Sophos Firewall v19.5 - All new features in this update
It has been a few months since I last had time to write an SFOS update article. That should improve again from now on, so I am all the more pleased to introduce the new features and improvements in SFOS 19.5.
The update is available for all Sophos Firewalls in the SG, XG, and XGS series, as well as for virtual appliances or instances on cloud platforms such as Azure or AWS.
The following models will not receive the update because they do not have 4 GB RAM: XG 85(w), XG 105(w), SG 105(w)
Security vulnerability CVE-2022-3236 is fixed
A code injection vulnerability (CVE-2022-3236) in the User Portal and WebAdmin allows an attacker to execute code on Sophos Firewall version v19.0 MR1 and older.
Hosts and Services Search
In SFOS v19, object search in firewall rules was massively improved. However, the search function was still missing in some places, such as with Hosts and Services objects. Now it is possible to search these objects by name, port, or IP address, which also makes it easier to spot duplicate objects.
Deleting duplicate objects that are still in use remains less straightforward, as there is still no indication of where an object is referenced.

Azure AD SSO for Webadmin login
Azure AD has been available on Sophos Central for some time. With v19.5, the integration of Azure Active Directory (Azure AD) now comes to the Sophos Firewall for Single Sign-on (SSO) on the Webadmin console.
The Azure AD integration also enables dynamic role and group access management. You can therefore create your own permission profiles on the firewall, or use the existing ones and assign them to a user in Azure AD.

The Azure AD integration for WebAdmin login is certainly a great start. Things will get really interesting when Remote Access users (SSL VPN or IPsec) and the User Portal can also use it.
High Availability improvements
There are also some genuinely useful improvements for HA clusters. One small change, for example, is the note shown when creating the cluster that the license must be present on the Primary Device or, for an Active-Active cluster, which we almost never use in practice, on both appliances.

It is now possible to configure multiple HA links, not only via a direct connection but also via LAGs and VLANs.
VLAN Interfaces can now also be added to interface monitoring.

The Status Page now provides significantly more useful information. It shows which node the license is activated on, as well as the date and time of the cluster’s last status change. You can also assign a name to each node and no longer have to remember the serial number.

The widget in the Control Center has moved to the top right and now shows more information about the cluster. The tab name also shows which node you are connected to, although I would prefer to see the firewall hostname here, as I never log in to Node2 anyway.
SD-WAN Load Balancing
SD-WAN has been available since v19, and in the new version it is possible to configure load balancing in the profiles. The available methods are Round Robin and Session Persistence.
Round Robin
Connections are distributed across the selected gateways according to their weighting. In the screenshot, both gateways currently have a weighting of 1, resulting in an even distribution across both gateways.
Session Persistence
With Session Persistence, you can define whether traffic should be split by source IP, destination IP, both at the same time, or per connection.

This innovation applies to the SD-WAN profile. You can, of course, create multiple profiles and use them according to the requirements of the routing strategy based on application, source, destination, or service.
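To make the two methods concrete, here is a small Python model of how a profile picks a gateway for each new connection. It is an added illustration written for this article, not Sophos code: the gateway names, weights and flows are constructed, and hashing the persistence key to pin a flow is my assumption about how Session Persistence behaves.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Gateway:
    name: str
    weight: int

class WeightedRoundRobin:
    """Hand out new connections in proportion to gateway weights; with
    weights 1 and 1 (as in the profile screenshot) this alternates evenly."""
    def __init__(self, gateways):
        # Repeat each gateway `weight` times so the cycle honours the ratio.
        self._order = cycle([gw for gw in gateways for _ in range(gw.weight)])

    def select(self, src, dst, sport=0, dport=0):
        return next(self._order)

class SessionPersistence:
    """Pin a flow to one gateway by hashing the persistence key the profile
    chose: 'source', 'destination', 'both' (src+dst) or 'connection' (4-tuple)."""
    def __init__(self, gateways, mode):
        self.gateways, self.mode = list(gateways), mode

    def _key(self, src, dst, sport, dport):
        keys = {"source": src, "destination": dst, "both": f"{src}->{dst}",
                "connection": f"{src}:{sport}->{dst}:{dport}"}
        if self.mode not in keys:
            raise ValueError(f"unknown persistence mode {self.mode!r}")
        return keys[self.mode]

    def select(self, src, dst, sport=0, dport=0):
        # A stable hash keeps every packet of the keyed flow on the same gateway.
        digest = hashlib.sha256(self._key(src, dst, sport, dport).encode()).digest()
        return self.gateways[int.from_bytes(digest[:4], "big") % len(self.gateways)]

# Constructed sample flows: (source IP, destination IP, source port, dest port).
FLOWS = [("10.0.0.5", "1.1.1.1", 40001, 443), ("10.0.0.5", "8.8.8.8", 40002, 53),
         ("10.0.0.6", "1.1.1.1", 40003, 443), ("10.0.0.7", "93.184.216.34", 40004, 80)]

def distribute(balancer, flows):
    """Count how many of the flows each gateway receives under the given method."""
    return dict(Counter(balancer.select(*flow).name for flow in flows))
```

Calling `distribute(WeightedRoundRobin(wans), FLOWS)` with two gateways of weight 1 splits the four flows 2:2, while `SessionPersistence(wans, "source")` always sends both flows from 10.0.0.5 to the same gateway.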
More performance for all Sophos XGS Firewalls
Every Sophos XGS appliance has a dual-processor architecture. When the XGS Series was launched, Sophos doubled the speed of some connections compared to the XG Series. Sophos also announced that future software updates would offload processes from the CPU to the NPU to improve performance. With version 19.5, additional processes are handled by the Xstream Flow Processor and accelerated as a result. Thanks to this development, the number of IPsec VPN tunnels on XGS models has simply been doubled in this release.
For the XGS 4300, 4500, 5500, and 6500 models, TLS-encrypted connections are accelerated on the FastPath, making Deep Packet Inspection even faster.
Other minor improvements in v19.5
OSPFv3
The new dynamic routing engine offers support for OSPFv3. New features in OSPFv3 include support for IPv6, a smaller header size, and the removal of MD5 for authentication. OSPFv3 does not provide its own authentication support at all and instead relies on IPv6’s more flexible IPsec framework.
Log
Improved storage of log files enables detailed troubleshooting.
Hardware Support
Improved support for 40G interfaces with automatic detection of extended port configurations for XGS 5500 and 6500 models.
The hardware support for the 5G modules, which was listed in the EAP, is no longer included in the final v19.5 version. I therefore suspect the modules will come a little later than expected.
Video on the innovations in Sophos Firewall OS v19.5
As you can see, Sophos is now making a real effort to show new features in videos, which we think is very cool. In the past, new features often got lost in the release notes and only a few people noticed them. In addition to the videos on individual features embedded above, there is also a video covering Sophos Firewall 19.5 as a whole.
Updates are no longer free for long
Perhaps not everyone has received the news yet: Sophos Firewall updates will no longer be free in the future.
This means we now have the first update since version 19.0 MR1, and the counter for free updates starts at three. After installation, or more precisely when uploading the new 19.5 firmware image, it drops to two.
If you look at the new features in this update, which is admittedly a larger update, you can already see that many additions are coming that make Sophos Firewall better again. This development has to be paid for, and as we know from smartphone apps, many developers are switching to subscription models to fund exactly that ongoing development.
Consequently, once the firmware counter stands at zero, an Enhanced Support license is required, which is available on its own or as part of a license bundle such as Standard Protection, Xstream Protection, or Epic Protection.