their issues... and it will no longer be a stinking pile of shit.

The way I got Netflix to work on my Android was not by MAC address; I created an IP-Host. I don't know if that made the difference or not, because I don't have any iOS devices and I did not try using the MAC address before trying IP-Host. The reason I decided to use IP-Host over MAC-Host was because you can't create a MAC-Host (Group) of devices; you can only create an IP-Host (Group). Give it a shot and see if it works for you. What I have done now is create 3 different outbound rules. One for gaming consoles, IP cams, TVs, DVRs, etc. What goes into this rule is anything that's not a computer, tablet or smart phone. I have all the security/scanning settings turned off on this rule so things like XBox Live will work, and let's face it, you don't want to be scanning gaming traffic because that could kill the win :)

The second outbound rule holds all my tablets/smart phones that need Netflix. In this rule I only turn off the web filter to make Netflix happy, but all other security/scanning is active, even IPS.

The 3rd outbound rule is the default rule created by Sophos. On this rule everything is active. It seems to be working well today but only time will tell if there are any other problems.

Edited by itGeeks
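
The three-rule layout described in the post above, modelled as an added example (not code from the thread or from Sophos). It assumes rules are evaluated top-down with the first match winning; the rule names and device addresses are constructed, and the audit flags orderings that would cancel or over-widen an exemption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    sources: tuple      # IP-host group as address/CIDR strings; () means "any source"
    web_filter: bool
    ips: bool
    app_control: bool

    def matches(self, src):
        # An empty source group matches every client, like the default rule.
        return not self.sources or any(
            ip_address(src) in ip_network(s) for s in self.sources)

# Constructed addresses; names are hypothetical labels for the post's three rules.
RULES = [
    Rule("non-computers", ("192.168.1.50", "192.168.1.51"), False, False, False),
    Rule("mobile-netflix", ("192.168.1.60",), False, True, True),
    Rule("default", (), True, True, True),
]

def effective_rule(rules, src):
    """Return the first rule from the top whose source group contains src."""
    return next((r for r in rules if r.matches(src)), None)

def audit(rules):
    """Flag rule orderings that silently cancel or over-widen an exemption."""
    findings, seen_any = [], False
    for r in rules:
        relaxed = not (r.web_filter and r.ips and r.app_control)
        if seen_any:
            # Everything below an any-source rule is never reached.
            findings.append(f"{r.name}: shadowed by an earlier any-source rule")
        elif relaxed and not r.sources:
            findings.append(f"{r.name}: protection off for every source")
        seen_any = seen_any or not r.sources
    return findings

if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.60", "192.168.1.99"):
        print(ip, "->", effective_rule(RULES, ip).name)
    print(audit(RULES) or "ordering OK")
```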

nrf

another observation about this attempt at a product - they have basically cranked out hundreds of pages of documentation telling you what controls can be set in nitty gritty detail but very little to none on strategy or design concepts. When would I use a certain capability for example.  the scenario documents are a weak attempt at something along those lines, containing 'use cases'.

 

I hope this gets worked out, the 'heartbeat' concept is kind of useless if nobody can set up the devices.

psykix

another observation about this attempt at a product - they have basically cranked out hundreds of pages of documentation telling you what controls can be set in nitty gritty detail but very little to none on strategy or design concepts. When would I use a certain capability for example.  the scenario documents are a weak attempt at something along those lines, containing 'use cases'.

 

I hope this gets worked out, the 'heartbeat' concept is kind of useless if nobody can set up the devices.

 

The home version doesn't support the heartbeat anyway as far as I could see..

 

https://community.sophos.com/products/xg-firewall/f/46/t/10801

Edited by psykix

nrf

true, I commented on that earlier, but for a supposed enterprise product they are going to have to do better (unless they are going to hawk the service of setting up your 'easy to use' appliance for you)
