Sophos UTM Up2Date




Sophos UTM (formerly Astaro Security Gateway) offers an integrated software solution that provides superior performance in an all-in-one firewall. Its hardened operating system, stateful packet inspection, content filtering (virus & surf protection), application proxies and IPsec-based VPN provide a powerful solution to today's security issues.

Having had mixed results with the Sophos XG, and having hardware that just can’t keep up with the latest updates for it, I’ve reverted back to the Sophos UTM9. This still plays nicely with my PIA VPN setup, whereby a pfSense router is placed in front of a UTM interface to anonymise traffic; however, I do miss the highly granular way policy-based routing could be done in the Sophos XG.

For example, in the XG it is possible for each ACL rule to define a gateway and failover gateway as well as NAT’ing policies.

Within the UTM9 I’ve had to create ACL rules, NAT rules and Policy Routes separately – no big deal but it certainly needs more clicking around and isn’t as clear how the Policy Routes would handle an interface down situation – will it stall on the rule or move to the next valid rule for that traffic?


Anyway – after setting everything up I was quickly able to get traffic flowing outbound through the pfSense gateway as well as out through the Virgin Media router direct depending on the traffic type. Likewise, getting my PRTG server published outbound was a doddle using Webserver protection. However, try as I might I was not able to update the UTM via the Up2Date process.

2018:02:19-00:00:14 utm9 audld[12540]: no HA system or cluster node
2018:02:19-00:00:14 utm9 audld[12540]: Starting Up2Date Package Downloader
2018:02:19-00:00:24 utm9 audld[12540]: patch up2date possible
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 79.125.21.244 (status=500 Can’t connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 107.21.214.248 (status=500 Can’t connect to 107.21.214.248:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 54.214.16.252 (status=500 Can’t connect to 54.214.16.252:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 175.41.132.12 (status=500 Can’t connect to 175.41.132.12:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 79.125.21.244 (code=500 500 Can’t connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 107.21.214.248 (code=500 500 Can’t connect to 107.21.214.248:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 54.214.16.252 (code=500 500 Can’t connect to 54.214.16.252:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 175.41.132.12 (code=500 500 Can’t connect to 175.41.132.12:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: >
2018:02:19-00:00:27 utm9 audld[12540]: All 4 Authentication Servers failed
2018:02:19-00:00:27 utm9 audld[12540]:
2018:02:19-00:00:27 utm9 audld[12540]: 1. Modules::Logging::msg:46() /</sbin/audld.plx>Modules/Logging.pm
2018:02:19-00:00:27 utm9 audld[12540]: 2. Modules::Audld::Authentication::_handle_failure:235() /</sbin/audld.plx>Modules/Audld/Authentication.pm
2018:02:19-00:00:27 utm9 audld[12540]: 3. Modules::Audld::Authentication::start:66() /</sbin/audld.plx>Modules/Audld/Authentication.pm
2018:02:19-00:00:27 utm9 audld[12540]: 4. main::main:174() audld.pl
2018:02:19-00:00:27 utm9 audld[12540]: 5. main::top-level:40() audld.pl
2018:02:19-00:00:27 utm9 audld[12540]: |
2018:02:19-00:00:27 utm9 audld[12540]: id="3703" severity="error" sys="system" sub="up2date" name="Authentication failed, no valid answer from Authentication Servers"

Strangely, I could connect fine to the addresses in the log such as https://175.41.132.12:443, and I could ping them and resolve DNS records such as v8up2date3.astaro.com, all from my PC behind the UTM. After messing for a couple of hours reviewing logs, forum posts and trying various changes, including removing all policy routing and going straight out via a non-VPN’d route, I finally found out the root cause… the UTM does not follow the rules of Policy Routes!


I’d set up routes to 192.168.0.1 (VMRouter) and 192.168.10.1 (pfSense) for administration of those routers, with HTTP(S) and ICMP to go via the VPN’d pfSense route.


So while I had no default gateway as such on the interfaces, I had instead set up a catch-all policy route which sent all traffic not hitting an above rule via the non-VPN’d gateway. Unfortunately the UTM doesn’t follow this and absolutely requires a tick box against “IPv4 default GW” in the interface.


After ticking this the updates flowed in 🙂
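
Every failure in the log above carries the reason "Network is unreachable", the error a kernel returns when its own routing table has no matching route, which is consistent with the missing default gateway rather than a firewall or server-side problem. The following is an added example, not part of the original post: a small triage script that groups audld connection failures by reason. The hint texts and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches audld connection failures such as:
#   Could not connect to Server 79.125.21.244 (status=500 Can't connect to
#   79.125.21.244:443 (Network is unreachable)).
FAIL_RE = re.compile(
    r"audld\[\d+\]: Could not connect to (?P<kind>Authentication Server|Server) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(.*?\((?P<reason>[^()]+)\)\)"
)

# Hint per failure reason (wording is this example's, not Sophos').
HINTS = {
    "Network is unreachable": "no local route: check the interface has a default gateway",
    "Connection timed out": "route exists but packets are dropped or lost upstream",
    "Connection refused": "host reached, nothing accepting on the port",
}

def triage(log_text):
    """Return {reason: {"servers": sorted IPs, "count": n, "hint": str}}."""
    servers, counts = {}, Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a connection failure (e.g. the id="3703" summary line)
        reason = m.group("reason").strip()
        counts[reason] += 1
        servers.setdefault(reason, set()).add(m.group("ip"))
    return {
        r: {"servers": sorted(servers[r]), "count": n,
            "hint": HINTS.get(r, "unclassified")}
        for r, n in counts.items()
    }

# First two lines are taken from the post's log; the last two are constructed.
SAMPLE = """\
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Server 79.125.21.244 (status=500 Can't connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:00:27 utm9 audld[12540]: Could not connect to Authentication Server 79.125.21.244 (code=500 500 Can't connect to 79.125.21.244:443 (Network is unreachable)).
2018:02:19-00:05:27 utm9 audld[12600]: Could not connect to Server 192.0.2.10 (status=500 Can't connect to 192.0.2.10:443 (Connection timed out)).
2018:02:19-00:05:27 utm9 audld[12600]: id="3703" severity="error" sys="system" sub="up2date" name="Authentication failed, no valid answer from Authentication Servers"
"""

if __name__ == "__main__":
    for reason, info in triage(SAMPLE).items():
        print(f"{reason} x{info['count']}: {info['servers']} -> {info['hint']}")
```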